Solved

Building a transparent proxy (if that is what I need)

Posted on 2006-07-17
382 Views
Last Modified: 2013-11-13
Hi.

I am building an internet gateway.  The device is a WinXPPro box with two ethernet interfaces (LAN and WAN).  I need to be able to intercept all web requests (HTTP + HTTPS) regardless of the port, and process the request.

For example, if a user on the LAN interface opens up a browser and tries to go to google.com, then I want to redirect them to the local web server where they receive a login page instead.  Once the user successfully logs in, then I want to redirect them back to their requested page.

I assume that I need to create a proxy of some kind in order to be able to intercept the traffic?  It would have to be transparent to the user as this device is for a public access location (wifi hotspot, internet cafe), so I cannot set a proxy address in the browser.  

I guess I am looking for a C++ DLL component to allow me to do this from VB.  I am a VB/ASP/SQL developer but I realise that in order to handle 100s (max of about 2000) concurrent user requests, then something a little more thread-friendly like C++ must be used.  I have not the time to improve my scarce C knowledge to build this in C.

Please let me know if I am on the right track, or if there is a better way to do this.  The rest of the TCP/IP access is controlled by a firewall, for which my application creates rules for the user on the fly when they successfully log in, and then deletes the rule when they log off or their time expires.

Thanks, TheFoot
Question by Barry Jones

18 Comments

Expert Comment by justchat_1 (LVL 9)

You probably want to have a Winsock control listening on port 80 of the LAN network and then another Winsock retransmit data on the WAN network... But that's only for internet data - should this gateway also prevent access to services like games, AOL, MSN, email access... etc.?

Also, if you actually want to filter requests a better idea might be to only filter DNS queries and redirect them to your login server...

The only other suggestion I can think of is actual packet sniffing and manipulation (http://winpcap.org)

Expert Comment by justchat_1 (LVL 9)

There are many free programs that do what you are asking...are you sure you want to code it yourself?

Author Comment by Barry Jones (LVL 12)

Justchat_1,

Thanks for your comments.  If there are free programs, please let me know - great if I don't have to code anything.  Even better if there are components that I can build a wrapper around.  I just don't know what exactly it is that I need..

Filtering only internet data is fine - a firewall blocks the rest and my app will create rules for other ports/apps when the user successfully logs in via my redirect page.

My main concern with using a Winsock control from VB is that I do not know how to filter for HTTP traffic, rather than via a specific port.  For example, many users' webmail is on a non-standard port such as 8080 or 2020.  I need to be able to monitor all ports, but for specifically HTTP traffic.  Also, if the gateway has to process 1000 concurrent users, then can VB handle this OK?  I'm not so sure.. re threading etc.

Please tell me how I filter DNS - that sounds interesting...

Thanks, TheFoot

Expert Comment by justchat_1 (LVL 9)

It all depends: 1000 users checking email - probably
1000 users logging in at once - probably not
1000 users playing games or downloading files - no program code; you need load balancing

Here are some programs you might consider:
http://www.snapfiles.com/Freeware/network/fwproxy.html

Expert Comment by justchat_1 (LVL 9)

* 1000 users playing games or downloading files-no program code could...you need server load balancing

Author Comment by Barry Jones (LVL 12)

Thanks for your answer.  OK ideally I would like to cope with 1000s of users, but for now I have only small clients that will probably have 10s of users at a time.

I initially thought that 1000s of users would be possible on one box because it should just be a case of handling authentication, but on thinking about it, all communications will probably have to be monitored to at least check that they have previously authenticated.

I cannot find a proxy server that doesn't require the user to change the browser settings.  Isn't that what a "transparent proxy" does?  I can't seem to find one from your link or otherwise...

Let's say then that I code a Winsock component in VB.  Do I have to create a socket for each port, to ensure that all HTTP traffic is intercepted?  How does the DNS filtering work that you mentioned?

Thanks, TheFoot

Expert Comment by justchat_1 (LVL 9)

To monitor all ports you're dealing with packet sniffing, which is definitely on the limits of what VB can do.... you probably want to look at WinPcap, specifically packet injection.

But DNS should save you from all that:
As far as the DNS that I was talking about - allow all ports (except 53) to flow through the router to the internet but forward all packets on port 53 to the authentication server.  Now your server can check if they are coming from an authenticated user or not.  If they are then you pass the DNS request to your ISP's DNS server, but if they are not you return a response directing the request to your LAN's login server.

Author Comment by Barry Jones (LVL 12)

OK - DNS...

So I use WinSock to capture port 53 and process these requests?  Do you have any reference on the structure of DNS packets, and how I go about retrieving information from them?

thanks, TheFoot

Expert Comment by justchat_1 (LVL 9)

http://www.netfor2.com/dns.htm
-or-
http://www.rhyshaden.com/dns.htm
-or-
http://www.windowsnetworking.com/articles_tutorials/Understanding-DNS-Protocol-Part1.html

Also, free software that does this:
http://www.softpedia.com/get/Internet/Other-Internet-Related/DNS-Redirector.shtml

Exactly... it should be simple - you check if the IP is allowed to access the internet - if it is you don't even worry what the DNS packet says, just pass it along.

If it's not you pass along a preconfigured response (to a lookup request)... instead of trying to figure out what to say, run a DNS lookup of your login server while running a packet sniffer (Ethereal or Packetyzer) and hard code that response in your program
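The port-53 interception that justchat_1 describes in the two replies above (forward the query for authenticated clients, hand a canned answer to everyone else), as an added example that is not part of the original thread and is not DNS Redirector's code. It parses the client's DNS query, applies the gateway's decision, and builds the redirect answer from the question itself instead of replaying a captured packet, so the transaction ID and queried name always match. The login server address, the set of authenticated client IPs, the upstream resolver and the sample queries are all constructed for the example.

```python
import socket
import struct

# Constructed sample values for the example (not from the original thread).
LOGIN_SERVER_IP = "192.168.1.1"          # LAN web server that holds the login page
AUTHENTICATED_IPS = {"192.168.1.50"}     # clients that have already logged in
UPSTREAM_DNS = ("203.0.113.53", 53)      # placeholder for the ISP's resolver


def encode_name(name):
    """Encode a dotted host name as DNS labels (length byte + label, zero-terminated)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode labels starting at offset; returns (name, offset after the terminator)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers never appear in the question a client sends.
            raise ValueError("unexpected compression pointer in query name")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=1):
    """Build a standard recursive query (used here to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return id, name, type, class and the raw question section of a DNS query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    name, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": packet[12:offset + 4]}


def build_redirect_response(query, login_ip, ttl=0):
    """Answer an A/IN query with login_ip; other types get an empty NOERROR reply.
    TTL 0 so the client re-resolves the real address once it has logged in."""
    q = parse_query(query)
    answer, ancount = b"", 0
    if q["qtype"] == 1 and q["qclass"] == 1:
        rdata = bytes(int(octet) for octet in login_ip.split("."))
        # 0xC00C = pointer to the name at offset 12, then TYPE A, CLASS IN, TTL, RDLENGTH
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
        ancount = 1
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, ancount, 0, 0)  # QR, RD, RA set
    return header + q["question"] + answer


def handle_query(packet, src_ip, authenticated_ips, login_ip):
    """Gateway decision: ('forward', packet) for logged-in clients, else ('respond', reply)."""
    if src_ip in authenticated_ips:
        return "forward", packet
    return "respond", build_redirect_response(packet, login_ip)


def answer_ips(response):
    """Extract the IPv4 addresses from the answer section of one of our own responses."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    _, offset = decode_name(response, 12)
    offset += 4                                   # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        offset += 2                               # compressed owner-name pointer
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[offset:offset + 4]))
        offset += rdlen
    return ips


def serve(bind_ip="0.0.0.0"):
    """Listen on UDP/53 (needs admin rights); one query at a time for simplicity."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, 53))
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        packet, client = sock.recvfrom(512)
        try:
            action, data = handle_query(packet, client[0], AUTHENTICATED_IPS, LOGIN_SERVER_IP)
        except ValueError:
            continue                              # malformed query: drop it
        if action == "forward":
            upstream.sendto(data, UPSTREAM_DNS)   # pass it to the ISP resolver unchanged
            data, _ = upstream.recvfrom(512)
        sock.sendto(data, client)
```

Only A/IN queries get the login server's address; other types (AAAA, for instance) receive an empty NOERROR answer so the client falls back to an A lookup rather than a lookup failure. The answer carries TTL 0 so nothing is cached past the login, which is the reason for building the reply per query rather than replaying a captured one. Any client that already has a cached answer or connects to a literal IP is not touched by this at all, which is why the per-user firewall rules mentioned in the question remain necessary alongside the DNS redirect.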

Author Comment by Barry Jones (LVL 12)

OK I have installed DNS Redirector - works great - thanks!  All clients now get redirected to my ASP page.

I still have to work out how my web app then redirects to the appropriate URL.  I will examine the ASP request object and see what that holds, hopefully the originally requested URL.

Q.  What about other types of traffic?  Take MSN for example.  It will make a DNS request and then get forwarded to the web server.  I am assuming that the protocol used is not HTTP so what would my web server do with it?

Still some loose ends to tie up here, but thanks for your help getting me this far justchat_1...

I'm happy to give you the points, but for now I would like to keep the question open so that it will contain the final solution.

TheFoot

Expert Comment by justchat_1 (LVL 9)

Yes it uses MSNP - a unique protocol that I have done a lot of work with in the past:

But the protocol doesn't matter - it needs to connect to the MSN login server first - and in order to do that... it needs to send a DNS request to find the server's IP

All other programs have the same issue - they rely on a DNS lookup because IPs can change

Author Comment by Barry Jones (LVL 12)

OK - so that's good - it means that my app doesn't have to integrate so much with the firewall, as complete TCP and UDP access can be enabled or disabled with the DNS, yes?

I am not so sure how I handle the DNS side of things from my ASP app though - I will start looking into this later.  If you have any pointers at all or can point me to some good ASP/VB/IIS docs that help me to understand it...

Thanks, TheFoot

Accepted Solution by justchat_1 (LVL 9), earned 500 total points

I'm not really an ASP person but I do know you can enable TCP and UDP to freely flow through your router as long as port 53 is forwarded to the gateway...

Take a look at this to answer your questions:
http://www.dnsredirector.com/readme/

It includes a link to a demo welcome page that you should be able to figure out

Author Comment by Barry Jones (LVL 12)

OK - sorry I had the readme file, but didn't get as far as the demo pages.. :)  Thanks..

Expert Comment by justchat_1 (LVL 9)

As stated above I got the points but was leaving the question open:
"I'm happy to give you the points, but for now I would like to keep the question open so that it will contain the final solution."

Author Comment by Barry Jones (LVL 12)

OK ok..  I will give the points to justchat_1.

Basically the DNS Redirector software is what I need to redirect all gateway traffic.  Although this project has been delayed and is not completed, I am pretty certain that I can do what I need to with this software.  I may add programmatic firewall control for extra security using Tiny's Personal Firewall.

Thanks justchat_1 for your help..

TheFoot

Expert Comment by justchat_1 (LVL 9)

thanks for the points...and if you need more help with this issue feel free to post