In this article I want to explore transparent proxying, which lets you route all or part of your traffic through an external proxy server without the clients noticing.
When I started working on this problem, I found that the implementation had one significant problem: the HTTPS protocol. Transparent proxying of plain HTTP never caused any particular trouble, but with transparent HTTPS proxying the browser reports a protocol error and that is where the fun ends.
The common guides for the Squid proxy server even suggest creating your own certificate and installing it on the clients, which is at the very least useless and irrational, and looks like a MITM attack. I know that Squid can already do something similar, but this article is about how to set it up using 3proxy by the respected 3APA3A.
Below we will go through in detail: building 3proxy from source, configuring it, full and selective proxying using NAT, spreading the channel across several external proxy servers, and using a router with static routes. Debian 9 x64 is used as the OS. Let's go!
Installing 3proxy and running a regular proxy server
1. Install ifconfig (from the net-tools package)
apt-get install net-tools
2. Install Midnight Commander
apt-get install mc
3. We now have two interfaces:
enp0s3 - external, facing the Internet
enp0s8 - internal, should face the local network
In other Debian-based distributions the interfaces are usually called eth0 and eth1.
ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.23.11 netmask 255.255.255.0 broadcast 192.168.23.255
inet6 fe80::a00:27ff:fec2:bae4 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:c2:ba:e4 txqueuelen 1000 (Ethernet)
RX packets 6412 bytes 8676619 (8.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1726 bytes 289128 (282.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp0s8: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 08:00:27:79:a7:e3 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The enp0s8 interface is not in use yet; we will bring it up when we want to use the Proxy NAT or NAT configuration, and at that point it makes sense to assign it a static IP.
4. Let's start installing 3proxy
4.1. Install the basic packages needed to compile 3proxy from source
root@debian9:~# apt-get install build-essential libevent-dev libssl-dev -y
4.2. Create a folder for downloading the source archive
root@debian9:~# mkdir -p /opt/proxy
4.3. Go to this folder
root@debian9:~# cd /opt/proxy
4.4. Now download the latest 3proxy package. At the time of writing, the latest stable version was 0.8.12 (18/04/2018). Download it from the official 3proxy website
root@debian9:/opt/proxy# wget https://github.com/z3APA3A/3proxy/archive/0.8.12.tar.gz
4.5. Unpack the downloaded archive
root@debian9:/opt/proxy# tar zxvf 0.8.12.tar.gz
4.6. Go into the unpacked directory to build the program
root@debian9:/opt/proxy# cd 3proxy-0.8.12
4.7. Next we need to add a line to the header file so that our server is completely anonymous (it really works, everything has been checked, the client IP is hidden)
root@debian9:/opt/proxy/3proxy-0.8.12# nano +29 src/proxy.h
Add the line
#define ANONYMOUS 1
Press Ctrl + X and Enter to save the changes.
4.8. Now let's build the program
root@debian9:/opt/proxy/3proxy-0.8.12# make -f Makefile.Linux
Last lines of the make log:
make[2]: Leaving directory '/opt/proxy/3proxy-0.8.12/src/plugins/TransparentPlugin'
make[1]: Leaving directory '/opt/proxy/3proxy-0.8.12/src'
No errors, let's continue.
4.9. Install the program into the system
root@debian9:/opt/proxy/3proxy-0.8.12# make -f Makefile.Linux install
4.10. Go to the home directory and check where the program was installed
root@debian9:/opt/proxy/3proxy-0.8.12# cd ~/
root@debian9:~# whereis 3proxy
3proxy: /usr/local/bin/3proxy /usr/local/etc/3proxy
4.11. Create folders for the configuration file and the logs in the user's home directory
root@debian9:~# mkdir -p /home/joke/proxy/logs
4.12. Go to the directory where the configuration should live
root@debian9:~# cd /home/joke/proxy/
4.13. Create an empty file and paste the configuration into it
root@debian9:/home/joke/proxy# cat > 3proxy.conf
3proxy.conf:
daemon
pidfile /home/joke/proxy/3proxy.pid
nserver 8.8.8.8
nscache 65536
users tester:CL:1234
timeouts 1 5 30 60 180 1800 16 60
log /home/joke/proxy/logs/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 3
auth strong
flush
allow tester
socks -p3128
proxy -p8080
To save, press Ctrl + Z
4.14. Create the pid file so that there is no error on startup.
root@debian9:/home/joke/proxy# cat > 3proxy.pid
To save, press Ctrl + Z
4.15. Start the proxy server!
root@debian9:/home/joke/proxy# 3proxy /home/joke/proxy/3proxy.conf
4.16. Let's check which ports the server is listening on
root@debian9:~/home/joke/proxy# netstat -nlp
netstat log:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 504/3proxy
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 338/sshd
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 504/3proxy
tcp6 0 0 :::22 :::* LISTEN 338/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 352/dhclient
As set in the config, our web proxy listens on port 8080 and the Socks5 proxy on port 3128.
4.17. To start the proxy service automatically after a reboot, add it to cron.
root@debian9:/home/joke/proxy# crontab -e
Add the line
@reboot /usr/local/bin/3proxy /home/joke/proxy/3proxy.conf
Press Enter, because cron needs to see the end-of-line character, then save the file.
A message about installing the new crontab should appear.
crontab: installing new crontab
4.18. Reboot the system and try connecting to the proxy from a browser. For the check we use the Firefox browser (for the web proxy) and the FoxyProxy add-on for socks5 with authentication.
root@debian9:/home/joke/proxy# reboot
4.19. After verifying that the proxy works after the reboot, you can look at the log. This completes the setup of the proxy server.
3proxy log:
1542573996.018 PROXY.8080 00000 tester 192.168.23.10:50915 217.12.15.54:443 1193 6939 0 CONNECT_ads.yahoo.com:443_HTTP
1542574289.634 SOCK5.3128 00000 tester 192.168.23.10:51193 54.192.13.69:443 0 0 0 CONNECT_normandy.cdn.mozilla.net:443
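Reading the log by eye is fine for two lines, but once the proxy is in daily use you want to know who is sending how much through it and which connections failed. The following Python script is an added example, not code from the article or from 3proxy: it parses lines written with the article's logformat ("- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"), sums bytes per user and lists every entry whose error code is not 00000. The field order follows that format string; reading %O/%I as bytes out/in is 3proxy's convention. The sample log is constructed from the two lines shown above plus one invented failed request.

```python
# Added example (not from the article): parse 3proxy log lines written with the
# article's logformat and summarise them per user, flagging non-zero error codes.
import re
from collections import defaultdict

# One named group per field in "%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T".
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"                       # %t.%.  unix time with ms
    r"(?P<service>[A-Z0-9]+)\.(?P<port>\d+)\s+"   # %N.%p  service and port
    r"(?P<error>\d{5})\s+"                        # %E     error code
    r"(?P<user>\S+)\s+"                           # %U     user name
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+)\s+"   # %C:%c
    r"(?P<remote_ip>[\d.]+):(?P<remote_port>\d+)\s+"   # %R:%r
    r"(?P<bytes_out>\d+)\s+(?P<bytes_in>\d+)\s+(?P<hops>\d+)\s+"  # %O %I %h
    r"(?P<request>.*)$"                           # %T     request text
)

# Constructed sample: the two lines from the article plus one invented line
# with a non-zero error code and no authenticated user.
SAMPLE_LOG = """\
1542573996.018 PROXY.8080 00000 tester 192.168.23.10:50915 217.12.15.54:443 1193 6939 0 CONNECT_ads.yahoo.com:443_HTTP
1542574289.634 SOCK5.3128 00000 tester 192.168.23.10:51193 54.192.13.69:443 0 0 0 CONNECT_normandy.cdn.mozilla.net:443
1542574301.100 PROXY.8080 00005 - 192.168.23.77:40001 0.0.0.0:0 0 0 0 GET_http://example.org/_HTTP/1.1
"""


def parse_line(line):
    """Return a dict of typed fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "client_port", "remote_port", "bytes_out", "bytes_in", "hops"):
        rec[key] = int(rec[key])
    rec["ts"] = float(rec["ts"])
    return rec


def summarise(log_text):
    """Aggregate connection count and bytes per user; collect failed entries."""
    per_user = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "bytes_in": 0})
    errors = []
    unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1          # count, do not silently drop, odd lines
            continue
        stats = per_user[rec["user"]]
        stats["connections"] += 1
        stats["bytes_out"] += rec["bytes_out"]
        stats["bytes_in"] += rec["bytes_in"]
        if rec["error"] != "00000":
            errors.append(rec)
    return {"per_user": dict(per_user), "errors": errors, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for user, stats in report["per_user"].items():
        print(f"{user}: {stats}")
    for rec in report["errors"]:
        print(f"error {rec['error']} from {rec['client_ip']} "
              f"via {rec['service']}.{rec['port']}: {rec['request']}")
```

Run it against the real file with `summarise(open('/home/joke/proxy/logs/3proxy.log').read())`; the `unparsed` counter tells you immediately if the logformat in the config and the regex have drifted apart.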
Setting up and running the Transparent Proxy NAT configuration
In this configuration, all devices on the internal network go out to the Internet transparently through a remote proxy server. Specifically, all TCP connections are redirected to one or more proxy servers (several, to expand channel bandwidth; see configuration example No. 2!). The DNS service uses 3proxy's built-in capability (dnspr). UDP does not "go out", because we are not using the forwarding mechanism yet (it is disabled by default in the Linux kernel).
1. Time to enable the enp0s8 interface
root@debian9:~# nano /etc/network/interfaces
/etc/network/interfaces file:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet dhcp
# The secondary network interface
allow-hotplug enp0s8
iface enp0s8 inet static
address 192.168.201.254
netmask 255.255.255.0
Here we give the enp0s8 interface the static address 192.168.201.254 and netmask 255.255.255.0
Save the configuration with Ctrl + X and reboot
root@debian9:~# reboot
2. Check the interfaces
root@debian9:~# ifconfig
ifconfig log:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.23.11 netmask 255.255.255.0 broadcast 192.168.23.255
inet6 fe80::a00:27ff:fec2:bae4 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:c2:ba:e4 txqueuelen 1000 (Ethernet)
RX packets 61 bytes 7873 (7.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 65 bytes 10917 (10.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.201.254 netmask 255.255.255.0 broadcast 192.168.201.255
inet6 fe80::a00:27ff:fe79:a7e3 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:79:a7:e3 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
3. Everything is ready; now 3proxy needs to be configured for transparent proxying.
root@debian9:~# cd /home/joke/proxy/
root@debian9:/home/joke/proxy# cat > 3proxytransp.conf
Transparent proxy server configuration example No. 1:
daemon
pidfile /home/joke/proxy/3proxy.pid
nserver 8.8.8.8
nscache 65536
timeouts 1 5 30 60 180 1800 16 60
log /home/joke/proxy/logs/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 3
flush
auth iponly
dnspr
allow *
parent 1000 socks5 EXTERNAL_PROXY_IP_ADDRESS 3128 tester 1234
plugin /opt/proxy/3proxy-0.8.12/src/TransparentPlugin.ld.so transparent_plugin
tcppm -i0.0.0.0 888 127.0.0.1 11111
4. Now start 3proxy with the new config
root@debian9:/home/joke/proxy# /usr/local/bin/3proxy /home/joke/proxy/3proxytransp.conf
5. Add it to crontab again
root@debian9:/home/joke/proxy# crontab -e
@reboot /usr/local/bin/3proxy /home/joke/proxy/3proxytransp.conf
6. Let's see what our proxy listens on now
root@debian9:~# netstat -nlp
netstat log:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 349/sshd
tcp 0 0 0.0.0.0:888 0.0.0.0:* LISTEN 354/3proxy
tcp6 0 0 :::22 :::* LISTEN 349/sshd
udp 0 0 0.0.0.0:53 0.0.0.0:* 354/3proxy
udp 0 0 0.0.0.0:68 0.0.0.0:* 367/dhclient
7. Now the proxy is ready to accept any TCP connection on port 888 and DNS on port 53, and to forward them to the remote socks5 proxy and Google DNS 8.8.8.8. All that is left is to configure netfilter (iptables) and DHCP to hand out addresses.
8. Install the iptables-persistent and dhcpd packages
root@debian9:~# apt-get install iptables-persistent isc-dhcp-server
9. Edit the dhcpd configuration file
root@debian9:~# nano /etc/dhcp/dhcpd.conf
dhcpd.conf:
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# A slightly different configuration for an internal subnet.
subnet 192.168.201.0 netmask 255.255.255.0 {
range 192.168.201.10 192.168.201.250;
option domain-name-servers 192.168.201.254;
option routers 192.168.201.254;
option broadcast-address 192.168.201.255;
default-lease-time 600;
max-lease-time 7200;
}
11. Reboot and check the service on port 67
root@debian9:~# reboot
root@debian9:~# netstat -nlp
netstat log:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 389/sshd
tcp 0 0 0.0.0.0:888 0.0.0.0:* LISTEN 310/3proxy
tcp6 0 0 :::22 :::* LISTEN 389/sshd
udp 0 0 0.0.0.0:20364 0.0.0.0:* 393/dhcpd
udp 0 0 0.0.0.0:53 0.0.0.0:* 310/3proxy
udp 0 0 0.0.0.0:67 0.0.0.0:* 393/dhcpd
udp 0 0 0.0.0.0:68 0.0.0.0:* 405/dhclient
udp6 0 0 :::31728 :::* 393/dhcpd
raw 0 0 0.0.0.0:1 0.0.0.0:* 393/dhcpd
12. What remains is to redirect all tcp requests to port 888 and save the iptables rules
root@debian9:~# iptables -t nat -A PREROUTING -s 192.168.201.0/24 -p tcp -j REDIRECT --to-ports 888
root@debian9:~# iptables-save > /etc/iptables/rules.v4
13. To expand channel bandwidth, you can use several proxy servers simultaneously. The weights must add up to 1000. New connections are assigned to the specified proxy servers with probabilities 0.2, 0.2, 0.2, 0.2, 0.1, 0.1.
Note: if we have a web proxy, then instead of socks5 we write connect; if socks4, then socks4 (socks4 does NOT support login/password authorization!)
Transparent proxy server configuration example No. 2:
daemon
pidfile /home/joke/proxy/3proxy.pid
nserver 8.8.8.8
nscache 65536
maxconn 500
timeouts 1 5 30 60 180 1800 16 60
log /home/joke/proxy/logs/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 3
flush
auth iponly
dnspr
allow *
parent 200 socks5 IP_ADDRESS_EXTERNAL_PROXY#1 3128 tester 1234
parent 200 socks5 IP_ADDRESS_EXTERNAL_PROXY#2 3128 tester 1234
parent 200 socks5 IP_ADDRESS_EXTERNAL_PROXY#3 3128 tester 1234
parent 200 socks5 IP_ADDRESS_EXTERNAL_PROXY#4 3128 tester 1234
parent 100 socks5 IP_ADDRESS_EXTERNAL_PROXY#5 3128 tester 1234
parent 100 socks5 IP_ADDRESS_EXTERNAL_PROXY#6 3128 tester 1234
plugin /opt/proxy/3proxy-0.8.12/src/TransparentPlugin.ld.so transparent_plugin
tcppm -i0.0.0.0 888 127.0.0.1 11111
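A wrong weight sum or a socks4 parent with credentials is easy to miss when editing the parent lines by hand. As an added example (not from the article and not 3proxy's own code), the following Python script checks a parent list against the two rules stated in step 13, reports each parent's share of new connections, and renders the parent lines. The PROXY1_IP .. PROXY6_IP hosts are placeholders for the real external proxy addresses; everything else mirrors configuration No. 2.

```python
# Added example (not from the article): validate a set of 3proxy "parent"
# entries before writing them to the config (weights must sum to 1000, socks4
# carries no login/password) and compute each parent's share of connections.

# Parent types named in the article: socks5, socks4 and connect (web proxy).
PARENT_TYPES = ("socks5", "socks4", "connect")


def validate_parents(parents):
    """Return a list of problems (empty when the set is valid).

    Each parent is a tuple (weight, type, host, port, user, password);
    user and password are None when the parent needs no authentication."""
    if not parents:
        return ["no parent proxies defined"]
    problems = []
    total = 0
    for weight, ptype, host, port, user, password in parents:
        if ptype not in PARENT_TYPES:
            problems.append(f"{host}: unknown parent type {ptype!r}")
        if not 0 < weight <= 1000:
            problems.append(f"{host}: weight {weight} must be between 1 and 1000")
        if not 1 <= port <= 65535:
            problems.append(f"{host}: invalid port {port}")
        if ptype == "socks4" and (user or password):
            problems.append(f"{host}: socks4 does not support login/password")
        if (user is None) != (password is None):
            problems.append(f"{host}: user and password must be given together")
        total += weight
    if total != 1000:
        problems.append(f"weights sum to {total}, must be exactly 1000")
    return problems


def connection_shares(parents):
    """Map each parent host to the fraction of new connections it receives."""
    return {host: weight / 1000 for weight, _t, host, _p, _u, _pw in parents}


def parent_lines(parents):
    """Render the parents as 3proxy config lines; raise ValueError if invalid."""
    problems = validate_parents(parents)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for weight, ptype, host, port, user, password in parents:
        line = f"parent {weight} {ptype} {host} {port}"
        if user is not None:
            line += f" {user} {password}"
        lines.append(line)
    return lines


# Constructed set mirroring configuration No. 2; PROXY1_IP .. PROXY6_IP are
# placeholders for the real external proxy addresses.
EXAMPLE_PARENTS = [
    (200, "socks5", "PROXY1_IP", 3128, "tester", "1234"),
    (200, "socks5", "PROXY2_IP", 3128, "tester", "1234"),
    (200, "socks5", "PROXY3_IP", 3128, "tester", "1234"),
    (200, "socks5", "PROXY4_IP", 3128, "tester", "1234"),
    (100, "socks5", "PROXY5_IP", 3128, "tester", "1234"),
    (100, "socks5", "PROXY6_IP", 3128, "tester", "1234"),
]

if __name__ == "__main__":
    print("\n".join(parent_lines(EXAMPLE_PARENTS)))
    print(connection_shares(EXAMPLE_PARENTS))
```

Paste the output of `parent_lines` in place of the six parent lines in the config; an invalid set raises with every problem listed at once rather than failing on the first one.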
Setting up and running the NAT + Transparent Proxy configuration
In this configuration we use the usual NAT mechanism together with selective or full transparent proxying of individual addresses or subnets. Users of the internal network work with specific services/subnets without knowing that they are going through a proxy. All https connections work perfectly; no certificates need to be created or substituted.
First, decide which subnets/services we want to proxy. Let's assume the external proxy is located where a service such as pandora.com is available. What remains is to determine the subnets/addresses.
1. Ping
root@debian9:~# ping pandora.com
PING pandora.com (208.85.40.20) 56(84) bytes of data.
2. Type "BGP 208.85.40.20" into Google
Go to the site
We can see that the subnet we are looking for belongs to AS40428 Pandora Media, Inc
Open the v4 prefixes
Below are the subnets we need!
199.116.161.0/24
199.116.162.0/24
199.116.164.0/23
199.116.164.0/24
199.116.165.0/24
208.85.40.0/24
208.85.41.0/24
208.85.42.0/23
208.85.42.0/24
208.85.43.0/24
208.85.44.0/24
208.85.46.0/23
208.85.46.0/24
208.85.47.0/24
3. To reduce the number of subnets, they need to be aggregated. Go to the site
199.116.161.0/24
199.116.162.0/24
199.116.164.0/23
208.85.40.0/22
208.85.44.0/24
208.85.46.0/23
4. Clear the iptables rules
root@debian9:~# iptables -F
root@debian9:~# iptables -X
root@debian9:~# iptables -t nat -F
root@debian9:~# iptables -t nat -X
Enable forwarding and NAT
root@debian9:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@debian9:~# iptables -A FORWARD -i enp0s3 -o enp0s8 -j ACCEPT
root@debian9:~# iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
root@debian9:~# iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.201.0/24 -j MASQUERADE
To make sure forwarding stays enabled after a reboot, edit the file
root@debian9:~# nano /etc/sysctl.conf
And uncomment the line
net.ipv4.ip_forward = 1
Ctrl + X to save the file
5. Wrap the pandora.com subnets into the proxy
root@debian9:~# iptables -t nat -A PREROUTING -s 192.168.201.0/24 -d 199.116.161.0/24,199.116.162.0/24,199.116.164.0/23,208.85.40.0/22,208.85.44.0/24,208.85.46.0/23 -p tcp -j REDIRECT --to-ports 888
6. Save the rules
root@debian9:~# iptables-save > /etc/iptables/rules.v4
Setting up and running a Transparent Proxy via router configuration
In this configuration the transparent proxy server can be a separate PC or a virtual machine behind a home/corporate router. It is enough to add static routes on the router or on the device, and the whole subnet will use the proxy with no additional settings needed.
IMPORTANT! Our gateway must receive a static IP from the router, or be configured with a static one itself.
1. Configure the static gateway address (adapter enp0s3)
root@debian9:~# nano /etc/network/interfaces
/etc/network/interfaces file:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet static
address 192.168.23.2
netmask 255.255.255.0
gateway 192.168.23.254
# The secondary network interface
allow-hotplug enp0s8
iface enp0s8 inet static
address 192.168.201.254
netmask 255.255.255.0
2. Allow devices from the 192.168.23.0/24 subnet to use the proxy
root@debian9:~# iptables -t nat -A PREROUTING -s 192.168.23.0/24 -d 199.116.161.0/24,199.116.162.0/24,199.116.164.0/23,208.85.40.0/22,208.85.44.0/24,208.85.46.0/23 -p tcp -j REDIRECT --to-ports 888
3. Save the rules
root@debian9:~# iptables-save > /etc/iptables/rules.v4
4. Add the subnets on the router
Router route list:
199.116.161.0 255.255.255.0 192.168.23.2
199.116.162.0 255.255.255.0 192.168.23.2
199.116.164.0 255.255.254.0 192.168.23.2
208.85.40.0 255.255.252.0 192.168.23.2
208.85.44.0 255.255.255.0 192.168.23.2
208.85.46.0 255.255.254.0 192.168.23.2
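The prefix aggregation in step 3 of the NAT + Transparent Proxy section, the PREROUTING REDIRECT rule, and the router route list above are all derived from one list of prefixes, and every time the AS announcement changes they must be regenerated consistently. As an added example (not from the article, and not 3proxy's or the author's code), the following Python script does the aggregation with the standard library's ipaddress module instead of a web service, renders the iptables rule and the router's "network netmask gateway" lines from the result, and checks that an address is actually covered before the rule is deployed. The 14 input prefixes are the ones published for AS40428 in the article; port 888, gateway 192.168.23.2 and the source subnets are the article's values.

```python
# Added example (not from the article): aggregate the AS40428 prefixes listed
# in the article with the standard library, then derive the iptables REDIRECT
# rule and the router static-route lines from the aggregated list.
import ipaddress

# The 14 prefixes exactly as listed in the article (input to the aggregation).
RAW_PREFIXES = """
199.116.161.0/24
199.116.162.0/24
199.116.164.0/23
199.116.164.0/24
199.116.165.0/24
208.85.40.0/24
208.85.41.0/24
208.85.42.0/23
208.85.42.0/24
208.85.43.0/24
208.85.44.0/24
208.85.46.0/23
208.85.46.0/24
208.85.47.0/24
"""


def aggregate(prefixes):
    """Collapse overlapping and adjacent IPv4 prefixes into the minimal list.

    Accepts an iterable of 'a.b.c.d/len' strings (blank lines ignored) and
    returns sorted strings; for the article's input this is the six subnets
    shown in step 3."""
    nets = [ipaddress.ip_network(p.strip()) for p in prefixes if p.strip()]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def redirect_rule(src, prefixes, port):
    """Render the PREROUTING REDIRECT rule used in the article for these prefixes.

    iptables accepts a comma-separated -d list and installs one rule per entry."""
    return (f"iptables -t nat -A PREROUTING -s {src} -d {','.join(prefixes)} "
            f"-p tcp -j REDIRECT --to-ports {port}")


def static_routes(prefixes, gateway):
    """Render 'network netmask gateway' lines for the router's static route table."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f"{net.network_address} {net.netmask} {gateway}")
    return lines


def covers(prefixes, ip):
    """True if ip falls inside one of the prefixes (sanity check before deploying)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    agg = aggregate(RAW_PREFIXES.splitlines())
    print("\n".join(agg))
    print(redirect_rule("192.168.201.0/24", agg, 888))
    print("\n".join(static_routes(agg, "192.168.23.2")))
    print("208.85.40.20 covered:", covers(agg, "208.85.40.20"))
```

The `covers` check uses the address that `ping pandora.com` resolved to; if it ever returns False after a refresh of the prefix list, the REDIRECT rule would silently let that service bypass the proxy.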
Materials / sources used
1. Official website of the 3proxy program
2. Guide to installing 3proxy from source
3. 3proxy development branch on GitHub
Source: www.habr.com