I recently bought a new D-Link ADSL modem/router (DSL-2740B) in the hope of getting WOL working over the internet. The day after the really fast installation I found an unknown MAC address in the wifi connection log. I thought it could be an unsuccessful attempt to get into my LAN, but after raising the log level to debug, the next day I found the same MAC address successfully connecting to my wifi. OK, I know my wifi password isn’t really secure, but I thought my neighbours wouldn’t be able to hack it, nor would they have time to spend on such things. Anyway, how did he manage it? I want to know, but first I have to find out who he is, and the best way is to take a look at the pages he is looking at. How to do it without letting him know? Very simple: a transparent proxy.
Transparent Squid3 proxy
In the past I installed transparent proxies without problems, but everything was on the same machine (iptables, router, proxy). Now what I have is my HTPC based on Ubuntu 13.04 and a D-Link router. Installing a transparent proxy based on Squid is very simple:
sudo apt-get install squid
Now edit your configuration file
sudo nano /etc/squid3/squid.conf
Apply the following changes:
http_port 3128 transparent
acl localnet src 192.168.1.0/24
http_access allow localnet
This should be enough; remember to use your own network’s IPs. Then restart Squid:
sudo service squid3 stop ;sudo service squid3 start
Router configuration
Now this is the part which made me really happy about buying the new modem. If you only look at the web interface you will never get things working, as it is too limited. But… if you connect to the router with telnet you have the power of a full Linux environment. After running some commands I thought it would be possible to route incoming HTTP connections to the proxy and route the answers back to the client. Perhaps this could work with other modems too; just try the command:
iptables -L -t nat
If you see output, you can use your modem to route requests to your external proxy server. Run these lines:
iptables -t nat -I PREROUTING 1 -s 192.168.1.3 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
iptables -t nat -I POSTROUTING 1 -s 192.168.1.3 -d 192.168.1.2 -j SNAT --to 192.168.1.1
iptables -I FORWARD 1 -s 192.168.1.3 -d 192.168.1.2 -p tcp --dport 3128 -j ACCEPT
If you want to remove the routing rules just run the following commands:
iptables -t nat -D PREROUTING -s 192.168.1.3 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
iptables -t nat -D POSTROUTING -s 192.168.1.3 -d 192.168.1.2 -j SNAT --to 192.168.1.1
iptables -D FORWARD -s 192.168.1.3 -d 192.168.1.2 -p tcp --dport 3128 -j ACCEPT
Be sure to do the following things correctly to make everything work:
- Don’t use the -A (append) option; use -I $CHAIN 1 (insert at position one) instead, so you can be sure your rules are evaluated before the router’s own rules
- Use the router’s DHCP to ensure your intruder gets the IP you used in the router’s configuration
- Be very careful when playing with iptables rules, bad things could happen 🙂
After some more tries it seems that the only necessary rule is the first one:
iptables -t nat -I PREROUTING 1 -s 192.168.1.3 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
Using the second rule makes all requests arriving at the proxy appear to come from the router itself instead of the remote machine.
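To read what the redirected client requested, the proxy's access log can be summarised per client address. The script below is an added example, not part of the original post; it assumes Squid's default native log format (on this setup normally /var/log/squid3/access.log), and the sample lines are constructed.

```python
"""Summarise a Squid native-format access.log per client address."""
import sys
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default native log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
# The 192.168.1.1 entry shows how a request is logged when the SNAT rule is
# active: the router's address replaces the real client's address.
SAMPLE_LOG = """\
1372665601.120    210 192.168.1.3 TCP_MISS/200 5312 GET http://news.example.com/ - DIRECT/203.0.113.10 text/html
1372665602.480     95 192.168.1.3 TCP_MISS/200 1840 GET http://news.example.com/style.css - DIRECT/203.0.113.10 text/css
1372665610.007    330 192.168.1.3 TCP_MISS/302 412 GET http://mail.example.org/login - DIRECT/198.51.100.7 text/html
1372665700.900    120 192.168.1.1 TCP_MISS/200 2048 GET http://forum.example.net/index.php - DIRECT/192.0.2.44 text/html
this line is truncated
"""


def hosts_by_client(lines):
    """Return {client_ip: Counter({host: request_count})}, skipping bad lines."""
    seen = defaultdict(Counter)
    for line in lines:
        fields = line.split()
        if len(fields) < 7:          # truncated or non-native-format line
            continue
        client, url = fields[2], fields[6]
        # Intercepted HTTP is logged as an absolute URL; CONNECT as host:port.
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        if host:
            seen[client][host] += 1
    return seen


def report(lines, client):
    """Hosts requested by one client, most frequent first."""
    return hosts_by_client(lines)[client].most_common()


if __name__ == "__main__":
    # Usage: script.py [access.log] [client-ip]; defaults to the sample above.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    client = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.3"
    for host, count in report(source, client):
        print(f"{count:6d}  {host}")
```

If the report for 192.168.1.3 is empty while 192.168.1.1 has entries, the POSTROUTING SNAT rule is still in place on the router.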