Docker redsocks proxy behind HTTP proxy with no internet DNS - proxy

Network Environment
No internet DNS available
Corporate squid proxy allowing HTTP and HTTPS traffic on port 3128
Docker Environment
Docker is running on an Ubuntu 15.04 guest inside VirtualBox on OS X.
A container docker-forgetproxy (https://github.com/k-labs/docker-forgetproxy) which is running redsocks on top of the host's network infrastructure, run with:
$ docker run -it --rm --net=host --privileged \
-e http_proxy=$http_proxy \
-e https_proxy=$https_proxy \
klabs/docker-forgetproxy
This modifies the host's iptables rules by issuing the following commands where $1 is set to A:
iptables -t nat -$1 PREROUTING -i docker0 -d 127.0.0.0/8 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 169.254.0.0/16 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 172.16.0.0/12 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 192.168.0.0/16 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 224.0.0.0/4 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 240.0.0.0/4 -j RETURN
iptables -t nat -$1 PREROUTING -p tcp --dport 80 -i docker0 -j REDIRECT --to 12345 2>/dev/null
iptables -t nat -$1 PREROUTING -p tcp --dport 8080 -i docker0 -j REDIRECT --to 12345 2>/dev/null
iptables -t nat -$1 PREROUTING -p tcp --dport 53 -i docker0 -j REDIRECT --to 5300
iptables -t nat -$1 PREROUTING -p tcp -i docker0 -j REDIRECT --to 12346
and launches redsocks is launched with the
base {
log_debug = off;
log_info = on;
log = "stderr";
daemon = off;
user = redsocks;
group = redsocks;
redirector = iptables;
}
redsocks {
type = http-relay;
ip = http://my-proxy;
port = 3128;
local_ip = 0.0.0.0;
local_port = 12345;
}
redsocks {
type = http-connect;
ip = http://my-proxy;
port = 3128;
local_ip = 0.0.0.0;
local_port = 12346;
}
dnstc {
local_ip = 127.0.0.1;
local_port = 5300;
}
Problem
When I launch a new docker container with docker run -it --rm ubuntu apt-get update it seems the container's requests aren't getting rerouted to the redsocks container.
Watching the packets on wireshark it appears the DNS resolution for archive.ubuntu.com from the apt-get container tries to go to my domain DNS server (which can't perform internet look ups) if I set the DNS server to that of the docker0 iface it seems it gets captured by the 172.16.0.0/12 iptables rule since today it was 172.17.42.1


This applies to a Ubuntu Xenial host.
On your host, under Connection Information, get your current DNS addresses; in my case, 172.21.17.212 and 172.21.17.210.
Under /etc/default/docker, add the DNS addresses on DOCKER_OPTS:
DOCKER_OPTS="--dns 172.21.17.212 --dns 172.21.17.210"
Create /etc/systemd/system/docker.service.d/ubuntu.conf, with the following:
[Service]
EnvironmentFile=/etc/default/docker
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS
Then:
sudo systemctl daemon-reload
sudo systemctl restart docker

Related

redirection from port 443 to 8443 not working from external for standalone tomcat

I have a ec2 instance with centos and a tomcat server running on it on port 8080.
My security group has an open port for HTTPS (443)
For the redirection I've added the following iptables rules:
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8443 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8443
Now i can connect from my instance to port 443 and get redirected to port 8443.
https://localhost
https://54.247.86.18 (elastic ip)
But from external this doesn't work. If I connect to https://54.247.86.18 from browser I get an no server found error.
Any ideas how to resolve it?

How to whitelist IP addresses on Amazon Lightsail

I used Amazon Lightsail to deploy a wordpress site and it worked like a charm. Now I have the need to restrict the IP addresses that can access on port 80 to the ones associated to the Firewall from SiteLock, and I am looking for the best and cleanest solution.
It looks like in Lightsail simplified version of the world, I can only open a port for public access, or close it.
My only idea now is logging in via SSH and use iptables, but I wanted to understand if that's the only way I can do this, or there is something "smarter".

This is what I came out with, that actually works, but uses iptables which I am not sure is the best option, so the question is still open to get a better solution.
Since SiteLock website says these IP ranges are to be allowed in:
SiteLock Firewall IP Ranges
199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
2a02:e980::/29
I created a script to allow them all, and then close all the rest with an explicit DROP rule
sudo iptables -A INPUT -p tcp -s 199.83.128.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 198.143.32.0/19 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 149.126.72.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 103.28.248.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 45.64.64.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 185.11.124.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 192.230.64.0/18 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 107.154.0.0/16 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 2a02:e980::/29 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP

now, IPs can be whitelisted from AWS console itself. Go to your Lightsail instance in console, then networking. there you can choose ports to open, and to whitelist IP, check Restrict to IP. then enter whielisted IP or range and save.
reference: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-editing-firewall-rules

How do I make a Bash script run a command in the background in another Terminal window?

I'm new to bash script and I need to make a script that runs the following commands:
service apache2 start
airmon-ng start wlan0
airbase-ng -e FREEINTERNET -c 1 -P wlan0mon
ifconfig at0 192.168.1.129 netmask 255.255.255.128
route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.4:80
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 80
iptables -t nat -A POSTROUTING -j MASQUERADE
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
service isc-dhcp-server start
My big doubt is how to make the script open the airbase-ng -e FREEINTERNET -c 1 -P wlan0mon command in a different terminal and keep executing both airbase and the remaining commands. I’m using Kali 64-bit with GNOME.

You can run something in the background by suffixing it with &. If you want to run something in a new GNOME Terminal window, you can do so with gnome-terminal -e. Putting those together, to run your airbase-ng command in a new GNOME Terminal window while letting the rest of your script continue to run:
# …
airmon-ng start wlan0
gnome-terminal -e 'airbase-ng -e FREEINTERNET -c 1 -P wlan0mon' &
ifconfig at0 192.168.1.129 netmask 255.255.255.128
# …

How to direct traffic from router to squid proxy server?

I have three boxes: a Linux client, a OpenWRT router, and a Squid server. I'm trying to get the client (which is connected to the router) web traffic to go through the proxy server without any client configuration.
Using this iptables rule on the router seems to make the client traffic go to the proxy just fine (I can see the request in the access.log):
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:3128
But the traffic doesn't seem to make it back to the client. I get this error on the client's web browser:
The requested URL could not be retrieved. Invalid URL
It almost looks like the hostname is missing by the time it get's back to the client. Am I missing an iptables rule? On the router or on the proxy server? Or do I need set a route?
My end goal is to have dansguardian running on the proxy server. The router is not powerful enough to run the filter and that is why I have a separate server for that.

Got it to work!
The only iptables rule I needed on the router was:
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:8080
And the rules I needed on the squid/dansguardian server was:
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
After creating those rules, I was able to see the client's traffic in the /var/log/squid3/access.log and /var/log/dansguardian/access.log logs and all of the client's traffic was coming back through just fine (with the web content filtering working perfectly).

How to route traffic through a VM's host when under host-only

I'm using virtualbox (under windows) with host-only and I'm trying to make the host (that's running windows) forward the packets that are arriving from the virtual machine's interface to the interface that has an internet connection so the virtual machine can also have internet access.
In Ubuntu I did this simply like this:
iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
How could I do this under windows?

Resources