Friday, October 28, 2011

Setup transparent net access over insti proxies

If you are a student at an institute that forces you to cross a damn proxy server for accessing the internet, you must be fed up with entering your username and password time and again in browsers, as well as configuring each new application you install to use the proxy. And if an application doesn't have any proxy configuration option, then you can't use that application at all! For example, you can't install the Android Development plugin for Eclipse. This is very irritating. And some campuses add to this torture further by using crappy NTLM authentication.
Here in IIT Madras exactly this condition prevails. But here I present a step by step walkthrough to get rid of this situation. Welcome to transparent proxying!

What is transparent proxy?
A transparent proxy (more correctly called an intercepting proxy) intercepts your requests and forwards them to the destination without letting your applications know that there is a proxy between you and the internet. On Linux this is done with some help from iptables. So what are the advantages? You need not configure each and every application with the proxy address, port, username and password. You can keep the setting "Direct connection to internet" in every application and every darn-so-ever app will work flawlessly!!!! Cool?? Eh?? Let's start.

Configure a transparent proxy on your notebook
I assume you are using a recent version of Ubuntu. Even older ones will do :) The steps should work for any Linux distro provided you use the appropriate distro-specific commands.

Before installing software you need a working internet connection. For the time being you can put the proxy in /etc/apt/apt.conf so that apt can install the required packages. Add one line each for http, https and ftp in this form:

Acquire::http::Proxy "http://<username>:<password>@<proxy-address>:<port>";

An example:

Acquire::http::Proxy "";
Acquire::https::Proxy "";
Acquire::ftp::Proxy "";

If you are not from a computer science background, I should tell you that to edit /etc/apt/apt.conf you open a terminal and type sudo gedit /etc/apt/apt.conf

Step 1: 
If your campus doesn't require NTLM authentication then you can simply install and configure squid to set up transparent proxying. The details are beyond the scope of this post; I may cover them some time later, or you may search the net for others who have written about it.
The IIT Madras campus network uses NTLM, so I need to install cntlm. It works as a local proxy and performs the NTLM authentication on your behalf, so you don't need to enter your username and password every time you launch the browser. Type the following command and press enter:
sudo apt-get install cntlm 
Now edit the /etc/cntlm.conf file and change these lines to reflect your settings:

Username cs11m039
Domain iitm
Password password
If you have different proxies in the institute and the hostels then you can specify them all in these lines

Edit the SOCKS proxy details too:

SOCKS5Proxy 3128
SOCKS5User cs11m039:password

Leave all other settings at their defaults. Instead of cs11m039 put your username, instead of password put your password, and instead of the domain iitm put your institute's NTLM domain. For SOCKS5Proxy put the port number of the proxy.

Now restart cntlm by typing:

sudo service cntlm restart

Now open any browser and set the http proxy as and port 3128. Try opening If it works, cntlm is installed and configured correctly; proceed to the next step. Otherwise, double check your configuration and make sure cntlm actually got installed. Also make sure your computer is even turned on!!!!! If all else fails, write a comment here and I may reply if I feel like it. (:P)

Step 2:
Install tinyproxy.
sudo apt-get install tinyproxy

Open its configuration file

sudo gedit /etc/tinyproxy.conf 

Edit these lines:
Port 8888
Comment out the line that says Allow by adding a leading # symbol before Allow.
Don't touch any other line.

Step 3:
Open /etc/default/tinyproxy, put this inside and close the file (the tinyproxy init script sources this file, so $1 and $DAEMON are the init script's own):

case "$1" in
    start)
        # Send every outgoing TCP connection to port 80 into tinyproxy on 8888
        iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8888
        ;;
    stop)
        # Drop the redirect first, otherwise port 80 is dead once tinyproxy is gone
        iptables -t nat -F OUTPUT
        start-stop-daemon --stop --quiet -t --exec $DAEMON > /dev/null || exit 0
        ;;
    restart)
        iptables -t nat -F OUTPUT
        iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8888
        ;;
esac

Now restart tinyproxy by typing sudo service tinyproxy restart
Disable the proxy settings in the browser and try opening a website. If you followed all the above steps correctly then the website should open. You may now safely truncate the /etc/apt/apt.conf file and apt will still work. All your apps, like installing software in Eclipse, will work too without any problems.

This is how your internet is working now:

Your application makes a connection to the internet. The Linux kernel receives it and, because of the iptables rule set up above, redirects it to port 8888, where tinyproxy is running. Tinyproxy intercepts the plain (non-proxied) request, rewrites it into a proper HTTP proxy request and forwards it to its upstream proxy, which is cntlm running on port 3128. Cntlm then performs the NTLM authentication and contacts the insti proxy server to serve your request.

User application<==>Kernel(iptables)<==>tinyproxy intercepting proxy<==>cntlm authentication proxy<==>insti squid proxy<==>The internet
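A check script for this chain, added here and not part of the original post: it tries each hop on its own so that a failure points at the hop that is broken, and it reports the address tinyproxy is bound to, which matters once the Allow line is commented out as in Step 2 (bound to 0.0.0.0 it is reachable from the whole LAN, so Listen 127.0.0.1 in tinyproxy.conf is the safer choice). TEST_URL and the PROXYCHECK_RUN switch are assumptions; the ports are the ones used above.

```shell
#!/bin/sh
# Added check for the tinyproxy -> cntlm chain; not code from the original post.
# Each hop is exercised separately so a failure points at the broken hop.
# Ports are those used in the post; TEST_URL is an assumption (any plain-http
# site that the institute proxy lets through will do).
TINY_PORT=8888
CNTLM_PORT=3128
TEST_URL="http://example.com/"

# Succeeds when the NAT OUTPUT chain carries the port-80 redirect to the given
# port. Reads `iptables -t nat -S OUTPUT` (one rule per line) from stdin so it
# can also be fed a saved listing.
has_redirect_rule() {
    grep -q -- "-A OUTPUT -p tcp .*--dport 80 .*-j REDIRECT --to-ports ${1:-8888}$"
}

# Prints the local address a TCP listener on port $1 is bound to, reading
# `ss -ltn` output from stdin. 127.0.0.1 means only this host can reach it;
# 0.0.0.0 or * means the whole LAN can, which matters once Allow is commented out.
listen_address() {
    awk -v port=":$1\$" '$4 ~ port { print $4; exit }'
}

# HTTP status of a fetch sent explicitly through one local proxy ($1 = host:port).
fetch_via() {
    curl -sS --max-time 10 --proxy "$1" -o /dev/null -w '%{http_code}' "$TEST_URL"
}

# HTTP status of a fetch with no proxy configured, i.e. via the NAT redirect only.
fetch_direct() {
    curl -sS --max-time 10 --noproxy '*' -o /dev/null -w '%{http_code}' "$TEST_URL"
}

main() {
    if iptables -t nat -S OUTPUT 2>/dev/null | has_redirect_rule "$TINY_PORT"; then
        echo "[ok]   port 80 is redirected to tinyproxy on $TINY_PORT"
    else
        echo "[fail] no REDIRECT rule for port 80 (tinyproxy start hook not applied?)"
    fi
    bound=$(ss -ltn 2>/dev/null | listen_address "$TINY_PORT")
    echo "tinyproxy listens on: ${bound:-nothing on port $TINY_PORT}"
    echo "via cntlm     (127.0.0.1:$CNTLM_PORT): HTTP $(fetch_via "127.0.0.1:$CNTLM_PORT")"
    echo "via tinyproxy (127.0.0.1:$TINY_PORT): HTTP $(fetch_via "127.0.0.1:$TINY_PORT")"
    echo "transparent   (no proxy configured): HTTP $(fetch_direct)"
}

# Live checks run only on request, so the helpers above can be sourced or tested.
if [ "${PROXYCHECK_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as root with PROXYCHECK_RUN=1 sh proxycheck.sh; a 200 via cntlm but a failure via tinyproxy means the tinyproxy side is misconfigured, while 200 via both but a failure on the transparent line means the iptables rule is missing.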

Happy browsing!

On 3rd November, IIT Madras ditched the NTLM authentication and implemented rather insecure HTTP Basic authentication with OpenLDAP. Now you don't require cntlm if you want to setup transparent proxy.

In step 1 above don't install cntlm. Just install polipo by:
sudo apt-get install polipo

Then open its configuration file by:
sudo gedit /etc/polipo/config

And set these values:
parentProxy = ""
parentAuthCredentials = "username:password"

where username and password are your OpenLDAP username and password. Also make sure to comment out the lines for the SOCKS proxy.
Also set its listening port to 3128, so that tinyproxy doesn't need to be reconfigured. And don't forget to uninstall cntlm, or disable it from startup, if it is installed, because both polipo and cntlm will try to listen on port 3128 and you will face issues.