
Win7、Fortigate、外部プロキシ間でパケットキャプチャしてみる。

■Win7、Fortigate、外部プロキシ間でパケットキャプチャしてみる。
 今回のDebianはおまけ。

 Debian 8.2 Jessie VMware (VMDK) 32bit
 http://www.osboxes.org/debian/

 IE11 on Win7 VirtualBox
 https://dev.modern.ie/tools/vms/linux/


■ネットワーク接続イメージ
 vmnet1は、vmnet2やbridgeの代用。L3である必要は無い。

$ echo "[Win7/vmnet1.102]   -- FW-in --> \
        [FGT/vmnet1.105]    -- FW-vip --> \
        [FGT/vmnet8.100]    -- FW-out --> \
        [FGT/vmnet8.1]      -- vmnat --> \
        [host]              --> [next-hop-proxy]" | \
    graph-easy

■jessieの初期設定
 初期設定はnatのままで作業する。
 無駄にGUIなので、[Ctrl]+[Alt]+[F2]でコンソールに移動。
 ちなみに英語キーボード配列。

# cat /etc/apt/apt.conf;\
  # proxy
Acquire::http::Proxy "http://172.16.16.254:3128/";
# grep -v "^#\|^\$" /etc/apt/sources.list; \
  # add jessie
deb http://security.debian.org/ jessie/updates main contrib
deb-src http://security.debian.org/ jessie/updates main contrib
deb http://ftp.debian.org/debian/ jessie-updates main contrib
deb-src http://ftp.debian.org/debian/ jessie-updates main contrib
deb http://ftp.debian.org/debian/ jessie main contrib
deb-src http://ftp.debian.org/debian/ jessie main contrib

# grep -v "^#\|^\$" /etc/network/interfaces; \
  # vmnet8
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
	address 192.168.152.101
	netmask	255.255.255.0
	network	192.168.152.0
	broadcast 192.168.152.255
	gateway 192.168.152.2
# ifup eth0;apt-get update && apt-get install -y openssh-server; \
  # enable network interface
# passwd root
# passwd osboxes

$ ssh osboxes@192.168.152.101
$ su root -c 'echo "UseDNS no" | tee -a /etc/ssh/sshd_config '
$ su
# apt-get install -y vim
# apt-get purge nano network-manager

■Windows7の初期設定
 VirtualBox Guest Additionsをアンインストールして、
 VMware Toolsをインストール
 ちなみにこちらも英語配列。

> appwiz.cpl

■Fortigate-VMのイメージはいつものとおり、
 代理店から入手するか、ダウンロード権限のあるアカウントを作成してください。

■Fortigate-VMの設定

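# Language and timezone (timezone is a FortiOS index, kept as the author set it)
config system global
    set language japanese
    set timezone 60
end
# Interfaces ("config" and the closing "end" were missing from the pasted transcript)
config system interface
    # vmnet8: NAT side toward the host and the next-hop proxy
    edit "port1"
        set ip 192.168.152.100 255.255.255.0
        # NOTE(review): http and telnet are cleartext management protocols; acceptable on
        # this lab-only NAT segment, drop them anywhere else
        set allowaccess ping https http telnet
    next
    # vmnet1: host-only side toward Win7 / jessie (ping only)
    edit "port2"
        set ip 172.16.76.100 255.255.255.0
        set allowaccess ping
    next
end
# next-hop-proxy used for autoupdate traffic
config system autoupdate tunneling
    set status enable
    set address "172.16.16.254"
    set port 3128
end
# DNS client
config system dns
    set primary 172.16.16.252
    set secondary 172.16.16.251
end
# VWAN-proxy: 172.16.76.105:3128 -> 172.16.16.254:3128 (port forward)
config firewall vip
    edit "VWAN-proxy"
        set extip 172.16.76.105
        # not bound to one interface; reachability is limited by policy 1 (port2 -> port1, Intra only)
        set extintf "any"
        set portforward enable
        set mappedip "172.16.16.254"
        set extport 3128
        set mappedport 3128
    next
end
# proxy service (TCP/3128 only)
config firewall service custom
    edit "next-hop-proxy"
        set tcp-portrange 3128
    next
end
# address objects: Intra (vmnet1) and dmz (vmnet8); "dmz" is defined but not used by policy 1
config firewall address
    edit "dmz"
        set subnet 192.168.152.0 255.255.255.0
    next
    edit "Intra"
        set subnet 172.16.76.0 255.255.255.0
    next
end
# firewall policy: the only path from Intra to the proxy VIP
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Intra"
        set dstaddr "VWAN-proxy"
        set action accept
        set schedule "always"
        set service "next-hop-proxy"
        set utm-status enable
        set logtraffic-start enable
        set av-profile "default"
        set profile-protocol-options "default"
        # certificate inspection only; the TLS payload is not decrypted here
        set ssl-ssh-profile "certificate-inspection"
        # source NAT to port1's address, keeping the client's source port (visible in the session list below)
        set nat enable
        set fixedport enable
    next
end
# static routes
config router static
    edit 0
        set dst 172.16.76.0 255.255.255.0
        set gateway 172.16.76.2
        set device "port2"
    next
    edit 0
        set gateway 192.168.152.2
        set device "port1"
    next
end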

■Win7(x86)の設定変更
 唯一のネットワークを「host-only」に変更し、
 gatewayは設定しない。(L2)

 IE11のプロキシ設定を「172.16.76.105:3128」に設定し、
 Fortigateで通過していることを確認。

# diagnose sys session filter dport 3128
# diagnose sys session filter proto 6
# diagnose sys session filter 
session filter:
	vd: any
	sintf: any
	dintf: any
	proto: 6-6
	proto-state: any
	source ip: any
	NAT'd source ip: any
	dest ip: any
	source port: any
	NAT'd source port: any
	dest port: 3128-3128
	policy id: any
	expire: any
	duration: any
# diagnose sys session list | grep 172
orgin->sink: org pre->post, reply pre->post dev=3->2/2->3 gwy=192.168.152.2/172.16.76.102
hook=pre dir=org act=dnat 172.16.76.102:49191->172.16.76.105:3128(172.16.16.254:3128)
hook=post dir=org act=snat 172.16.76.102:49191->172.16.16.254:3128(192.168.152.100:49191)
hook=pre dir=reply act=dnat 172.16.16.254:3128->192.168.152.100:49191(172.16.76.102:49191)
hook=post dir=reply act=snat 172.16.16.254:3128->172.16.76.102:49191(172.16.76.105:3128)

■Debian jessieの設定変更
 唯一のネットワークを「host-only」に変更し、
 APTのプロキシ設定を「172.16.76.105:3128」に設定し、
 Fortigateで通過していることを確認。

# sed -i -e 's/192.168.152./172.16.76./g' /etc/apt/apt.conf; \
  sed -i -e 's/192.168.152./172.16.76./g' /etc/network/interfaces; \
  /etc/init.d/networking restart

# diagnose sys session list | grep 172
orgin->sink: org pre->post, reply pre->post dev=3->2/2->3 gwy=192.168.152.2/172.16.76.101
hook=pre dir=org act=dnat 172.16.76.101:41849->172.16.76.105:3128(172.16.16.254:3128)
hook=post dir=org act=snat 172.16.76.101:41849->172.16.16.254:3128(192.168.152.100:41849)
hook=pre dir=reply act=dnat 172.16.16.254:3128->192.168.152.100:41849(172.16.76.101:41849)
hook=post dir=reply act=snat 172.16.16.254:3128->172.16.76.101:41849(172.16.76.105:3128)
orgin->sink: org pre->post, reply pre->post dev=3->2/2->3 gwy=192.168.152.2/172.16.76.101
hook=pre dir=org act=dnat 172.16.76.101:41848->172.16.76.105:3128(172.16.16.254:3128)
hook=post dir=org act=snat 172.16.76.101:41848->172.16.16.254:3128(192.168.152.100:41848)
hook=pre dir=reply act=dnat 172.16.16.254:3128->192.168.152.100:41848(172.16.76.101:41848)
hook=post dir=reply act=snat 172.16.16.254:3128->172.16.76.101:41848(172.16.76.105:3128)

■FortigateのGUIでパケットキャプチャ設定を行う。
 CUIで探すと、「config firewall sniffer」

 http://172.16.76.100/p/firewall/sniffer/

# show | grep -f "set port .3128"
config firewall sniffer
    edit 1
        set status disable
        set logtraffic disable
        set interface "port1"
        set port "3128" <---
        set protocol "6"
    next
end

■今回はFortigateは「内部IP:3128 -> 外部IP:3128」に渡すだけなので、
 パケットキャプチャ結果は見ないがwireshark形式でダウンロードできる。
 ※CUIで実行すれば当然その場で平文で見れる。

■Win7でパケットキャプチャ
 [Telnet Client][Telnet Server]をインストールして、
 [services.msc][Telnet]のプロパティで、有効、起動する。
 ※Telnetは認証情報を含めて平文で流れるので、host-onlyのラボ内に限って使う。
 [wireshark]をFGTでNATした上位プロキシを経由してダウンロード、インストール
 [TelnetClient]グループに[IEUser]を追加してtelnet接続。

username:IEUser
password:Passw0rd!

>cd c:\Program Files
>cd Wireshark
>tshark.exe -L
Data link types of interface \Device\NPF_{2167A7E2-D209-418A-9A67-81242A11EA0C} (use option -y to set):
  EN10MB (Ethernet)
  DOCSIS (DOCSIS)
>tshark.exe -D
1. \Device\NPF_{2167A7E2-D209-418A-9A67-81242A11EA0C} (Local Area Connection 4)
>tshark -i 1 -f "tcp port 3128" -T fields -E separator=';' -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.host -e http.request.uri
Capturing on 'Local Area Connection 4'
Nov  2, 2015 04:57:22.853452000 Pacific Standard Time'172.16.76.102'49238'172.16.76.105'3128''
Nov  2, 2015 04:57:22.854385000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49238''
Nov  2, 2015 04:57:22.854430000 Pacific Standard Time'172.16.76.102'49238'172.16.76.105'3128''
Nov  2, 2015 04:57:22.854633000 Pacific Standard Time'172.16.76.102'49238'172.16.76.105'3128'www.modern.ie'http://www.modern.ie/vmhome?IEVersion=11&GuestOS=Win7&VirtPlatform=VirtualBox&VirtOS=Windows&VMBuild=20141027
Nov  2, 2015 04:57:22.855129000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49238''
Nov  2, 2015 04:57:23.215836000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49238''
Nov  2, 2015 04:57:23.215881000 Pacific Standard Time'172.16.76.102'49238'172.16.76.105'3128''
Nov  2, 2015 04:57:23.250250000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.255843000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.255883000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.256145000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128'dev.modern.ie:443'dev.modern.ie:443
Nov  2, 2015 04:57:23.256608000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.539844000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.539913000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.558996000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.559833000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.671385000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.671512000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.671652000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.671653000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.671675000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.708780000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.709913000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.819371000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:23.819404000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.861574000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:23.862853000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:24.237642000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:24.237644000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:24.237694000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:24.237834000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:24.237846000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:24.237966000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:24.237967000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49239''
Nov  2, 2015 04:57:24.237977000 Pacific Standard Time'172.16.76.102'49239'172.16.76.105'3128''
Nov  2, 2015 04:57:24.555057000 Pacific Standard Time'172.16.76.102'49240'172.16.76.105'3128''
Nov  2, 2015 04:57:24.558593000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49240''
Nov  2, 2015 04:57:24.558636000 Pacific Standard Time'172.16.76.102'49240'172.16.76.105'3128''
Nov  2, 2015 04:57:24.560744000 Pacific Standard Time'172.16.76.102'49240'172.16.76.105'3128'c.microsoft.com'c.microsoft.com:443
Nov  2, 2015 04:57:24.561918000 Pacific Standard Time'172.16.76.105'3128'172.16.76.102'49240''
Nov  2, 2015 04:57:24.562713000 Pacific Standard Time'172.16.76.102'49241'172.16.76.105'3128''