I read this web page many years ago that described how someone used their unencrypted WiFi
network to prank neighbors by turning all images upside down or making them blurry or simply
redirecting them to cats. I always wanted to do it myself, but I didn’t have the required knowledge
or hardware until now.
In my previous post, I wrote about how I installed DD-WRT onto my Asus RT-N16 wireless
router. You might be able to do this prank with the factory default firmware for your router.
Your firmware needs to let you do the steps in this awesome tutorial to create a separate
guest WiFi network and add custom iptables rules. If it doesn’t, get a better router or flash
Install the squid3 proxy caching server on a computer on the LAN using this tutorial from
Ubuntu. Instead of using the Apache web server and that Perl script (which didn’t work for me),
I used Nginx and wrote an analogous Python script. I skipped their “Networking Setup” section
because I need to set up iptables rules in my router to redirect all traffic from the guest WiFi to
the squid proxy host. I set up a new subdomain “newsubdomain.davidxia.com” to point to the
proxy host and added the Nginx configuration for it as shown below.
#!/usr/bin/env python3
import os
import subprocess
import sys
import urllib.error
import urllib.request
import uuid

IMG_DIR = '/var/www/images/'
BASE_URL = 'http://newsubdomain.davidxia.com/'


def modify_url(line):
    fields = line.split(' ')
    # The first element of the list is the requested URL.
    old_url = fields[0]
    # The returned URL needs to contain a '\n' at the end.
    # A '\n' by itself means do not rewrite the URL.
    new_url = '\n'
    # If the requested URL is a JPG, save it to a file on the proxy host, flip it upside down,
    # and give the user the URL to the upside down image. :p
    if old_url.lower().endswith('.jpg'):
        img_file_name = str(uuid.uuid4()) + '.jpg'
        img_file_path = os.path.join(IMG_DIR, img_file_name)
        try:
            urllib.request.urlretrieve(old_url, img_file_path)
            subprocess.check_output(['/usr/bin/mogrify', '-flip', img_file_path])
            new_url = BASE_URL + img_file_name + '\n'
        except urllib.error.ContentTooShortError:
            # TODO log this and return original URL
            pass
        except subprocess.CalledProcessError:
            # TODO log and return original URL and delete the image file
            pass
    return new_url


while True:
    # The format of the line read from stdin is
    # URL ip-address/fqdn ident method, e.g. http://saini.co.in 172.17.8.175/saini.co.in - GET -
    line = sys.stdin.readline()
    if not line:
        # EOF: squid closed the pipe, so exit instead of looping forever.
        break
    # new_url is a simple URL only, e.g. http://fedora.co.in
    new_url = modify_url(line.strip())
    sys.stdout.write(new_url)
    sys.stdout.flush()
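The script above downloads any requested URL that ends in .jpg, so the proxy host fetches whatever a guest asks for, including addresses on the home LAN. The following is an added example, not code from the original post: it parses the helper input line and decides whether a request is safe to download and flip. The function names are hypothetical, and it assumes squid runs the helper without concurrency, so no channel ID precedes the URL.

```python
import ipaddress
from urllib.parse import urlsplit

IMAGE_SUFFIXES = ('.jpg', '.jpeg')

# Constructed sample helper lines (not captured traffic).
SAMPLE_LINES = [
    'http://example.com/a/cat.JPG?w=200 192.168.2.23/- - GET -',
    'http://example.com/page?img=x.jpg 192.168.2.23/- - GET -',
    'http://192.168.1.1/logo.jpg 192.168.2.23/- - GET -',
    'http://example.com/upload.jpg 192.168.2.23/- - POST -',
]

def parse_helper_line(line):
    """Split 'URL client-ip/fqdn ident method ...' into a dict, or None."""
    fields = line.split()
    if len(fields) < 4 or '/' not in fields[1]:
        return None
    client_ip, _, fqdn = fields[1].partition('/')
    return {'url': fields[0], 'client_ip': client_ip, 'fqdn': fqdn,
            'ident': fields[2], 'method': fields[3]}

def is_internal_host(host):
    """True for IP literals in private, loopback or link-local ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; DNS resolution is not checked here
    return addr.is_private or addr.is_loopback or addr.is_link_local

def should_fetch(line):
    """Decide whether the rewriter may download and flip this request."""
    req = parse_helper_line(line)
    if req is None or req['method'] != 'GET':
        return False
    try:
        parts = urlsplit(req['url'])
        host = parts.hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme != 'http' or not host or is_internal_host(host):
        return False
    # Match on the path only, so a '?query' can neither hide nor fake a JPG.
    return parts.path.lower().endswith(IMAGE_SUFFIXES)

if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        print(should_fetch(sample), sample)
```

A hostname that resolves to an internal address still passes this check; closing that gap needs the proxy host to resolve the name first and connect only to the address it validated.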
In the squid configuration section, be sure to have acl localnet src <network range> where
network range is 192.168.2.1/24 if you used the aforementioned tutorial. Make sure you can
make HTTP requests to the proxy on localhost:3128 in order to debug. If you can’t, you might need to
add extra ACL rules to the squid conf file (something like http_access allow localnet).
I found instructions to configure the router’s firewall rules but realized my setup
was different. I don’t want to proxy traffic from my regular WiFi subnet 192.168.1.1/24 to my proxy
host on 192.168.1.134 but instead from 192.168.2.1/24 to 192.168.1.134. Use these rules:
iptables rules for router
# Allow traffic coming into interface br0 from proxy host 192.168.1.134 to exit interface br1 to any destination IP
iptables -I FORWARD -i br0 -o br1 -s 192.168.1.134 -j ACCEPT
# Allow traffic coming into interface br1 from any IP to exit interface br0 to proxy host 192.168.1.134
# make stricter later
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.134 -j ACCEPT
LAN_IP=`nvram get br1_ipaddr`
LAN_NET=$LAN_IP/`nvram get br1_netmask`
# The squid proxy host and the port squid listens on.
PROXY_IP=192.168.1.134
PROXY_PORT=3128
# Modify the destination address of packets as soon as they come in.
# Change their destination address to the squid proxy on 192.168.1.134:3128.
# Only change packets matching these criteria: came into the br1 interface, are TCP packets, destined for port 80.
# This redirects HTTP traffic from the guest WiFi to the squid proxy.
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Modify the source address of packets as they are about to go out.
# Change their source address to the br1 interface's IP, i.e. the virtual WiFi's router IP of 192.168.2.1.
# Only change packets matching these criteria: leaving the br1 interface, have a source address
# from the 192.168.2.1/24 subnet, are TCP packets, destined for the proxy IP.
# This makes the squid proxy return HTTP requests back to the guest Wifi, I think...
iptables -t nat -I POSTROUTING -o br1 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# Allow traffic coming into the br1 interface and leaving br0 with a source IP from the guest WiFi.
# Packets have to be TCP and destined for the squid proxy's port.
iptables -I FORWARD -i br1 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT