School Project...
I suck at making titles for threads, so we'll call this School Project for now.
Ok, let's see, where do I start?
Ok, let me first explain the problem.
My school has gone overboard with the internet filtering; they've blocked most sites and are adding more each day. It is getting to the point where almost everything is blocked and teachers have to email the administrator to unblock sites and justify why they need it unblocked for their class.
The way the internet traffic used to flow at my school was that there was a state proxy server, district proxy server, and a local proxy server. All connected to each other. The state blocked certain sites I think, but mostly left that up to the districts who were given guidelines and the filtering software. Additionally, the local schools could block sites as they saw fit.
Well apparently things are changing, the state proxy is supposedly gone, and the local proxy has been replaced with iPrism. iPrism took the filtering to a new level, blocking all the sites we wanted to get to, plus legitimate sites used for research. Even the state's webmail site was blocked! The state/district/whoever required that every student have an email address, which we can access by going to ketsmail.us but the school has now blocked ketsmail.us!!!
Now I run a small lab network in the IT room, about 44 clients not counting my own computer. 22 of those are used by the PC hardware/software class to tear apart, reinstall Windows, etc. on. Each student has a user account on that network that is administrative so that they can do things that the school network won't let them do. Being so pissed off at my school's network, I stay on my own, the lab network.
On this network is a proxy server that is behind a router; the reason it's behind a router is so that the school's network administrator can't get to it. I set up the router to connect to the school's proxy server and that worked fine for a while.
Then they switched to the iPrism server, but I found that I could bypass that by using the district proxy server. The district proxy didn't have as many sites blocked.
Today they shut off the district proxy server!
Meaning that if I want to go online with my network, I had to route through the school's iPrism proxy.
Ok, so somehow I want to get past this. Somehow there must be a way to achieve a direct route to the internet.
I say that because, on the school network, programs like Limewire can connect to the internet even though they're set to connect directly, and if you try to set it to connect through a proxy, it doesn't connect.
The webserver is another curiosity: how does it connect to the internet when it is in the IT room and connected just like any student machine is?
I would have thought that there was a proxy server that had 2 NICs and that the only route to the internet from the school's internal network was through the proxy. Which is how my Lab network is set up.
So I was just thinking, can they somehow block web traffic so that you have to use a proxy server to connect and view webpages, but have other ports open? Ports that could be used for a direct connection?
If it is possible, then how could I route the web traffic from my proxy server, to one of those open ports and gain access?
I may not be thinking clearly, and I am freezing my butt off as I write this so that might be distracting me.
It's a crazy idea I had, I just wondered if it would work. What are your thoughts?
Have questions? Ask and I'll answer as best as possible.
Comments
-Kirk
Yeah I've tried tracerouting, it gets through about 3 routers as far as I can tell.
-Q
PS. Kentucky seems to like blocking things.
My school district in particular takes it way too far. The district admin is corrupt with power.
He refuses to unblock sites USED FOR CLASS even when presented a lesson plan that justifies unblocking the website.
So that's it, enough is enough, I have had it with these motherfucking webfilters (Ok I didn't mean that to sound like a Snakes on a Plane parody line)
If Limewire can somehow direct connect to the internet, then somehow my proxy server should be able to.
I just need to find out how!
Anyway, I know a lot of them do it, but the fact that it's Kentucky is ironic.
-Q
To try and re-explain what I want to do.
You know how you can forward external traffic to an internal IP and port number?
Like say you're running a webserver and you direct port 80 traffic to 192.168.1.2 on port 8000 (just to name one, though I don't know why you'd do that)
Well I want to do that in reverse, if possible.
Direct the outgoing web traffic from 192.168.1.2 (again just naming an address) to an external port of say 3178
Is this just crazy talk or is it possible?
-Q
They are blocking port 80 web traffic, I think they're blocking a few other ports as well.
But routing through a proxy that was on port 3124 I was able to connect to the internet.
The only problem is that this proxy server sucks! It denies me access to some sites because my IP isn't allowed or something. So I get limited access with that proxy. So limited in fact that I couldn't visit this site because it wouldn't let me use a non-standard port. So I was forced to switch back to the school proxy.
If anyone knows of a good proxy server on a non-standard port, in other words not port 80 or 8080 etc., please share!
And if you know how I could redirect my port 80 web traffic to port 3124 (if it's even possible) share that too.
I found a solution!
You see, all of the servers at school have port 80 unblocked. So they can directly connect to the internet!
Why is this good? Because one of those servers is in the IT room and under our control!
Now the district admins log into it all the time to run updates and stuff. So installing a proxy server on it would get noticed.
So instead, we're going to install a second NIC and enable ICS or RRAS, turning the webserver into a router!
Then all we have to do is connect it to the lab network switch and bingo! I have direct access to the internet!
-Q
I just re-read my above posts, and noticed the over-usage of exclamations.
Anywho, we haven't done anything about it yet, my IT teacher wants us to consider it carefully and make sure we're not caught.
If they found out, they'd be pissed off, they might even try to get my IT teacher fired, and if they found out I had something to do with it, they might go as far as expelling me.
Believe me, these assholes are that strict. A friend of mine was almost expelled for using NetSupport to control other computers on the network.
It wasn't his fault that the admins are so incompetent that they won't password-protect the client machines.
And that's after I even showed them how to deploy a password to all clients. They wouldn't have to get up out of their chair!
God! Their stupidity knows no bounds.
Anyways, I was thinking it might be possible to use a router instead. Like set the router's WAN interface to a static IP, and make that IP the same as the webserver's.
Then, stick the webserver in a DMZ so that the website and NetSupport and whatever the fuck else is running on it, will still work.
The server's current IP must be in some sort of exception range or something in order for it to have port 80 unblocked. So setting the router to the same IP should mean its access is unrestricted as well.
But now there is something I just thought of, what if they've assigned a range of IP addresses that are unblocked, and use those for new servers. If I could find an IP in that range that wasn't being used, and set the router to that IP, I wonder, wouldn't it gain unrestricted access?
I suppose the only problem with that would be one day down the road when they add a new server, and find that they get an IP conflict when trying to use that IP.
But I could be long gone before that happens :P
I found the server IP range that has port 80 web traffic unblocked. I found an IP that wasn't in use and set my router to that IP.
Now I have unblocked internet access :-)
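From the administrator's side, the thread ends on a filter exemption keyed to source IP alone. The following is an added example, not part of the original posts: a check that compares neighbor-table entries inside an exempt server range against an inventory of authorized servers. The range, inventory, addresses and sample lines are all constructed placeholders, since the thread gives no real values.

```python
import ipaddress

# Constructed sample data: every range, IP and MAC below is a placeholder.
EXEMPT_RANGE = ipaddress.ip_network("10.20.0.0/28")  # assumed filter-exempt range
AUTHORIZED = {                                        # assumed inventory: IP -> MAC
    "10.20.0.2": "00:11:22:33:44:02",
    "10.20.0.3": "00:11:22:33:44:03",
}
# Constructed lines in the layout of Linux `ip neigh show` output.
NEIGH_SAMPLE = """\
10.20.0.2 dev eth0 lladdr 00:11:22:33:44:02 REACHABLE
10.20.0.3 dev eth0 lladdr 00:aa:bb:cc:dd:03 STALE
10.20.0.9 dev eth0 lladdr 00:aa:bb:cc:dd:09 REACHABLE
10.20.0.12 dev eth0  FAILED
10.30.5.7 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
"""

def parse_neighbors(text):
    """Yield (ip, mac) for entries that carry a link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries have no MAC to compare
        mac_idx = fields.index("lladdr") + 1
        if mac_idx < len(fields):
            yield fields[0], fields[mac_idx].lower()

def audit_exempt_range(text, exempt=EXEMPT_RANGE, authorized=AUTHORIZED):
    """Return (ip, mac, reason) for hosts in the exempt range that do not
    match the inventory: an unknown IP, or a known IP on an unexpected MAC."""
    findings = []
    for ip, mac in parse_neighbors(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip lines that do not start with an IP address
        if addr not in exempt:
            continue  # only the exempt range bypasses the filter
        expected = authorized.get(ip)
        if expected is None:
            findings.append((ip, mac, "unregistered-host"))
        elif expected.lower() != mac:
            findings.append((ip, mac, "mac-mismatch"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit_exempt_range(NEIGH_SAMPLE):
        print(f"{ip} {mac} {reason}")
```

Run on a schedule against the gateway's neighbor table, this reports a new address in the exempt range without waiting for an IP conflict to reveal it. The underlying fix is to key the exemption to something other than a self-assigned source IP, such as a dedicated server VLAN or specific switch ports.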