Setting up Linux Proxy server w/ Squid & IPtables Vmware

I need detailed directions for how to set up a proxy server on a Linux machine (Ubuntu preferably) that will allow me to take multiple IP addresses in my subnet and re-route them simultaneously back to a Windows machine. If you Linux experts can help me (I'm a Linux newbie) with any of the steps below, that would be great!



The setup will need to be as follows:
1) Help in setting up my NICs for eth0 & eth1 (I don't even know where to begin here)
eth0 will need to be set up with multiple public IPs (your public ones).
eth1 will need to have an internal IP, for instance 10.0.0.1.

2) Directions for how to set up iptables for NAT & packet filtering
I recommend setting up 1 proxy server for each browser you need.

3) Instructions for how to source NAT the proxies with the following logic:
i.e. You must source NAT the proxies. The rules follow this logic:
If source IP = 10.0.0.2 and outgoing interface = eth0 then set source IP = "public ip here".

4) Step-by-step instructions for getting VMware Server & Squid up and running.
snowtime asked:

Gabriel Orozco, Solution Architect, commented:
Well, these are many points. I will try to help.

1) http://www.cyberciti.biz/tips/ubuntu-linux-creating-ethernet-alias-for-eth0-network-device.html

2) I attached a firewall script that can help. You need to make it start by adding it to /etc/init.d/rc.local (a line example is included in the code snippet) or by following the instructions from http://ubuntu.wordpress.com/2005/09/07/adding-a-startup-script-to-be-run-at-bootup/

3) To do this, you will need to modify the NAT part of the firewall, this way:
   - replace this line:
     $ipt -t nat -A POSTROUTING -o $INET -j MASQUERADE
   - with as many lines as needed of
     $ipt -t nat -A POSTROUTING -s internal.ip.address.1 -o $INET -j SNAT --to external.ip.1
     $ipt -t nat -A POSTROUTING -s internal.ip.address.2 -o $INET -j SNAT --to external.ip.2
     $ipt -t nat -A POSTROUTING -s internal.ip.address.3 -o $INET -j SNAT --to external.ip.3
   - i.e.
     $ipt -t nat -A POSTROUTING -s 10.0.0.2 -o $INET -j SNAT --to 399.399.399.399 (replace with your public ip address)

4) http://tonyseno.blogspot.com/2008/01/configuring-squid-on-ubuntu.html
   and for the squid.conf file maybe this helps:
   http://www.visolve.com/squid/sqguide.php

You need to read a lot and try many times until you are satisfied with your configuration.

Good luck

/etc/rc.local
=============
/etc/init.d/rc.firewall start
 
 
/etc/init.d/rc.firewall
#!/bin/sh
# Start/stop/restart the Firewall.
#
# This is an init script for the Iptables Scripts by Gabriel Orozco.
#
# Written by Gabriel Orozco <redimido@glo.org.mx>.
#
# V. 0.0.6 Included excellent rules from JLevie Firewall script.
#
 
#Variables
ipt=$(which iptables)
LAN=eth1
INET=eth0
 
firewall_start() {
 
 echo "Configuring policies"
 $ipt -P INPUT DROP
 $ipt -P FORWARD DROP
 $ipt -P OUTPUT ACCEPT
 
 # Turn on IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
 
 echo "Creating Custom Chains"
 # silent       - Just drop the packet
 # tcpflags     - Log packets with bad flags, most likely an attack
 # logdrop      - Log packets that we refuse, possibly from an attack
 #
 # Note: user-defined chains belong to the table they are created in; these
 # three live in the filter table, so they can only be jumped to from filter
 # table chains (INPUT/FORWARD/OUTPUT), never from "-t nat" rules.
 $ipt -N silent
 $ipt -A silent -j DROP
 
 $ipt -N tcpflags
 $ipt -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix "TCPflags:"
 $ipt -A tcpflags -j DROP
 
 $ipt -N logdrop
 $ipt -A logdrop -m limit --limit 15/minute -j LOG --log-prefix "Firewalled:"
 $ipt -A logdrop -j DROP
 
 echo "Starting Firewall Services:"
 
 #FIREWALL RULES
 #
 # These are all TCP flag combinations that should never, ever, occur in the
 # wild. All of these are illegal combinations that are used to attack a box
 # in various ways.
 #
 $ipt -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH         -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL ALL                 -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL NONE                -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST         -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN         -j tcpflags
 
 # Log / drop invalid packets: delayed packets and/or port scans:
 $ipt -A INPUT -p tcp -m state --state INVALID            -j tcpflags
 #
 # Allow selected ICMP types and drop the rest.
 #
 $ipt -A INPUT -p icmp --icmp-type 0 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 3 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
 $ipt -A INPUT -p icmp -j logdrop
 
 
 # Block packets from internal networks COMING FROM INET (if this happened, it's
 #      surely an attack). These go in the filter table (INPUT for packets to
 #      the firewall itself, FORWARD for routed ones) because logdrop is a
 #      filter-table chain; "-t nat -A PREROUTING ... -j logdrop" would fail.
 for spoofed in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
   $ipt -A INPUT   -i $INET -s $spoofed -j logdrop
   $ipt -A FORWARD -i $INET -s $spoofed -j logdrop
 done
 
 # allow localhost to always connect
 $ipt -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
 $ipt -A INPUT -p tcp --dport  22 -j ACCEPT # permit ssh from everywhere to allow administration.
 
 # Stateful Firewall ENABLED:
 $ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
 $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # uncomment what you need open. assumes open internal and external.
 # if you want to open only from inside, add -i $LAN after the word INPUT:
 # if you want to open only from outside, add -i $INET after the word INPUT:
 #$ipt -A INPUT -p tcp --dport  21 -j ACCEPT   # ftp
 #$ipt -A INPUT -p tcp --dport  53 -j ACCEPT   # dns tcp (some dns clients require tcp)
 #$ipt -A INPUT -p udp --dport  53 -j ACCEPT   # dns udp (most of dns is udp)
 #$ipt -A INPUT -p tcp --dport  80 -j ACCEPT   # web
 #$ipt -A INPUT -p tcp --dport  25 -j ACCEPT   # smtp
 #$ipt -A INPUT -p tcp --dport 110 -j ACCEPT   # pop3
 #$ipt -A INPUT -p tcp --dport 143 -j ACCEPT   # imap
 # If you are running a DHCP server on the firewall uncomment the next line
 # (--sport/--dport need the protocol given, hence -p udp)
 #$ipt -A INPUT -i $LAN -p udp -d 255.255.255.255 --sport 67 --dport 68 -j ACCEPT   # Listen for DHCP Queries
 
 # Restrict internal Windows servers to announce themselves on the 'NET (Dangerous)
 $ipt -A FORWARD -p udp -m multiport --dports 137,138,139,445 -j silent
 
 # All internal users can go to INET
 # If you want to restrict, you must add the restricting
 #    rules before this one:
 $ipt -A FORWARD -i $LAN -o $INET -j ACCEPT
 
 #NAT FOR LOCAL NETWORK
 echo "Starting NAT for the local network"
 $ipt -t nat -A POSTROUTING -o $INET -j MASQUERADE
}
 
firewall_stop() {
 $ipt -P INPUT   ACCEPT
 $ipt -P FORWARD ACCEPT
 $ipt -P OUTPUT  ACCEPT
 # Flush the rules and then delete the custom chains in every table we use
 # ("-F" without a chain name already flushes every chain of that table).
 $ipt -F
 $ipt -F -t mangle
 $ipt -F -t nat
 $ipt -X
 $ipt -X -t mangle
 $ipt -X -t nat
}
 
firewall_restart() {
 firewall_stop
 sleep 1
 firewall_start
}
 
firewall_status() {
 # mktemp creates the file with mode 0600, so a fixed, predictable name in
 # /tmp (and the separate chmod it needed) is avoided.
 fw_status_file=$(mktemp /tmp/firewall.status.XXXXXX) || return 1
 echo "===================================================" >  $fw_status_file
 echo "iptables.mangling:"                                  >> $fw_status_file
 $ipt -t mangle -L -vn --line-numbers                       >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 echo "iptables nat:"                                       >> $fw_status_file
 $ipt -t nat -L -vn --line-numbers                          >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 echo "iptables filter:"                                    >> $fw_status_file
 $ipt -L -vn --line-numbers                                 >> $fw_status_file
 echo "===================================================" >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 less $fw_status_file
 rm -f $fw_status_file
}
 
case "$1" in
'start')
 firewall_start
 ;;
'stop')
 firewall_stop
 ;;
'conf')
 vi $0
 exit
 ;;
'status'|'stat'|'-status'|'-stat'|'STATUS')
 firewall_status
 ;;
'restart')
 firewall_restart
 ;;
*)
 echo "usage $0 { start | stop | conf | status | restart }"
esac
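Step 3 above asks for one hand-written SNAT line per internal client. The following is an added example, not code from the answer or its firewall script: it builds those POSTROUTING rules (and the eth0 alias from step 1 that each public address needs) from a single address map, and refuses malformed entries such as a leftover "399.399.399.399" placeholder before anything reaches iptables. INET follows the script above; all addresses in CLIENT_MAP are constructed placeholders and PUB_PREFIX is an assumed /24.

```shell
#!/bin/sh
# Added example (not the answer's own script): generate per-client SNAT rules
# and eth0 aliases from one map. Addresses below are constructed placeholders;
# PUB_PREFIX (/24) is an assumption about the public block.
INET=eth0
PUB_PREFIX=24
# "internal public" pairs, one per line (constructed sample values)
CLIENT_MAP='10.0.0.2 198.51.100.10
10.0.0.3 198.51.100.11
10.0.0.4 198.51.100.12'

# Accept only a dotted quad with octets 0-255, so a placeholder such as
# 399.399.399.399 is rejected instead of producing a broken rule.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print (do not apply) the POSTROUTING rule for one client:
# "if source = internal and outgoing interface = eth0, rewrite source = public".
snat_rule() {
  valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
    "$1" "$INET" "$2"
}

# Print the eth0 alias that must exist before a public address can be used.
alias_cmd() {
  valid_ipv4 "$1" || return 1
  printf 'ip addr add %s/%s dev %s\n' "$1" "$PUB_PREFIX" "$INET"
}

# Emit alias + SNAT commands for the whole map, stopping at the first bad entry.
# iptables takes the first matching terminating rule, so these SNAT rules must
# be inserted before any catch-all MASQUERADE rule or they would never match.
build_nat_commands() {
  printf '%s\n' "$CLIENT_MAP" | while read -r internal public; do
    [ -n "$internal" ] || continue
    alias_cmd "$public" || { echo "bad public address: $public" >&2; exit 1; }
    snat_rule "$internal" "$public" || { echo "bad internal address: $internal" >&2; exit 1; }
  done
}

# Dry run: print the commands for review. Apply them with: build_nat_commands | sh
build_nat_commands
```

The generated rules use `--to-source`, the long form of the `--to` shown in the answer; both are accepted by the SNAT target.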
 
Nopius commented:
snowtime, hi.
You have so many questions, so I guess it would probably be better to buy professional support from Ubuntu: http://www.ubuntu.com/support

Ubuntu is a desktop system, not designed to be a router, NAT or proxy (of course it _can_ be). Even though Ubuntu is well documented for desktop usage (https://help.ubuntu.com/), it lacks documentation for setting it up for server tasks. But I'll also try to give you some directions.

1, 2, 3) https://help.ubuntu.com/community/Router

4) I don't know which VMware product and on what OS you are trying to install it, but here are some links for installing it on Ubuntu or installing Ubuntu in VMware.
https://help.ubuntu.com/community/VMware/Server
https://help.ubuntu.com/community/VMware/Workstation
https://help.ubuntu.com/community/VMware?action=show&redirect=InstallingVMWare
As for Squid Proxy, there is good documentation here: http://www.squid-cache.org/

And I agree with Redimido, you should read a lot.
Computer101 commented:
Forced accept.

Computer101
EE Admin