Solved

Setting up Linux Proxy server w/ Squid & IPtables Vmware

Posted on 2008-01-29
2,042 Views
Last Modified: 2012-05-05
I need detailed directions for how to set up a proxy server on a Linux machine (Ubuntu preferably) that will allow me to take multiple IP addresses in my subnet and re-route them simultaneously back to a Windows machine. If you Linux experts can help me (I'm a Linux newbie) in any of the steps below that would be great!

The setup will need to be as follows:
1) Help in setting up my NICs for eth0 & eth1 (I don't even know where to begin here)
eth0 will need to be set up with multiple public IPs. (your public ones)
eth1 will need to have an internal IP, for instance 10.0.0.1

2) Directions for how to set up IPTables for NAT & packet filtering
I recommend setting up 1 proxy server for each browser you need.

3) Instructions for how to source NAT the proxies with the following logic:
i.e. You must Source NAT the proxies. The rules follow this logic:
If source IP = 10.0.0.2 and Outgoing interface = eth0 then set source IP = "public ip here".

4) Step-by-step instructions for getting VMware Server & Squid up and running.
Question by:snowtime
3 Comments
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 1000 total points
ID: 20784066
Well these are many points. I will try to help.

1) http://www.cyberciti.biz/tips/ubuntu-linux-creating-ethernet-alias-for-eth0-network-device.html

2) I attached a firewall script that can help. You need to make it start by adding it at /etc/init.d/rc.local (I included an example line in the code snippet) or by following the instructions from http://ubuntu.wordpress.com/2005/09/07/adding-a-startup-script-to-be-run-at-bootup/

3) to do this, you will need to modify the nat part of the firewall. this way:
   - replace this line:
     $ipt -t nat -A POSTROUTING -o $INET -j MASQUERADE
   - with as many lines as needed of
     $ipt -t nat -A POSTROUTING -s internal.ip.address.1 -o $INET -j SNAT --to external.ip.1
     $ipt -t nat -A POSTROUTING -s internal.ip.address.2 -o $INET -j SNAT --to external.ip.2
     $ipt -t nat -A POSTROUTING -s internal.ip.address.3 -o $INET -j SNAT --to external.ip.3
   - i.e.
     $ipt -t nat -A POSTROUTING -s 10.0.0.2 -o $INET -j SNAT --to 399.399.399.399 (replace with your public ip address)

4) http://tonyseno.blogspot.com/2008/01/configuring-squid-on-ubuntu.html
   and for the squid.conf file maybe this helps:
   http://www.visolve.com/squid/sqguide.php

you need to read a lot and try many times until you are satisfied with your configurations.

Good luck

/etc/rc.local
=============
/etc/init.d/rc.firewall start
 
 
/etc/init.d/rc.firewall
=======================
#!/bin/sh
# Start/stop/restart the Firewall.
#
# This is an init script for the Iptables Scripts by Gabriel Orozco.
#
# Written by Gabriel Orozco <redimido@glo.org.mx>.
#
# V. 0.0.6 Included excellent rules from JLevie Firewall script.
#
 
#Variables
ipt=`which iptables`
LAN=eth1
INET=eth0
fw_status_file="/tmp/firewall.status"
 
firewall_start() {
 
 echo "Configuring policies"
 $ipt -P INPUT DROP
 $ipt -P FORWARD DROP
 $ipt -P OUTPUT ACCEPT
 
 # Turn on IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
 
 echo "Creating Custom Chains"
 # silent       - Just drop the packet
 # tcpflags     - Log packets with bad flags, most likely an attack
 # logdrop      - Log packets that we refuse, possibly from an attack
 #
 $ipt -N silent
 $ipt -A silent -j DROP 
 
 $ipt -N tcpflags
 $ipt -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix "TCPflags:"
 $ipt -A tcpflags -j DROP
 
 $ipt -N logdrop
 $ipt -A logdrop -m limit --limit 15/minute -j LOG --log-prefix "Firewalled:"
 $ipt -A logdrop -j DROP
 
 echo "Starting Firewall Services:"
 
 #FIREWALL RULES
 #
 # These are all TCP flag combinations that should never, ever, occur in the
 # wild. All of these are illegal combinations that are used to attack a box
 # in various ways.
 #
 $ipt -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH         -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL ALL                 -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL NONE                -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST         -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN         -j tcpflags
 
 # Logs / drop invalid packets: delayed packets and/or port scans:
 $ipt -A INPUT -p tcp -m state --state INVALID            -j tcpflags
 #
 # Allow selected ICMP types and drop the rest.
 #
 $ipt -A INPUT -p icmp --icmp-type 0 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 3 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
 $ipt -A INPUT -p icmp -j logdrop
 
 
 # Block packets from internal networks COMING FROM INET (if this happens, it's
 #      surely an attack). The logdrop chain lives in the filter table, so these
 #      rules go in INPUT and FORWARD rather than nat/PREROUTING, where the
 #      chain does not exist and the rule would be rejected:
 for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
   $ipt -A INPUT   -i $INET -s $net -j logdrop
   $ipt -A FORWARD -i $INET -s $net -j logdrop
 done
 
 # allow localhost to always connect
 $ipt -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
 $ipt -A INPUT -p tcp --dport  22 -j ACCEPT # permit ssh from everywhere to allow administration (add -i $LAN or -s <admin ip> to restrict it).
 
 # Stateful Firewall ENABLED: 
 $ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
 $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # uncomment what you need open. assumes open internal and external.
 # if you want to open only from inside, add -i $LAN after the word INPUT:
 # if you want to open only from outside, add -i $INET after the word INPUT:
 #$ipt -A INPUT -p tcp --dport  21 -j ACCEPT   # ftp
 #$ipt -A INPUT -p tcp --dport  53 -j ACCEPT   # dns tcp (some dns clients require tcp)
 #$ipt -A INPUT -p udp --dport  53 -j ACCEPT   # dns udp (most of dns is udp)
 #$ipt -A INPUT -p tcp --dport  80 -j ACCEPT   # web
 #$ipt -A INPUT -p tcp --dport  25 -j ACCEPT   # smtp
 #$ipt -A INPUT -p tcp --dport 110 -j ACCEPT   # pop3
 #$ipt -A INPUT -p tcp --dport 143 -j ACCEPT   # imap
 # If you are running a DHCP server on the firewall uncomment the next line
 #$ipt -A INPUT -i $LAN -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT   # Listen for DHCP Queries (clients send from udp/68 to udp/67; -p udp is required for --sport/--dport)
 
 # Keep internal Windows hosts from announcing themselves on the Internet (Dangerous)
 $ipt -A FORWARD -p udp -m multiport --dport 137,138,139,445 -j silent
 
 # All internal users can go to INET
 # If you want to restrict, you must add the restricting
 #    rules before this one:
 $ipt -A FORWARD -i $LAN -o $INET -j ACCEPT
 
 #NAT FOR LOCAL NETWORK
 echo "Starting NAT for the local network"
 $ipt -t nat -A POSTROUTING -o $INET -j MASQUERADE
}
 
firewall_stop() {
 $ipt -P INPUT   ACCEPT
 $ipt -P FORWARD ACCEPT
 $ipt -P OUTPUT  ACCEPT
 $ipt -F
 $ipt -F INPUT
 $ipt -F OUTPUT
 $ipt -F FORWARD
 $ipt -F -t mangle
 $ipt -F -t nat
 $ipt -X
}
 
firewall_restart() {
 firewall_stop
 sleep 1
 firewall_start
}
 
firewall_status() {
 # create a private 0600 file instead of writing to a predictable /tmp name
 fw_status_file=$(mktemp "$fw_status_file.XXXXXX") || return 1
 echo "===================================================" >  $fw_status_file
 echo "iptables.mangling:"                                  >> $fw_status_file
 $ipt -t mangle -L -vn --line-numbers                       >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 echo "iptables nat:"                                       >> $fw_status_file
 $ipt -t nat -L -vn --line-numbers                          >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 echo "iptables filter:"                                    >> $fw_status_file
 $ipt -L -vn --line-numbers                                 >> $fw_status_file
 echo "===================================================" >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 less $fw_status_file
 rm $fw_status_file
}
 
case "$1" in
'start')
 firewall_start
 ;;
'stop')
 firewall_stop
 ;;
'conf')
 vi $0
 exit
 ;;
'status'|'stat'|'-status'|'-stat'|'STATUS')
 firewall_status
 ;;
'restart')
 firewall_restart
 ;;
*)
 echo "usage $0 { start | stop | conf | status | restart }"
 exit 1
esac
 


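As an added example that is not part of the accepted answer or its firewall script: the per-client SNAT rules from step 3, generated from a small "internal public" address table, with every address validated before it is used so a placeholder such as 399.399.399.399 is rejected rather than handed to iptables. The interface name and all addresses below are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script. Builds the step 3 SNAT
# rules (one dedicated public address per internal VM) from an address table
# and validates each address first. Interface and addresses are assumptions.

# Succeed only if $1 is a dotted quad with each octet in 0..255.
# The body runs in a subshell so changing IFS does not leak to the caller.
validate_ipv4() (
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
)

# Read "internal_ip public_ip" lines on stdin (blank lines and # comments are
# skipped) and print one SNAT rule per line for outgoing interface $1, then
# the MASQUERADE catch-all for clients without a dedicated address. Rules are
# printed rather than applied so they can be reviewed; pipe the output to sh
# to install them. Specific rules come first because POSTROUTING matches in
# order, so a catch-all placed earlier would hide them.
gen_snat_rules() {
  inet=$1
  while read -r internal public; do
    case "$internal" in ''|'#'*) continue ;; esac
    validate_ipv4 "$internal" || { echo "bad internal address: $internal" >&2; return 1; }
    validate_ipv4 "$public"   || { echo "bad public address: $public" >&2; return 1; }
    echo "iptables -t nat -A POSTROUTING -s $internal -o $inet -j SNAT --to-source $public"
  done
  echo "iptables -t nat -A POSTROUTING -o $inet -j MASQUERADE"
}

# Constructed sample table: two VMs on the 10.0.0.0/24 LAN mapped to two
# public addresses from the TEST-NET-3 documentation range.
printf '10.0.0.2 203.0.113.10\n10.0.0.3 203.0.113.11\n' | gen_snat_rules eth0
```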
 
LVL 27

Assisted Solution

by:Nopius
Nopius earned 1000 total points
ID: 20808525
snowtime, hi.
You have so many questions, so I guess it would probably be better to buy professional support from Ubuntu: http://www.ubuntu.com/support

Ubuntu is a desktop system, not designed to be a router, NAT or proxy (of course it _can_ be). Even though Ubuntu is well documented for desktop usage (https://help.ubuntu.com/), it lacks documentation for setting it up for server tasks. But I'll also try to give you some directions.

1, 2, 3) https://help.ubuntu.com/community/Router

4) I don't know what VmWare product and on what OS you are trying to install, but here are some links for installing it on Ubuntu or installing Ubuntu in a VMWare.
https://help.ubuntu.com/community/VMware/Server
https://help.ubuntu.com/community/VMware/Workstation
https://help.ubuntu.com/community/VMware?action=show&redirect=InstallingVMWare
As for Squid Proxy, there is good documentation here: http://www.squid-cache.org/

And I agree with Redimido, you should read a lot.
0
 
LVL 1

Expert Comment

by:Computer101
ID: 21160122
Forced accept.

Computer101
EE Admin
