Setting up Linux Proxy server w/ Squid & IPtables Vmware

Posted on 2008-01-29
Last Modified: 2012-05-05
I need detailed directions for how to set up a proxy server on a Linux machine (Ubuntu preferably) that will allow me to take multiple IP addresses in my subnet and re-route them simultaneously back to a Windows machine. If you Linux experts can help me (I'm a Linux newbie) with any of the steps below, that would be great!

The setup will need to be as follows:
1) Help in setting up my NICs for eth0 & eth1 (I don't even know where to begin here)
eth0 will need to be set up with multiple public IPs (your public ones).
eth1 will need to have an internal IP, for instance.
2) Directions for how to set up IPtables for NAT & packet filtering.
I recommend setting up 1 proxy server for each browser you need.

3) Instructions for how to source NAT the proxies with the following logic:
i.e. You must source NAT the proxies. The rules follow this logic:
If source IP = and outgoing interface = eth0 then set source IP = "public ip here".

4) Step-by-step instructions for getting VMware Server & Squid up and running.
Question by: snowtime

Accepted Solution

Gabriel Orozco earned 1000 total points
ID: 20784066
Well, these are many points. I will try to help.

1) http://www.cyberciti.biz/tips/ubuntu-linux-creating-ethernet-alias-for-eth0-network-device.html

2) I attached a firewall script that can help. You need to make it start by adding it to /etc/init.d/rc.local (I included an example line in the code snippet) or by following the instructions from http://ubuntu.wordpress.com/2005/09/07/adding-a-startup-script-to-be-run-at-bootup/

3) To do this, you will need to modify the NAT part of the firewall, this way:
   - replace this line:
     $ipt -t nat -A POSTROUTING -o $INET -j MASQUERADE
   - with as many lines as needed of
     $ipt -t nat -A POSTROUTING -s internal.ip.address.1 -o $INET -j SNAT --to external.ip.1
     $ipt -t nat -A POSTROUTING -s internal.ip.address.2 -o $INET -j SNAT --to external.ip.2
     $ipt -t nat -A POSTROUTING -s internal.ip.address.3 -o $INET -j SNAT --to external.ip.3
     $ipt -t nat -A POSTROUTING -o $INET -j SNAT --to 399.399.399.399   # (replace with your public ip address)

4) http://tonyseno.blogspot.com/2008/01/configuring-squid-on-ubuntu.html
   and for the squid.conf file maybe this helps:

You need to read a lot and try many times until you are satisfied with your configuration.

Good luck

/etc/init.d/rc.firewall start   # line to add to /etc/init.d/rc.local so the firewall starts at boot

#!/bin/sh
# Start/stop/restart the Firewall.
# This is an init script for the Iptables Scripts by Gabriel Orozco.
# Written by Gabriel Orozco <redimido@glo.org.mx>.
# V. 0.0.6 Included excellent rules from JLevie Firewall script.
ipt=`which iptables`
# Interface variables (their definitions were lost from the posted copy;
# eth0 = public, eth1 = internal as in the question; adjust to your NICs):
INET=eth0
LAN=eth1
firewall_start() {
 echo "Configuring policies"
 # Default policies (lost from the posted copy): deny incoming and forwarded
 # traffic unless a rule below allows it, allow outgoing.
 $ipt -P INPUT DROP
 $ipt -P FORWARD DROP
 $ipt -P OUTPUT ACCEPT
 # Turn on IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
 echo "Creating Custom Chains"
 # silent       - Just drop the packet
 # tcpflags     - Log packets with bad flags, most likely an attack
 # logdrop      - Log packets that we refuse, possibly from an attack
 $ipt -N silent
 $ipt -A silent -j DROP
 $ipt -N tcpflags
 $ipt -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix "TCPflags:"
 $ipt -A tcpflags -j DROP
 $ipt -N logdrop
 $ipt -A logdrop -m limit --limit 15/minute -j LOG --log-prefix "Firewalled:"
 $ipt -A logdrop -j DROP
 echo "Starting Firewall Services:"
 # These are all TCP flag combinations that should never, ever, occur in the
 # wild. All of these are illegal combinations that are used to attack a box
 # in various ways.
 $ipt -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH         -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL ALL                 -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags ALL NONE                -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST         -j tcpflags
 $ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN         -j tcpflags
 # Log / drop invalid packets: delayed packets and/or port scans:
 $ipt -A INPUT -p tcp -m state --state INVALID            -j tcpflags
 # Allow selected ICMP types and drop the rest.
 $ipt -A INPUT -p icmp --icmp-type 0 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 3 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 $ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
 $ipt -A INPUT -p icmp -j logdrop
 # Block packets from internal networks COMING FROM INET (if this happens, it's
 #      surely an attack). The network values were lost from the posted copy;
 #      the three RFC1918 ranges are assumed. These rules must live in the
 #      filter table: the logdrop chain does not exist in the nat table.
 for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  $ipt -A INPUT   -i $INET -s $net -j logdrop
  $ipt -A FORWARD -i $INET -s $net -j logdrop
 done
 # allow localhost to always connect
 $ipt -A INPUT -i lo -j ACCEPT
 $ipt -A INPUT -p tcp --dport  22 -j ACCEPT # permit ssh from everywhere to allow administration.
 # Stateful Firewall ENABLED:
 $ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
 $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # return traffic for the LAN
 # uncomment what you need open. assumes open internal and external.
 # if you want to open only from inside, add -i $LAN after the word INPUT:
 # if you want to open only from outside, add -i $INET after the word INPUT:
 #$ipt -A INPUT -p tcp --dport  21 -j ACCEPT   # ftp
 #$ipt -A INPUT -p tcp --dport  53 -j ACCEPT   # dns tcp (some dns clients require tcp)
 #$ipt -A INPUT -p udp --dport  53 -j ACCEPT   # dns udp (most of dns is udp)
 #$ipt -A INPUT -p tcp --dport  80 -j ACCEPT   # web
 #$ipt -A INPUT -p tcp --dport  25 -j ACCEPT   # smtp
 #$ipt -A INPUT -p tcp --dport 110 -j ACCEPT   # pop3
 #$ipt -A INPUT -p tcp --dport 143 -j ACCEPT   # imap
 # If you are running a DHCP server on the firewall uncomment the next line
 # (queries arrive as UDP from client port 68 to server port 67)
 #$ipt -A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT   # Listen for DHCP Queries
 # Everything else addressed to the box is logged and dropped:
 $ipt -A INPUT -j logdrop
 # Restrict internal Windows servers to announce themselves on the 'NET (Dangerous)
 $ipt -A FORWARD -p udp -m multiport --dports 137,138,139,445 -j silent
 $ipt -A FORWARD -p tcp -m multiport --dports 137,138,139,445 -j silent
 # All internal users can go to INET
 # If you want to restrict, you must add the restricting
 #    rules before this one:
 $ipt -A FORWARD -i $LAN -o $INET -j ACCEPT
 echo "Starting NAT for the local network"
 # Replace this line with the per-source SNAT rules from point 3 above:
 $ipt -t nat -A POSTROUTING -o $INET -j MASQUERADE
}
firewall_stop() {
 # Reset the policies to ACCEPT before flushing, otherwise "stop" leaves the
 # box locked out under the DROP policies set by firewall_start.
 $ipt -P INPUT ACCEPT
 $ipt -P FORWARD ACCEPT
 $ipt -P OUTPUT ACCEPT
 $ipt -F
 $ipt -F INPUT
 $ipt -F OUTPUT
 $ipt -F FORWARD
 $ipt -F -t mangle
 $ipt -F -t nat
 $ipt -X
}
firewall_restart() {
 firewall_stop
 sleep 1
 firewall_start
}
firewall_status() {
 # Use a private temporary file instead of a fixed name in /tmp
 # (mktemp creates it with mode 0600, so nobody else can read or replace it).
 fw_status_file=`mktemp /tmp/fw_status.XXXXXX` || exit 1
 echo "===================================================" >  $fw_status_file
 echo "iptables.mangling:"                                  >> $fw_status_file
 $ipt -t mangle -L -vn --line-numbers                       >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 echo "iptables nat:"                                       >> $fw_status_file
 $ipt -t nat -L -vn --line-numbers                          >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 echo "iptables filter:"                                    >> $fw_status_file
 $ipt -L -vn --line-numbers                                 >> $fw_status_file
 echo "===================================================" >> $fw_status_file
 echo " "                                                   >> $fw_status_file
 less $fw_status_file
 rm $fw_status_file
}
case "$1" in
 'start')
  firewall_start
  ;;
 'stop')
  firewall_stop
  ;;
 'restart')
  firewall_restart
  ;;
 'status')
  firewall_status
  ;;
 'conf')
  vi $0
  ;;
 *)
  echo "usage $0 { start | stop | conf | status | restart }"
  ;;
esac

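The per-proxy SNAT rules from point 3 of the answer above, generated from a mapping table instead of hand-edited, as an added POSIX shell example that is not code from the thread. It assumes eth0 is the public interface and an `IPTABLES` variable naming the binary; every address in the table is constructed. Each address is validated before any rule is emitted, so a typo cannot turn into a silently wrong rule.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the per-proxy SNAT rules
# of point 3 from a mapping table instead of hand-editing the firewall script.
# Assumptions: eth0 is the public interface; every address below is constructed.
INET=eth0
IPTABLES=${IPTABLES:-iptables}

# Constructed mapping: "internal proxy address  public address", one per line.
SNAT_MAP='
192.168.1.11 198.51.100.11
192.168.1.12 198.51.100.12
192.168.1.13 198.51.100.13
'
# Accept only a dotted quad whose four octets are 0-255 (no interval regex,
# so it also works with mawk).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}
# Print one POSTROUTING rule per mapping line: traffic from that internal
# address leaving via $INET gets the matching public source address.
# Returns 1 at the first malformed address, so a typo never yields a wrong rule.
snat_rules() {
    while read -r internal public; do
        [ -n "$internal" ] || continue                     # skip blank lines
        if ! valid_ipv4 "$internal" || ! valid_ipv4 "$public"; then
            echo "bad mapping: '$internal' -> '$public'" >&2
            return 1
        fi
        echo "$IPTABLES -t nat -A POSTROUTING -s $internal -o $INET -j SNAT --to-source $public"
    done <<EOF
$SNAT_MAP
EOF
}
# Validate the whole table first, then apply (needs root for real iptables);
# running snat_rules on its own is the dry run.
apply_snat() {
    rules=$(snat_rules) || return 1
    while read -r rule; do
        eval "$rule" || return 1
    done <<EOF
$rules
EOF
}
```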


Assisted Solution

Nopius earned 1000 total points
ID: 20808525
snowtime, hi.
You have so many questions, so I guess it would probably be better for you to buy professional support from Ubuntu: http://www.ubuntu.com/support

Ubuntu is a desktop system, not designed to be a router, NAT or proxy (of course it _can_ be). Even though Ubuntu is well documented for desktop usage (https://help.ubuntu.com/), it lacks documentation for setting it up for server tasks. But I'll also try to give you some directions.

1, 2, 3) https://help.ubuntu.com/community/Router

4) I don't know what VMware product and on what OS you are trying to install, but here are some links for installing it on Ubuntu or installing Ubuntu in VMware.
As for Squid Proxy, there is good documentation here: http://www.squid-cache.org/

And I agree with Redimido, you should read a lot.

Expert Comment

ID: 21160122
Forced accept.

EE Admin
