In this tutorial I am going to explain how to set up a home router with a transparent proxy using Ubuntu Linux and VirtualBox.
Before we begin installing software and typing in commands, you will need to have VirtualBox downloaded and installed. You can download the latest version of VirtualBox from http://www.virtualbox.org/wiki/Downloads.
Once you have VirtualBox downloaded you will need an .ISO image of Ubuntu, which you can get from http://www.ubuntu.com/download/ubuntu/download. You will need this .ISO image when we set up the router.
Once you have VirtualBox installed, click on the New button. The "create new VM wizard" opens. Click Next. The wizard asks what to name your new VM (I named mine router1) and what type of OS you are going to install. Click Next. Keep the memory at 512MB and click Next. For the remaining pages, up to the final one with the Create button, keep every setting at its default. Click Create and your VM is created, but we are not done yet. Now do the same thing again, this time naming your second VM something like workstation1. What we are doing is creating a virtual router and a virtual workstation that will connect to the router.
Once you have created your two VMs it is time to install Ubuntu. Before we do this, select your router VM (for me that was router1) and open its Settings to adjust the network adapters. Go into the Network settings. Adapter 1 defaults to NAT; change it to Bridged Adapter. Now we need a second virtual NIC, so click on Adapter 2, tick Enable Network Adapter and set the Attached to option to Internal. Click OK and you are done with the router. For your workstation do the same thing, but under its Network settings make sure there is only one adapter and that its Attached to option is set to Internal. This way the workstation sends its requests through the internal network, gets its IP address from the router, and reaches the internet through the router.
Now that all our settings are done, it is time to install Ubuntu. Select the router VM and click Start. A screen opens asking where you want to boot from; click the icon that looks like a folder, find the Ubuntu .ISO you downloaded, select it and click OK. Once you have done that it goes straight into installing Ubuntu, just as on a physical computer. Ubuntu is simple to install: pick your location, time and country. You will also be asked to name your computer, which we will call "router". Make up your password and click Continue. Keep everything at its defaults and click Install. It takes a few minutes to install; once done, click the Restart button to restart your VM.
Setup Network Cards
For this part of the setup we will focus on the two NICs of the router VM. We will use a text editor to adjust the router's network interfaces; you have several to choose from (vi, vim, nano, gedit and so on). I chose nano. While logged in as root, all you need to type is
nano /etc/network/interfaces
In this example my eth0 is the network interface that connects to the internet and eth1 the interface on the internal network. I added the following to the /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255

auto eth0
iface eth0 inet dhcp
Once you have typed in those lines, press Ctrl+X, then Y, then Enter to save and exit. Now type:

/etc/init.d/networking restart

This brings the network down and back up with the adjustments we made. Your eth0 may be eth1 or eth2; it depends on which card your PC recognizes first, and your internal card could be recognized as eth2, eth3, eth4 and so on, so be sure to adjust accordingly. In this tutorial we are working with eth0 and eth1.
Enable packet forwarding
Once all those are installed, type in your terminal:

nano /etc/sysctl.conf

and uncomment the ip_forward line so that the file contains:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

That setting is read at boot. To turn forwarding on immediately as well, without rebooting, run:

echo 1 > /proc/sys/net/ipv4/ip_forward
Install Webmin
Webmin is a good program to help configure your gateway and the other server programs you might use, such as the DHCP server and bind9 we downloaded. With Webmin you can configure your server easily from any web browser you choose.
First we need to change into the /opt directory and create a directory called webmin. To do this, type these commands in the terminal:

cd /opt
mkdir webmin
cd /opt/webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.430.tar.gz
tar xzvf webmin-1.430.tar.gz
cd webmin-1.430/
./setup.sh

During the installation you will be asked a couple of questions; just press Enter to accept the defaults. The only things you want to change are the port number, the user name and the password, and also answer yes to SSL. At the end it tells you the web address to go to; write it down or paste it into a text file and save it, because we will be going there in a minute.
Firewall Script for Forwarding
We need to create a script for the firewall. You can copy and paste the script below and use it as your own; remember to set EXTIF and INTIF to match your interfaces. For mine I used eth0 and eth1, but yours may be different. The text may seem long, but the comments are there for learning purposes.
#!/bin/sh
#
# rc.firewall-iptables: simple IP masquerading firewall for the router
FWVER=1.0    # version label printed in the banner below; any string will do

echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"

# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# NOTE: If this doesn't EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables below. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#EXTIP="192.168.1.1"
#echo " External IP: $EXTIP"

echo " loading modules: "

# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manually load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "---"

#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo "ip_tables, "
$MODPROBE ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - Loaded automatically when masq functionality is enabled
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo "ip_conntrack, "
$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#$MODPROBE ip_nat_irc

echo "---"
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# ---
echo " Done loading modules.\n"

#CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#

#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
# Isn't ACCEPT insecure? To some degree, YES, but this is our testing
# phase. Once we know that IPMASQ is working well, I recommend you run
# the rc.firewall-*-stronger rulesets which set the defaults to DROP but
# also include the critical additional rulesets to still let you connect to
# the IPMASQ server, etc.
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
# Second internal interface, if you have one (INTIF2 is not set above)
#$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

# Use SNAT instead of MASQUERADE when the external address is static (set EXTIP above)
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo "\nrc.firewall-iptables v$FWVER done.\n"
Type in the terminal (replacing 'scriptname' with whatever you named the script):

cp 'scriptname' /etc/init.d/'scriptname'

This copies the script to the init.d directory, where the other scripts that run at boot live. Now that this is out of the way, we need to make a symbolic link in the rc2.d directory pointing to the script we stored in the init.d directory. In your terminal type:

ln -s /etc/init.d/'scriptname' /etc/rc2.d/S95masquradescript

Restart your computer and test whether you still have the same functionality. If so, congratulations! If not, make sure you followed the steps above correctly and that the script in /etc/init.d is executable, so that it can be run at boot.
Setting up the DHCP for your Router
In Webmin, click on the Servers tab in the menu on the left-hand side, then click on DHCP. Click on Add New Subnet and enter the following values in their respective fields:

Network address – 192.168.10.0
Netmask – 255.255.255.0
Address ranges – 192.168.10.100 – 192.168.10.200

After you have entered the above, click the Create button. You should now see an icon that reads 192.168.10.0; click on it and then click on the Edit Client Options button, and enter:

Subnet mask – 255.255.255.0
Default routers – 192.168.10.1
Broadcast address – 192.168.10.255
DNS servers – 192.168.10.1

After you have entered the above into the client options window, click the Save button twice, which should return you to the main DHCP server window. There you will see a button called Edit Network Interface; click it, select eth1 and click Save. Now click on the Start Server button to start your DHCP server.
A good way to find out whether your DHCP server is handing out addresses to your workstation is to click on the List Active Leases button at the bottom of the DHCP screen.
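The network and broadcast values typed into the /etc/network/interfaces stanza earlier, and the subnet, address range and client options entered into the Webmin DHCP form above, all derive from one address/netmask pair. The script below is an added example, not part of this tutorial, that computes them in plain sh for any address and mask (not only the 192.168.10.0/24 used here), prints the interfaces stanza, and builds an ISC dhcpd subnet block equivalent to what the Webmin DHCP module manages in dhcpd.conf (the exact formatting Webmin writes may differ). It also refuses a lease range that leaves the subnet, or that includes the network, broadcast or router address, a mistake that is easy to make when typing ranges by hand. The function names and the `demo` argument are my own.

```shell
#!/bin/sh
# Added example, not from the tutorial: IP arithmetic for the router's
# internal subnet, the matching interfaces stanza, and a validated dhcpd
# subnet block. POSIX sh only (no external tools).

# Dotted-quad to 32-bit integer. The heredoc keeps the IFS change local to read.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer back to dotted-quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address = address AND netmask.
network_of() { int2ip $(( $(ip2int "$1") & $(ip2int "$2") )); }

# Broadcast address = network OR inverted netmask (masked to 32 bits).
broadcast_of() {
    int2ip $(( ($(ip2int "$1") & $(ip2int "$2")) | (~$(ip2int "$2") & 4294967295) ))
}

# /etc/network/interfaces stanza for a static interface, with network and
# broadcast computed rather than typed. $1 = interface, $2 = address, $3 = netmask.
iface_stanza() {
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    network %s\n    broadcast %s\n' \
        "$1" "$1" "$2" "$3" "$(network_of "$2" "$3")" "$(broadcast_of "$2" "$3")"
}

# Succeeds when start..end is inside the router's subnet and excludes the
# network, broadcast and router addresses. $1 = router, $2 = netmask,
# $3 = range start, $4 = range end.
range_ok() {
    net=$(ip2int "$(network_of "$1" "$2")")
    bcast=$(ip2int "$(broadcast_of "$1" "$2")")
    rtr=$(ip2int "$1"); s=$(ip2int "$3"); e=$(ip2int "$4")
    [ "$s" -le "$e" ] && [ "$s" -gt "$net" ] && [ "$e" -lt "$bcast" ] &&
        { [ "$rtr" -lt "$s" ] || [ "$rtr" -gt "$e" ]; }
}

# dhcpd.conf subnet block equivalent to the Webmin DHCP form: the router is
# both default gateway and DNS server, as in the tutorial. Same arguments as
# range_ok; returns 1 without printing anything if the range is bad.
dhcp_subnet() {
    range_ok "$1" "$2" "$3" "$4" || { echo "bad range $3-$4 for $1/$2" >&2; return 1; }
    printf 'subnet %s netmask %s {\n    range %s %s;\n    option subnet-mask %s;\n    option routers %s;\n    option broadcast-address %s;\n    option domain-name-servers %s;\n}\n' \
        "$(network_of "$1" "$2")" "$2" "$3" "$4" "$2" "$1" "$(broadcast_of "$1" "$2")" "$1"
}

# Stand-alone demo with the tutorial's values:  sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    iface_stanza eth1 192.168.10.1 255.255.255.0
    dhcp_subnet 192.168.10.1 255.255.255.0 192.168.10.100 192.168.10.200
    # Range that would hand the router's own address to a client: rejected.
    dhcp_subnet 192.168.10.1 255.255.255.0 192.168.10.1 192.168.10.50 || echo "rejected as expected"
fi
```

Run it with `sh thisfile.sh demo` to print the stanza and the subnet block for the tutorial's values; the third call is rejected because the range would include the router's own address 192.168.10.1.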
Configure firewall
Add the following rules to the INPUT chain:

Accept if input interface is lo and state of connection is ESTABLISHED,RELATED
Accept if input interface is eth0 and state of connection is ESTABLISHED,RELATED
Accept if input interface is eth1 and state of connection is ESTABLISHED,RELATED

Click on Apply Configuration when you are done.
Transparent Proxy Setup
To set up the rules for a transparent proxy you need to know two things: the interface on which the requests to be proxied arrive at the router, and the port Squid is listening on, which by default is 3128. The requests we want to proxy are the workstation's, and they enter the router on the internal interface (eth1 in this tutorial, the INTIF of the firewall script); a REDIRECT bound to the internet-facing interface eth0 would instead intercept port 80 traffic arriving from the internet.
Now, time to see the magic iptables rule for transparent proxying. Add this to the end of the script we made earlier, using whatever text editor you wish:

# Enabling Transparent Proxy functionality on $INTIF
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128

Once you have added this line to your script, copy it into place again by typing in your terminal:

cp 'scriptname' /etc/init.d/'scriptname'

then execute it again with:

sh /etc/init.d/'scriptname'

Make sure the link in the rc2.d directory is still in place, remaking it if necessary (ln refuses to overwrite an existing link, so an error here just means the earlier link still exists):

ln -s /etc/init.d/'scriptname' /etc/rc2.d/S95masquradescript
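The firewall section ends with "restart and test whether you still have the same functionality", and the proxy rule above adds one more property to check. The script below is an added example, not part of this tutorial, that makes the test precise: it reads a ruleset in `iptables-save` format and confirms what the firewall script and the REDIRECT rule are meant to establish: FORWARD defaulting to DROP, only ESTABLISHED,RELATED traffic forwarded from the external to the internal interface, internal traffic forwarded out, masquerading on the external interface, and the port 80 redirect bound to the internal interface only (and not to the external one). The two sample rulesets embedded in it are constructed for the example, written the way iptables-save prints such rules; on the router you would run `iptables-save > /tmp/rules.txt` and pass that file. Function names and the `demo` argument are my own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audits an iptables-save dump for
# the properties the router's firewall script and transparent-proxy rule
# should establish. The sample rulesets below are constructed.

# One check. $1 = label, $2 = present|absent, $3 = extended regex,
# $4 = ruleset file. Prints PASS/FAIL and returns 1 on FAIL.
check() {
    if grep -qE -- "$3" "$4"; then found=yes; else found=no; fi
    if { [ "$2" = present ] && [ "$found" = yes ]; } ||
       { [ "$2" = absent ]  && [ "$found" = no ]; }; then
        echo "PASS: $1"
    else
        echo "FAIL: $1"
        return 1
    fi
}

# Audit a ruleset file. $1 = file, $2 = external interface, $3 = internal
# interface, $4 = proxy port. Returns the number of failed checks.
audit_ruleset() {
    f=$1; ext=$2; int=$3; port=$4; fails=0
    check "FORWARD chain defaults to DROP" present \
        "^:FORWARD DROP" "$f" || fails=$((fails + 1))
    check "only established/related traffic is forwarded from $ext to $int" present \
        "^-A FORWARD -i $ext -o $int -m state --state RELATED,ESTABLISHED -j ACCEPT\$" "$f" || fails=$((fails + 1))
    check "traffic from $int is forwarded out via $ext" present \
        "^-A FORWARD -i $int -o $ext -j ACCEPT\$" "$f" || fails=$((fails + 1))
    check "masquerading is enabled on $ext" present \
        "^-A POSTROUTING -o $ext -j MASQUERADE\$" "$f" || fails=$((fails + 1))
    check "port 80 from $int is redirected to the proxy on port $port" present \
        "^-A PREROUTING -i $int -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $port\$" "$f" || fails=$((fails + 1))
    check "no REDIRECT is bound to the external interface $ext" absent \
        "^-A PREROUTING -i $ext .*-j REDIRECT" "$f" || fails=$((fails + 1))
    return "$fails"
}

# True when IPv4 forwarding is on; $1 overrides the sysctl file (used by tests).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Constructed dump of what the tutorial's script plus the proxy rule produce.
sample_good_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Constructed dump with two mistakes: FORWARD left at ACCEPT, and the
# REDIRECT bound to the internet-facing interface instead of the LAN one.
sample_bad_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone demo over both samples:  sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    for s in good bad; do
        tmp=$(mktemp); "sample_${s}_ruleset" > "$tmp"
        echo "== $s sample =="
        audit_ruleset "$tmp" eth0 eth1 3128; echo "failures: $?"
        rm -f "$tmp"
    done
fi
```

On the router, `iptables-save > /tmp/rules.txt` followed by `audit_ruleset /tmp/rules.txt eth0 eth1 3128` (with your own interface names) gives a PASS/FAIL line per property and an exit status equal to the number of failures, which is easier to act on than "does the workstation still browse". The constructed bad sample fails three checks: the FORWARD policy, the missing redirect on eth1, and the stray redirect on eth0.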