How to Create, Setup, and Configure an Ubuntu Router with a Transparent Proxy.

Transcription

1 In this tutorial I am going to explain how to setup a home router with transparent proxy using Linux Ubuntu and Virtualbox. Before we begin to delve into the heart of installing software and typing in code; you will need to have virtualbox downloaded and installed. You can download the latest version of virtualbox from here at Once you have VBox downloaded you will need to download an.iso of Linux Ubuntu which you can get here You will need this.iso image when we go to setup the router. Once you have virtualbox installed click on the NEW button. The create new VM wizard will open up. Click on the next button. The wizard will ask what to name your new VM (I named mine router1)and what type of OS you want to install afterwards. Now click on the next button. Keep the memory at 512MB, and click next. For the next couple of settings until you arrive at the finish to where it says create, keep every setting at the default settings. Once you have done this click the create button and your VM is created, but we are not done yet. Now do the same thing again this time naming your second VM something like workstation1. What we are doing is creating a virtual router and a virtual workstation to connect to the router. Once you have created your two VMs it is time to install Ubuntu. Before we do this click on your router VM, for me it was router1. After I clicked on router1, lets go into the settings and adjust the network adapters. Go into the Network settings. Adapter 1 is default settings of NAT, we need to change this to Bridged Adapter. Now we need a second virtual NIC, so click on adapter 2. Check the Enabled Network Adapter and set the Attached to Internal. Click on Okay and you are done with the router. For you workstation do the same thing, but this time under its Network settings make sure there is only one adapter and its attached to settings is set to Internal. This way the workstation sends its queries through the internal network to get is IP address from the router and also gets out into the internet through the router. It is now time to install Ubuntu since we have all our settings done. We first will click on the router VM and click on start. It will open the screen that will ask where you want to boot from, click on the icon that looks like a folder, go find the.iso of Ubuntu you downloaded. Select it and click on Okay. Once you have done that it will go right into installing Ubuntu for you as if you at an actual computer. Ubuntu is pretty simple to install, just pick your location, time, and country. You will also be asked to name your computer which we will call it router. Make up your password and click on continue. Keep everything in its default settings and click install. It will take a few minutes to install, but once done click on the restart button to restart your VM. Once your VM has restarted and is at the desktop screen go into the terminal. Applications > Terminal. We will need to set the root password so we do not have to type sudo all the time. Type in sudo passwd root. It will prompt you to enter the new password three times. Type in whatever password is easy for you to remember. Great we got that done.

2 Setup Network Cards For this part of the setup we will focus on the two NICs of the VM router. We are going to use one of text editors to adjust the network interfaces of the router. You have some different options to choose form vi, vim, nano, gedit, and etc. For me I choose nano. So while we are logged in as root all you need to type in nano /etc/network/interfaces In this example my eth0 represents the network interface that connects to the internet and the eth1 interface the internal network. I added the following code into the /etc/network/interfaces file: auto lo iface lo inet loopback auto eth1 iface eth1 inet static address netmask network broadcast auto eth0 iface eth0 inet dhcp Once you have typed in those figures click on ctrl+x, then y, then Enter. Now type in /etc/init.d/networking restart This will bring down the network and restart it up again with the adjustments we made. Now for you eth0 might be eth1 or eth2, it just depends on which one your PC recognizes first. Your internal card could be recognized as eth2, eth3, eth4, and so on. So be sure to adjust accordingly. For me we are working with eth0 and eth1. Once your network has restarted we are going to install a few programs to will help us in the long run. In your terminal type in apt-get install. You can do this in one long string, or individually. The choice is yours. You will need these programs; dhcp3-server, bind9, perl, libnet-ssleay-perl, openssl, libauthenpam-perl, libpam-runtime, and libio-pty-perl.

3 Enable packet forwarding Once all those are installed type in your terminal nano /etc/sysctl.conf Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 echo 1 > /proc/sys/net/ipv4/ip_forward Install Webmin Webmin is a good program to use to help configure your gateway and other server programs that you might use, such as the dhcp and bind9 we downloaded. If you use webmin, you will be able to easily configure your server, using any web browser you choose. First we need to change into the /opt directory and create a directory called webmin. To do this type in the terminal these commands cd /opt mkdir webmin cd /opt/webmin wget tar xzvf webmin tar.gz cd webmin-1.430/./setup.sh During the installation you will be asked a couple questions, just press enter. The only thing that you want to change is the port number, user name and password and also say yes to SSL. It will tell you a website to go to, write it down or copy and paste it onto one of your text editors and save it for we will be going there in a min. Firewall Script for Forwarding We need to create a script for the firewall. In this script you can copy and paste this script and use it as your own. Remember to correct the EXTIF and INTIF to your needs. For mine I had to use eth0 and eth1, but yours maybe different. The text may seem long but it is for learning purposes.!/bin/sh firewall-iptables FWVER= 0.76

4 echo -e "\n\nloading simple rc.firewall-iptables version $FWVER..\n" The location of the iptables and kernel module programs If your Linux distribution came with a copy of iptables, most likely all the programs will be located in /sbin. If you manually compiled iptables, the default location will be in /usr/local/sbin ** Please use the "whereis iptables" command to figure out ** where your copy is and change the path below to reflect ** your setup IPTABLES=/sbin/iptables IPTABLES=/usr/local/sbin/iptables DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe Setting the EXTERNAL and INTERNAL interfaces for the network Each IP Masquerade network needs to have at least one external and one internal network. The external network is where the natting will occur and the internal network should preferably be addressed with a RFC1918 private address scheme. NOTE: If this doesnt EXACTLY fit your configuration, you must change the EXTIF or INTIF variables above. For example: If you are a PPPoE or analog modem user: EXTIF="ppp0" EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" EXTIP=" " echo " External IP: $EXTIP" ====================================================================== == No editing beyond this line is required for initial MASQ testing ==

5 echo " loading modules: " Need to verify that all modules have all required dependencies echo " - Verifying that all kernel modules are ok" $DEPMOD -a With the new IPTABLES code, the core MASQ functionality is now either modular or compiled into the kernel. This HOWTO shows ALL IPTABLES options as MODULES. If your kernel is compiled correctly, there is NO need to load the kernel modules manually. NOTE: The following items are listed ONLY for informational reasons. There is no reason to manual load these modules unless your kernel is either mis-configured or you intentionally disabled the kernel module autoloader. Upon the commands of starting up IP Masq on the server, the following kernel modules will be automatically loaded: NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules are shown below but are commented out from loading. =============================================================== echo " " Load the main body of the IPTABLES module - "iptable" - Loaded automatically when the "iptables" command is invoked - Loaded manually to clean up kernel auto-loading timing issues echo "ip_tables, " $MODPROBE ip_tables Load the IPTABLES filtering module - "iptable_filter" - Loaded automatically when filter policies are activated Load the stateful connection tracking framework - "ip_conntrack" The conntrack module in itself does nothing without other specific conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" module - This module is loaded automatically when MASQ functionality is

6 enabled - Loaded manually to clean up kernel auto-loading timing issues echo "ip_conntrack, " $MODPROBE ip_conntrack Load the FTP tracking mechanism for full FTP tracking Enabled by default -- insert a "" on the next line to deactivate echo "ip_conntrack_ftp, " $MODPROBE ip_conntrack_ftp Load the IRC tracking mechanism for full IRC tracking Enabled by default -- insert a "" on the next line to deactivate echo "ip_conntrack_irc, " $MODPROBE ip_conntrack_irc Load the general IPTABLES NAT code - "iptable_nat" - Loaded automatically when MASQ functionality is turned on - Loaded manually to clean up kernel auto-loading timing issues echo "iptable_nat, " $MODPROBE iptable_nat Loads the FTP NAT functionality into the core IPTABLES code Required to support non-pasv FTP. Enabled by default -- insert a "" on the next line to deactivate echo "ip_nat_ftp, " $MODPROBE ip_nat_ftp Loads the IRC NAT functionality into the core IPTABLES code Required to support NAT of IRC DCC requests Disabled by default -- remove the "" on the next line to activate echo -e "ip_nat_irc"

7 $MODPROBE ip_nat_irc echo " " Just to be complete, here is a partial list of some of the other IPTABLES kernel modules and their function. Please note that most of these modules (the ipt ones) are automatically loaded by the master kernel module for proper operation and don't need to be manually loaded echo " Done loading modules.\n" CRITICAL: Enable IP forwarding since it is disabled by default since Redhat Users: you may try changing the options in /etc/sysconfig/network from: FORWARD_IPV4=false to FORWARD_IPV4=true echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward Dynamic IP users: If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following option. This enables dynamic-address hacking which makes the life with Diald and similar programs much easier. echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr Enable simple IP forwarding and Masquerading NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. NOTE 2: The following is an example for an internal LAN address in the x network with a or a "24" bit subnet mask connecting to the Internet on external interface "eth0". This example will MASQ internal traffic out to the Internet but not allow non-initiated traffic into your internal network.

8 ** Please change the above network numbers, subnet mask, and your *** Internet connection interface name to match your setup Clearing any previous configuration Unless specified, the defaults for INPUT and OUTPUT is ACCEPT The default for FORWARD is DROP (REJECT is not a valid policy) Isn't ACCEPT insecure? To some degree, YES, but this is our testing phase. Once we know that IPMASQ is working well, I recommend you run the rc.firewall-*-stronger rulesets which set the defaults to DROP but also include the critical additional rulesets to still let you connect to the IPMASQ server, etc. echo " Clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG $IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -m state --state ESTABLISHED,RELATED \-j ACCEPT $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo "\nrc.firewall-iptables v$fwver done.\n" Now run the shell script, 'sh scriptname' and your connecting PCs should have Internet access! If not, check out the script and see if everything is configured appropriately (particularly the path to Iptables). Now assuming that everything is in order and working properly, we want to make our new script bootable so we don't have to run the script every time we restart.

9 Type in the terminal: cp 'scriptname' /etc/init.d/'scriptname' This copies the script to the init.d directory where other scripts are run at bootup. Now that this is out of the way, we need to make a symbolic link in the rc2.d directory pointing to the script we stored in the init.d directory. In your terminal type: ln -s /etc/init.d/'scriptname' /etc/rc2.d/s95masquradescript Restart your computer and test to see if you still have the same functionality. If so then congratulations! If not then make sure you followed the above correctly so the script is bootable. Setting up the DHCP for your Router In your Webmin directory on your left hand side click on the SERVERS tab. Now click on where is says DHCP. Click on ADD NEW SUBNET and add the following address to their respective places. Network address Netmask Address ranges After you have entered the above click on the create button. You should now see an icon that reads , click on this new icon and then click on the Edit Client Options button. Subnet mask Default routers Broadcast address DNS servers After you have the above into the client options windows click the save button twice, which should return you to the main DHCP server window. Inside the DHCP server screen, you see a button called Edit Network Interface, click this button and select eth1 then click save. Now click on the Start Sever button to start your DHCP server. A good way to find out if your DHCP server is working with your workstations click on the List Active Leases button at the botton of the DHCP screen. Configure firewall Once you have setup you DHCP server, click on the Networking tab. Click on the Linux Firewall link. Once you are inside the firewall program, change the drop down list from Network Address Translation (NAT) to Packet Filtering (filter).you will now need to add the following rules to your firewall.

10 Input: Accept if input interface is lo and state of connection is ESTABLISHED, RELATED Accept if input interface is eth0 and state of connection is ESTABLISHED, RELATED Accept if input interface is eth1 and state of connection is ESTABLISHED, RELATED Click on Apply Configurations when you are done. Transparent Proxy Setup To set up the rules for a transparent proxy, you will need to know two things, the interface that the proxied requests are coming in on (I'll use eth0 as my example) and the port squid is running on which on default is port Now, time to see the magic iptables request for transparent proxying, add this to your script that we made earlier using whatever text editor you wish: Enabling Transparent Proxy functionality on $EXTIF $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 Once you have added this line of code to your script, type in this command in your terminal: cp 'scriptname' /etc/init.d/'scriptname' then execute it again by typing command: sh /etc/init.d/ scriptname Make sure now that you remake the link in the rc2.d directory by typing again the terminal: ln -s /etc/init.d/'scriptname' /etc/rc2.d/s95masquradescript Congratulations! You are done creating your own home Ubuntu Linux router with Transparent proxying.