Basically, this is the situation:
I have an ADSL connection which can give me a public IP, and I have an old PC which I want to use as a router.
The problem is that the old PC has only one NIC (Network Interface Card) and I'm too lazy to buy a new one. But I still want it to act as a router for the other PCs, so they can also connect to the Internet.
Here is the list of what I want:
1. Create a router
2. Make it a proxy server
3. Make the proxy transparent
I have already set up my Squid proxy to work on port 3128.
I'm using Squid proxy server with the version > 2.6, and to make it transparent I add these lines to /etc/squid/squid.conf:
http_port 3128 transparent
icp_port 3130
As I only have one NIC, I need to create a virtual Ethernet interface (an alias), so the card can have two different IP addresses (which, of course, can be in two different subnets). I'm using Ubuntu Server, so I change it in /etc/network/interfaces:
# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
name Ethernet Public IP
address 2xx.19x.1xx.52
netmask 255.255.255.248
broadcast 2xx.19x.1xx.63
gateway 2xx.19x.1xx.49

auto eth0:0
iface eth0:0 inet static
name Ethernet alias LAN card
address 192.168.168.25
netmask 255.255.255.0
broadcast 192.168.168.255
network 192.168.168.0
Here's the complete script for my proxy server, so that it works with only one network card and acts as a transparent proxy for the clients. I give it the name /root/makemetransparent.sh
#!/bin/sh
# Squid server IP
SQUID_SERVER="192.168.168.25"
# Interface connected to Internet
INTERNET="eth0"
# Address connected to LAN
LOCAL="192.168.168.0/24"
# Squid port
SQUID_PORT="3128"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if Squid runs on this same system: redirect port 80 traffic arriving on $INTERNET to the local Squid port
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Voilà! Now all PCs on the 192.168.168.0/24 network can connect to the Internet without having to put the proxy server in the browser settings.
- end of story -
The script is a modified version of what I read here.
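
An added check, not part of the original post: the script above never sets a FORWARD policy, and its REDIRECT and MASQUERADE rules match on the interface only, which on a one-NIC box is also the public side. The sketch below audits an `iptables-save` dump for those conditions; the function names and the sample dump (constructed from the script's rules) are assumptions.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump of the one-NIC transparent proxy.
# audit_ruleset and sample_ruleset are illustrative names, not from the post.

# Constructed sample: roughly what iptables-save prints after the script runs.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.168.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.168.25:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.168.0/24 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -s 192.168.168.0/24 -j ACCEPT
COMMIT
EOF
}

# Usage: iptables-save | audit_ruleset <LAN CIDR> <squid port>
# Prints one finding per line; prints nothing when the ruleset is scoped.
audit_ruleset() {
  awk -v lan="$1" -v port="$2" '
    /^\*/ { table = substr($0, 2); next }
    # With FORWARD policy ACCEPT the "-s LAN" FORWARD rule restricts nothing.
    table == "filter" && /^:FORWARD ACCEPT/ { print "FORWARD_POLICY_ACCEPT" }
    # Interception rules should match the LAN source, not just the interface.
    table == "nat" && /^-A PREROUTING/ && /-j (REDIRECT|DNAT)/ && index($0, port) &&
      !index($0, "-s " lan " ") { print "UNSCOPED_INTERCEPT: " $0 }
    # MASQUERADE without a source match rewrites any forwarded traffic.
    table == "nat" && /-j MASQUERADE/ && !index($0, "-s " lan " ") {
      print "UNSCOPED_MASQUERADE: " $0 }
  '
}

sample_ruleset | audit_ruleset 192.168.168.0/24 3128
```

All three findings clear when the REDIRECT and MASQUERADE rules carry `-s $LOCAL` and the script sets `iptables -P FORWARD DROP` together with `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` for return traffic. As written, only the INPUT chain keeps non-LAN sources away from the Squid port.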












Here is my network interface. How do I change it? Still a newbie. Thanks for your help.
DEVICE=eth0
BOOTPROTO=none
BROADCAST=192.168.1.255
HWADDR=00:B0:D0:35:70:3A
IPADDR=192.168.1.17
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
MTU=1500
GATEWAY=192.168.1.254
TYPE=Ethernet
@rayme: basically it's just the same :) What you need to change is just the IP address configuration, usually located here: /etc/sysconfig/network-scripts/ifcfg-eth0
Just want to ask, how about in CentOS? Can you help me with this tutorial in CentOS? TQ
Mas, how do I create the script in /etc/rc.local, or could you please share the script for rc.local? Sorry, I'm a newbie. TIA
@inu: the file can be placed anywhere; what matters is that it is called at boot. Call the script from /etc/rc.local
>> I give it a name /root/makemetransparent.sh
So the file is placed in the /root directory, right? And the iptables-config file is left untouched? How does that work? I'm still confused... It's too brief, please explain it in detail. I'm still far below newbie level. Thanks
Mas, I'd like to ask something. My internet café server uses Mandriva 2006, and for the proxy server I use SQUID 2.5 Stable10; I installed it from Mandriva's CPanel. The problem is that the cache folder does not record all the sites opened by the clients, only certain ones: yahoo, google, bekas.com and friendster are not saved in the cache. What should I do? All the browsers are already pointed at the proxy server on port 3128, and in the LAN settings I have also filled in DEFAULT GATEWAY with the proxy server's IP. Is it because I filled in the default gateway with the server's IP? That goes through the NAT path rather than the proxy, so it is not recorded in the cache... is that right? If the default gateway on the client is left empty, MIRC and YM don't work, and if they are pointed through the proxy, YM and MIRC don't work either. So my SQUID is not powerful; compared with CCPROXY it is still far behind on speed, maybe because CCProxy works perfectly. What now, please help. I haven't changed my SQUID yet; I'm just using the standard config that ships with Mandriva, which should be capable enough for a proxy. Please enlighten me.
Pak, I have managed to set up Squid with one NIC on Windows XP. What I want to ask is: can it be made transparent? How is it done, Pak? Thanks in advance :)
Aaaaaa, teach me... teach me... teach me..!! :D