Transparent Proxy Server with One NIC

Basically this is the situation:
I have an ADSL connection that gives me a public IP, and an old PC that I want to use as a router.

The problem is that the old PC has only one NIC (Network Interface Card) and I'm too lazy to buy another one. I still want it to act as a router, so the other PCs can reach the Internet through it.

Here is the list of what I want:

1. Create a router
2. Make it as a proxy server
3. Make the proxy transparent

I have already set up my Squid proxy on port 3128.

I'm using Squid version 2.6 or newer, and to make it transparent I added these lines to /etc/squid/squid.conf (Squid 3.1 and later spell the option intercept instead of transparent):

http_port 3128 transparent
icp_port 3130

As I only have one NIC, I need to create a virtual interface (an alias) so the card can carry two IP addresses, which of course can be in two different subnets. I'm using Ubuntu Server, so the change goes in /etc/network/interfaces:

# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
        name Ethernet Public IP
        address 2xx.19x.1xx.52
        netmask 255.255.255.248
        # .52 with netmask 255.255.255.248 lies in the block .48-.55, so the
        # broadcast is .55 (if the ISP really gave .48-.63, the netmask should
        # be 255.255.255.240 instead)
        broadcast 2xx.19x.1xx.55
        gateway 2xx.19x.1xx.49

auto eth0:0
iface eth0:0 inet static
        name Ethernet alias LAN card
        address 192.168.168.25
        netmask 255.255.255.0
        broadcast 192.168.168.255
        network 192.168.168.0
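Before bringing the alias up, it is worth checking that the numbers in each stanza agree with each other. The following POSIX sh script is an added example, not part of the original post: it recomputes the network and broadcast address from address and netmask, and checks that the gateway lies in the same block. The public prefix is masked above, so the script uses the documentation range 203.0.113.0/24 in its place (an assumption), and feeds it one deliberately mistyped broadcast to show what a mismatch looks like.

```shell
#!/bin/sh
# Added example (not from the original post): validate an ifupdown
# "iface ... inet static" stanza by recomputing network and broadcast
# from address + netmask in pure POSIX sh (no ipcalc needed).

# ip2int DOTTED-QUAD -> unsigned 32-bit integer (subshell so IFS is not leaked)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int2ip INTEGER -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDRESS NETMASK -> network address
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast_of ADDRESS NETMASK -> broadcast address (host bits all set)
broadcast_of() {
    _m=$(ip2int "$2")
    int2ip $(( ($(ip2int "$1") & _m) | (_m ^ 4294967295) ))
}

# check_stanza ADDRESS NETMASK BROADCAST [GATEWAY]
# Prints what is wrong; returns 0 if the stanza is consistent, 1 otherwise.
check_stanza() {
    _net=$(network_of "$1" "$2")
    _bc=$(broadcast_of "$1" "$2")
    _rc=0
    if [ "$3" != "$_bc" ]; then
        echo "broadcast $3 is wrong for $1 netmask $2 (block is $_net-$_bc)"
        _rc=1
    fi
    if [ -n "${4:-}" ] && [ "$(network_of "$4" "$2")" != "$_net" ]; then
        echo "gateway $4 is not inside $_net netmask $2"
        _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "$1 netmask $2: OK"
    return $_rc
}

# Usage: the post's two stanzas, with the masked public prefix replaced by
# the documentation range 203.0.113.0/24 (assumed, not the real prefix).
# A /29 holding .52 spans .48-.55, so a broadcast of .63 is flagged.
check_stanza 203.0.113.52 255.255.255.248 203.0.113.63 203.0.113.49 || :
check_stanza 203.0.113.52 255.255.255.248 203.0.113.55 203.0.113.49
check_stanza 192.168.168.25 255.255.255.0 192.168.168.255
```

Run it on the box before ifup; a stanza that fails the check will either not come up or will come up with a broadcast the rest of the segment does not share.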

Here's the complete script that makes the proxy server work with only one network card and act as a transparent proxy for the clients. I named it /root/makemetransparent.sh:

#!/bin/sh

# Squid server IP
SQUID_SERVER="192.168.168.25"

# Interface connected to the Internet (with one NIC this is the LAN side too)
INTERNET="eth0"

# Address range of the LAN
LOCAL="192.168.168.0/24"

# Squid port
SQUID_PORT="3128"

# Clean old firewall rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default filter policies: drop what is not explicitly allowed, both for
# packets addressed to this box (INPUT) and for packets routed through it
# (FORWARD defaults to ACCEPT, which would let any host on the segment
# route through this box)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies to connections this box opened itself
# (this is what lets DNS answers and passive FTP data come back in)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set this system up as a router for the rest of the LAN: masquerade
# outgoing packets, allow new connections from the LAN and the replies
# coming back to it
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $LOCAL -j ACCEPT

# Unlimited access from the LAN to this box
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# DNAT port 80 requests coming from LAN systems to Squid on $SQUID_PORT
# (aka transparent proxy)
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# Packets generated on this box itself never traverse PREROUTING, so the
# rule above does not affect browsing from the box, and Squid's own
# outbound connections cannot be looped back into it

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


Voilà! Now all PCs in the 192.168.168.0/24 network can reach the Internet without putting the proxy server in their browser settings. Two caveats: only TCP port 80 is intercepted, so HTTPS and everything else is simply NATed past Squid; and because the LAN and the Internet share one interface, the rules can only tell the two apart by source address, so the -s $LOCAL rules trust whatever the other hosts on that segment claim to be.
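Once the script has run, iptables-save shows what is actually loaded. The following audit script is an added example, not part of the original post: it scans an iptables-save dump for the rules this setup depends on (port-80 interception from the LAN, MASQUERADE, DROP policies, and the ESTABLISHED,RELATED rule in FORWARD) and counts what is missing. The two dumps inside it are constructed: one with FORWARD left at its ACCEPT default and no state rule, one hardened. On the real box, call it as audit_ruleset "$(iptables-save)".

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump
# for the rules a one-NIC transparent Squid router needs. The constants
# mirror the post's script; both dumps below are constructed samples.

LOCAL="192.168.168.0/24"
SQUID_SERVER="192.168.168.25"
SQUID_PORT="3128"
INTERNET="eth0"

# has_rule DUMP REGEX -> true if some line of DUMP matches REGEX (ERE)
has_rule() {
    printf '%s\n' "$1" | grep -Eq -e "$2"
}

# check_rule DESCRIPTION REGEX -> records a finding if $_dump lacks the rule
check_rule() {
    has_rule "$_dump" "$2" || { echo "FAIL: $1"; _fails=$((_fails + 1)); }
}

# audit_ruleset DUMP -> prints FAIL lines, returns the number of findings
audit_ruleset() {
    _dump=$1
    _fails=0
    check_rule "port-80 traffic from $LOCAL is not sent to Squid" \
        "^-A PREROUTING -s $LOCAL -p tcp .*--dport 80 -j (DNAT --to-destination $SQUID_SERVER:$SQUID_PORT|REDIRECT --to-ports $SQUID_PORT)"
    check_rule "no MASQUERADE on $INTERNET, LAN clients get no Internet" \
        "^-A POSTROUTING -o $INTERNET -j MASQUERADE"
    check_rule "INPUT policy is not DROP" "^:INPUT DROP"
    check_rule "FORWARD policy is not DROP: any host on the segment can route through this box" \
        "^:FORWARD DROP"
    check_rule "FORWARD has no ESTABLISHED,RELATED rule: replies to LAN clients are dropped" \
        "^-A FORWARD .*--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT"
    check_rule "FORWARD does not accept new connections from $LOCAL" \
        "^-A FORWARD -s $LOCAL -j ACCEPT"
    return $_fails
}

# Constructed dump: FORWARD left at ACCEPT, no state rule in FORWARD.
LOOSE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.168.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.168.25:3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.168.0/24 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -s 192.168.168.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# Constructed dump: same, with FORWARD DROP and a state rule for replies.
HARDENED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.168.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.168.25:3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.168.0/24 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.168.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

audit_ruleset "$LOOSE_DUMP" || echo "loose ruleset: $? finding(s)"
audit_ruleset "$HARDENED_DUMP" && echo "hardened ruleset: no findings"
```

The state-rule pattern accepts both the -m state and the -m conntrack spelling, since newer iptables versions print the latter in iptables-save even when the rule was loaded with --state.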

– end of story –

The script is a modified version of what I read here.

  1. Donnyreza says:

    Aaaaaa, teach me... teach me... teach me..!! 😀

  2. yanuar says:

    Sir, I have already managed to set up Squid with one NIC on Windows XP.
    What I want to ask is: can it be made transparent??? How do you do it, sir???
    Thanks in advance :)

  3. DIDIT says:

    Mas, I want to ask... my Internet cafe server runs Mandriva 2006, and for the proxy server I use SQUID 2.5 Stable10, which I installed from Mandriva's control panel. The problem is that the cache folder doesn't record all the sites the clients open, only certain ones... yahoo, google, bekas.com, friendster don't get saved in the cache. What's going on... I have pointed all the browsers to the proxy server on port 3128, and in the LAN settings I have also filled in the DEFAULT GATEWAY with the proxy server's IP. Is it because I filled the Default Gateway with the server's IP, so the traffic goes through NAT rather than the proxy... and so it isn't recorded in the cache... is that right? If the Default Gateway on the clients is left empty then mIRC and YM don't work, and if they are pointed through the proxy YM and mIRC don't work either.
    So my SQUID isn't powerful... compared with CCPROXY it is far behind in speed; maybe because CCProxy works perfectly. What now... please help... I haven't changed my SQUID at all... I'm using the standard config/default settings from Mandriva... surely that should be enough for a proxy. Please enlighten me.

  4. Inu says:

    >>I give it a name /root/makemetransparent.sh
    So the file is placed in the /root directory?
    And the iptables config file is left untouched?
    How does that work, I'm still confused... it's too brief.
    Please explain it in full detail.
    I'm still way below newbie level.. thanks

  5. @inu:
    The file can be put anywhere, as long as it is called at boot time; call the script from /etc/rc.local.

  6. kalenteha says:

    Mas, how do I write the script in /etc/rc.local, or could you please share the script for rc.local?

    Sorry, newbie.

    TIA

  7. rayme says:

    Just want to ask, how about on CentOS? Can you help me with this tutorial on CentOS. TQ

  8. Andri Setiawan says:

    @rayme: basically it's just the same :)
    What you need to change is just the IP address configuration, usually located here:

    /etc/sysconfig/network-scripts/ifcfg-eth0

  9. rayme says:

    DEVICE=eth0
    BOOTPROTO=none
    BROADCAST=192.168.1.255
    HWADDR=00:B0:D0:35:70:3A
    IPADDR=192.168.1.17
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    USERCTL=no
    IPV6INIT=no
    PEERDNS=yes
    MTU=1500
    GATEWAY=192.168.1.254
    TYPE=Ethernet

  10. rayme says:

    Here is my network interface; how do I change it? Still a newbie. Thanks for your help.
    DEVICE=eth0
    BOOTPROTO=none
    BROADCAST=192.168.1.255
    HWADDR=00:B0:D0:35:70:3A
    IPADDR=192.168.1.17
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    USERCTL=no
    IPV6INIT=no
    PEERDNS=yes
    MTU=1500
    GATEWAY=192.168.1.254
    TYPE=Ethernet
