Monday, December 31, 2012

Making Scientific Linux 6.2 a Router with Squid Proxy


My internet-facing server has two NICs. The NIC connected to the internal network has the IP address 10.10.0.1/24.

First, enable IP forwarding and masquerade traffic leaving through eth0 by typing the following in a terminal:

sysctl -w net.ipv4.ip_forward=1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

View the current iptables configuration with

iptables -L -t nat (to see the nat table) or iptables -L (to see the general iptables settings)


We will remove the two REJECT rules, one in the INPUT chain and one in the FORWARD chain:

iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited

iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

yum install squid

nano /etc/squid/squid.conf

Go to this line:

http_port 3128

and change it to

http_port 3128 intercept

to use Squid as a transparent proxy.

Save the file, then restart Squid:

service squid restart


To make sure all client traffic to port 80 (the intercepted traffic) is sent to port 3128 on the Squid server:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.10.0.1:3128


Now we need to make sure clients can only use port 3128 to access the internet:

iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

By default there is a rule in the INPUT chain which accepts anything from anywhere.

You can see this with

iptables -L

In my case it is the third line

I had to delete it to make sure the clients use port 3128:

iptables -t filter -D INPUT 3

So at the end, the INPUT section of my iptables configuration looks like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

On the client, set the browser's proxy to port 3128.

Save this configuration with

iptables-save > iptables.conf

This will create iptables.conf (in whatever directory you are in), which holds the current iptables configuration.

Make a backup of the original iptables file:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables_back

Now replace the original iptables file with our custom iptables configuration (the path below assumes iptables.conf was created in /etc):

mv /etc/iptables.conf /etc/sysconfig/iptables

Now restart iptables:

service iptables restart

To load an iptables configuration temporarily:

iptables-restore < iptables.conf
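
A check for the saved file, as an added example that is not part of the original post: the script reads iptables-save output (for real use, audit_ruleset < iptables.conf) and verifies that port 80 is redirected to 3128, that the port 3128 ACCEPT comes before the REJECT, and that no match-less ACCEPT remains in INPUT. The function names and the sample ruleset are constructed for illustration; the sample mirrors the final INPUT chain shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit iptables-save text.
# Reads the ruleset on stdin, prints findings, returns 1 if any check fails.
audit_ruleset() {
    awk '
    /^\*/ { table = substr($1, 2); next }   # table headers: *nat, *filter
    table == "nat" && $2 == "PREROUTING" && /--dport 80 / && /:3128/ { dnat = 1 }
    table == "filter" && $2 == "INPUT" {
        n++
        if (/-j REJECT/ && !reject) reject = n
        if (/--dport 3128 / && /-j ACCEPT/ && !squid) squid = n
        # A rule with no match at all is a real catch-all. The loopback rule
        # prints the same in plain "iptables -L" but only matches interface lo.
        if ($0 == "-A INPUT -j ACCEPT" && !reject) catchall = n
        if ($0 == "-A INPUT -i lo -j ACCEPT") print "INFO: rule " n " is loopback-only"
    }
    END {
        if (!dnat)    { print "FAIL: port 80 is not redirected to :3128"; bad = 1 }
        if (!squid)   { print "FAIL: no INPUT ACCEPT for tcp port 3128"; bad = 1 }
        if (!reject)  { print "FAIL: INPUT has no REJECT rule"; bad = 1 }
        if (squid && reject && squid > reject) { print "FAIL: 3128 ACCEPT is after REJECT"; bad = 1 }
        if (catchall) { print "FAIL: catch-all ACCEPT at INPUT rule " catchall; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the final ruleset from the post, in iptables-save form.
sample_ruleset() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.0.1:3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_ruleset | audit_ruleset && echo "OK: ruleset matches the intended policy"
```

Plain iptables -L hides interface matches, so a loopback-only rule (-i lo) looks identical to a catch-all there; iptables -L -v or iptables-save shows the difference.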

