First, set up a box with two network cards installed, install Ubuntu Server onto it, and assign each network card a static IP address.
Install Squid (sudo apt-get install squid) and edit the /etc/squid/squid.conf file to your taste. Once you have Squid working just how you like it, make sure the following directives are included:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Now create a file called proxy.sh. I got this script from an excellent Red Hat Linux tutorial.
You just need to edit the variables at the top labelled SQUID_SERVER, INTERNET, LAN_IN and SQUID_PORT.
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP (replies to connections this box opened)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Move the script to /etc/init.d, make it executable (sudo chmod a+x /etc/init.d/proxy.sh) and test it: run /etc/init.d/proxy.sh, then set the proxy box's internet-facing address as the gateway on a client machine.
Visit a few websites on the client machine and check that they appear in your Squid access log: tail /var/log/squid/access.log
To make sure your firewall rules still apply after a reboot, have the script run during startup by making a symbolic link in the rc2.d directory: ln -s /etc/init.d/proxy.sh /etc/rc2.d/S95proxy
Now, if you change the gateway address that the DHCP server hands to wireless clients (the config file here if you're setting up WiFiDog using the tutorial here) to the address of the proxy's LAN interface, all traffic to port 80 will pass through your Squid box and therefore be logged.
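Once the redirect is in place, the access log is the evidence that clients really are passing through the proxy. The following is an added Python example, not part of the original tutorial, that parses Squid's default "native" access.log layout and summarises requests per client and per host, flagging denied or error responses. The log lines are constructed samples, and the field order assumes Squid's default native log format.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Squid native access.log format (the default in squid.conf):
# timestamp elapsed client result_code/status bytes method URL rfc931 hierarchy/peer content_type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not match."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # CONNECT requests log "host:port" without a scheme, so fall back to splitting on ':'
    rec["host"] = urlparse(rec["url"]).hostname or rec["url"].split(":")[0]
    return rec

def summarize(lines):
    """Aggregate per-client and per-host request counts; collect denied/error URLs per client."""
    per_client, per_host, denied = Counter(), Counter(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # rotated-log headers, truncated lines, etc.
        per_client[rec["client"]] += 1
        per_host[rec["host"]] += 1
        if rec["result"].startswith("TCP_DENIED") or rec["status"][0] in "45":
            denied[rec["client"]].append(rec["url"])
    return {"per_client": per_client, "per_host": per_host, "denied": dict(denied)}

# Constructed sample lines in Squid native format (not taken from any real log).
SAMPLE_LOG = """\
1262304000.123    245 192.168.1.50 TCP_MISS/200 5432 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1262304001.456     12 192.168.1.50 TCP_HIT/200 1200 GET http://www.example.com/logo.png - NONE/- image/png
1262304002.789    301 192.168.1.51 TCP_MISS/404 600 GET http://www.example.org/missing - DIRECT/192.0.2.20 text/html
1262304003.012      0 192.168.1.52 TCP_DENIED/403 1100 CONNECT www.example.net:443 - NONE/- text/html
this line is not squid native format
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for client, n in s["per_client"].most_common():
        print(f"{client}: {n} requests, denied/errors: {s['denied'].get(client, [])}")
```

Point it at /var/log/squid/access.log instead of SAMPLE_LOG to see which LAN addresses are actually being redirected and which hosts they reach.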