My last few posts were about the Linux firewall and network address translation using iptables. For me iptables is a very flexible tool for configuring a Linux box as a free firewall, a transparent proxy or a router that shares an internet connection. So this post is about configuring a Linux box as a secure and safe internet gateway using iptables and squid.
You don’t need a high-end machine for the task; any low-end machine with two network interface cards installed will do. I’m always comfortable with Fedora Core so I used it again, but any distro will do, though the steps here might need some changes. I used Fedora Core 6, i.e. a recent kernel with iptables support. Once it is installed you are ready to configure the Linux router.
With a static IP (connected via DSL, cable, T1): plug the external link into eth0 and configure it with the static IP given to you by your ISP; plug your private network link into eth1 and configure it with one of your free private IPs. Let’s say the external IP of this box is 1.2.3.4 and the internal IP is 192.168.0.1. Now follow the steps given below.
- Delete all default rules of iptables
iptables -F
iptables -t nat -F
iptables --delete-chain
iptables -t nat --delete-chain
- Set up IP forwarding and masquerading
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD --in-interface eth1 -j ACCEPT
- Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
Dynamic IP (connected via PPP): the Linux box must be configured with the private internal network on eth0 and PPP (ppp0) for the dial-up connection.
- Delete all default rules of iptables
iptables -F
iptables -t nat -F
iptables --delete-chain
iptables -t nat --delete-chain
- Set up IP forwarding and masquerading
iptables -t nat -A POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -A FORWARD --in-interface eth0 -j ACCEPT
- Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
You can put these commands in a file, let’s say configrouter (starting with a #!/bin/sh line), and install it as a system startup script. To do so:
cp configrouter /etc/rc.d/
chmod 755 /etc/rc.d/configrouter
ln -s /etc/rc.d/configrouter /etc/rc5.d/S98configrouter
So your Linux box is configured as an internet gateway; now it’s time to make it secure with iptables firewall rules. Add the following lines to the configrouter script you created above.
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A OUTPUT -o lo -j ACCEPT
- iptables -A INPUT -p tcp -s 192.168.0.2 --dport 22 -j ACCEPT
- iptables -A INPUT -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
- iptables -A INPUT -i eth1 -p tcp -s 192.168.0.0/24 --dport 3128 -j ACCEPT
- iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
Here 192.168.0.2 is the machine from which you will administer the router. Two things are easy to miss with an OUTPUT policy of DROP: the router must be allowed to answer on established connections (otherwise your SSH session gets no replies), and it must be allowed to open new connections out of eth0 itself, because squid and its DNS lookups run on the router. The rule for port 3128 from the LAN lets the transparent proxy redirect configured below actually reach squid. With the PPP layout, use eth0 for the LAN rules and ppp0 for the external interface.
Install squid on your router and configure it to work as a transparent proxy server: tweak/add the following lines in /etc/squid/squid.conf.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl MyNetwork src 192.168.0.0/24 192.168.1.0/24
http_access allow localhost
http_access allow MyNetwork
The four httpd_accel_* directives are the squid 2.5 syntax; squid 2.6 and later dropped them and instead take a single http_port 3128 transparent line. Check which you have with squid -v. The acl lists whole networks, hence 192.168.1.0/24 for the second subnet.
View the squid config file without comments or blank lines with the command
- sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' /etc/squid/squid.conf
Now the iptables configuration for the transparent proxy setup. The rule must match traffic arriving on the internal interface only (eth1 in the static-IP layout above, eth0 in the PPP layout); matching the external interface would hand Internet-originated traffic to squid instead of your LAN’s. Use either the DNAT form or the REDIRECT form, not both: once the first matches, the second is never reached.
- iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
- iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Now restart squid (service squid restart) and your Linux box is configured to act as a safe and secure Linux internet gateway.
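Putting the steps above together, here is a complete configrouter script as an added example; it is my own code, not the script from the original post. It assumes the static-IP layout (WAN on eth0, LAN on eth1, LAN subnet 192.168.0.0/24, admin host 192.168.0.2, squid on port 3128); all of these are variables you can override from the environment, e.g. WAN_IF=ppp0 LAN_IF=eth0 for the PPP layout. It goes beyond the post in two places: the FORWARD chain is also set to DROP with an explicit LAN-to-Internet allow, and a show mode prints the rule set instead of applying it so you can review it before running it as root.

```shell
#!/bin/sh
# configrouter: gateway + firewall + transparent-proxy rules in one script.
# Added example, not the original post's script. Interface names, subnet,
# admin host and squid port are assumptions; override them from the
# environment (e.g. WAN_IF=ppp0 LAN_IF=eth0 for the PPP layout).

WAN_IF="${WAN_IF:-eth0}"                 # external (Internet) interface
LAN_IF="${LAN_IF:-eth1}"                 # internal (private network) interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # private subnet behind the router
ADMIN_HOST="${ADMIN_HOST:-192.168.0.2}"  # host allowed to SSH into the router
SQUID_PORT="${SQUID_PORT:-3128}"         # port squid listens on
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running

# ipt: run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

configure_router() {
    # 1. Clear every rule and user-defined chain in the filter and nat tables.
    ipt -F
    ipt -t nat -F
    ipt --delete-chain
    ipt -t nat --delete-chain

    # 2. Default-deny on all three chains. The post leaves FORWARD at ACCEPT;
    #    dropping it means only the traffic allowed below crosses the router.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # 3. Loopback, plus traffic belonging to connections already tracked.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Services the router itself offers: SSH from the admin host only, and
    #    squid's port from the LAN (the REDIRECT in step 7 delivers web traffic here).
    ipt -A INPUT -i "$LAN_IF" -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport "$SQUID_PORT" -j ACCEPT

    # 5. The router (squid, its DNS lookups) must be able to open connections out.
    ipt -A OUTPUT -o "$WAN_IF" -m state --state NEW -j ACCEPT

    # 6. New connections may be forwarded from the LAN to the Internet only,
    #    and are masqueraded behind the external address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 7. Transparent proxy: only LAN web traffic is sent to squid, never
    #    anything that arrives on the external interface.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # 8. Turn on routing in the kernel.
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# show_rules: print the full rule set without touching the kernel.
show_rules() {
    DRY_RUN=1
    configure_router
}

case "${1:-}" in
    start|apply) configure_router ;;
    show)        show_rules ;;
    *)           echo "usage: $0 {start|show}" >&2 ;;
esac
```

Run sh configrouter show first and read the printed rules; when they look right, install the file as /etc/rc.d/configrouter and link it as S98configrouter as described above. Init scripts are started with the argument start, which the case statement handles.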
My router works as gateway, but nonetheless this article is interesting, thank you.
Pete
Comment by Peter — September 18, 2007 @ 8:01 pm
Thank you, it was really useful for me…
Comment by hasanen — September 14, 2008 @ 10:48 pm