
LINUX NAT GATEWAY, DHCP AND SQUID INSTALLATION AND CONFIGURATION MANUAL

Note:
The system was set up with the following:
• Ubuntu 10.04 server edition (the latest as of this writing)
• dhcp3-server
• squid3
• iptables
• two (2) networking cards

I. Configuring The Linux Box As A NAT Gateway

This procedure assumes that your first NIC (eth0) is connected to the WAN and that the
second NIC (eth1) is connected to your LAN.

1. Configure the settings for your NICs. You will be modifying the
/etc/network/interfaces configuration file.
• eth0 and eth1 should be enabled across reboots
• the IP addresses of eth0 and eth1 will be configured manually
• the address of eth0 will be the address given by the ISP
• the address of eth1 will be on your private network and will also be the address
of your squid proxy server

vim /etc/network/interfaces

/etc/network/interfaces should contain the following settings. (To edit, press ( i ) or
<Insert> )

# The loopback interface
auto lo
iface lo inet loopback

# The primary network interface
# This will be the interface connected to the WAN
auto eth0
iface eth0 inet static
address 203.167.24.205 #tridel
netmask 255.255.255.240
# network and broadcast are derived from the address and the /28 netmask
network 203.167.24.192
broadcast 203.167.24.207
gateway 203.167.24.193

# This will be your private network
# IP of the proxy server
auto eth1
iface eth1 inet static
address 192.168.110.100
netmask 255.255.255.0
network 192.168.110.0
broadcast 192.168.110.255

To save and exit, press:

<Esc><Shift> :wq!

2. sysctl is an interface that allows you to change settings of the running Linux kernel.
With /etc/sysctl.conf you can configure various networking and system settings, such as:
• Limit network-transmitted configuration for IPv4
• Limit network-transmitted configuration for IPv6
• Turn on ExecShield protection
• Protect against the common 'SYN flood' attack
• Turn on source IP address verification
• Prevent an attacker from spoofing the IP address of the server
• Log several types of suspicious packets, such as spoofed packets, source-routed
packets and redirects

Modify /etc/sysctl.conf to enable packet forwarding on your Linux box.

vim /etc/sysctl.conf

Locate and uncomment (remove the #) the line that says: (To edit, press ( i ) or <Insert> )

#net.ipv4.ip_forward=1

Save and exit. ( <Esc><Shift> :wq! )

The change takes effect once you restart the Linux box. To enable forwarding
immediately, execute the following command:

sysctl -w net.ipv4.ip_forward=1

Or with this command:

echo 1 > /proc/sys/net/ipv4/ip_forward

3. Finally, modify the iptables NAT ruleset so that traffic leaving through eth0 is masqueraded. Execute the command:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

4. Restart the Linux networking service for the changes to take effect.
Enter the following command:
/etc/init.d/networking restart

5. Check that the new IP address configuration was applied by entering the command:
ifconfig -a

You should see the IP addresses you specified for the two NICs.
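A network or broadcast value that does not match the netmask is easy to mistype in an interfaces file, so here is an added consistency check (not part of the original manual) that parses stanzas written in /etc/network/interfaces syntax and derives the expected values with Python's ipaddress module. The sample stanza is constructed and deliberately carries that mistake on eth0.

```python
import ipaddress

# Constructed sample in /etc/network/interfaces syntax (not read from a live box);
# the eth0 network/broadcast lines are deliberately wrong for a /28 mask.
SAMPLE = """
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 203.167.24.205   # WAN side
netmask 255.255.255.240
network 203.167.24.0
broadcast 203.167.24.255
gateway 203.167.24.193

auto eth1
iface eth1 inet static
address 192.168.110.100  # LAN side, also the proxy address
netmask 255.255.255.0
network 192.168.110.0
broadcast 192.168.110.255
"""

def parse_interfaces(text):
    """Map each 'iface NAME inet static' stanza to its {option: value} dict."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = stanzas.setdefault(words[1], {}) if "static" in words else None
        elif current is not None and words[0] != "auto":
            current[words[0]] = words[1]
    return stanzas

def check_stanza(opts):
    """Return the mismatches between stated and derived values for one stanza."""
    iface = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}")
    net, problems = iface.network, []
    if "network" in opts and ipaddress.ip_address(opts["network"]) != net.network_address:
        problems.append(f"network should be {net.network_address}")
    if "broadcast" in opts and ipaddress.ip_address(opts["broadcast"]) != net.broadcast_address:
        problems.append(f"broadcast should be {net.broadcast_address}")
    if "gateway" in opts:
        gw = ipaddress.ip_address(opts["gateway"])
        if gw not in net or gw == iface.ip:
            problems.append(f"gateway {gw} is not a usable address in {net}")
    return problems

def check_all(text):
    """Check every static stanza; an empty list means the stanza is consistent."""
    return {name: check_stanza(opts) for name, opts in parse_interfaces(text).items()}
```

Running check_all(SAMPLE) reports the derived network (.192) and broadcast (.207) for eth0 and no problems for eth1.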

II. Setting Up and Configuring DHCP Server

1. Install DHCP server and other necessary files on your Ubuntu Linux box.

apt-get install dhcp3-server dhcp3-client dhcp3-common dhcp3-dev

2. Configure your DHCP server. You will need to specify which interface the DHCP
server listens on. We use eth1 since this is the interface for our private LAN.
Edit the /etc/default/dhcp3-server configuration file.

vim /etc/default/dhcp3-server

(To edit, press ( i ) or <Insert> ). INTERFACES should be set to eth1 (use plain
double quotes):

INTERFACES="eth1"

Save and exit. ( <Esc><Shift> :wq! )

3. We must specify the settings that our DHCP server needs to allocate dynamic
addresses. This is done in the /etc/dhcp3/dhcpd.conf file. Edit this file and enter
the changes shown below (every statement ends with a semicolon):

# option definitions common to all supported networks....
option domain-name "INES.com";
option domain-name-servers 192.168.110.100, 203.167.0.16, 203.167.97.66;

# this is a very basic subnet declaration
subnet 192.168.110.0 netmask 255.255.255.0 {
  # dynamic pool; .100 is kept out of it because it is the gateway/proxy address
  range 192.168.110.101 192.168.110.254;
  option routers 192.168.110.100;
}

Save and exit. ( <Esc><Shift> :wq! )

4. Restart your DHCP server. Enter the command:

service dhcp3-server restart

5. Configure the workstations for dynamic IP addresses. Make sure that each workstation
obtains an address within the network you set up on your Linux box.
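A subnet declaration that hands out the gateway's own address, or a range that leaves the subnet, silently breaks clients, so here is an added validator (not part of the original manual) for the subnet block used in this section. It parses a dhcpd.conf fragment with regular expressions and checks range and router consistency; the fragment is constructed to mirror the manual's values.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment mirroring this manual's subnet declaration
SAMPLE_CONF = """
option domain-name "INES.com";
option domain-name-servers 192.168.110.100, 203.167.0.16, 203.167.97.66;

subnet 192.168.110.0 netmask 255.255.255.0 {
  range 192.168.110.101 192.168.110.254;
  option routers 192.168.110.100;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_subnets(text):
    """Yield (network, range_start, range_end, routers) per subnet block.
    strict=True makes ip_network raise ValueError if host bits are set."""
    for net_addr, mask, body in SUBNET_RE.findall(text):
        net = ipaddress.ip_network(f"{net_addr}/{mask}", strict=True)
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        routers = re.search(r"option routers\s+([^;]+);", body)
        lo = ipaddress.ip_address(rng.group(1)) if rng else None
        hi = ipaddress.ip_address(rng.group(2)) if rng else None
        gws = [ipaddress.ip_address(r.strip()) for r in routers.group(1).split(",")] if routers else []
        yield net, lo, hi, gws

def check_subnet(net, lo, hi, routers):
    """Return the problems a DHCP client on this subnet would run into."""
    problems = []
    if lo is None:
        problems.append("no range declared, so no dynamic leases will be offered")
    else:
        if lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is not inside subnet {net}")
        if lo > hi:
            problems.append("range start is above range end")
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append("range includes the network or broadcast address")
    if not routers:
        problems.append("no 'option routers', clients will get no default gateway")
    for gw in routers:
        if gw not in net:
            problems.append(f"router {gw} is outside subnet {net}")
        elif lo is not None and lo <= gw <= hi:
            problems.append(f"router {gw} lies inside the dynamic range")
    return problems

def check_conf(text):
    """List (subnet, problems) for every subnet block in a dhcpd.conf text."""
    return [(str(net), check_subnet(net, lo, hi, gws)) for net, lo, hi, gws in parse_subnets(text)]
```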

III. Squid Installation and Configuration

1. Install squid3. Enter the command:

apt-get install squid3

2. Edit the squid3 configuration file. The Squid configuration file is
/etc/squid3/squid.conf

vi /etc/squid3/squid.conf

Add the necessary modifications for cache, acl and web filtering. (To edit, press ( i )
or <Insert> )

# APPEND THIS AT THE ACL SECTION
# (each acl needs a type: 'src' matches client addresses, 'dstdomain' matches requested hosts)
acl localnet src 192.168.0.0/16
acl badsites dstdomain "/etc/squid3/badsites.acl"

# PUT THIS LINE AT THE VERY TOP OF THE http_access DIRECTIVES SO IT IS EVALUATED FIRST
http_access deny badsites

# AT "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS", INSERT THIS LINE
http_access allow localnet

# AT THE NETWORK OPTIONS, http_port SHOULD BE THIS
http_port 3128 transparent

# CACHE DIRECTORY LIMIT
cache_dir ufs /var/spool/squid3 7000 16 256
# the first number is the cache size in megabytes; the next two are the
# numbers of first- and second-level cache subdirectories

Save and exit the file. ( <Esc><Shift> :wq! )

Create your badsites.acl file that will be used to filter web sites.

vim /etc/squid3/badsites.acl

Enter the websites that are prohibited, one per line. A leading dot matches the domain
and all of its subdomains. (To edit, press ( i ) or <Insert> ).

.facebook.com
.friendster.com
.youtube.com

Save and exit the file. ( <Esc><Shift> :wq! )

Create another file that will contain our new iptables rules to force all connections
to port 80 to be redirected to the squid proxy server listening on port 3128.

vim /home/sysadmin/fw_policy.sh

And it should contain the following entries (To edit, press ( i ) or <Insert> ).

#!/bin/bash
# Masquerade LAN traffic leaving through the WAN interface
# (each run of this script appends its rules again; flush with
#  "iptables -t nat -F" before re-running it by hand)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Divert web traffic (TCP port 80) arriving from the LAN to Squid on port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.110.100:3128

# Port-80 traffic arriving on the WAN side is also sent to the local Squid port;
# the http_access rules in squid.conf are what stop outside hosts from using the proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

echo "iptables executed"
exit 0

Save and exit the file. ( <Esc><Shift> :wq! )

Make the shell script executable. Enter the command:

chmod 755 /home/sysadmin/fw_policy.sh

Run your script by entering the command:

/home/sysadmin/fw_policy.sh

To run your script upon reboot, execute the following commands:


cp /home/sysadmin/fw_policy.sh /etc/init.d/

update-rc.d fw_policy.sh defaults

Or modify /etc/rc.local. This file contains bash commands which are run after the
run-level specific commands whenever the system boots.

vim /etc/rc.local

Add the following line before the final "exit 0":

/home/sysadmin/fw_policy.sh

3. Restart your squid proxy server.


/etc/init.d/squid3 restart
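Squid evaluates http_access lines top to bottom and the first match wins, which is why the manual puts "deny badsites" above "allow localnet". Here is an added simulation (not part of the original manual or of Squid) of that evaluation order together with the dstdomain matching used by badsites.acl; the ACL file contents are constructed to match the list above, and the closing "deny all" is the line Squid's stock squid.conf ends with.

```python
import ipaddress

# Constructed copy of /etc/squid3/badsites.acl: one dstdomain pattern per line
BADSITES = """
.facebook.com
.friendster.com
.youtube.com
"""

def load_dstdomain(text):
    return [l.strip().lower() for l in text.splitlines() if l.strip() and not l.startswith("#")]

def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain of it; a pattern without a leading dot matches that exact host only."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False

# ACL definitions as in the manual's squid.conf additions
ACLS = {
    "badsites": lambda src, host: dstdomain_match(host, load_dstdomain(BADSITES)),
    "localnet": lambda src, host: ipaddress.ip_address(src) in ipaddress.ip_network("192.168.0.0/16"),
    "all": lambda src, host: True,
}

# http_access lines in the order the manual inserts them, plus Squid's own closing deny all
RULES = [("deny", "badsites"), ("allow", "localnet"), ("deny", "all")]

def http_access(src, host, rules=RULES):
    """First matching http_access line decides, exactly as Squid evaluates them."""
    for action, acl in rules:
        if ACLS[acl](src, host):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action
    return "allow" if rules[-1][0] == "deny" else "deny"
```

Passing a reordered rule list (allow localnet first) shows why the ordering matters: LAN clients would then reach the blocked sites.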
