Monday, January 26, 2009

IpKungfu NAT + DHCP server + Transparent SquidI

For 2 months and a half, I forced myself to believe that an appliance router would be enough to share our (measly) internet connection within our local area network.

Well, it was actually enough to share the internet connection but not enough to control how it shares the connection and speed it up. Since it was configured as a DHCP server, we are having a hard time monitoring what PC is viewing this and that. We also cannot effectively filter out "undesireable websites" via the appliance router.

So I had to go back to my old setup... NAT + Squid + Built-in Filter and now plus DHCP server. We were using Ubuntu 8.10 and I thought it would be easy after all this time I am configuring such setup. It was actually easy, except for one thing... NETWORK setup on Intrepid.

Okay, here is the setup. I have two NICs, eth0 and eth1. eth1 is connected to the Internet with a dynamic IP while eth0 is connected to the LAN and to be configured with a static IP.

I tried to use the built-in Network Manager but there seems to be a bug on it. It won't save static IP configuration after a reboot. So, eventhough I have configured eth0 with an IP of let's say 192.168.2.1... after a reboot it would still and again ask for a dynamic IP.

Darn!

Perhaps, there could be other better solutions out there for static IP to work on Network Manager but I did it on a way that I am comfortable... get my hands dirty on /etc/network/interfaces. Here it goes!

1. Disable Network Manager
sudo update-rc.d -f NetworkManager remove
1.1 Open and edit /etc/network/interfaces (dynamic eth1, static eth0).
gksu gedit /etc/network/interfaces
My /etc/network/intercafes looks like this:
auto lo eth0 eth1
iface lo inet loopback
iface eth0 inet static
address 192.168.2.1
netmask 255.255.255.0

iface eth1 inet dhcp
Reboot

2. Install and configure DHCP

2.1 Install
sudo apt-get install dhcp3-server
2.2 Configure DHCP to provide reserved IPs to specific computers.

2.2.1 Open DHCP conf file, edit to provide ip range 192.168.2.0/24 plus reserved IPs for specific PCs.
gksu gedit /etc/dhcp3/dhcpd.conf
Copy, paste, and edit the following configuration according to your LAN settings (leave out the comments),
default-lease-time 600;
max-lease-time 7200;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.2.1; # This should be your Squid/NAT server
option domain-name-servers 208.67.222.222, 208.67.220.220; # These are OpenDNS settings
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.160 192.168.2.169; # Edit accordingly
}
host linksys {
hardware ethernet 00:21:29:65:7a:66;
fixed-address 192.168.2.170;
}
host ecenter1 {
hardware ethernet 00:07:e9:01:b5:dc;
fixed-address 192.168.2.171;
}
host ecenter2 {
hardware ethernet 00:07:e9:01:bc:be;
fixed-address 192.168.2.172;
}
Of course, we have more PCs but I have to cut it to three. :) To get the MAC address of each PC, issue the ifconfig command (ipconfig /all for Windows PC).

2.2.3 Restart dhcpd for the settings to take effect.
sudo service dhcpd restart
3. Configure NAT via Ipkungfu (transparent redirection will be done later)

3.1 To save space, Please just read my blogspot on this at LINK . Additional info at LINK, which was actually partially based on my blogspot too. :) Don't forget to reboot thereafter.

4. Configure squid with minimal configuration. I just lifted and edited accordingly my previous post on this:

First install squid via apt-get or synaptic:
sudo apt-get install squid
After installation, edit Squid's configuration file:
sudo gedit /etc/squid/squid.conf
In the /etc/squid/squid.conf file, search and edit the following options/tags:

#TAG:http_port
http_port 3128 transparent

#OPTION WHICH AFFECT THE CACHE SIZE
cache_mem (1/4 of the your RAM) MB

(e.g. assuming your RAM is 1Gb then its "cache_mem 250 MB")

#LOGFILE PATHNAMES AND CACHE DIRECTORIES
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir diskd /cache (capacity of your /cache in MB) 16 256

(make sure /cache already exists)

#RECOMENDED MINIMUM CONFIGURATION
acl netxxx src xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx

(specify your network and netmask e.g. "acl mynet src 192.168.0.0/255.255.255.0)

# AND FINALLY DENY ALL OTHER ACCESS TO THE PROXY
http_access allow netxxx

(e.g. "http_access allow mynet")

#TAG:Visible_hostname
visible_hostname (yourserver name)

At the terminal, change the ownership of the existing /cache folder:
sudo chown proxy:proxy /cache
Then create swap directories at /cache:
sudo squid -z
Then fireaway squid!
sudo /etc/init.d/squid start
5. Enable transparent redirection via IpKungfu

5.1 Open and edit /etc/ipkungfu/redirection.conf.
gksu gedit /etc/ipkungfu/redirection.conf
Uncomment the line that has 3128 on it.
tcp:80:3128:internal # transparent squid proxy
5.2 Restart IpKungfu for settings to take effect.
sudo /etc/init.d/ipkungfu restart
My squid configuration was actually configured to filter out undesirable websites and that will be tackled on my next blogpost.

Till then!

No comments: