User:Log Linden/Socks5Viewer/TestPlan/ProxyGateway
Introduction
These instructions will help you set up a simple Ubuntu gateway machine that will allow you to control access to the outside network for computers that are operating behind the gateway. This setup was created for testing the SOCKS 5 proxy. With some modification, the same setup could be used for testing various other network conditions, including throttling the connection speed down to something closer to residential DSL speeds. The instructions are intended for someone with a reasonable familiarity with Ubuntu Linux and will only discuss the customisations needed to set up the gateway.
Requirements
Hardware
- A standard off-the-shelf PC with two Ethernet NICs
- 1 Ethernet switch for the "internal" network
- Network cables
- Other computers to actually run the viewer on.
Software
- Ubuntu Linux 11.04 (Natty) install media (Other flavors of Ubuntu, including Ubuntu server should work with these instructions as well.)
Instructions
Connect network hardware
- Connect one network card to the outside network.
- Connect the other network card to the internal ethernet switch.
- Connect testing computers to the internal network switch.
Install Ubuntu and Packages
- Install Ubuntu on the gateway machine. Consult the official Ubuntu install instructions for more information.
- Reboot into the installed system.
- Update the packages on the system.
<bash>
sudo apt-get update
sudo apt-get upgrade
</bash>
- Install some additional useful packages that we will need.
<bash>
sudo apt-get install dnsmasq dante-server openssh-server
</bash>
Configure Network Interfaces
- IMPORTANT NOTE: For the purpose of this document, eth0 is the device that is connecting to the outside network, and eth1 is connecting to the internal network. Verify which is which on your setup.
<bash>
ifconfig
</bash>
Chances are that only one of the ethX devices will have been assigned an IP address by your network; that is the one connected to the external network. If it is not eth0, either swap the network cables connected to the computer or remember to swap the interface names everywhere in the rest of this document. We are going to assign eth1 a static IP address, which can cause problems if it conflicts with the rest of your network.
- Edit, with sudo, '/etc/network/interfaces' and replace its contents with the following
<bash>
auto lo eth0 eth1

iface lo inet loopback

# External network
iface eth0 inet dhcp

# Internal network
iface eth1 inet static
    address 192.168.1.1
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255
</bash>
- This configuration makes eth0 continue to get its configuration through DHCP, and statically configures eth1. Listing both interfaces on the auto line will mean that they will automatically connect on startup.
- Because we are setting up the interfaces in this config file, we should prevent NetworkManager from trying to manage them as well.
<bash>
sudo update-rc.d NetworkManager remove
</bash>
- Restart the network
<bash>
sudo /etc/init.d/networking stop
sudo /etc/init.d/networking start
</bash>
- Verify the network configuration by looking for the correct IP addresses for eth0 and eth1.
<bash>
ifconfig
</bash>
Set up DNS and DHCP
- dnsmasq is a lightweight combination DNS/DHCP server. For the anticipated number of clients for this network, it should be sufficient.
- Replace /etc/dnsmasq.conf with the following:
<bash>
interface=eth1
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-authoritative
dhcp-script=/bin/echo
</bash>
- Restart dnsmasq
<bash>
sudo /etc/init.d/dnsmasq restart
</bash>
Set up the Firewall
- Save the following two scripts to ~/scripts
nat_forward_all.sh
<bash>
#!/bin/bash
# Version label used only in the status messages below (it was never set in
# the original script, so a default is supplied here).
FWVER="${FWVER:-test}"

echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"

DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

# eth0 faces the outside network, eth1 the internal test network.
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "nf_conntrack, "
$MODPROBE nf_conntrack
echo -en "nf_conntrack_ftp, "
$MODPROBE nf_conntrack_ftp
echo -en "nf_conntrack_irc, "
$MODPROBE nf_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "nf_nat_ftp, "
$MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
echo -e "   Done loading modules.\n"

echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# iptables-restore replaces the nat and filter tables wholesale, so any
# previous rule set (e.g. from nat_block_all.sh) is cleared at the same time.
echo "   Clearing any existing rules and setting default policy.."
iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF

echo -e "\nrc.firewall-iptables v$FWVER done.\n"
</bash>
nat_block_all.sh
<bash>
#!/bin/bash
# Version label used only in the status messages below (it was never set in
# the original script, so a default is supplied here).
FWVER="${FWVER:-test}"

echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"

DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

# eth0 faces the outside network, eth1 the internal test network.
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "nf_conntrack, "
$MODPROBE nf_conntrack
echo -en "nf_conntrack_ftp, "
$MODPROBE nf_conntrack_ftp
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "nf_nat_ftp, "
$MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
echo -e "   Done loading modules.\n"

echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Everything arriving on the internal interface is logged and then rejected,
# so test machines behind the gateway lose all access to the outside network.
echo "   Clearing any existing rules and setting default policy.."
iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$INTIF" -j LOG
-A FORWARD -i "$INTIF" -j REJECT
COMMIT
EOF

echo -e "\nrc.firewall-iptables v$FWVER done.\n"
</bash>
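An added example, not one of the two scripts above and not part of the original page: a small POSIX sh helper that summarises the kernel LOG records the FORWARD rules produce. With nat_forward_all.sh only packets that fell through to the final -j LOG rule (and are therefore dropped) are logged; with nat_block_all.sh every packet arriving on eth1 is logged before it is rejected. The log lines embedded in the script are constructed samples in the kernel's iptables LOG format, and the function names and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or its scripts): summarise the
# kernel LOG records produced by the FORWARD chain rules in the two firewall
# scripts. The scripts set no --log-prefix, so each record begins at IN=.

# Constructed sample log lines (addresses, MACs and timestamps are made up).
# Lines 1-3 are packets from test machines on eth1; line 4 is an unsolicited
# SYN from outside that nat_forward_all.sh logs and drops; line 5 is not a
# firewall record at all and must be ignored.
SAMPLE_LOG='Jun  1 12:00:01 gateway kernel: [  100.000000] IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.52 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 12:00:02 gateway kernel: [  101.000000] IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.52 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 12:00:03 gateway kernel: [  102.000000] IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.77 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=40000 DPT=53 LEN=56
Jun  1 12:00:04 gateway kernel: [  103.000000] IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=198.51.100.9 DST=192.168.1.52 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=2222 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 12:00:05 gateway sshd[1234]: Accepted publickey for tester from 192.168.1.52 port 50000 ssh2'

# count_logged_packets IFACE: number of FORWARD-chain records on stdin whose
# packet entered on IFACE (e.g. eth1 for traffic from the test machines).
count_logged_packets() {
    grep -c " kernel: .* IN=$1 " || true
}

# forward_log_summary: one line per (in-interface, source, protocol, dest
# port) with a hit count, most frequent first. Only kernel lines carrying
# both IN= and OUT= are considered, which is what a FORWARD LOG rule emits.
forward_log_summary() {
    awk '
        / kernel: / && / IN=/ && / OUT=/ {
            in_if = ""; src = ""; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN")         in_if = kv[2]
                else if (kv[1] == "SRC")   src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (in_if != "" && src != "")
                count[in_if " " src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on the gateway replace the printf with
# something like: sudo cat /var/log/kern.log | forward_log_summary
printf '%s\n' "$SAMPLE_LOG" | forward_log_summary
```

While nat_block_all.sh is loaded, every connection attempt from a test machine shows up in this summary, so a growing hit count for a given SRC confirms that the block is in effect and identifies which machine generated the traffic; while nat_forward_all.sh is loaded the summary should stay almost empty for eth1, since permitted traffic never reaches the LOG rule.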
- Make both scripts executable
<bash>
chmod a+x ~/scripts/nat_block_all.sh
chmod a+x ~/scripts/nat_forward_all.sh
</bash>
- Test the wide-open script. Inspect the output for errors indicating something is wrong.
<bash>
sudo ~/scripts/nat_forward_all.sh
</bash>
- If the previous command was successful and you configured DNS and DHCP earlier, computers on the internal network should now be able to connect through your gateway.
- Test this now, by connecting a test computer to the network if you haven't already. Try browsing the web on one of the test machines as a quick test. Use ipconfig /all or ifconfig to see how the test computer is being configured. Expected values are below:
| Parameter | Expected Value |
|---|---|
| IP Address | 192.168.1.50-192.168.1.150 |
| Subnet Mask | 255.255.255.0 |
| Default Gateway | 192.168.1.1 |
| Nameserver (DNS Server) | 192.168.1.1 |
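An added example, not part of the original page: a POSIX sh checker for the expected values in the table above, so the figures read off ipconfig /all or ifconfig on a test machine can be checked mechanically instead of by eye. The expected values are copied from the table; the function names and the sample client configurations are assumptions. It goes one step beyond the table by also verifying that the client address and the gateway address are in the same subnet under the reported mask, which catches a client that picked up a lease from some other DHCP server.

```shell
#!/bin/sh
# Added example (not from the original page): check a test machine's IP
# configuration against the values the gateway's dnsmasq should hand out.
# Expected values below are taken from the table of expected values.
EXPECT_MASK=255.255.255.0
EXPECT_GW=192.168.1.1
EXPECT_DNS=192.168.1.1
DHCP_LO=192.168.1.50
DHCP_HI=192.168.1.150

# Convert a dotted quad to an integer; fails (status 1) on malformed input.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies within the inclusive range $2..$3.
in_range() {
    ip=$(ip_to_int "$1") && lo=$(ip_to_int "$2") && hi=$(ip_to_int "$3") || return 1
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# True if addresses $1 and $2 are in the same subnet under mask $3.
same_subnet() {
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 1
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_client_config IP MASK GATEWAY DNS
# Prints one PASS/FAIL line per parameter; status 0 only when all match.
check_client_config() {
    rc=0
    if in_range "$1" "$DHCP_LO" "$DHCP_HI"; then
        echo "PASS IP address $1 is inside the DHCP range $DHCP_LO-$DHCP_HI"
    else
        echo "FAIL IP address $1 is outside the DHCP range $DHCP_LO-$DHCP_HI"
        rc=1
    fi
    if [ "$2" = "$EXPECT_MASK" ]; then
        echo "PASS subnet mask $2"
    else
        echo "FAIL subnet mask $2 (expected $EXPECT_MASK)"
        rc=1
    fi
    if [ "$3" = "$EXPECT_GW" ] && same_subnet "$1" "$3" "$2"; then
        echo "PASS default gateway $3"
    else
        echo "FAIL default gateway $3 (expected $EXPECT_GW on the client's subnet)"
        rc=1
    fi
    if [ "$4" = "$EXPECT_DNS" ]; then
        echo "PASS nameserver $4"
    else
        echo "FAIL nameserver $4 (expected $EXPECT_DNS)"
        rc=1
    fi
    return $rc
}

# Constructed sample: what a correctly configured test machine should report.
check_client_config 192.168.1.77 255.255.255.0 192.168.1.1 192.168.1.1
```

Run it with the four values from the test machine as arguments; a FAIL on the nameserver line while the other three pass usually means the client is still using a cached resolver from a previous network, and a FAIL on the IP address means the lease did not come from the gateway's dnsmasq.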