Easyhotspot and a transparent Squid proxy on one machine….. (saving hardware)

September 11, 2008 at 2:55 pm (Linux,....pecas ndahe)

Install the Easyhotspot distro as usual, then install Squid and configure it as a transparent proxy. Here Easyhotspot is used as the proxy server for both the regular users on the 192.168.0.0 network and the prepaid hotspot users on the 192.168.182.0 network. Next we write a firewall script for the regular users so that every request to port 80 is redirected to port 3128 (Squid):

#!/bin/sh

# squid server IP
SQUID_SERVER="192.168.0.254"
# Interface connected to Internet
INTERNET="eth4"
# Interface connected to LAN
LAN_IN="eth3"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP (replies to connections we opened)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# Transparent proxy: send port-80 traffic from the LAN to Squid
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Same redirect, matched on the source network instead of the interface
iptables -t nat -A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 --dport 80 -j DNAT --to-destination 192.168.0.254:3128

# DROP everything and Log it (the INPUT policy above is already DROP)
iptables -A INPUT -j LOG

#iptables -t mangle -A POSTROUTING -d 192.168.0.14 -j MARK --set-mark 101
#iptables -A INPUT -j DROP
##############################
Save it as /etc/init.d/sharing, then run chmod a+x /etc/init.d/sharing so it can be executed.

So that prepaid hotspot users can reach the internet after logging in and are redirected to the Squid port (through the transparent Squid proxy), edit /etc/init.d/chillispot.firewall to look like this:

#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
# to and from the internal interface.
# * NAT is enabled on the external interface.

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

IPTABLES="/sbin/iptables"
EXTIF="eth4"
INTIF="eth3"

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
#$IPTABLES -A FORWARD -i $INTIF -j DROP
#$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables --append FORWARD --in-interface $INTIF -j ACCEPT
# Transparent proxy redirect for the LAN network. The network is matched with
# -s (source address); -i expects an interface name and rejects a CIDR prefix.
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.254:3128

###########################################################

So that both scripts run automatically at every boot, edit /etc/rc.local to look like this:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /etc/init.d/sharing
sh /etc/init.d/chillispot.firewall

exit 0

Reboot Easyhotspot, and if nothing went wrong both the regular users and the prepaid hotspot users can browse the internet through the Squid proxy. Saves a PC..he..he

6 Responses

  1. bananatehpisang said,

    What if I already have one Squid proxy server but also want to use Squid on the hotspot server, how would that work, mas?

  2. linux said,

    Could I ask for the squid.conf that works on your Easyhotspot? I tried it and haven't succeeded. Thanx..

  3. jaenuri said,

    Please help, mas, I'm having trouble editing the chillispot.firewall file. When I add the redirect iptables rule like in the script you gave above,
    namely:
    $IPTABLES -t nat -A PREROUTING -i 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.254:3128

    I always get the error "name interface must be shorter than IFNAMSIZ (15)". What could it be?

    And for the line after MASQUERADE, does iptables need a $ in front or not?
    iptables --append FORWARD --in-interface $INTIF -j ACCEPT

  4. poerwo2211 said,

    @bananatehpisang
    What do you need two proxies for, mas? If there is only one connection it will just make things slower.

    @linux
    The squid.conf is almost the same as the one on this blog, mas, except I compiled Squid myself from Squid 2.7 so it can cache YouTube.

    @jaenuri
    Probably just a typo, mas, check it again. Usually it is the --dport part: if you copy-pasted from the web, retype the parts containing -- by hand.

    Using
    iptables --append FORWARD --in-interface $INTIF -j ACCEPT
    or
    $IPTABLES --append FORWARD --in-interface $INTIF -j ACCEPT

    is the same.

  5. jaenuri said,

    I already tried typing it in by hand, slowly:
    $IPTABLES -t nat -A PREROUTING -i192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.254:3128
    error: name interface must be shorter than IFNAMSIZ (15)
    still the same error, mas

    • poerwo2211 said,

      Check it again, it looks like something is wrong….. after PREROUTING -i there should be a space….
      $IPTABLES -t nat -A PREROUTING -i 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.254:3128
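As an added example (not code from the original post, nor from Easyhotspot or ChilliSpot), here is the transparent-proxy redirect rule used in both firewall scripts above, wrapped in a small POSIX sh helper that validates every argument before it reaches iptables. It also covers the error from the comment thread: `-i` takes an interface name of at most 15 characters (IFNAMSIZ is 16 including the terminator), so `192.168.0.0/24` after `-i` triggers the IFNAMSIZ message with or without a space, while `-s` is the option that matches the client network. The interface names, the `tun0` interface assumed for hotspot clients, and the proxy address are constructed for the demo; by default the helper prints the rules instead of applying them, so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the original post: build the nat/PREROUTING
# redirect rules from the post with argument checks, so a network passed to
# -i (which expects an interface name) is rejected before iptables runs.
# Interface names and addresses are constructed for the demo; tun0 is an
# assumed name for the ChilliSpot tunnel interface.

# Linux limit: an interface name holds at most IFNAMSIZ-1 = 15 characters.
IFNAMSIZ=16

# Command prefix. Defaults to a dry run that prints each rule; set
# IPT=/sbin/iptables to apply the rules for real (requires root).
IPT=${IPT:-echo iptables}

# Returns 0 if $1 is something iptables -i / -o accept as an interface name.
valid_ifname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -lt "$IFNAMSIZ" ] || return 1
    case $name in
        */*|*" "*) return 1 ;;   # a CIDR prefix or a space is not an interface
    esac
    return 0
}

# Returns 0 if $1 is an IPv4 address or a.b.c.d/len prefix (what -s / -d expect).
valid_cidr() {
    case $1 in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   addr=$1;      plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 if $1 is a TCP port number.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] || return 1
    [ "$1" -le 65535 ] || return 1
    return 0
}

# redirect_rule IFACE CLIENT_NET PROXY_IP PROXY_PORT
# Emits one rule: port-80 TCP arriving on IFACE from CLIENT_NET is DNATed to
# the Squid listener. -i carries the interface and -s the network; swapping
# them is exactly what produces the IFNAMSIZ error.
redirect_rule() {
    in_if=$1; client_net=$2; proxy_ip=$3; proxy_port=$4
    valid_ifname "$in_if" || {
        echo "redirect_rule: '$in_if' is not an interface name (max 15 chars, no '/')" >&2
        return 1
    }
    valid_cidr "$client_net" || { echo "redirect_rule: bad client network '$client_net'" >&2; return 1; }
    valid_cidr "$proxy_ip"   || { echo "redirect_rule: bad proxy address '$proxy_ip'" >&2; return 1; }
    valid_port "$proxy_port" || { echo "redirect_rule: bad proxy port '$proxy_port'" >&2; return 1; }
    $IPT -t nat -A PREROUTING -i "$in_if" -s "$client_net" -p tcp --dport 80 \
        -j DNAT --to-destination "$proxy_ip:$proxy_port"
}

# Dry run of the two rules the post needs (printed, not applied).
redirect_rule eth3 192.168.0.0/24   192.168.0.254 3128   # wired LAN users
redirect_rule tun0 192.168.182.0/24 192.168.0.254 3128   # hotspot users (tun0 assumed)

# The line from the comment thread: a network where an interface belongs.
redirect_rule 192.168.0.0/24 192.168.0.0/24 192.168.0.254 3128 \
    || echo "rule rejected before reaching iptables"
```

Run it with plain `sh` and no privileges: the first two calls print the rules, the third is refused by the helper with a message naming the bad argument, which is easier to act on than iptables' own IFNAMSIZ complaint. Keeping both `-i` and `-s` in the rule also ties the client network to the interface it is expected on, so a packet claiming a 192.168.0.x source but arriving on the external interface is not steered into the proxy.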
