Install distro EasyHotspot seperti biasanya, selanjutnya install Squid proxy dan konfigurasikan agar Squid berjalan sebagai transparent proxy. EasyHotspot di sini digunakan sebagai server proxy yang melayani user biasa di kelas IP 192.168.0.0 dan user hotspot prepaid di kelas IP 192.168.182.0. Selanjutnya kita bikin script firewall buat user biasa agar setiap permintaan ke port 80 di-redirect ke port 3128 (Squid):

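#!/bin/sh
#
# Firewall for the regular LAN users: masquerade their traffic out through
# $INTERNET and send their port-80 requests to the local Squid instance
# (transparent proxy).
#
# Every quote and option dash in this file must be plain ASCII (" and --).
# Typographic quotes become part of the variable values, and iptables does
# not recognise an en dash as the start of a long option.

# squid server IP
SQUID_SERVER="192.168.0.254"
# Interface connected to Internet
INTERNET="eth4"
# Interface connected to LAN
LAN_IN="eth3"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall.
# With no chain given, -F/-X act on every chain of the table, so rules that
# other tools placed in filter, nat or mangle are removed as well.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# NOTE(review): these are the legacy module names; newer kernels ship them
# as nf_conntrack, nf_conntrack_ftp and nf_nat_ftp. Adjust if modprobe fails.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
# NOTE(review): the FORWARD policy is not set anywhere in this script, so
# forwarded traffic that matches no FORWARD rule is handled by whatever that
# policy currently is (ACCEPT unless something changed it). Confirm that
# forwarding from $INTERNET towards the LAN is meant to stay open.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept only replies and related traffic (e.g. DNS answers, passive FTP
# data) on the Internet-facing interface; new inbound connections are not
# accepted here.
iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface "$INTERNET" -j MASQUERADE
iptables --append FORWARD --in-interface "$LAN_IN" -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i "$LAN_IN" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IN" -j ACCEPT

# Transparent proxy: HTTP arriving from the LAN is rewritten to Squid.
iptables -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"
# NOTE(review): this rule rewrites port-80 connections that arrive on the
# Internet-facing interface to the Squid port. The INPUT rules above do not
# accept new connections on $INTERNET, so they currently end at the DROP
# policy, but any later rule that opens INPUT on that interface would expose
# the proxy to outside clients (open proxy). Consider removing this rule and
# restricting Squid's http_access to the LAN source ranges.
iptables -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
# Same redirect as the first rule, keyed on the LAN source range instead of
# the inbound interface. The destination now follows SQUID_SERVER/SQUID_PORT
# rather than repeating their values as literals.
iptables -t nat -A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 --dport 80 -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"

# Log everything that reaches the end of INPUT. LOG does not terminate
# rule processing; the packet is dropped afterwards by the INPUT policy set
# above, not by this rule.
# NOTE(review): without a rate limit (-m limit) this can flood the kernel
# log on a busy or scanned interface.
iptables -A INPUT -j LOG

#iptables -t mangle -A POSTROUTING -d 192.168.0.14 -j MARK --set-mark 101
#iptables -A INPUT -j DROP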
##############################
Simpan script di atas sebagai /etc/init.d/sharing, setelah itu jalankan chmod a+x /etc/init.d/sharing agar bisa dieksekusi.

Agar user hotspot prepaid bisa akses internet setelah login dan di-redirect ke port Squid (melalui transparent proxy Squid), edit file /etc/init.d/chillispot.firewall menjadi seperti ini:

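#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF as the external interface (Internet or intranet) and
# $INTIF as the internal interface (access points); both are set below.
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
# to and from the internal interface.
# * NAT is enabled on the external interface.
#
# NOTE(review): the rules below do not implement the "disallowed to and from
# the internal interface" part: the FORWARD policy is ACCEPT, the two FORWARD
# DROP rules are commented out, and a FORWARD ACCEPT for $INTIF is appended.
#
# NOTE(review): this script only appends (-A) and never flushes. If another
# script has already appended rules to the same chains (for example an
# earlier `-i eth3 -j ACCEPT` on INPUT), those earlier rules are evaluated
# first and can make rules here unreachable. Check the resulting order with
# `iptables -L -n -v --line-numbers`.
#
# All quotes and option dashes must be plain ASCII (" and --); typographic
# characters from a copied web page break the assignments and the options.

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

IPTABLES="/sbin/iptables"
EXTIF="eth4"
INTIF="eth3"

"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp -m tcp --dport 22 --syn -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -j REJECT

#Allow related and established from $INTIF. Drop everything else.
"$IPTABLES" -A INPUT -i "$INTIF" -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow everything on loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
#$IPTABLES -A FORWARD -i $INTIF -j DROP
#$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
# Uses $IPTABLES like every other rule in this file instead of relying on
# whichever iptables binary is first in PATH.
"$IPTABLES" --append FORWARD --in-interface "$INTIF" -j ACCEPT
# Send HTTP from the listed source range to Squid. The range is matched with
# -s: -i expects an interface name, so a CIDR given to -i never matches.
# NOTE(review): this source range is the regular LAN. If the rule is meant
# to cover the prepaid hotspot clients, the range probably has to be their
# subnet (192.168.182.0/24 in this setup) - confirm before relying on it.
"$IPTABLES" -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254:3128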

###########################################################

Agar kedua script di atas dieksekusi otomatis setiap booting, edit file /etc/rc.local menjadi seperti ini:

#!/bin/sh -e
#
# rc.local
#
# Executed at the end of each multiuser runlevel. It has to finish with
# "exit 0" on success and with any other value on error.
#
# Enable or disable it by changing its execution bits.
#
# The firewall scripts run in the listed order. Because of -e in the
# interpreter line, a non-zero exit status from one of them stops rc.local
# right there, so the scripts after it are not run.
for fw_script in /etc/init.d/sharing /etc/init.d/chillispot.firewall; do
  sh "$fw_script"
done

exit 0

Reboot EasyHotspot, dan kalau tidak ada kesalahan maka user biasa dan user hotspot prepaid bisa internetan melalui Squid proxy. Lumayan ngirit PC..he..he