Below we set up a proxy server with the following configuration:
Hostname: proxy.ibii.ac.id
External IP: 192.168.0.1
Internal IP: 192.168.3.1
Install Ubuntu Server as usual
- Use LVM for the partitions
- Create the admin user
- Log in as the admin user
- Set a root password
sudo passwd
- Log in as root
- Disable sudo: run visudo and comment out the admin group's access as shown below:
#%admin ALL=(ALL) ALL
- Edit /etc/apt/sources.list (use the kambing.vlsm.org repository and enable universe and multiverse)
- Update
aptitude update
aptitude dist-upgrade
- aptitude install screen patch bzr make
- cd /etc
- bzr init
- vi .bzrignore
./adjtime
./ld.so.*
./.pwd.lock
./mtab
./group-
./passwd-
./shadow-
./gshadow-
*/supervise
data.cdb
- bzr add .
- bzr commit -m START
- Add the internal network settings to /etc/network/interfaces
auto eth1
iface eth1 inet static
address 192.168.3.1
netmask 255.255.255.0
- Add our fully qualified hostname to /etc/hosts
192.168.0.1 proxy.ibii.ac.id proxy
- Restart networking
/etc/init.d/networking restart
- Test the configuration
ifconfig eth1
hostname -f
- Save to revision control
cd /etc
bzr commit -m "Setting Network"
- aptitude install openssh-server
- Save to revision control
bzr add /etc
bzr commit -m "Install SSH" /etc
We need to secure SSH by refusing root logins over SSH (to become root, go through su).
- Edit /etc/ssh/sshd_config and change the line so it reads:
PermitRootLogin no
- Save to revision control
bzr commit -m "Setup SSH" /etc
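The PermitRootLogin edit is worth verifying rather than trusting, because sshd keeps the first occurrence of a keyword and ignores commented lines: a grep for "PermitRootLogin no" reports success even when an earlier "PermitRootLogin yes" line still wins. On OpenSSH 5.1 and later, sshd -T prints the effective configuration and is the authoritative check; for older releases that lack it, the script below, added here as an example and not part of the original post, reads the file the way sshd does (first match wins, keyword case-insensitive, Match blocks excluded). The function names, the file paths and the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective value of an
# sshd_config keyword.  sshd keeps the FIRST occurrence of a keyword, keywords
# are case-insensitive, and lines starting with '#' are comments.  Keywords
# inside a "Match" block apply only to matching connections, so scanning stops
# there (use "sshd -T -C ..." on newer OpenSSH to evaluate those).

# Usage: sshd_effective <config-file> <Keyword>
# Prints the first value found (lower-cased), or DEFAULT when the keyword is
# not set explicitly and sshd falls back to its built-in default.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                         # comment line
        /^[ \t]*$/ { next }                         # blank line
        tolower($1) == "match" { exit }             # global section ends here
        tolower($1) == key && NF >= 2 { print tolower($2); found = 1; exit }
        END { if (!found) print "DEFAULT" }
    ' "$1"
}

# Usage: check_root_login <config-file>
# Exit status 0 when root login over SSH is effectively disabled, 1 otherwise.
check_root_login() {
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ]
}

# Constructed sample configurations for the demonstration.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
Port 22
# PermitRootLogin yes
PermitRootLogin no
EOF

# Here a plain grep for "PermitRootLogin no" would wrongly report success.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
EOF

for f in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if check_root_login "$f"; then
        echo "$f: root login disabled"
    else
        echo "$f: root login STILL ALLOWED (effective value: $(sshd_effective "$f" PermitRootLogin))"
    fi
done
```

Run it against /etc/ssh/sshd_config with check_root_login /etc/ssh/sshd_config after the edit, and remember that sshd only picks up the new value after it is restarted.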
Shorewall is a tool that makes configuring iptables (the Linux kernel's firewall feature) easy. See http://shorewall.net for the full documentation. Ubuntu Dapper ships Shorewall version 3.0.4.
- aptitude install shorewall
- Save to revision control
bzr add /etc
bzr commit -m "Install Shorewall" /etc
We will set up Shorewall for a two-interface configuration. See http://shorewall.net/two-interface.htm for more details.
- cd /etc/shorewall
- Copy the two-interfaces example and a few files from default-config
cp /usr/share/doc/shorewall/examples/two-interfaces/* .
cp /usr/share/doc/shorewall/default-config/{start,blacklist,maclist} .
gunzip *.gz
rm -f README.txt
- Edit /etc/shorewall/shorewall.conf and change the line so it reads:
IP_FORWARDING=On
- Edit /etc/shorewall/interfaces and change the lines so they read:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
loc     eth1        detect      dhcp,tcpflags,detectnets,nosmurfs
If your external IP is a public IP, add norfc1918 to the OPTIONS column.
- Edit /etc/shorewall/masq and change the line so it reads:
#INTERFACE   SUBNET   ADDRESS       PROTO   PORT(S)   IPSEC
eth0         eth1     192.168.0.1
- Edit /etc/shorewall/policy and change the lines so they read:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    DROP     debug
fw        net    REJECT   info
fw        loc    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- Edit /etc/shorewall/rules and change the lines so they read:
################################################################################
#ACTION         SOURCE  DEST    PROTO   DEST      SOURCE   ORIGINAL      RATE    USER/
#                                       PORT      PORT(S)  DEST          LIMIT   GROUP
#= Transparent Proxy ===========================================================
#REDIRECT       loc     3128    tcp     80        -        !192.168.0.1
# Coral CDN
#REDIRECT       loc     3128    tcp     8080      -        !192.168.0.1
#REDIRECT       loc     3128    tcp     8090      -        !192.168.0.1
#= Allow Ping to and from Firewall =============================================
ACCEPT          $FW     loc     icmp
ACCEPT          $FW     net     icmp
Ping/ACCEPT     loc     $FW
# Disable if flooded
Ping/ACCEPT     net     $FW
#= Net to Firewall =============================================================
SSH/ACCEPT      net     $FW
#= Firewall to Net =============================================================
DNS/ACCEPT      $FW     net
SSH/ACCEPT      $FW     net
Web/ACCEPT      $FW     net
FTP/ACCEPT      $FW     net
NTP/ACCEPT      $FW     net
SMTP/ACCEPT     $FW     net
Trcrt/ACCEPT    $FW     net
# Proxy
ACCEPT          $FW     net     tcp     8080,3128
ACCEPT          $FW     net     udp     3130,4827
# Coral CDN
ACCEPT          $FW     net     tcp     8090
#= Local to Firewall ===========================================================
DNS/ACCEPT      loc     $FW
SSH/ACCEPT      loc     $FW
ACCEPT          loc     $FW     tcp     3128
#= Local to Net ================================================================
DNS/ACCEPT      loc     net
Web/ACCEPT      loc     net
FTP/ACCEPT      loc     net
SSH/ACCEPT      loc     net
Telnet/ACCEPT   loc     net
NTP/ACCEPT      loc     net
POP3/ACCEPT     loc     net
IMAP/ACCEPT     loc     net
Trcrt/ACCEPT    loc     net
CVS/ACCEPT      loc     net
# SMTP: beware of viruses sending lots of e-mail!
ACCEPT:debug    loc     net     tcp     25        -        -             1/sec
# Ping: beware of viruses pinging out!
ACCEPT:debug    loc     net     icmp    8         -        -             10/sec
# Yahoo Messenger
ACCEPT          loc     net     tcp     5000,5001,5050,5100,5101
ACCEPT          loc     net     udp     370
# MSN
ACCEPT          loc     net     tcp     1863
ACCEPT          loc     net     udp     7001
# AIM
ACCEPT          loc     net     tcp     5190
ACCEPT          loc     net     udp     5140
# Jabber/Google Talk
JabberPlain/ACCEPT    loc     net
JabberSecure/ACCEPT   loc     net
# MS Streaming
ACCEPT          loc     net     tcp     1755
ACCEPT          loc     net     udp     1755
# Real
ACCEPT          loc     net     tcp     554
ACCEPT          loc     net     udp     7070
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- Edit /etc/shorewall/start and change the lines so they read:
###############################################################################
dmesg -n 4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
That line keeps non-critical kernel messages off the console.
- Edit /etc/default/shorewall and change the corresponding line so it reads:
startup=1
- Restart Shorewall
/etc/init.d/shorewall restart
- Save to revision control
bzr add /etc
bzr commit -m "Setup Shorewall" /etc
- Test from a client: set its gateway to 192.168.3.1, with DNS set to your DNS server, and check whether it can reach the Internet or not.
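The policy and rules files above only protect the internal network while three properties hold: the policy file ends with the catch-all "all all REJECT", nothing ACCEPTs from the net zone by policy, and the only ACCEPT rules whose SOURCE is net are the ones deliberately opened (SSH and ping in this tutorial). A later edit can quietly break any of them. The script below, added here as an example and not part of the original post or of the Shorewall project, parses Shorewall's whitespace-separated column format and reports violations; the function names are mine, and the policy and rules files it builds are constructed samples (one correct set, one deliberately broken set), so point the functions at /etc/shorewall/policy and /etc/shorewall/rules on a real host.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project): audit the
# Shorewall policy and rules files of the two-interface setup.  Shorewall files
# are whitespace-separated columns and '#' starts a comment.  Checks:
#   1. the policy file ends with the catch-all "all all REJECT" (or DROP);
#   2. no policy ACCEPTs traffic whose SOURCE zone is net;
#   3. the only ACCEPT rules with SOURCE net are on the allow list
#      (SSH/ACCEPT and Ping/ACCEPT by default, matching the tutorial).

# Print a file with comments and blank lines removed.
shorewall_lines() {
    sed -e 's/#.*//' "$1" | awk 'NF > 0'
}

# 1. Prints "ok" if the last policy is the catch-all, otherwise a reason.
policy_has_catchall() {
    shorewall_lines "$1" | awk '
        { last = $1 " " $2 " " $3 }
        END {
            if (last == "all all REJECT" || last == "all all DROP") print "ok"
            else print "last policy is not a catch-all: " last
        }'
}

# 2. Prints every policy that ACCEPTs from the net zone (expect no output).
policies_accepting_from_net() {
    shorewall_lines "$1" | awk '$1 == "net" && $3 == "ACCEPT" { print }'
}

# 3. Prints ACCEPT rules from net that are not on the allow list (expect no
#    output).  The ACTION column may be "ACCEPT", "ACCEPT:level" or
#    "Macro/ACCEPT".  Usage: rules_accepting_from_net <rules-file> [allow-list]
rules_accepting_from_net() {
    shorewall_lines "$1" | awk -v allow=" ${2:-SSH/ACCEPT Ping/ACCEPT} " '
        $2 == "net" && $1 ~ "(^|/)ACCEPT(:|$)" && index(allow, " " $1 " ") == 0 { print }'
}

# Constructed samples: the tutorial's policy, and a broken variant where an
# ACCEPT from net was appended after the catch-all.
POLICY_OK=$(mktemp); cat > "$POLICY_OK" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    DROP     debug
fw        net    REJECT   info
fw        loc    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF
POLICY_BAD=$(mktemp); cat > "$POLICY_BAD" <<'EOF'
loc       net    DROP     debug
all       all    REJECT   info
net       all    ACCEPT
EOF

# Constructed samples: a subset of the tutorial's rules, and a variant with
# two rules that expose internal services (a web server, the proxy port) to net.
RULES_OK=$(mktemp); cat > "$RULES_OK" <<'EOF'
Ping/ACCEPT    net     $FW
SSH/ACCEPT     net     $FW
DNS/ACCEPT     $FW     net
ACCEPT         loc     $FW     tcp     3128
ACCEPT:debug   loc     net     tcp     25   -   -   1/sec
EOF
RULES_BAD=$(mktemp); cat > "$RULES_BAD" <<'EOF'
SSH/ACCEPT     net     $FW
Web/ACCEPT     net     loc
ACCEPT:info    net     $FW     tcp     3128
EOF

for p in "$POLICY_OK" "$POLICY_BAD"; do
    echo "$p: $(policy_has_catchall "$p")"
    policies_accepting_from_net "$p" | sed 's/^/  ACCEPT from net: /'
done
for r in "$RULES_OK" "$RULES_BAD"; do
    echo "$r:"
    rules_accepting_from_net "$r" | sed 's/^/  exposed to net: /'
done
```

The checks are on the files only; after editing, shorewall check and shorewall restart remain the authoritative test, and the client test described above confirms that traffic actually flows.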
- TODO: djbdns-installer
- dpkg -i daemontools_0.76-9_i386.deb djbdns_1.05-11_i386.deb
- Save to revision control
bzr add /etc
bzr commit -m "Install DJBDNS" /etc
- dnscache-conf-fhs dnscache dnslog /etc/dnscache 192.168.3.1
- echo 1 > /etc/dnscache/env/FORWARDONLY
- Edit /etc/dnscache/root/servers/@ and add the DNS servers (one IP per line) at the very top
- touch /etc/dnscache/root/ip/192.168.3
- ln -s /etc/dnscache /var/lib/svscan/
- svstat /etc/dnscache/
It must show: up (pid XXXX) X seconds
- Edit /etc/resolv.conf and add at the very top:
nameserver 192.168.3.1
- Test
env DNSCACHEIP=192.168.3.1 dnsqr a google.com
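The dnscache set up above is safe only because it listens on the internal address (env/IP) and answers just the clients whose prefix is listed under root/ip; FORWARDONLY=1 and the servers in root/servers/@ decide where its own queries go. A stray root/ip entry, an env/IP of 0.0.0.0 or an empty root/servers/@ either breaks resolution or turns the cache into an open resolver reachable from the Internet. The script below, added here as an example and not part of the original post or of djbdns, audits a dnscache directory laid out the way dnscache-conf creates it; the function names are mine, the two directories it builds are constructed samples, and 192.0.2.53 and 203.0.113 are documentation-range placeholder addresses rather than real servers.

```shell
#!/bin/sh
# Added example (not from the original post or djbdns): audit a dnscache
# configuration directory (env/IP, env/FORWARDONLY, root/servers/@,
# root/ip/<prefix>) and report anything that would leave the cache without
# upstream servers or expose it beyond the internal network.

# Is a dotted prefix (as used for root/ip file names) inside RFC 1918 space?
# Accepts 10, 172.16 to 172.31, 192.168, or longer prefixes under those.
is_private_prefix() {
    case "$1" in
        10|10.*) return 0 ;;
        192.168|192.168.*) return 0 ;;
        172.1[6-9]|172.1[6-9].*|172.2[0-9]|172.2[0-9].*|172.3[01]|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Usage: audit_dnscache <config-dir>
# Prints one line per finding (nothing when the directory looks right).
# Exit status 0 = clean, 1 = at least one finding.
audit_dnscache() {
    dir=$1; findings=0
    if [ "$(cat "$dir/env/FORWARDONLY" 2>/dev/null)" != "1" ]; then
        echo "FORWARDONLY is not 1: cache would recurse from the root servers itself"
        findings=1
    fi
    if ! grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' "$dir/root/servers/@" 2>/dev/null; then
        echo "root/servers/@ lists no upstream server address"
        findings=1
    fi
    case "$(cat "$dir/env/IP" 2>/dev/null)" in
        ""|0.0.0.0) echo "env/IP is empty or 0.0.0.0: cache listens on every interface"; findings=1 ;;
    esac
    if [ -z "$(ls "$dir/root/ip" 2>/dev/null)" ]; then
        echo "root/ip is empty: no client is allowed to query"
        findings=1
    fi
    for f in "$dir"/root/ip/*; do
        [ -e "$f" ] || continue
        p=${f##*/}
        is_private_prefix "$p" || { echo "root/ip/$p admits non-private clients (open resolver risk)"; findings=1; }
    done
    return $findings
}

# Constructed sample: the tutorial's layout (internal IP, forward-only,
# one upstream, clients from 192.168.3.x only).
GOOD_DIR=$(mktemp -d)
mkdir -p "$GOOD_DIR/env" "$GOOD_DIR/root/servers" "$GOOD_DIR/root/ip"
echo 192.168.3.1 > "$GOOD_DIR/env/IP"
echo 1 > "$GOOD_DIR/env/FORWARDONLY"
echo 192.0.2.53 > "$GOOD_DIR/root/servers/@"     # placeholder upstream (TEST-NET-1)
touch "$GOOD_DIR/root/ip/192.168.3"

# Constructed sample: four mistakes at once (no FORWARDONLY, no upstream,
# listening everywhere, and a non-private client prefix).
BAD_DIR=$(mktemp -d)
mkdir -p "$BAD_DIR/env" "$BAD_DIR/root/servers" "$BAD_DIR/root/ip"
echo 0.0.0.0 > "$BAD_DIR/env/IP"
: > "$BAD_DIR/root/servers/@"
touch "$BAD_DIR/root/ip/192.168.3" "$BAD_DIR/root/ip/203.0.113"   # 203.0.113 is TEST-NET-3, a placeholder

for d in "$GOOD_DIR" "$BAD_DIR"; do
    echo "$d:"
    audit_dnscache "$d" | sed 's/^/  /'
done
```

On the proxy itself, run audit_dnscache /etc/dnscache before the svstat step; the dnsqr test above then confirms that the cache really answers from the internal address.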