Wednesday, 29 October 2008

Transparent Proxy Using Ubuntu 5.10 with an ADSL Connection

I wrote this guide because of the many questions on mailing lists and forums from fellow Linux users (newbies in particular) who are confused about how to share an internet connection. Here I will try to explain the steps for setting up a proxy server using Squid, together with the use of delay pools for bandwidth limiting. This guide has been tested, and the proxy server described here is still in use today, serving about 60 clients at the same time. I hope it is useful to readers, and to myself in case I forget something later on. Any corrections, criticism, suggestions or discussion can be sent to the email address above.


There are 3 kinds of proxy:
1. Manual proxy
Every client must enter the proxy server's IP in the browser it uses in order to reach the internet.
2. Transparent proxy
On the client side the proxy server IP may or may not be entered in the browser, provided that the client's gateway IP and DNS server are set to the proxy server's IP.
3. NAT proxy server
Uses MASQUERADE. I do not really understand it; please look for information on the internet.

Preparation:
1. PC
In this tutorial I used the following specification:
• P4 1.8GHz
• RAM 1 GB
• HD 40 GB
• 2 NICs

2. Ubuntu Linux 5.10 (another distro is fine too, whatever you prefer)
3. ADSL telephone line
4. ADSL modem (I forget the brand, but it has 4 RJ45 ports)
5. Software (Squid and Bind9)


Topology

(line-telepon)---(modem-adsl)---|eth0|(proxy-server)|eth1|---(switch)---(klien)

Modem
IP : 10.27.10.1
Subnet : 255.255.255.0
DNS server 1 : 202.134.0.155
DNS server 2 : 202.137.1.10

Proxy Server
iface eth0 inet static // eth0
address 10.27.10.3
netmask 255.255.255.0
network 10.27.10.0
broadcast 10.27.10.255
gateway 10.27.10.1

iface eth1 inet static // eth1, client side (LAN)
address 10.25.10.3
netmask 255.255.255.0
network 10.25.10.0
broadcast 10.25.10.255

DNS servers (in /etc/resolv.conf)
nameserver 202.134.1.10
nameserver 202.134.0.155

For the clients, set IP addresses using class A or C as suits your own configuration, but remember that the client IPs must be in the same class as the eth1 IP of the proxy server (for this topology).


Steps
1. Install Ubuntu Linux 5.10
Not explained here because it would take too long; please refer to http://howtoforge.net/perfect_setup_ubuntu_5.10 or another site. I used the standard install with auto partitioning.

2. Set the IP addresses
root@proxy:~# vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth0
map eth1

# The primary network interface
iface eth0 inet static
address 10.27.10.3
netmask 255.255.255.0
network 10.27.10.0
broadcast 10.27.10.255
gateway 10.27.10.1
# dns-* options are implemented by the resolvconf package, if installed
#dns-nameservers 202.134.0.115

iface eth1 inet static
address 10.25.10.3
netmask 255.255.255.0
network 10.25.10.0
broadcast 10.25.10.255

Restart the network interfaces
root@proxy:~# /etc/init.d/networking restart

Check that the routing table is correct
root@proxy:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.25.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.27.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.27.10.1 0.0.0.0 UG 0 0 0 eth0

Make sure the gateway column contains 10.27.10.1 on interface eth0. If that IP does not appear, add it manually with:
root@proxy:~# route add default gw 10.27.10.1

Check the routing table again with route -n.

3. Set the DNS server IP addresses
root@proxy:~# vi /etc/resolv.conf
nameserver 202.134.1.10
nameserver 202.134.0.155

4. Test the connection
After configuring the IPs, test first to make sure the connection on the proxy server PC works properly. Try pinging a few sites and check that you get replies; if not, repeat the previous steps. (In the output below the hostnames do resolve, which shows name resolution works, but the echo requests are reported as filtered by the upstream address 203.130.255.209.)
root@proxy:~# ping its.ac.id
PING its.ac.id (202.46.129.13) 56(84) bytes of data.
From 203.130.255.209 icmp_seq=1 Packet filtered
From 203.130.255.209 icmp_seq=2 Packet filtered
From 203.130.255.209 icmp_seq=3 Packet filtered
From 203.130.255.209 icmp_seq=4 Packet filtered

--- its.ac.id ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms

root@proxy:~# ping iii.ac.id
PING iii.ac.id (72.232.21.250) 56(84) bytes of data.
From 203.130.255.209 icmp_seq=1 Packet filtered
From 203.130.255.209 icmp_seq=2 Packet filtered
From 203.130.255.209 icmp_seq=3 Packet filtered
From 203.130.255.209 icmp_seq=4 Packet filtered

--- iii.ac.id ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3001ms

root@proxy:~# ping google.com
PING google.com (64.233.187.99) 56(84) bytes of data.
From 203.130.255.209 icmp_seq=1 Packet filtered
From 203.130.255.209 icmp_seq=2 Packet filtered
From 203.130.255.209 icmp_seq=3 Packet filtered
From 203.130.255.209 icmp_seq=4 Packet filtered

--- google.com ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3003ms

5. Configure the aptitude source list
I added a few mirrors here but did not use them much; I think the Squid package is already on the CD-ROM.
root@proxy:~# vi /etc/apt/sources.list
deb cdrom:[Ubuntu 5.10 _Breezy Badger_ - Release i386 (20051012)]/ breezy main restricted

deb http://kambing.vlsm.org/ubuntu breezy universe
deb-src http://kambing.vlsm.org/ubuntu breezy universe

deb http://kambing.vlsm.org/ubuntu breezy-security main restricted
deb-src http://kambing.vlsm.org/ubuntu breezy-security main restricted

deb http://kambing.vlsm.org/ubuntu breezy-security universe
deb-src http://kambing.vlsm.org/ubuntu breezy-security universe

deb http://kambing.vlsm.org/ubuntu breezy multiverse
deb-src http://kambing.vlsm.org/ubuntu breezy multiverse

deb http://id.archive.ubuntu.com/ubuntu breezy main restricted
deb-src http://id.archive.ubuntu.com/ubuntu breezy main restricted

deb http://id.archive.ubuntu.com/ubuntu breezy-updates main restricted
deb-src http://id.archive.ubuntu.com/ubuntu breezy-updates main restricted

deb http://id.archive.ubuntu.com/ubuntu breezy universe
deb-src http://id.archive.ubuntu.com/ubuntu breezy universe

deb http://id.archive.ubuntu.com/ubuntu breezy-backports main restricted universe multiverse
deb-src http://id.archive.ubuntu.com/ubuntu breezy-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu breezy-security main restricted
deb-src http://security.ubuntu.com/ubuntu breezy-security main restricted

deb http://security.ubuntu.com/ubuntu breezy-security universe
deb-src http://security.ubuntu.com/ubuntu breezy-security universe
After configuring the source list, make sure to run the update until it finishes
root@proxy:~# apt-get update

6. Bandwidth allocation
For bandwidth limiting I use per-host/IP-address limiting, where each computer/host/IP address has its maximum download speed capped; this keeps the connection shared evenly even when a client uses a download manager. It assumes the internet connection is stable.

Server computers : unlimited download rate
Staff computers : maximum 12kB download rate
Lab computers : maximum 10kB download rate
Admin computers : maximum 20kB download rate
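The per-host caps listed above are implemented later in squid.conf by class-2 delay pools. The model below is an added example (not the post's own code): it parses those delay_parameters values and simulates what one client receives second by second; the once-per-second token-bucket timing and the full starting bucket are assumptions of the model.

```python
"""Token-bucket model of the class-2 delay pools in the page's squid.conf
(added example, not code from the original post). Each delay_parameters
value is "aggregate individual"; each bucket is "restore/max": `restore`
bytes are added every second, the bucket never exceeds `max`, and -1/-1
means unlimited. Class 2 keeps one individual bucket per client IP."""

# delay_parameters values from the page, keyed by the ACL each pool serves
DELAY_PARAMETERS = {
    "staf": "-1/-1 12000/15000",
    "lab": "-1/-1 10000/11000",
    "admin": "-1/-1 20000/30000",
    "server": "-1/-1 -1/-1",
    "swiss": "-1/-1 10000/11000",
}

def parse_bucket(spec):
    """'12000/15000' -> (12000, 15000); '-1/-1' -> None (no limit)."""
    restore, maximum = (int(x) for x in spec.split("/"))
    return None if restore < 0 else (restore, maximum)

def parse_class2(value):
    """Split a class-2 value into (aggregate_bucket, per_host_bucket)."""
    aggregate, per_host = value.split()
    return parse_bucket(aggregate), parse_bucket(per_host)

def simulate_host(bucket, demand, seconds, start_full=True):
    """Bytes delivered each second to one host that always wants `demand`
    bytes/s. Assumption: the bucket starts full (in Squid the starting fill
    is set by delay_initial_bucket_level) and is refilled before serving."""
    if bucket is None:
        return [demand] * seconds
    restore, maximum = bucket
    level = maximum if start_full else 0
    served = []
    for _ in range(seconds):
        level = min(maximum, level + restore)  # refill, capped at max
        chunk = min(demand, level)             # hand out what is available
        level -= chunk
        served.append(chunk)
    return served

def steady_rate_kb_per_s(pool):
    """Long-run per-host ceiling in kB/s (None = unlimited), i.e. step 6."""
    _, per_host = parse_class2(DELAY_PARAMETERS[pool])
    return None if per_host is None else per_host[0] / 1000

if __name__ == "__main__":
    for pool in DELAY_PARAMETERS:
        print(pool, steady_rate_kb_per_s(pool))
    # a staff host pulling flat out: one 15 kB burst, then 12 kB/s
    per_host = parse_class2(DELAY_PARAMETERS["staf"])[1]
    print(simulate_host(per_host, 10**6, 5))
```

The second number of each bucket (15000, 11000, 30000) only sets the size of the burst an idle host can take in its first second; the long-run cap is the first number.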

7. Install Squid
root@proxy:~# apt-get install squid

8. Configure Squid
I took this configuration from walecha's site and from Dani's configuration (Dani Firmansyah, isn't it?); I only changed it a little and added the delay pools. The parts in bold are the changes I made and added.
root@proxy:~# vi /etc/squid/squid.conf
#============================================================$
# WELCOME TO SQUID 2 HIGH PERFORMANCES
#============================================================$

http_port 3128
#http_port 80
icp_port 3130

#============================================================$
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
#
#We recommend you to use at least the following line.
#============================================================$
hierarchy_stoplist cgi-bin ? .js .jsp .g .do .php .asp .cgi localhost indosat.net.id
acl QUERY urlpath_regex cgi-bin \? .js .jsp .g .do .php .asp .cgi localhost indosat.net.id
no_cache deny QUERY
#============================================================$

#============================================================$
# OPTIONS WHICH AFFECT THE CACHE SIZE
#============================================================$
cache_mem 4 MB
maximum_object_size 10 MB
maximum_object_size_in_memory 32 KB
cache_swap_low 98%
cache_swap_high 99%
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
high_memory_warning 70 MB
ipcache_size 4096
ipcache_low 98
ipcache_high 99
#============================================================$
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#============================================================$
cache_dir diskd /var/spool/squid 2000 8 256
cache_access_log /var/log/squid/access.log
cache_log /dev/null
cache_store_log /dev/null
mime_table /usr/share/squid/mime.conf
pid_filename /var/run/squid.pid
log_fqdn off
log_icp_queries off
buffered_logs off
emulate_httpd_log off

#============================================================$
# FTP section
#============================================================$
ftp_passive on
ftp_sanitycheck on

#============================================================$
# DNS resolution section
#============================================================$
dns_nameservers 127.0.0.1 202.134.1.10 202.134.0.155

#============================================================$
# Filesystem section
#============================================================$
diskd_program /usr/lib/squid/diskd

#============================================================$
# AUTH section
#============================================================$
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

#============================================================$
# Refresh Rate
#============================================================$
refresh_pattern \.gif 4320 50% 43200
refresh_pattern \.jpg 4320 50% 43200
refresh_pattern \.tif 4320 50% 43200
refresh_pattern \.png 4320 50% 43200
refresh_pattern \.jpeg 4320 50% 43200
refresh_pattern ^http://www.friendster.com/.* 720 100% 4320
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320
refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320
refresh_pattern ^http://*.yimg.*/.* 720 100% 4320
refresh_pattern ^http://*.gmail.*/.* 720 100% 4320
refresh_pattern ^http://*.google.*/.* 720 100% 4320
refresh_pattern ^http://*korea.*/.* 720 100% 4320
refresh_pattern ^http://*.akamai.*/.* 720 100% 4320
refresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320
refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320
refresh_pattern ^http://*.plasa.*/.* 720 100% 4320
refresh_pattern ^http://*.telkom.*/.* 720 100% 4320
refresh_pattern ^ftp: 10080 95% 40320 reload-into-ims override-lastmod
refresh_pattern . 0 20% 4320 reload-into-ims override-lastmod

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100%

#============================================================$
# ACL section
#============================================================$
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563 2083 # https, snews, 2083 for accessing cPanel web hosting
#acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# the city names are the names of rooms at my site
acl server src 10.25.10.1-10.25.10.10/255.255.255.255
acl staf src 10.25.10.11-10.25.10.40/255.255.255.255
acl lab src 10.25.10.100-10.25.10.150/255.255.255.255
acl admin src 10.25.10.26-10.25.10.28/255.255.255.255
acl swiss src 10.25.10.75/255.255.255.255

always_direct allow localhost server staf lab admin swiss
always_direct deny all

http_access allow manager all
http_access deny !Safe_ports
http_access allow purge localhost
http_access deny purge
http_access deny CONNECT !SSL_ports
http_access allow localhost

http_access allow server
http_access allow lab
http_access allow staf
http_access allow admin
http_access allow swiss

http_access deny all
http_reply_access allow all

icp_access allow all
reply_body_max_size 0 allow all
cache_mgr noc@abc.com
visible_hostname www.abc.com
header_access Accept-Encoding deny all

#============================================================$
# Transparent proxy setting
#============================================================$
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_no_pmtu_disc on
httpd_accel_single_host off
half_closed_clients off
#forwarded_for on

#============================================================$
# MISCELLANEOUS
#============================================================$
logfile_rotate 3
negative_ttl 2 minutes
#digest_rebuild_period 30 minute
#digest_rewrite_period 30 minute
#digest_swapout_chunk_size 4096 bytes
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch on
vary_ignore_expire on
reload_into_ims on
store_dir_select_algorithm round-robin
nonhierarchical_direct off
prefer_direct off
memory_pools off
shutdown_lifetime 10 seconds
cachemgr_passwd proxy all
ie_refresh on
cache_effective_user proxy
cache_effective_group proxy

#bandwidth limiting starts here
#using class 2, where the network as a whole is unlimited but each host is limited
delay_pools 5

delay_class 1 2
delay_class 2 2
delay_class 3 2
delay_class 4 2
delay_class 5 2

delay_access 1 allow staf
delay_access 2 allow lab
delay_access 3 allow admin
delay_access 4 allow server
delay_access 5 allow swiss

delay_parameters 1 -1/-1 12000/15000
delay_parameters 2 -1/-1 10000/11000
delay_parameters 3 -1/-1 20000/30000
delay_parameters 4 -1/-1 -1/-1
delay_parameters 5 -1/-1 10000/11000
#bandwidth limiting ends here
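How Squid decides a request against the ACL section above can be traced with this first-match evaluator, an added example that is not code from the original post. It transcribes the page's acl and http_access lines; the outside address 203.0.113.9 used at the end is a constructed sample.

```python
"""First-match evaluation of the http_access rules in the page's squid.conf
(added example, not the original post's code). Each line is allow/deny plus
ACL names that must all match ("!" negates); the first matching line wins."""
import ipaddress

def ip_range(first, last):
    """ACL 'src a-b': true when the request's source IP lies in [a, b]."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return lambda r: lo <= int(ipaddress.ip_address(r["src"])) <= hi

def ports(*specs):
    """ACL 'port ...': single ports or 'a-b' ranges, as in Safe_ports."""
    allowed = set()
    for spec in specs:
        a, _, b = str(spec).partition("-")
        allowed.update(range(int(a), int(b or a) + 1))
    return lambda r: r["port"] in allowed

# ACL definitions transcribed from the page's squid.conf
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": ip_range("127.0.0.1", "127.0.0.1"),
    "SSL_ports": ports(443, 563, 2083),
    "Safe_ports": ports(80, 21, 443, 563, 70, 210, "1025-65535", 631, 873, 901),
    "purge": lambda r: r["method"] == "PURGE",
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "server": ip_range("10.25.10.1", "10.25.10.10"),
    "staf": ip_range("10.25.10.11", "10.25.10.40"),
    "lab": ip_range("10.25.10.100", "10.25.10.150"),
    "admin": ip_range("10.25.10.26", "10.25.10.28"),  # lies inside staf
    "swiss": ip_range("10.25.10.75", "10.25.10.75"),
}

# http_access lines from the page, in their original order
HTTP_ACCESS = [
    "allow manager all", "deny !Safe_ports", "allow purge localhost",
    "deny purge", "deny CONNECT !SSL_ports", "allow localhost", "allow server",
    "allow lab", "allow staf", "allow admin", "allow swiss", "deny all",
]

def request(src, port=80, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}

def http_access(req, rules=HTTP_ACCESS):
    """Return (decision, rule) for the first http_access line that matches."""
    for rule in rules:
        action, *names = rule.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, rule
    return ("deny" if action == "allow" else "allow"), "(default)"  # Squid's fallback

if __name__ == "__main__":
    print(http_access(request("10.25.10.27")))  # "allow staf": admin never reached
    print(http_access(request("203.0.113.9", proto="cache_object")))  # "allow manager all"
```

Two things the trace shows: 10.25.10.26-28 are decided by "allow staf" because the admin range lies inside the staf range, and since delay_access is evaluated the same way in pool order, those hosts land in pool 1 (12000/15000) rather than pool 3 (20000/30000). Likewise "allow manager all" as the first line lets cache_object requests from any source reach the cache manager, guarded only by cachemgr_passwd.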

9. Install bind9 (DNS server)
root@proxy:~# apt-get install bind9

After installing bind, nothing in bind needs to be edited at all unless you have a fictitious domain for intranet use (as in the example at http://linux.or.id/node/1095).

Why is bind needed? Without it, the DNS server on each client PC must be set to the DNS server IPs mentioned above; with our own DNS server, the client PCs' DNS server is set to the proxy server's IP address instead, which clearly speeds up requests.

10. iptables chain to make the proxy transparent.
root@proxy:~# iptables -t nat -A PREROUTING -s 10.25.10.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128


Check the resulting iptables configuration
root@proxy:~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 10.25.10.0/24 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This chain does not persist: every time the computer reboots it is lost. To avoid this, do the following:
• Save the iptables configuration to a file
root@proxy:~# iptables-save > /etc/squid/proxy.rule

• Create a file that loads the iptables chains, and make it executable so the rc links can run it
root@proxy:~# vi /etc/squid/proxyup
#!/bin/sh
iptables-restore < /etc/squid/proxy.rule
echo 1 > /proc/sys/net/ipv4/ip_forward
root@proxy:~# chmod +x /etc/squid/proxyup

• Create symbolic links in rc for all runlevels
root@proxy:~# ln -s /etc/squid/proxyup /etc/rc1.d/S77proxyup
root@proxy:~# ln -s /etc/squid/proxyup /etc/rc2.d/S77proxyup
root@proxy:~# ln -s /etc/squid/proxyup /etc/rc3.d/S77proxyup
root@proxy:~# ln -s /etc/squid/proxyup /etc/rc4.d/S77proxyup
root@proxy:~# ln -s /etc/squid/proxyup /etc/rc5.d/S77proxyup
root@proxy:~# ln -s /etc/squid/proxyup /etc/rc6.d/S77proxyup
root@proxy:~# ln -s /etc/squid/proxyup /etc/rcS.d/S77proxyup

11. To make sure your configuration is correct, restart the proxy server computer, then repeat steps 2, 3 and 4.

Check the IP address configuration; make sure the result is the same as in step 2
root@proxy:~# cat /etc/network/interfaces

Check the routing table; make sure the result is the same as in step 2
root@proxy:~# route -n

Check the DNS server IPs; make sure the result is the same as in step 3
root@proxy:~# cat /etc/resolv.conf

Repeat step 4 by pinging a few sites.

12. Client-side settings
Because this is a transparent proxy:
• Set the client's gateway IP to the proxy server's IP (eth1): 10.25.10.3
• Set the client's DNS server IP to the same address: 10.25.10.3


That concludes this guide; I hope it is useful to you, Linux users in particular. As I said above, there may be steps I have left out, so please do not hesitate to email me with corrections, criticism and suggestions, since I am still a newbie with Linux myself.
