How to create a transparent Proxy server using Linux CentOS

January 2nd, 2013 // 5:14 pm

NOTE: THIS TUTORIAL IS FOR EDUCATIONAL PURPOSES ONLY. I AM NOT RESPONSIBLE IN ANY WAY FOR HOW THIS INFORMATION IS USED; USE IT AT YOUR OWN RISK. HIDING YOUR IDENTITY ON THE INTERNET, INCLUDING YOUR IP ADDRESS OR THE MATERIAL THAT YOU ARE SEEKING TO BROWSE, IS CONSIDERED A FELONY IN SOME COUNTRIES AND MAY BE SUBJECT TO PROSECUTION.

 

‘Proxying’ is one of the most reliable and secure ways to encrypt and redirect your traffic on the Internet. A proxy connection has many benefits, depending on the network topology. For instance, if you would like to hide the true identity of your mail server behind your firewall, you can use a transparent proxy server that sits in a DMZ (demilitarized zone) and translates the incoming and outgoing traffic through that proxy server. That way the client computer considers the proxy server to be the destination, and the mail server does the same thing. With this setup the server/client relationship remains secure and the information is routed through the server.

 

So let’s talk about Proxy servers a little, how they work, and what they are used for. In the next chapter I’ll explain how to make your own proxy server using any VPS, or dedicated server.

The other use of a proxy server is to hide the client’s identity, or to translate the true meaning of your communication into one single protocol. This may sound a little confusing, so let me break it down. For instance, there are ISPs which ban the use of some online tools, or the browsing of some specific websites, for any reason; it could be for political or social reasons. We also know that each protocol on the web uses a different port; for instance, browsing a website usually uses port 80, 81 or maybe 8080. So let’s take a scenario in which an ISP has blocked browsing websites on port 81, some websites like Facebook by their domain name, and also a video streaming website on port 655. In this case, if the client requests the service on port 81, types facebook.com, or uses any software that operates on port 655, they will be stopped and will see a message from the ISP.

Now imagine having a translator on the web which does all these transactions for you and sends you the answers through a custom port (any port between 1 – 65000). When you use a server as a proxy (refer to online tutorials on how to specify a proxy server in your browser), your computer considers that proxy server to be the destination. It packages the requested info, for instance: connect to facebook.com on port 81, and sends it to the proxy server on port ####, which is our ‘undercover’ port. The proxy server then receives this info, does the transaction and establishes a communication route to your destination through its network. The proxy server usually sits on a different network, for example a dedicated server or a VPS (Virtual Private Server) at a hosting company. So if you live in Australia, you can purchase a VPS from a hosting company in the US for a very reasonable price (usually around 10 $/month) and use that as a proxy for your internet browsing. In this case your public IP address will change from Australia to the US, so any server on the internet assumes that you are a visitor from a US state (depending on where your hosting company hosts your server).

 

How to setup a proxy server on a VPS or a Dedicated Server

Now it’s time to get our server up and running. First things first: we have to find a VPS. With a quick VPS query on Google, it shouldn’t be too hard to find a suitable server. Again, if you are using this server to change the IP address, make sure your server resides in the right country. Do a quick search and get yourself a VPS, and since this tutorial is on Linux, I highly recommend getting Linux CentOS. After receiving the info on your VPS (username/password), you’ll also have to receive at least one static IP address which is unique to your server. If you have all this info ready, let’s get started.

 

1- Communication link

Now that we have the VPS up, we need to connect to the console and start the process. The most convenient way is SSH, which is a secure telnet connection. Most VPSs come with cPanel or Plesk, but some charge for this service. To make sure I am not missing anything, I’ll go with SSH, which everyone can use. I’ll use PuTTY for SSH. It’s free software and easy to use.

Open PuTTY. In the Host name or IP address field, type the static IP address provided by your hosting company. The port has to be 22; make sure the connection type is SSH, then click connect.

The SSH window will open (it looks like a command line). Your username is usually root, and the password is the one from your hosting company. On successful login you should see:

login as: root

root@112.112.112.112.’s password:

Last login: Wed Jan  2 08:38:15 2013 from 122.72.7.31

[root@LKY12G ~]#

 

The last line indicates you’re logged in with the root account, and the console is ready to take commands.

If you like, you may change your root password here. Do as follows:

 

 

[root@999~]# passwd root

Changing password for user root.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@999~]#

 

2- Installing the Proxy software

One of the most famous pieces of proxy software is Squid. Squid is free and reliable when it comes to freeware. You can install Squid right from the CentOS console by typing:

[root@999~]# yum install squid -y   # yum is specific to CentOS; use apt-get on Debian-based distributions

 

You’ll see the log of the installed files as the installation proceeds.

 

3- Configuration of Squid

Go to the Squid directory:

[root@999G ~]# cd /etc/squid     # Navigates to the squid directory

[root@999 squid]# ls                     # Command that shows the list of files under a directory

cachemgr.conf  mib.txt            msntauth.conf          squid.conf-berrors         mime.conf          msntauth.conf.default

icons               mime.conf.default       squid.conf squid.conf.default         // The list of files under Squid

[root@999 squid]#

As you can see from my comments above, the middle command shows the list of files and folders under squid. The file ‘squid.conf’ is the core of the server. It holds all of Squid’s configuration. Now we need to edit that file.

 

 

 

4- Editing squid.conf

Very important thing to do: Back up squid.conf!!!

We are simply going to rename the file as below.

[root@999 squid]# mv squid.conf squid.conf-backup  # mv renames a file: first the name of the file to be renamed, then the new name

If you run the ‘ls’ command again, you should see that the file squid.conf no longer exists and is now squid.conf-backup. Now we are going to create the file again and enter our own values. To do so, use the touch command to create a new file:

[root@999 squid]# touch squid.conf # Creates a file called squid.conf


Now we have to open the file for editing, using the ‘nano’ command. (Copy the green part into your SSH session after nano has opened the .conf file.)


 [root@9999 squid]# nano squid.conf  
GNU nano 1.3.12             
File: squid.conf
http_port 23892  # port number that squid will operate on (it could be anything)
visible_hostname MY.SRVR.NAME.COM  # This is the name your server will present itself as. Try to avoid using words like proxy in it
cache_effective_user squid squid
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
http_access allow all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
auth_param basic children 10
auth_param basic realm THIS IS OPTIONAL # realm name that client will see 
auth_param basic credentialsttl 3600   #TTL before each time out 3600 is default hours
auth_param basic casesensitive off

 

 

Now press CTRL+X to exit; you will be prompted to save this info. Type Y or Yes, then Enter. You will go back to the root prompt. To confirm our settings, type ‘nano squid.conf’ to re-open the config file and make sure everything is saved.

 

5- Firewall and port forwarding

Now that we have specified the port in our config file, we have to make sure our VPS allows communication on that port. To do so we are using the Linux built-in proxy service called IPTables. We start by navigating to the IPTables directory:

[root@999 squid]# cd /etc/sysconfig/
[root@999 sysconfig]# ls # Verify that the file iptables exists, then back it up by copying it within the same directory
[root@999 sysconfig]# cp iptables iptables.BACKUP # cp is the copy command: first the file to copy, then the new name

Now run ls again to make sure the file is backed up. Next we have to configure iptables. We do as before, using nano.

[root@999 sysconfig]# nano iptables

 

When the iptables file has opened, add the following two lines to it. (Make sure the port number matches what you gave to Squid earlier; replace 2012 with your port number in both lines.) Preferably copy these lines to Notepad, make the changes, and paste them line by line into SSH at the very end of the iptables file. Make sure not to change the spacing or format of the commands below.

-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 2012 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp --sport 2012 -j ACCEPT

 

Save the file, exit, and restart the iptables service:

[root@999 sysconfig]# service iptables restart  # "service" targets a service: first the name of the service, then the command to perform, which can be start, stop, restart, or status

 

If you haven’t seen any error messages so far, that’s very good. The server should be ready. Now point your browser to the IP address of the server, using the port that you specified, and try browsing a few webpages.
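The configuration from step 4 uses `http_access allow all`, so any host that can reach the port can relay traffic through the server, and step 5 only works if the firewall port equals Squid's `http_port`. The script below is an added example, not part of the original tutorial, that checks both files for these conditions and for non-ASCII dashes pasted in place of `--`; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the squid.conf and iptables files edited in steps 4 and 5.

# Port from the first http_port directive (accepts "port" or "ip:port").
squid_port() {
    awk '$1 == "http_port" { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# True when "http_access allow all" is reached before any deny rule. Squid checks
# http_access top-down and the first match wins, so this admits every client.
is_open_proxy() {
    awk '$1 != "http_access" { next }
         $2 == "deny" { exit }
         $2 == "allow" && $3 == "all" { open = 1; exit }
         END { exit (open ? 0 : 1) }' "$1"
}

# Destination ports that INPUT rules accept in an iptables-save style file.
accepted_dports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
             for (i = 3; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# Print one finding per line for the given squid.conf and iptables file.
audit_proxy() {
    port=$(squid_port "$1")
    if is_open_proxy "$1"; then echo "OPEN_PROXY"; fi
    if ! accepted_dports "$2" | grep -qx "$port"; then
        echo "PORT_MISMATCH $port"
    fi
    # Typographic dashes pasted in place of "--" are bytes outside ASCII:
    # delete tab, LF, CR and printable ASCII, then see whether anything is left.
    if [ -n "$(LC_ALL=C tr -d '\11\12\15\40-\176' < "$2")" ]; then
        echo "NON_ASCII_RULE"
    fi
}

# Constructed sample files (not taken from a real server).
tmp=$(mktemp -d)
printf '%s\n' 'http_port 23892' 'acl all src 0.0.0.0/0.0.0.0' \
    'http_access allow all' > "$tmp/squid.conf"
printf '%s\n' \
    '-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 2012 -j ACCEPT' \
    > "$tmp/iptables"
audit_proxy "$tmp/squid.conf" "$tmp/iptables"
```

An `http_access allow` rule for an ACL that covers only your own client address, followed by `http_access deny all`, clears the first finding.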

 

Using Sub-domains

If you would like a better-looking proxy, you can tie it to a domain. Under the hosting panel of your domain (if you have one) there should be an option for DNS settings. Simply create an alias (A record), e.g. SecureProxy.mydomain.com, and point it to the VPS IP address. Now if you ping that alias, you should see the static IP address respond.

You can privatize your VPN by adding an authentication system to Squid. That gets more advanced, and I’ll try to have a tutorial on that very soon.

I hope this was informative and good luck!

 



7 Comments → “How to create a transparent Proxy server using Linux CentOS”

  1. Wondering if you have written the article on adding an authenticating squid yet?


    • Arad Gharagozli

      10 years ago

      Hey sorry for the delay. I am working on it, but it’s on the back burner. I’ll try to help if you have any questions though.


  2. Daniel Beaulieu

    10 years ago

    Looking forward to reading more. Excellent blog. Really thank you! Much obliged.


    • Arad Gharagozli

      10 years ago

      I am glad you enjoyed it :)


  3. Carlos

    10 years ago

    Thanks in support of sharing such a nice thought, article is nice,
    that’s why I have read it entirely


  4. Linux Hosting Gwalior India

    10 years ago

    Typically I really don’t discover articles in blogs, however I want to express that this particular write-up pretty much motivated me to try and do so! Your own way of writing has amazed me. Appreciate it, fairly good post.


  5. Pat

    10 years ago

    Thank you for your article post. Really thank you! Great.

