Forefront IT Services Ltd

Configuring Ubuntu as a transparent proxy server

So here's the scenario: I want to create a few hot-spots around the site where customers/users can come along with their laptop, PDA, etc. and get online. I don't want to issue people with a key or anything, but I do want to filter the traffic. The other problem is that I don't want these "visitors" to have access to anything else on the network except internet access. So here's the solution:

I've installed Ubuntu 8.10 on a machine with two network cards. One network card is plugged in to the general network and the other is plugged in to a separate VLAN. I've configured eth0 with an IP address on the general network (with the router as its gateway) and configured the DNS servers etc. eth1 is configured with 192.168.0.1 / 255.255.255.0 (i.e. the first address of the 192.168.0.0/24 network). I've run all the updates (apt-get upgrade) and all is working well.

I now need to install squid (apt-get install squid). Modify squid.conf so that it allows the localhost address; I've also added the 192.168.0.0/24 network. This is done in the acl section of /etc/squid/squid.conf.

Now at this point I'm going to do something a bit specific, and it may not apply to all. Because I want the traffic to be filtered, I'm going to configure squid to use an upstream proxy server. This server is already on site and is being used on the rest of the network. So I'm going to add a few lines that can be found in another article I've written here.
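The following is an added example of the squid.conf lines for the two steps above (the acl section and the upstream proxy); it is not taken from the article or from the other article it links to. It assumes squid 2.7 as shipped with Ubuntu 8.10, the 192.168.0.0/24 hot-spot network from the article, and an upstream filtering proxy at upstream-proxy.example.internal:8080, which is a placeholder to replace with the real host and port. It also adds the transparent keyword on http_port, which the article does not mention but which squid needs in order to accept the intercepted (DNAT'd) requests.

```conf
# Added example (not the article's own config): /etc/squid/squid.conf on the
# hot-spot gateway. Assumes squid 2.7, hot-spot VLAN 192.168.0.0/24 and a
# placeholder upstream proxy upstream-proxy.example.internal:8080.

# Listen on 3128. 'transparent' tells squid 2.6/2.7 to expect intercepted
# requests (what the iptables DNAT rule delivers), which carry a relative URL
# plus a Host: header instead of a full proxy-style URL. Squid 3.1 and later
# call this option 'intercept'.
http_port 3128 transparent

# Who may use the proxy: only this box and the hot-spot VLAN. Anything else
# (for example hosts on the office LAN reaching eth0) is refused.
# 'acl all src all' is already defined in the stock squid.conf.
acl localhost src 127.0.0.1/32
acl hotspot   src 192.168.0.0/24
http_access allow localhost
http_access allow hotspot
http_access deny all

# Send everything through the site's existing filtering proxy so visitors get
# the same policy as the rest of the network. never_direct stops squid from
# fetching directly if the parent is down, which would bypass the filter.
cache_peer upstream-proxy.example.internal parent 8080 0 no-query default
never_direct allow all
```

Note that only port 80 is intercepted by the DNAT rule; HTTPS is neither intercepted nor routed, so it will only work for a visitor who manually sets 192.168.0.1:3128 as their proxy, in which case squid handles the CONNECT and still sends it via the parent.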

I also need to install dnsmasq (apt-get install dnsmasq). I need to do this because I'm not routing any traffic from the hot-spots and therefore I need a DNS forwarder. dnsmasq also doubles up as a DHCP server. Once this is installed you want to ensure that the DHCP server only works on eth1. This is done in /etc/dnsmasq.conf.

Once dnsmasq's DHCP server is bound to eth1 you may at this stage want to configure your scope. This is also done in /etc/dnsmasq.conf.
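As an added example of both dnsmasq steps (binding to eth1 and defining the scope), here is a /etc/dnsmasq.conf that is not from the article. It assumes eth1 is 192.168.0.1/24 as above, that the upstream DNS servers are the ones already in /etc/resolv.conf from the eth0 setup, and a constructed lease range of 192.168.0.50 to 192.168.0.150.

```conf
# Added example (not the article's own config): /etc/dnsmasq.conf for the
# hot-spot side. Assumes eth1 = 192.168.0.1/24; the address range below is
# an arbitrary choice.

# Serve DNS and DHCP on eth1 (and loopback) only, so nothing is offered on
# the office-facing eth0, which has its own DHCP server.
interface=eth1
bind-interfaces
no-dhcp-interface=eth0

# The DHCP scope: 192.168.0.50-192.168.0.150 with a 12 hour lease, leaving
# the bottom of the range for the gateway and any fixed hosts.
dhcp-range=192.168.0.50,192.168.0.150,12h

# Hand clients this box as default gateway (option 3) and DNS server
# (option 6), so their web traffic hits the PREROUTING DNAT rule and all
# lookups are forwarded from here rather than going into the LAN.
dhcp-option=3,192.168.0.1
dhcp-option=6,192.168.0.1

# Don't forward plain (dot-less) names or private reverse lookups upstream.
domain-needed
bogus-priv
```

After editing, restart dnsmasq and check that it is listening only where expected (for example with netstat -lnup), since a DHCP server answering on eth0 would hand out the wrong gateway to the office network.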

Now here's the clever bit. You need to forward all the port 80 requests arriving on eth1 directly to squid. Assuming eth0 is 10.0.0.50 and you're using port 3128 for squid, here's the command:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.50:3128

Now all of the workstations on the 192.168.0.0/24 network that have 192.168.0.1 as their gateway and primary DNS server will go online without having to configure a proxy server.
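The article's one-line rule does the interception; the script below is an added example (not from the article) that wraps it together with the rules that enforce the stated goal of keeping visitors off the rest of the network. It goes beyond the article: as well as the DNAT it drops anything the hot-spot VLAN tries to have forwarded, and limits what the gateway itself accepts from eth1 to DHCP, DNS and the proxy port. It assumes the same addresses as the article (eth1 = 192.168.0.1/24, eth0 = 10.0.0.50, squid on 3128); the IPTABLES variable is there so the rules can be printed with IPTABLES=echo before applying them for real.

```shell
#!/bin/sh
# Added example (not the article's own script): firewall rules for the hot-spot
# gateway. Assumptions: eth1 = hot-spot side (192.168.0.1/24), eth0 = office
# side with address 10.0.0.50, squid listening on 3128.
# Usage: sudo sh hotspot-fw.sh apply   (or IPTABLES=echo sh hotspot-fw.sh apply)
IPTABLES=${IPTABLES:-iptables}
HOTSPOT_IF=eth1
HOTSPOT_NET=192.168.0.0/24
PROXY_ADDR=10.0.0.50
PROXY_PORT=3128

apply_hotspot_rules() {
    # 1. Interception: the article's rule, limited to sources on the hot-spot
    #    subnet. Port-80 requests entering eth1 are rewritten to squid.
    $IPTABLES -t nat -A PREROUTING -i "$HOTSPOT_IF" -s "$HOTSPOT_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_ADDR:$PROXY_PORT"

    # 2. Isolation: nothing from the hot-spot VLAN is routed anywhere. With
    #    net.ipv4.ip_forward left at 0 nothing is forwarded anyway, but the
    #    explicit DROP keeps that true if forwarding is ever enabled later.
    $IPTABLES -A FORWARD -i "$HOTSPOT_IF" -j DROP

    # 3. The gateway itself only offers DHCP, DNS and the proxy port on the
    #    hot-spot side; ssh and anything else are not reachable from there.
    #    Port 3128 must be open because the DNAT'd packets arrive on eth1 with
    #    that destination port.
    $IPTABLES -A INPUT -i "$HOTSPOT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$HOTSPOT_IF" -p udp --dport 67 -j ACCEPT
    $IPTABLES -A INPUT -i "$HOTSPOT_IF" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$HOTSPOT_IF" -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$HOTSPOT_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPTABLES -A INPUT -i "$HOTSPOT_IF" -j DROP
}

# Only touch the firewall when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    apply_hotspot_rules
fi
```

Because the DNAT target is an address of the gateway itself, the rewritten packets are delivered locally to squid rather than forwarded, which is why the article can leave routing switched off. An equivalent that avoids hard-coding 10.0.0.50 is `-j REDIRECT --to-port 3128`, which sends the packet to the address of the interface it arrived on (192.168.0.1). Rules added this way are lost on reboot, so save them with iptables-save or run the script from an interface pre-up hook.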

As with all the technical tips I have written, if you need assistance (wherever you are in the World), please don't hesitate to get in touch.


Get In Touch

Forefront IT Services
The Old Haybarn
Rosebery Mews
Mentmore
Leighton Buzzard
Bedfordshire
LU7 0UE

Tel: 0845 686 3348
Email: info@ffits.co.uk

