For a transparent proxy server using a DD-WRT router
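# IPTables
# DD-WRT firewall additions that transparently redirect LAN HTTP (TCP/80) to a
# Squid host on the same LAN bridge (br0). Runs on the router itself, so
# `nvram` and `iptables` are the router's bundled tools. Only plain HTTP is
# intercepted; port 443 and everything else pass through untouched.
#
# squid variables
PROXY_IP=192.168.1.1 # Squid_Proxy_Server_Host
PROXY_PORT=3128      # Proxy_Port -- must be the port Squid configured with
                     # "intercept"; a plain or accel http_port does not handle
                     # NAT-redirected connections as intercepted traffic.
LAN_IP=$(nvram get lan_ipaddr)
# Dotted-mask form (e.g. 192.168.1.1/255.255.255.0), which iptables accepts.
LAN_NET=$LAN_IP/$(nvram get lan_netmask)

# squid transparent proxy
# 1. LAN-to-LAN HTTP (including the router's own address) is never redirected.
iptables -t nat -A PREROUTING -i br0 -s "$LAN_NET" -d "$LAN_NET" -p tcp --dport 80 -j ACCEPT
# 2. All other port-80 traffic entering from the LAN is DNATed to the proxy,
#    except packets already sourced from the proxy host -- without that
#    exemption Squid's own outbound fetches would be looped back into Squid.
#    "-s ! ADDR" is the old intrinsic negation; newer iptables prefer "! -s ADDR"
#    and only warn about this form. Kept as-is because the firmware's iptables
#    may predate the new syntax -- confirm against the router in use.
iptables -t nat -A PREROUTING -i br0 -s ! "$PROXY_IP" -p tcp --dport 80 -j DNAT --to "$PROXY_IP:$PROXY_PORT"
# 3. Source-NAT the redirected flow to the router, so the proxy's replies come
#    back through the router (which holds the DNAT conntrack state) rather than
#    going straight to the client. Inserted at the top (-I) to precede any
#    existing POSTROUTING rules.
iptables -t nat -I POSTROUTING -o br0 -s "$LAN_NET" -d "$PROXY_IP" -p tcp -j SNAT --to "$LAN_IP"
# 4. Permit the bridged LAN -> proxy forward on the proxy port, ahead of any
#    default drop rules in FORWARD.
iptables -I FORWARD -i br0 -o br0 -s "$LAN_NET" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j ACCEPT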
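#-----------------------------------------------------------------------------#
# SQUID CONF                                                                  #
#-----------------------------------------------------------------------------#
# Squid configuration for the proxy host that the DD-WRT iptables script
# redirects LAN HTTP traffic to.
#
# NOTE(review): the companion iptables script DNATs port 80 to PROXY_PORT=3128,
# but the only "intercept" listener below is 3129. Redirected connections have
# to arrive on the intercept port, so one of the two values needs aligning.
#
### Access Control List
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 9000 # purpose not documented -- confirm what listens here
acl CONNECT method CONNECT
### HTTP Rules
# Squid evaluates http_access top-down and stops at the first match, so order
# is significant.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager is reachable from localhost only. "deny manager" must come
# before the broad allows; in the previous order it sat after "allow all" and
# was therefore never reached.
http_access allow localhost manager
http_access deny manager
http_access allow localhost
# "allow all" makes every client that can reach these ports a proxy client.
# This relies entirely on the router firewall keeping 3128/3129 off the WAN;
# the stricter form is an "acl localnet src <LAN-CIDR>" followed by
# "http_access allow localnet" and "http_access deny all".
http_access allow all
### Listening Ports
# 3128 is bound twice: once on all addresses (accel mode, allow-direct lets it
# forward to any origin) and once on 192.168.132.118. The second bind may fail
# with "address in use" -- check cache.log and drop whichever is not needed.
http_port 3128 accel vhost allow-direct
http_port 192.168.132.118:3128
# NAT-redirected traffic from the router must target this port.
http_port 192.168.132.118:3129 intercept
### Cache Rules
cache_dir ufs /var/spool/squid 81920 16 256
coredump_dir /var/spool/squid
### Refresh Pattern
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
### Effective Users
cache_effective_user proxy
cache_effective_group proxy
### Lynis Hardening
# Hide the Squid version from error pages and headers.
httpd_suppress_version_string on
# Prevent Squid from trying to reach apt repos over IPv6
# dns_v4_first on
# ignore_expect_100 on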