DD-WRT firewall settings for external Squid proxy server

My home network setup starts off with an Asus RT-N16 which has DD-WRT installed on it to get a little more than what the stock firmware can provide to me. I also have my home fileserver which also acts as a Squid Caching server to help speed up my browsing.

In order to have all network traffic pushed through my Squid server this is these are the firewall settings I had to use on the Asus RT-N16 router. (I am not going to provide setup details for the Squid server in this post)

#!/bin/sh
INTERNAL_NETWORK="10.0.1.0/24"
ROUTER_IP="10.0.1.1"
PROXY_SERVER="10.0.1.100"
PROXY_PORT="3128"

echo 0 > /proc/sys/net/ipv4/tcp_westwood
echo 1 > /proc/sys/net/ipv4/tcp_vegas_cong_avoid
echo 3 > /proc/sys/net/ipv4/tcp_vegas_alpha
echo 3 > /proc/sys/net/ipv4/tcp_vegas_beta

if [ -z $TRANSPARENT_PROXY ]; then
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
/usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
/usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT

# Causes slow loading but shows true IP.
#iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $PROXY_SERVER
#iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
#ip rule add fwmark 3 table 2
#ip route add default via $PROXY_SERVER dev br0 table 2

/usr/sbin/iptables -t nat -I POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.0/24 -j MASQUERADE
export TRANSPARENT_PROXY="1"
else
echo "This script has already run!"
echo "If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."
fi

# nvram commit

#!/bin/sh

INTERNAL_NETWORK="10.0.1.0/24"

ROUTER_IP="10.0.1.1"

PROXY_SERVER="10.0.1.100"

PROXY_PORT="3128"

echo 0 > /proc/sys/net/ipv4/tcp_westwood

echo 1 > /proc/sys/net/ipv4/tcp_vegas_cong_avoid

echo 3 > /proc/sys/net/ipv4/tcp_vegas_alpha

echo 3 > /proc/sys/net/ipv4/tcp_vegas_beta

if [ -z $TRANSPARENT_PROXY ]; then

/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT

/usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP

/usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT

# Causes slow loading but shows true IP.

#iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $PROXY_SERVER

#iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80

#ip rule add fwmark 3 table 2

#ip route add default via $PROXY_SERVER dev br0 table 2

/usr/sbin/iptables -t nat -I POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.0/24 -j MASQUERADE

export TRANSPARENT_PROXY="1"

else

echo "This script has already run!"

echo "If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."

# nvram commit

The nice thing about this setup is that I do not have to specify a proxy server for each device on my network, and the server is configured to block ads as well.

Share this:

Like this: