Skip to content

Instantly share code, notes, and snippets.

@riipandi

riipandi/squid-plus-mikrotik.txt

Created March 11, 2012 11:02
Show Gist options
  • Star 10 You must be signed in to star a gist
  • Fork 6 You must be signed in to fork a gist
  • Save riipandi/2016002 to your computer and use it in GitHub Desktop.
Save riipandi/2016002 to your computer and use it in GitHub Desktop.
Download ZIP
Squid Proxy & Mikrotik Setup Script
Raw
squid-plus-mikrotik.txt
http://ictsentani.org/?p=258
http://opensource.telkomspeedy.com/forum/viewtopic.php?pid=122506
#-------------------------------------------------------------------------------
E1 Modem1 : 192.168.77.1 -> IP Modem1 : 192.168.77.2
E2 Server : 192.168.88.1 -> IP Server : 192.168.88.2
E3 Hotspot : 192.168.99.1 -> IP Hotspot : 192.168.99.10 - 192.168.99.250
E4 Labkom : 10.10.10.254 -> IP Labkom : 10.10.10.1 - 10.10.10.20
#-------------------------------------------------------------------------------
------------------------
[ mikrotik routerboard ]
------------------------
E1 E2 E3 E4
| | | |
192.168.77.2 | | | | 10.10.10.x
-------------- | | | | ------------
[ modem adsl ]------| | | |------[ labkom ]
-------------- | | ------------
| |
-------------- | | -------------
[ hub/switch ]---------| |---------[ hotspot ]
-------------- -------------
| 192.168.99.x
--------------
[ edp server ]
--------------
192.168.88.2
--------------------------------------------------------------------------------
# Setting Interface
--------------------------------------------------------------------------------
/interface
set ether1 name=Modem1
set ether2 name=Server
set ether3 name=Hotspot
set ether4 name=Labkom
print
/ip address
add disabled=no interface=Modem1 address=192.168.77.1/24 network=192.168.77.0 broadcast=192.168.77.255
add disabled=no interface=Server address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255
add disabled=no interface=Hotspot address=192.168.99.1/24 network=192.168.99.0 broadcast=192.168.99.255
add disabled=no interface=Labkom address=10.10.10.254/24 network=10.10.10.0 broadcast=10.10.10.255
print
--------------------------------------------------------------------------------
# Setting Route & DHCP
--------------------------------------------------------------------------------
/ip dns set servers=192.168.88.2,208.67.222.222 allow-remote-requests=yes
/ip route add dst-address=0.0.0.0/0 gateway=192.168.77.2
/ip firewall nat add chain=srcnat action=masquerade out-interface=Modem1
/ip dhcp-server print
/ip dhcp-server enable 0
--------------------------------------------------------------------------------
# Setting Hotspot
--------------------------------------------------------------------------------
/ip hotspot setup
hotspot interface : Hotspot
local address of network : 192.168.99.1/24
masquerade network : yes
address pool of network : 192.168.99.10-192.168.99.250
select certificate : none
ip address of smtp server : 119.235.250.172
dns servers : 192.168.88.2,208.67.222.222
dns name : hotspot.pasim
name of local hotspot : admhotspot
password for the user : naonwemoaldibejaan
/ip hotspot user
profile add name="EDP" shared-users=2 rate-limit="96k/768k" address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no
profile add name="KDM" shared-users=2 rate-limit="64k/200k" address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no
--------------------------------------------------------------------------------
# Setting Sistem & Security
--------------------------------------------------------------------------------
/system ntp client set primary-ntp=203.160.128.178 secondary-ntp=203.89.24.34 mode=unicast enabled=yes
/ip service set www port=9090
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
--------------------------------------------------------------------------------
# Setting Transparent Proxy
--------------------------------------------------------------------------------
/ip proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set parent-proxy=0.0.0.0
set parent-proxy-port=0
set cache-administrator="webmaster@stmikpasim.ac.id"
set max-cache-size=unlimited
set cache-on-disk=yes
set max-client-connections=600
set max-server-connections=600
set max-fresh-time=3d
set serialize-connections=no
set always-from-cache=no
set cache-hit-dscp=4
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080
--------------------------------------------------------------------------------
# Blok Akses Tertentu
--------------------------------------------------------------------------------
/ip proxy access
#------[Blok Situs]------------------------
add dst-host="*porn*.com" action=deny
add dst-host="*sex*.com" action=deny
add dst-host=twitter.com action=deny
add dst-host=facebook.com action=deny
#------[Blok File]------------------------
add path=*.rar action=deny
add path=*.zip action=deny
add path=*.mov action=deny
add path=*.exe action=deny
add path=*.msi action=deny
add path=*.dat action=deny
add path=*.mkv action=deny
add path=*.mp4 action=deny
add path=*.3gp action=deny
add path=*.avi action=deny
add path=*.mp3 action=deny
#------[Blok Keyword]--------------------
add dst-host=:sex action=deny
add dst-host=:nude action=deny
add dst-host=:porn action=deny
add dst-host=:adult action=deny
--------------------------------------------------------------------------------
# Batasi Speed Download
--------------------------------------------------------------------------------
/ip firewall filter
add chain=forward address-list-timeout=00:05:00 content=.mp3 src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mp4 src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.3gp src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.avi src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mkv src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mov src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.exe src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.msi src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.iso src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.zip src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.rar src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
/ip firewall mangle add chain=forward protocol=tcp src-address-list=downloads action=mark-packet new-packet-mark=downloads-paket
/queue simple add name=downloads-files max-limit=128000/128000 packet-marks=downloads-paket
--------------------------------------------------------------------------------
# Setting Simple Queue
--------------------------------------------------------------------------------
/queue simple
add name=LABKOM-01 target-addresses=10.10.10.1 max-limit=64k/128k interface=Labkom
add name=LABKOM-02 target-addresses=10.10.10.2 max-limit=64k/128k interface=Labkom
add name=LABKOM-03 target-addresses=10.10.10.3 max-limit=64k/128k interface=Labkom
add name=LABKOM-04 target-addresses=10.10.10.4 max-limit=64k/128k interface=Labkom
add name=LABKOM-05 target-addresses=10.10.10.5 max-limit=64k/128k interface=Labkom
add name=LABKOM-06 target-addresses=10.10.10.6 max-limit=64k/128k interface=Labkom
add name=LABKOM-07 target-addresses=10.10.10.7 max-limit=64k/128k interface=Labkom
add name=LABKOM-08 target-addresses=10.10.10.8 max-limit=64k/128k interface=Labkom
add name=LABKOM-09 target-addresses=10.10.10.9 max-limit=64k/128k interface=Labkom
add name=LABKOM-10 target-addresses=10.10.10.10 max-limit=64k/128k interface=Labkom
add name=LABKOM-11 target-addresses=10.10.10.11 max-limit=64k/128k interface=Labkom
add name=LABKOM-12 target-addresses=10.10.10.12 max-limit=64k/128k interface=Labkom
add name=LABKOM-13 target-addresses=10.10.10.13 max-limit=64k/128k interface=Labkom
add name=LABKOM-14 target-addresses=10.10.10.14 max-limit=64k/128k interface=Labkom
add name=LABKOM-15 target-addresses=10.10.10.15 max-limit=64k/128k interface=Labkom
add name=LABKOM-16 target-addresses=10.10.10.16 max-limit=64k/128k interface=Labkom
add name=LABKOM-17 target-addresses=10.10.10.17 max-limit=64k/128k interface=Labkom
add name=LABKOM-18 target-addresses=10.10.10.18 max-limit=64k/128k interface=Labkom
add name=LABKOM-19 target-addresses=10.10.10.19 max-limit=64k/128k interface=Labkom
add name=LABKOM-20 target-addresses=10.10.10.20 max-limit=64k/128k interface=Labkom
--------------------------------------------------------------------------------
# Instalasi & Setting Proxy
--------------------------------------------------------------------------------
# Partisi
/ ext4 40GB primary
/boot ext4 100mb
/cache reiserfs 20GB
swap ---- 2GB
/home ext4 ~~~~
# Catatan
btrFs : untuk OS 64bit
reiserFs : untuk OS 32bit
# Ganti Repo & Install paket dasar
mv /etc/apt/sources.list /etc/apt/sources.list.asli
cat > /etc/apt/sources.list <<EOF
deb http://debian.indika.net.id/debian squeeze main non-free contrib
deb http://debian.indika.net.id/debian-security squeeze/updates main non-free contrib
EOF
apt-get update
apt-get install gcc build-essential sharutils libzip-dev automake
# Download paket yang diperlukan
cd /tmp
wget http://lusca-cache.googlecode.com/files/LUSCA_HEAD-r14809.tar.gz
wget http://faisal-sani-project.googlecode.com/files/patch.tar.gz
wget http://faisal-sani-project.googlecode.com/files/storeurl.pl
wget http://xenstack.googlecode.com/files/konfig_squid_lusca.tar.gz
tar xzvf LUSCA_HEAD-r14809.tar.gz
tar xzvf patch.tar.gz
# Copy patch & install patch
cp -r /tmp/patch/* /tmp/LUSCA*/
cd LUSCA*
patch -p0 < luscaVaryrR14697.diff
patch -p0 < 3xx\ loop.diff
patch -p0 < ignore-must-revalidate.diff
patch -p2 < keblux-lusca-gzip.patch
chmod bootstrap.sh
./bootstrap.sh
# Configure & build
./configure --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid \
--localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-http-gzip --enable-async-io=24 --with-aufs-threads=24 --with-pthreads \
--enable-storeio=aufs --enable-linux-netfilter --enable-arp-acl --enable-epoll --enable-removal-policies=heap --with-aio --with-dl --enable-snmp \
--enable-delay-pools --enable-htcp --enable-cache-digests --disable-unlinkd --enable-large-cache-files --with-large-files \
--enable-err-languages=English --enable-default-err-language=English --with-maxfd=65536
make && make install
# Setting Squid
mv /etc/squid/squid.conf.asli
mv /tmp/storeurl.pl /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf.pl /etc/squid/
# Buat cache & jalankan squid
squid -f /etc/squid/squid.conf -z
squid -N -d 1 -D
# --------------------------------------------------------------------------
# Konfigurasi Firewall di Mikrotik
# --------------------------------------------------------------------------
/ip firewall mangle
add chain=forward protocol=tcp src-address-list=downloads action=mark-packet new-packet-mark=downloads-paket
add disabled=no chain=prerouting action=mark-packet dscp=12 new-packet-mark=proxy-hit passthrough=no
add disabled=no chain=prerouting action=mark-connection dst-port=80 new-connection-mark=http-conn passthrough=no protocol=tcp
add disabled=no chain=prerouting action=mark-packet connection-mark=http-conn new-packet-mark=http passthrough=yes
add disabled=no chain=prerouting action=mark-connection connection-state=new dst-port=443 new-connection-mark=https-conn passthrough=yes protocol=tcp
add disabled=no chain=prerouting action=mark-routing connection-mark=https-conn new-routing-mark=https passthrough=no
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=tcp
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp
add disabled=no chain=prerouting action=change-dscp connection-mark=DNS new-dscp=12
add disabled=no chain=prerouting action=mark-packet connection-mark=DNS new-packet-mark=DNS_PACKET passthrough=no
add disabled=no chain=prerouting action=mark-packet new-packet-mark=DNS_PACKET passthrough=yes
add disabled=no chain=forward action=mark-connection dst-port=5050,5100,5051 new-connection-mark=YM passthrough=no protocol=tcp
add disabled=no chain=forward action=mark-connection connection-mark=YM disabled=no new-connection-mark=YM passthrough=yes
add disabled=no chain=forward action=mark-connection dst-port=843,9339,39100,39110,39220,39190,49100,19101,19000,4300 new-connection-mark=POKER passthrough=no protocol=tcp
add disabled=no chain=forward action=mark-connection connection-mark=POKER new-connection-mark=POKER passthrough=yes
add disabled=no chain=forward action=change-mss comment=”CHANGE MMS” disabled=no in-interface=ether1 new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add disabled=no chain=forward action=change-mss new-mss=1440 out-interface=ether1 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add disabled=no chain=forward action=accept comment=”Total Pemakaian” in-interface=ether1
add disabled=no chain=input action=mark-connection comment=Winbox dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp
# Cek log squid
tail –f /var/log/squid/access.log |grep HIT
@yayanglodaya
Copy link

sejajar mikrotik ada ga om? yg transparent proxy. terimakasih

@riipandi
Copy link
Author

sejajar mikrotik ada ga om? yg transparent proxy. terimakasih

Sejajar bagaimana maksudnya?

@jemot
Copy link

jemot commented Oct 10, 2022

om mohon pencerahannya dong,, itu login hotspot di client bisa terbuka apa gk ya, soalnya saya coba aktifin nat proxy diatas nat hotspot gk kebuka, kalo saaya taruh di bawah nat hotspot port proxynya gk kena ke proxy...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment