Squid Proxy & Mikrotik Setup Script
http://ictsentani.org/?p=258
http://opensource.telkomspeedy.com/forum/viewtopic.php?pid=122506
#-------------------------------------------------------------------------------
E1 Modem1 : 192.168.77.1 -> IP Modem1 : 192.168.77.2
E2 Server : 192.168.88.1 -> IP Server : 192.168.88.2
E3 Hotspot : 192.168.99.1 -> IP Hotspot : 192.168.99.10 - 192.168.99.250
E4 Labkom : 10.10.10.254 -> IP Labkom : 10.10.10.1 - 10.10.10.20
#-------------------------------------------------------------------------------
------------------------
[ mikrotik routerboard ]
------------------------
E1 E2 E3 E4
| | | |
192.168.77.2 | | | | 10.10.10.x
-------------- | | | | ------------
[ modem adsl ]------| | | |------[ labkom ]
-------------- | | ------------
| |
-------------- | | -------------
[ hub/switch ]---------| |---------[ hotspot ]
-------------- -------------
| 192.168.99.x
--------------
[ edp server ]
--------------
192.168.88.2
--------------------------------------------------------------------------------
# Setting Interface
--------------------------------------------------------------------------------
# Name the four Ethernet ports after their role, then give each one its /24.
/interface set ether1 name=Modem1
/interface set ether2 name=Server
/interface set ether3 name=Hotspot
/interface set ether4 name=Labkom
/interface print
# Modem1 faces the ADSL modem (192.168.77.2), Server the proxy box (192.168.88.2);
# Hotspot and Labkom are the two client segments.
/ip address add interface=Modem1 address=192.168.77.1/24 network=192.168.77.0 broadcast=192.168.77.255 disabled=no
/ip address add interface=Server address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255 disabled=no
/ip address add interface=Hotspot address=192.168.99.1/24 network=192.168.99.0 broadcast=192.168.99.255 disabled=no
/ip address add interface=Labkom address=10.10.10.254/24 network=10.10.10.0 broadcast=10.10.10.255 disabled=no
/ip address print
--------------------------------------------------------------------------------
# Setting Route & DHCP
--------------------------------------------------------------------------------
# Resolver: forward to the proxy box first, OpenDNS second.
# allow-remote-requests=yes makes the router answer DNS queries arriving on every
# interface, Modem1 included; no rule in this script restricts port 53 on the input
# chain, so any host that can reach 192.168.77.1 can use it as a resolver.
/ip dns set allow-remote-requests=yes servers=192.168.88.2,208.67.222.222
# Default route via the ADSL modem; masquerade everything leaving through it.
/ip route add gateway=192.168.77.2 dst-address=0.0.0.0/0
/ip firewall nat add action=masquerade chain=srcnat out-interface=Modem1
# "enable 0" acts on whichever DHCP server is first in the list. Nothing above this
# point creates one (the hotspot wizard later on is what typically does), so this
# presumably relies on a pre-existing server -- check the print output first.
/ip dhcp-server print
/ip dhcp-server enable 0
--------------------------------------------------------------------------------
# Setting Hotspot
--------------------------------------------------------------------------------
# Answers given to the interactive hotspot setup wizard, one per prompt.
/ip hotspot setup
hotspot interface : Hotspot
local address of network : 192.168.99.1/24
masquerade network : yes
address pool of network : 192.168.99.10-192.168.99.250
# No certificate: the captive-portal login page is presumably served over plain HTTP,
# so user credentials cross the wireless segment unencrypted -- confirm on the router.
select certificate : none
# Client SMTP from the hotspot segment is redirected to this host; confirm it is still
# the intended relay.
ip address of smtp server : 119.235.250.172
dns servers : 192.168.88.2,208.67.222.222
dns name : hotspot.pasim
# The first hotspot user and its password are recorded here in clear text in a public
# gist; treat this password as compromised and change it on the router.
name of local hotspot : admhotspot
password for the user : naonwemoaldibejaan
# Two hotspot user profiles: EDP at 96k up / 768k down, KDM at 64k up / 200k down.
# Both allow two concurrent logins per account and run clients through the transparent proxy.
/ip hotspot user profile add name="EDP" rate-limit="96k/768k" shared-users=2 address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no
/ip hotspot user profile add name="KDM" rate-limit="64k/200k" shared-users=2 address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no
--------------------------------------------------------------------------------
# Setting Sistem & Security
--------------------------------------------------------------------------------
# Clock sync from two fixed upstream NTP servers.
/system ntp client set enabled=yes mode=unicast primary-ntp=203.160.128.178 secondary-ntp=203.89.24.34
# Web admin UI moved off port 80 (presumably to keep it clear of the port-80 proxy
# redirect configured later). It stays reachable from every interface, hotspot
# clients included, because no `address=` restriction is set on the service.
/ip service set www port=9090
# Anything that trips the port-scan detector or sends an abnormal TCP flag
# combination goes on the "port scanners" list for two weeks and is then dropped
# on the input chain. Nothing here drops other unsolicited input from Modem1.
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
--------------------------------------------------------------------------------
# Setting Transparent Proxy
--------------------------------------------------------------------------------
# Built-in web proxy on 8080; clients are steered into it by the dstnat rules below.
/ip proxy set enabled=yes port=8080
/ip proxy set src-address=0.0.0.0 parent-proxy=0.0.0.0 parent-proxy-port=0
/ip proxy set cache-administrator="webmaster@stmikpasim.ac.id"
/ip proxy set cache-on-disk=yes max-cache-size=unlimited max-fresh-time=3d cache-hit-dscp=4
/ip proxy set max-client-connections=600 max-server-connections=600
/ip proxy set serialize-connections=no always-from-cache=no
# Transparent redirect of web traffic into the proxy. These rules carry no
# in-interface match, so they apply to traffic entering on any port, Modem1
# included, and the /ip proxy access list in the next section never restricts by
# source address -- any host that can reach the router can use the proxy.
# Restricting the redirects (e.g. in-interface=Hotspot / in-interface=Labkom) and
# adding a src-address deny in /ip proxy access would close that.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080
--------------------------------------------------------------------------------
# Blok Akses Tertentu
--------------------------------------------------------------------------------
# Proxy ACLs, evaluated top-down; anything not denied here is allowed.
# Host globs ("*porn*.com") and regexes (":sex") match the requested host name only,
# so this is a keyword filter. Only ports 80/3128/8080 are redirected to the proxy,
# so HTTPS traffic never reaches these rules at all.
/ip proxy access
# -- blocked sites --
add action=deny dst-host="*porn*.com"
add action=deny dst-host="*sex*.com"
add action=deny dst-host=twitter.com
add action=deny dst-host=facebook.com
# -- blocked file types (by URL path) --
add action=deny path=*.rar
add action=deny path=*.zip
add action=deny path=*.mov
add action=deny path=*.exe
add action=deny path=*.msi
add action=deny path=*.dat
add action=deny path=*.mkv
add action=deny path=*.mp4
add action=deny path=*.3gp
add action=deny path=*.avi
add action=deny path=*.mp3
# -- blocked host-name keywords (regex) --
add action=deny dst-host=:sex
add action=deny dst-host=:nude
add action=deny dst-host=:porn
add action=deny dst-host=:adult
--------------------------------------------------------------------------------
# Batasi Speed Download
--------------------------------------------------------------------------------
# Any forwarded TCP packet whose payload contains one of these extension strings puts
# the *destination* host on the "downloads" list for five minutes. Packets coming back
# from listed hosts are then marked and squeezed into one shared 128 kbit/s queue.
# (content= is a plain substring match, so unrelated traffic containing ".exe" etc.
# is caught as well.)
/ip firewall filter
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.mp3 protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.mp4 protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.3gp protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.avi protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.mkv protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.mov protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.exe protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.msi protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.iso protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.zip protocol=tcp src-address=0.0.0.0/0
add action=add-dst-to-address-list address-list=downloads address-list-timeout=00:05:00 chain=forward content=.rar protocol=tcp src-address=0.0.0.0/0
/ip firewall mangle add action=mark-packet chain=forward new-packet-mark=downloads-paket protocol=tcp src-address-list=downloads
/queue simple add max-limit=128000/128000 name=downloads-files packet-marks=downloads-paket
--------------------------------------------------------------------------------
# Setting Simple Queue
--------------------------------------------------------------------------------
# One 64k up / 128k down simple queue per lab workstation, 10.10.10.1 .. 10.10.10.20,
# named LABKOM-01 .. LABKOM-20 (same twenty queues as listing them out by hand).
:for i from=1 to=20 do={
    :local suffix [:tostr $i]
    :if ($i < 10) do={ :set suffix ("0" . $suffix) }
    /queue simple add name=("LABKOM-" . $suffix) target-addresses=("10.10.10." . [:tostr $i]) max-limit=64k/128k interface=Labkom
}
--------------------------------------------------------------------------------
# Instalasi & Setting Proxy
--------------------------------------------------------------------------------
# Partisi
/ ext4 40GB primary
/boot ext4 100mb
/cache reiserfs 20GB
swap ---- 2GB
/home ext4 ~~~~
# Catatan
btrFs : untuk OS 64bit
reiserFs : untuk OS 32bit
# Ganti Repo & Install paket dasar
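# Replace the repo & install base packages (everything below runs as root).
# Keep a copy of the original sources list before overwriting it.
mv /etc/apt/sources.list /etc/apt/sources.list.asli
cat > /etc/apt/sources.list <<EOF
deb http://debian.indika.net.id/debian squeeze main non-free contrib
deb http://debian.indika.net.id/debian-security squeeze/updates main non-free contrib
EOF
apt-get update
apt-get install gcc build-essential sharutils libzip-dev automake
# Download the required packages.
# All four downloads are plain HTTP with no signature or checksum check, and the
# patches fetched here are applied to the proxy source tree and built as root.
# Verify each archive against a digest obtained out-of-band before continuing, e.g.
#   echo "<expected-sha256>  LUSCA_HEAD-r14809.tar.gz" | sha256sum -c -
cd /tmp
wget http://lusca-cache.googlecode.com/files/LUSCA_HEAD-r14809.tar.gz
wget http://faisal-sani-project.googlecode.com/files/patch.tar.gz
wget http://faisal-sani-project.googlecode.com/files/storeurl.pl
wget http://xenstack.googlecode.com/files/konfig_squid_lusca.tar.gz
tar xzvf LUSCA_HEAD-r14809.tar.gz
tar xzvf patch.tar.gz
# The config archive was downloaded but never unpacked in the original, so the
# `mv /tmp/konfig_squid_lusca/...` lines further down had nothing to move
# (assuming the archive unpacks to /tmp/konfig_squid_lusca/ as those lines expect).
tar xzvf konfig_squid_lusca.tar.gz
# Copy & apply the patches.
cp -r /tmp/patch/* /tmp/LUSCA*/
cd LUSCA*
patch -p0 < luscaVaryrR14697.diff
patch -p0 < 3xx\ loop.diff
patch -p0 < ignore-must-revalidate.diff
patch -p2 < keblux-lusca-gzip.patch
# chmod requires a mode; the original `chmod bootstrap.sh` errors out and the
# following ./bootstrap.sh then fails if the script is not already executable.
chmod +x bootstrap.sh
./bootstrap.sh
# Configure & build
./configure --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid \
--localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-http-gzip --enable-async-io=24 --with-aufs-threads=24 --with-pthreads \
--enable-storeio=aufs --enable-linux-netfilter --enable-arp-acl --enable-epoll --enable-removal-policies=heap --with-aio --with-dl --enable-snmp \
--enable-delay-pools --enable-htcp --enable-cache-digests --disable-unlinkd --enable-large-cache-files --with-large-files \
--enable-err-languages=English --enable-default-err-language=English --with-maxfd=65536
make && make install
# Squid settings
# Back up the stock squid.conf; the original line gave only the destination argument.
mv /etc/squid/squid.conf /etc/squid/squid.conf.asli
# storeurl.pl is presumably invoked by squid as a helper -- check squid.conf for
# whether it must be executable.
mv /tmp/storeurl.pl /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf.pl /etc/squid/
# Create the cache directories & start squid in the foreground with debug level 1.
squid -f /etc/squid/squid.conf -z
squid -N -d 1 -D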
# --------------------------------------------------------------------------
# Konfigurasi Firewall di Mikrotik
# --------------------------------------------------------------------------
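/ip firewall mangle
# Same rule as in the "Batasi Speed Download" section above; pasting both sections
# produces a duplicate mangle rule.
add chain=forward protocol=tcp src-address-list=downloads action=mark-packet new-packet-mark=downloads-paket
# Packets arriving with DSCP 12 are treated as proxy cache hits. NOTE(review): the
# router's own /ip proxy is set to cache-hit-dscp=4; presumably 12 is what the
# external Lusca box marks hits with -- confirm against its squid.conf.
add disabled=no chain=prerouting action=mark-packet dscp=12 new-packet-mark=proxy-hit passthrough=no
# Plain HTTP: mark the connection, then every packet in it.
add disabled=no chain=prerouting action=mark-connection dst-port=80 new-connection-mark=http-conn passthrough=no protocol=tcp
add disabled=no chain=prerouting action=mark-packet connection-mark=http-conn new-packet-mark=http passthrough=yes
# HTTPS gets a routing mark instead.
add disabled=no chain=prerouting action=mark-connection connection-state=new dst-port=443 new-connection-mark=https-conn passthrough=yes protocol=tcp
add disabled=no chain=prerouting action=mark-routing connection-mark=https-conn new-routing-mark=https passthrough=no
# DNS over TCP and UDP: connection mark, DSCP 12, packet mark.
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=tcp
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp
add disabled=no chain=prerouting action=change-dscp connection-mark=DNS new-dscp=12
add disabled=no chain=prerouting action=mark-packet connection-mark=DNS new-packet-mark=DNS_PACKET passthrough=no
# BUG: this rule had no matcher at all, so every packet not already stopped by a
# passthrough=no rule above (e.g. those just marked "http") was re-marked DNS_PACKET.
# Disabled rather than deleted; if a matcher was intended, add it and re-enable.
add disabled=yes chain=prerouting action=mark-packet new-packet-mark=DNS_PACKET passthrough=yes
# Yahoo Messenger and poker-game ports by connection mark.
add disabled=no chain=forward action=mark-connection dst-port=5050,5100,5051 new-connection-mark=YM passthrough=no protocol=tcp
add disabled=no chain=forward action=mark-connection connection-mark=YM new-connection-mark=YM passthrough=yes
add disabled=no chain=forward action=mark-connection dst-port=843,9339,39100,39110,39220,39190,49100,19101,19000,4300 new-connection-mark=POKER passthrough=no protocol=tcp
add disabled=no chain=forward action=mark-connection connection-mark=POKER new-connection-mark=POKER passthrough=yes
# MSS clamping on the uplink in both directions. ether1 was renamed to Modem1 in
# the interface section, so in-interface=ether1 / out-interface=ether1 no longer
# resolve; the comment strings also used typographic quotes (“ ”), which the
# RouterOS parser is unlikely to accept.
add disabled=no chain=forward action=change-mss comment="CHANGE MMS" in-interface=Modem1 new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add disabled=no chain=forward action=change-mss new-mss=1440 out-interface=Modem1 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
# Accounting-only rule: counts everything entering from the uplink.
add disabled=no chain=forward action=accept comment="Total Pemakaian" in-interface=Modem1
add disabled=no chain=input action=mark-connection comment=Winbox dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp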
# Cek log squid
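# Follow the access log and show only cache hits. The original used an en dash
# (`–f`), which tail treats as a file name rather than the -f option.
tail -f /var/log/squid/access.log | grep HIT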