squid konfigurasi lumayan banter

Mei 21, 2008 at 3:11 pm (Linux,....pecas ndahe)

# Interception ("transparent") proxy on 3128. No bind address is given, so
# Squid listens on every interface; whether this port is reachable from the
# uplink side therefore depends entirely on the host firewall.
http_port 3128 transparent
# ICP stays enabled even though every cache_peer line below is commented out.
icp_port 3130
acl youtube dstdomain -i .youtube.com
# Video fetch URLs; the '?' is escaped so the regex matches it literally.
acl striming url_regex -i get_video\?video_id videodownload\?
# cache/no_cache lines are evaluated first-match, so these two allows are
# placed before the QUERY deny below to keep query-string video URLs cacheable.
cache allow youtube
cache allow striming
#redirect_program /usr/local/adzap/scripts/wrapzap
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#cache_peer proxies.telkom.net.id parent 8080 3130
#cache_peer proxy-sby.telkom.net.id sibling 8080 3130
#============================================================$
# Dynamic content: fetch directly (never via a peer) and do not cache.
hierarchy_stoplist cgi-bin ? .js .jsp localhost kambing.ui.edu buaya.klas.or.id
# NOTE(review): urlpath_regex is matched against the URL path only, so the
# hostnames listed here (localhost, kambing.ui.edu, buaya.klas.or.id) are
# unlikely to match anything, and the unescaped dots in .js/.jsp are regex
# wildcards. Confirm the intended scope of this ACL.
acl QUERY urlpath_regex cgi-bin \? .js .jsp localhost kambing.ui.edu buaya.klas.or.id
no_cache deny QUERY
#============================================================$
#============================================================$

#============================================================$
# OPTIONS WHICH AFFECT THE CACHE SIZE
#============================================================$
# Memory and swap sizing. cache_mem is the in-memory object budget only;
# the on-disk cache is sized by cache_dir below.
cache_mem 6 MB
maximum_object_size 64 MB
maximum_object_size_in_memory 16 KB
# Swap watermarks are nearly equal (98/99), so replacement runs in small
# batches very close to a full disk cache.
cache_swap_low 98
cache_swap_high 99
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
high_memory_warning 70 MB
# IP / FQDN cache sizing, same 98/99 watermark style as above.
ipcache_size 8192
ipcache_low 98
ipcache_high 99
fqdncache_size 8192

#============================================================$
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#============================================================$
# One aufs cache_dir is active; the /cache1 and /cache2 variants are kept
# commented out for reference.
#cache_dir aufs /cache1 4500 18 256
cache_dir aufs /cache 7000 17 256
#cache_dir aufs /cache2 3200 8 256
# access.log records the client address and the full URL of every request
# (strip_query_terms is turned off further down, so query strings are logged
# in full). Query strings often carry session identifiers, so treat this
# log as sensitive.
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
# No reverse DNS of client addresses in the log.
log_fqdn off
log_icp_queries off
log_mime_hdrs off
log_ip_on_direct off
debug_options ALL,1
emulate_httpd_log off

#============================================================$
# FTP section
#============================================================$
# FTP: anonymous logins identified as "anonymous@", passive mode preferred.
ftp_user anonymous@
ftp_list_width 32
ftp_passive on
# Reject FTP data connections whose address does not match the control
# connection's server.
ftp_sanitycheck on

#============================================================$
# DNS resolution section
#============================================================$
#cache_dns_program /usr/sbin/dnsserver
# Resolvers are tried in the order listed: the first is the LAN gateway, the
# rest are external. ignore_unknown_nameservers (set on further down) drops
# replies from any address not in this list.
dns_nameservers 192.168.0.254 202.154.1.2 208.67.202.202 202.134.2.5 202.134.0.155
#============================================================$
# Refresh Rate
#============================================================$
# Disabled variants: ignore-private / ignore-auth would also cache responses
# the origin marked Cache-Control: private or that required credentials,
# which can hand one user's content to another. They are deliberately absent
# from the active lines below.
#refresh_pattern ^ftp: 20160 95% 241920 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache ignore-private ignore-auth
#refresh_pattern . 1440 95% 120960 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache ignore-private ignore-auth
# The active rules still override Expires/Last-Modified and ignore no-cache,
# so content can be served well past what the origin allowed.
# reload-into-ims is listed twice per line, which is harmless.
refresh_pattern ^ftp: 20160 95% 241920 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache
refresh_pattern . 1440 95% 120960 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache
# NOTE(review): with both thresholds at 0 KB this appears to abort the
# server-side fetch as soon as the client disconnects (the pct test only
# applies after the max test) — confirm that is intended.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
negative_ttl 2 minutes
half_closed_clients off
read_timeout 15 minutes
client_lifetime 2 hours
pconn_timeout 60 seconds
request_timeout 1 minutes
# Also set (identically) in the MISCELLANEOUS section below.
shutdown_lifetime 10 seconds
positive_dns_ttl 60 seconds
negative_dns_ttl 30 seconds
#============================================================$
# ACL section
#============================================================$
# Squid 2.x style catch-all source ACL.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# NOTE(review): despite its name this ACL is a single host (.252), and that
# address is also inside the outsider range below; because "allow localnet"
# precedes "deny outsider", .252 ends up allowed.
acl localnet src 192.168.0.252
acl butiti src 192.168.0.3
acl pecenx src 192.168.0.2
acl kost src 192.168.0.4-192.168.0.10
acl outsider src 192.168.0.11-192.168.0.252
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access is first-match: order matters.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# CONNECT is only permitted to the SSL_ports above.
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access allow butiti
http_access allow kost
http_access allow pecenx
# NOTE(review): this is the last http_access line and there is no terminal
# "http_access deny all". When no rule matches, Squid applies the opposite of
# the last rule — ALLOW here — so any source not covered by the ACLs above
# (e.g. 192.168.0.1, .253, .254, or anything else able to reach port 3128)
# gets full proxy access. Add "http_access deny all" after this line.
http_access deny outsider
http_reply_access allow all
# Any host may send ICP queries. With every cache_peer commented out there is
# no peer that needs this, so "icp_access deny all" would be tighter.
icp_access allow all

# Contact address shown on Squid error pages.
cache_mgr poerwo2211@yahoo.com
# Left commented, so the daemon runs as whatever user Squid was built with;
# confirm it is not root.
#cache_effective_user _squid
#cache_effective_group _squid
# NOTE(review): visible_hostname is inserted into the Via header of every
# forwarded request and into error pages, so this e-mail address is sent to
# every origin server visited. A real hostname is the conventional value.
visible_hostname poerwo2211@gmail.com

#============================================================$
# MISCELLANEOUS
#============================================================$
offline_mode off
# Appends the client's LAN address to X-Forwarded-For on every upstream
# request, so internal addressing is disclosed to origin servers.
forwarded_for on
#ssl_unclean_shutdown on
memory_pools off
# Strip the From header (user e-mail) from all requests.
header_access From deny all
logfile_rotate 7
reload_into_ims on
# Duplicate of the value set in the Refresh Rate section.
shutdown_lifetime 10 seconds
# The password "disable" makes the shutdown action unavailable via cachemgr.
cachemgr_passwd disable shutdown
# NOTE(review): this line carries a password token ("all") but no action
# list; as written it likely has no effect — confirm what was intended.
cachemgr_passwd all
buffered_logs off
icp_hit_stale on
# Duplicate of the setting in the logging section.
log_icp_queries off
# Query strings are written to access.log in full (the default strips them);
# they often carry session identifiers, so treat the log as sensitive.
strip_query_terms off
query_icmp on
# Only replies from the dns_nameservers list are accepted.
ignore_unknown_nameservers on
acl hotmail dstdomain .hotmail.com .msn.com .passport.net .msn.co.id .passport.com
# Remove Accept-Encoding on requests to the hotmail domains (forces
# uncompressed responses).
header_access Accept-Encoding deny hotmail
# Duplicate of the reload_into_ims line above.
reload_into_ims on
pipeline_prefetch on
ie_refresh on
vary_ignore_expire on
client_db on

#============================================================$
# DELAY POOLS
#============================================================$
# Download ACL: extensions are anchored with $ and have escaped dots, so these
# only match URL endings.
acl download url_regex -i ftp \.exe$ \.mp3$ \.mp4$ \.tar.gz$ \.gz$ \.tar.bz2$ \.rpm$ \.zip$ \.rar$
acl download url_regex -i \.avi$ \.mpg$ \.mpeg$ \.rm$ \.iso$ \.wav$ \.mov$ \.dat$ \.mpe$ \.mid$
acl download url_regex -i \.midi$ \.rmi$ \.wma$ \.wmv$ \.ogg$ \.ogm$ \.m1v$ \.mp2$ \.mpa$ \.wax$
acl download url_regex -i \.m3u$ \.asx$ \.wpl$ \.wmx$ \.dvr-ms$ \.snd$ \.au$ \.aif$ \.asf$ \.m2v$
acl download url_regex -i \.m2p$ \.ts$ \.tp$ \.trp$ \.div$ \.divx$ \.mod$ \.vob$ \.aob$ \.dts$ \.bin$
acl download url_regex -i \.ac3$ \.cda$ \.vro$
# NOTE(review): unlike "download", these patterns are unescaped and
# unanchored: ".exe" matches any character followed by "exe" anywhere in the
# URL and "ftp" matches any URL containing that string, so this ACL (and
# kenadelay below) is much broader than its name suggests.
acl akses_donlot url_regex -i ftp .exe .dll .zip .rar .rpm .tgz
acl akses_donlot url_regex -i ftp .tar.gz .tar.bz2 .iso .avi .mov .wmv .3gp .bin
acl akses_donlot url_regex -i ftp .mpg .mpeg .mp3 .ram .rm .flv
acl akses_donlot url_regex -i .exe .dll .zip .rar .rpm .tgz
acl akses_donlot url_regex -i .tar.gz .tar.bz2 .iso .avi .mov
acl akses_donlot url_regex -i .mpg .mpeg .mp3 .ram .rm .flv
acl kenadelay url_regex -i .jpg .gif .doc .xls .zip .rar
acl aplot method POST

delay_pools 3
# Pool 1 (class 2: aggregate + per-host buckets): bulk downloads, streaming
# and POSTs matching kenadelay, from any client. Pools are checked in order
# and the first pool that allows a request owns it.
delay_class 1 2
delay_parameters 1 4000/8000 4000/4000
delay_access 1 allow download
# Two ACLs on one line must both match (AND).
delay_access 1 allow pecenx akses_donlot
delay_access 1 allow striming
delay_access 1 allow aplot kenadelay
delay_access 1 deny all
# Pool 2: everything else from pecenx (its downloads were already taken by
# pool 1).
delay_class 2 2
delay_parameters 2 64000/128000 10000/64000
delay_access 2 allow pecenx
delay_access 2 deny all
# Pool 3: everything else from the kost range.
delay_class 3 2
delay_parameters 3 5000/6000 3000/5000
delay_access 3 allow kost
delay_access 3 deny all


iptables transparent proxy

Mei 3, 2008 at 7:06 am (Linux,....pecas ndahe)

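#!/bin/sh
# Minimal iptables setup: masquerade the LAN (GREEN) behind one uplink (RED)
# and transparently redirect LAN HTTP traffic to a local Squid.
#
# Must run as root. The DROP policies are installed before any ACCEPT rule,
# so if the script stops part-way the host is left closed, not open.
######################################################
set -eu

# Constants. The original wrote "$IPT=..." which assigns nothing (the
# expansion happens first), and used typographic quotes; both fixed here.
IPT="iptables"
LOAD="/sbin/modprobe"

# Interfaces
# If the uplink is a modem, use RED=ppp0
RED="eth0"
RED_NET=192.168.1.2        # only used by the commented static-SNAT variant

#BLUE=ra0
#BLUE_NET=192.168.2.0/24

GREEN="eth1"
GREEN_NET=192.168.0.0/24   # only used by the commented SNAT variant

# Local Squid port that LAN HTTP traffic is redirected to.
PORT="3128"

# Extra ports accepted on INPUT from *any* interface, space separated.
# Empty (the default, as in the original where it was never set) opens
# nothing beyond the rules below. The literal value ALL accepts every TCP
# and UDP port on INPUT, which defeats the DROP policy; debugging only.
PORT_IN="${PORT_IN:-}"

#--------------------------------
# Load netfilter modules. Module names are kernel-version dependent (newer
# kernels use nf_conntrack*), and iptables autoloads whatever a rule needs,
# so a failed modprobe is reported but not fatal.
for mod in ip_tables iptable_filter iptable_nat ip_conntrack ip_conntrack_ftp \
    ip_nat_ftp ip_conntrack_irc ip_nat_irc; do
  "$LOAD" "$mod" || printf 'warn: could not load module %s\n' "$mod" >&2
done

#--------------------------------
# Flush all existing rules and user-defined chains
"$IPT" -F
"$IPT" -F -t nat
"$IPT" -F -t mangle
"$IPT" -X

#--------------------------------
# Default policies: drop anything not explicitly accepted below
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

#--------------------------------
# Masquerading for a static uplink IP (disabled). The original referenced an
# undefined $RED_IP here; RED_NET is the value that was declared.
#"$IPT" -t nat -A POSTROUTING -o "$RED" -j SNAT --to-source "$RED_NET"
# Masquerading restricted to the LAN source range (disabled)
#"$IPT" -t nat -A POSTROUTING -s "$GREEN_NET" -o "$RED" -j SNAT --to-source "$RED_NET"

# Dynamic uplink IP (ppp0): MASQUERADE picks the address automatically
"$IPT" -t nat -A POSTROUTING -o "$RED" -j MASQUERADE
#"$IPT" -t nat -A POSTROUTING -o "$BLUE" -j MASQUERADE

# Transparent proxy: only HTTP arriving on GREEN is redirected to Squid.
# Nothing from RED is redirected, and the INPUT rules below accept no new
# connections from RED, so the Squid port is not reachable from the uplink.
"$IPT" -t nat -A PREROUTING -i "$GREEN" -p tcp --dport 80 -j REDIRECT --to-port "$PORT"
#"$IPT" -t nat -A PREROUTING -i "$BLUE" -p tcp --dport 80 -j REDIRECT --to-port "$PORT"

# Leftover variants kept from the original for reference (all disabled):
#"$IPT" -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254:3128
#"$IPT" -t nat -A PREROUTING -i "$BLUE" -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254:3128
#"$IPT" -A INPUT -i "$BLUE" -p tcp -d 192.168.0.254 -s 192.168.1.1 --dport 9333 -m state --state NEW,ESTABLISHED -j ACCEPT
#"$IPT" -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.0.254
#"$IPT" -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
#"$IPT" -t filter -A INPUT -p tcp --dport 9333 -j ACCEPT
#ip route add default scope global nexthop via 192.168.100.101 dev "$RED" weight 1 nexthop via 10.64.64.65 dev "$BLUE" weight 1

#--------------------------------
# FORWARD: the LAN may initiate anything outbound; inbound only for replies
#"$IPT" -t mangle -A PREROUTING -d 10.1.2.10 -j DROP
"$IPT" -A FORWARD -i "$GREEN" -o "$RED" -j ACCEPT
#"$IPT" -A FORWARD -i "$BLUE" -o "$RED" -j ACCEPT
"$IPT" -A FORWARD -i "$RED" -o "$GREEN" -m state --state ESTABLISHED,RELATED -j ACCEPT
#"$IPT" -A FORWARD -i "$RED" -o "$BLUE" -m state --state ESTABLISHED,RELATED -j ACCEPT

#--------------------------------
# INPUT: loopback and the LAN are fully trusted; RED only for replies
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -i "$GREEN" -j ACCEPT
#"$IPT" -A INPUT -i "$BLUE" -j ACCEPT
"$IPT" -A INPUT -i "$RED" -m state --state ESTABLISHED,RELATED -j ACCEPT
#"$IPT" -A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT
#"$IPT" -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT

#"$IPT" -A FORWARD -p ICMP -i "$GREEN" --icmp-type 24 -j REJECT
#"$IPT" -A FORWARD -p ICMP -i "$BLUE" --icmp-type 24 -j REJECT
#"$IPT" -A INPUT -i "$BLUE" -m state --state ESTABLISHED,RELATED -j ACCEPT
#--------------------------------
## Extra INPUT ports (see PORT_IN above). The original reused PORT as the
## loop variable and so clobbered the Squid port; a separate name is used.
if [ "$PORT_IN" != "ALL" ]; then
  # shellcheck disable=SC2086 -- word-splitting the space-separated list is intended
  for in_port in $PORT_IN; do
    "$IPT" -A INPUT -p udp --dport "$in_port" -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$in_port" -j ACCEPT
  done
else
  "$IPT" -A INPUT -p udp -j ACCEPT
  "$IPT" -A INPUT -p tcp -j ACCEPT
fi

# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward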
