HIGH ANONYMOUS (ELITE) SQUID PROXY
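#!/usr/bin/env bash
# Build and install Squid from source, then create the unprivileged account
# and the directories the accompanying squid.conf expects
# (cache_dir /cache, access log under /var/log/squid, cache_effective_user squid).
set -euo pipefail

# Two fixes to the option list: "--enable-cache-diggests" was misspelled
# (autoconf-generated configure scripts typically only WARN on an unknown
# option, so digests were silently left disabled) and --disable-ident-lookups
# was passed twice.
./configure \
  --prefix=/usr \
  --exec-prefix=/usr/ \
  --bindir=/usr/sbin \
  --sysconfdir=/etc/squid \
  --enable-delay-pools \
  --enable-cache-digests \
  --enable-poll \
  --disable-ident-lookups \
  --enable-async-io \
  --enable-auth-modules \
  --enable-removal-policies \
  --enable-snmp \
  --disable-hostname-checks \
  --enable-storeio=diskd,aufs \
  --disable-wccpv2 \
  --enable-kill-parent-hack \
  --enable-default-err-languages=English \
  --enable-err-languages=English \
  --enable-linux-netfilter

# "make; make install" would install a half-built tree when make fails.
make && make install

# Daemon account: no home directory, no login shell. The group has to exist
# before "useradd -g squid" is accepted; both steps are idempotent.
getent group squid >/dev/null || groupadd -r squid
id -u squid >/dev/null 2>&1 || \
  useradd -r -g squid -d /dev/null -s /nonexistent squid

# Ownership must match squid.conf: the store is "/cache" (the original
# chown'd a relative "cache/", i.e. whatever the current directory happened
# to be) and the log file is access.log, not "access.logs". Owning the log
# directory lets Squid create and rotate the files itself.
mkdir -p /cache /var/log/squid
chown squid:squid /cache /var/log/squid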
#####################################
# HIGH ANONYMOUS (ELITE) SQUID PROXY #
# Server: squid/3.1.0.17 #
# Last-Modified: 15 Apr 2010 #
# Status : Under Construction #
# Admin : gobed balagadona #
#####################################
# NETWORK OPTIONS
# -------------------------------------------------
# No address given, so Squid listens on 8080 on every interface of the host.
# The http_access rules further down are the only thing preventing this from
# being an open proxy. NOTE(review): binding to the LAN address only
# ("http_port <lan-ip>:8080") would remove the exposure — confirm which
# interfaces this host has.
http_port 8080
# ICP disabled (no sibling/parent exchange; the cache_peer lines are commented out).
icp_port 0
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
#cache_peer proxy.wetasem.com parent 8080 0 no-digest no-query proxy-only
#cache_peer 125.160.17.23 sibling 8080 0 no-digest no-query proxy-only
hierarchy_stoplist cgi-bin ? .js .jsp
# Dynamic content is never cached. The "." in ".js"/".jsp" is an unescaped
# regex metacharacter (any single character), so the match is wider than
# intended; harmless for a deny-cache rule, but "\.js" was probably meant.
acl QUERY urlpath_regex cgi-bin \? .js .jsp
cache deny QUERY
#cache allow all
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
cache_mem 6 MB
# Low/high watermarks only 1% apart leave almost no band between "start
# evicting" and "evict aggressively"; expect constant eviction churn once the
# store is full.
cache_swap_low 98%
cache_swap_high 99%
# Also set (to the same value) in the TIMEOUTS section below — duplicate.
half_closed_clients off
#maximum_object_size 1024 KB
maximum_object_size 16 MB
minimum_object_size 512 bytes
maximum_object_size_in_memory 1 MB
store_avg_object_size 15 KB
ipcache_size 512
ipcache_low 98
ipcache_high 99
#cache_replacement_policy lru
#memory_replacement_policy lru
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
#cache_dir aufs /cache 12000 12 256
# 12000 MB on /cache via diskd. The install steps must chown /cache to the
# cache_effective_user; the build snippet on this page chown'd a relative
# "cache/" instead.
cache_dir diskd /cache 12000 12 256 Q1=72 Q2=64
#store_dir_select_algorithm round-robin
cache_access_log /var/log/squid/access.log
#cache_access_log /dev/null
#cache_log /var/log/squid/cache.log
# NOTE(review): cache.log is where Squid reports startup errors, ACL/regex
# parse problems, helper failures and crashes. Sending it to /dev/null removes
# the primary diagnostic and forensic record; consider the commented path above
# and let logfile_rotate bound its size.
cache_log /dev/null
cache_store_log /dev/null
emulate_httpd_log on
pid_filename /var/log/squid/squid.pid
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# Sent as the anonymous-FTP password, i.e. disclosed to every FTP server visited.
ftp_user proxyadmin@comast.com
ftp_list_width 64
ftp_passive on
redirect_rewrites_host_header on
# NOTE(review): no "auth_param basic program" is configured and no proxy_auth
# ACL is referenced by http_access, so the auth_param/authenticate_* lines
# below are inert — access is decided by source network (acl comast) alone.
# Either remove them or wire up a helper and a proxy_auth ACL deliberately.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#request_body_max_size 10 MB
#reply_body_max_size 700 MB allow all
# refresh_pattern is first-match, top to bottom. Notes on the patterns below:
#  - the "." before each extension group is an unescaped metacharacter, so it
#    matches any character ("\.(class|css|...)$" was intended);
#  - "^http://*.facebook.*/.*" parses as "http:/" + zero or more "/" + any one
#    character + "facebook"; it matches by accident and also matches any URL
#    that merely contains the word. "^http://([^/]+\.)?facebook\." was meant;
#  - a 100% lm-factor with large max ages serves stale copies of responses
#    that carry no validators; mail, social and search hosts are risky choices.
refresh_pattern -i .(class|css|js|gif|jpg)$ 10080 100% 43200
refresh_pattern -i .(jpe|jpeg|png|bmp|tif)$ 10080 100% 43200
refresh_pattern -i .(tiff|mov|avi|qt|mpeg)$ 10080 100% 43200
refresh_pattern -i .(mpg|mpe|wav|au|mid)$ 10080 100% 43200
refresh_pattern -i .(zip|gz|arj|lha|lzh)$ 10080 100% 43200
refresh_pattern -i .(rar|tgz|tar|exe|bin)$ 10080 100% 43200
refresh_pattern -i .(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200
refresh_pattern -i .(inc|cab|ad|txt|dll)$ 10080 100% 43200
refresh_pattern -i .(asp|acgi|pl|shtml|php3|php)$ 2 20% 43200
refresh_pattern ^http://*.facebook.*/.* 720 100% 10080
refresh_pattern ^http://*.friendster.*/.* 720 100% 10080
refresh_pattern ^http://*.google.*/.* 720 100% 10080
refresh_pattern ^http://*.akamai.*/.* 720 100% 10080
refresh_pattern ^http://*.ytimg.*/.* 720 100% 10080
refresh_pattern ^http://*.fbcdn.net/.* 720 100% 10080
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 10080
refresh_pattern ^http://*.yahoo.*/.* 720 100% 7200
refresh_pattern ^http://*.google-analytics.*/.* 720 100% 10080
refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 10080
refresh_pattern ^http://*.wordpress.com/.* 720 80% 10080
refresh_pattern ^http://*.twitter.com/.* 720 80% 10080
refresh_pattern -i .google.co.id$ 1440 100% 10080
# Max age 999999 minutes (about 694 days): effectively "cache forever".
refresh_pattern -i \.flv$ 10080 90% 999999
refresh_pattern -i .co.id$ 1440 100% 10080
refresh_pattern -i .mail.yahoo$ 1440 100% 3500
# The two photobucket patterns are URL-encoded ("%29", "%2F", "%28.%2A%3F%29")
# and the "(" after "i"/"vid" is never closed, so the regex cannot compile.
# They were evidently pasted from an address bar. NOTE(review): check with
# "squid -k parse"; either decode them properly or remove them.
refresh_pattern ^http://i(.*/?%29.photobucket.com%2Falbums%2F%28.%2A%3F%29%2F%28.%2A%3F%29%2F%28.%2A%3F%29\? 43200 90% 999999
refresh_pattern ^http://vid(.*/?%29.photobucket.com%2Falbums%2F%28.%2A%3F%29%2F%28.%2A%3F%29\? 43200 90% 999999
refresh_pattern ^http://*.indowebster.com.*/.* 720 100% 10080
refresh_pattern ^http://*.blogsome.com/.* 720 80% 10080
refresh_pattern ^http://*.gmail.*/.* 720 100% 4320
refresh_pattern ^http://*.blogspot.com/.* 720 100% 4320
refresh_pattern ^http://*.detik.com/.* 720 100% 4320
refresh_pattern ^http://*.detik.*/.* 720 100% 4320
refresh_pattern ^http://*.kompas.com/.* 720 100% 4320
refresh_pattern ^http://*.metrotvnews.com/.* 720 100% 4320
refresh_pattern ^http://*.multiply.*/.* 720 100% 7200
refresh_pattern ^http://*.wikipedia.*/.* 720 80% 10080
refresh_pattern ^http://*.kaskus.*/.* 720 100% 28800
refresh_pattern ^http://*.imperiaonline.org/.* 720 100% 28800
refresh_pattern ^http://*.telkom.*/.* 720 90% 10080
refresh_pattern ^http://*.astaga.*/.* 720 90% 10080
refresh_pattern ^http://*.okezone.*/.* 720 90% 2880
refresh_pattern ^http://*.kapanlagi.*/.* 720 90% 2880
refresh_pattern ^http://*.tvone.*/.* 720 90% 10080
refresh_pattern ^http://*.tribunjabar.*/.* 720 90% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 10080 95% 241920
# Catch-all for query strings and CGI, then the default for everything else.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# TIMEOUTS
# -----------------------------------------------------------------------------
pipeline_prefetch on
vary_ignore_expire on
reload_into_ims on
icp_hit_stale on
query_icmp on
# -1 KB: never abort a fetch the client gave up on — always download the
# whole object into the cache (costs upstream bandwidth on every abandoned
# transfer).
quick_abort_min -1 KB
quick_abort_max 0
quick_abort_pct 98
memory_pools off
connect_timeout 5 minutes
peer_connect_timeout 30 seconds
dead_peer_timeout 30 seconds
read_timeout 5 minutes
request_timeout 30 seconds
persistent_request_timeout 1 minute
# Duplicate of the setting in the cache-size section above.
half_closed_clients off
pconn_timeout 120 seconds
positive_dns_ttl 6 hours
negative_dns_ttl 10 minutes
dns_defnames on
dns_retransmit_interval 5 seconds
# Five minutes is far above the usual seconds-range value; a dead resolver will
# stall every uncached lookup for that long.
dns_timeout 5 minutes
ignore_unknown_nameservers on
shutdown_lifetime 10 seconds
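# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# "all" is predefined on Squid 3.x, which is why this stays commented out.
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl client src 125.166.239.80/255.255.255.255
# The only population allowed to use the proxy.
acl comast src 192.168.1.0/24
# NOTE(review): url_regex is matched against the full URL including the scheme
# ("http://1.2.3.4/..."), so an anchor of "^[0-9]+" can never match and this
# ACL is currently a no-op. Anchoring after the scheme
# ("^[a-z]+://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+") or using dstdom_regex would
# make it effective.
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl block dstdomain .trafficmp.com .hotbar.com .bonzi.com .gator.com .gohip.com .ezula.com .epilot.com
acl dialer urlpath_regex -i \.Fre_Sex_Download.exe$ \StripSetup.exe \.vbs$ \.bat$ \.dialer.exe$
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl ircports port 6666-7000 # irc port
acl CONNECT method CONNECT
#acl erase method PURGE
#
# http_access is first-match. Every deny that is meant to bind LAN clients must
# therefore come BEFORE "allow comast". In the original, "deny manager",
# "deny CONNECT !SSL_ports" and "deny to_localhost" were placed after it and
# never applied to 192.168.1.0/24: any LAN host could CONNECT-tunnel to
# arbitrary ports, reach loopback-bound services on the proxy host through it,
# and query the cache manager. The order below is the one the stock squid.conf
# recommends.
#
# Cache manager: localhost only.
http_access allow manager localhost
http_access deny manager
# Port hygiene, before any client is allowed.
http_access deny ircports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Keep the proxy from being used as a hop onto its own loopback.
http_access deny to_localhost
# Content filters (numeric_IPs is a no-op until its regex is fixed, see above).
http_access deny numeric_IPs
http_access deny block
http_access deny dialer
# Permitted clients, then default deny.
#http_access allow client
http_access allow comast
http_access allow localhost
http_access deny all
http_reply_access allow localhost
#http_reply_access allow client
http_reply_access allow comast
http_reply_access deny all
#icp_access allow client
icp_access deny all
miss_access allow all
#always_direct allow client
always_direct allow comast
always_direct deny all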
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# Shown on error pages, i.e. visible to every user of the proxy.
cache_mgr ast@comast.com
# Squid drops root privileges to this account after binding http_port; the
# cache_dir and the log directory must be owned by it.
cache_effective_user squid
cache_effective_group squid
# NOTE(review): visible_hostname appears in the Via header, X-Cache and error
# pages, so this string is disclosed to origin servers and clients; an
# e-mail-style value is also not a valid hostname. Use the host's real FQDN
# (and see the anonymity section for suppressing Via altogether).
visible_hostname proxy@comast.com
# MISCELLANEOUS
# -----------------------------------------------------------------------------
logfile_rotate 5
log_icp_queries off
store_objects_per_bucket 50
buffered_logs on
# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------
# No delay_pools are defined even though the build enables them; this section
# holds unrelated directives.
prefer_direct off
coredump_dir none
ie_refresh off
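# squid clamav antivirus
# url_rewrite_program /usr/local/bin/squidclamav
# -------------------------------------------------------------------------------
###### High Anonymous (elite) Proxy
# -------------------------------------------------------------------------------
# "forwarded_for off" still sends "X-Forwarded-For: unknown", which announces
# that a proxy is in the path; "delete" omits the header entirely (added in
# the 3.1 series together with "transparent" and "truncate" — confirm this
# build accepts it with "squid -k parse").
forwarded_for delete
# Squid inserts its own Via header (carrying visible_hostname) independently
# of the request_header_access list below; it has to be disabled here.
via off
# Allow-list of client request headers that are passed upstream; anything not
# named is stripped by the final "All deny all" (so Referer and any client-sent
# Via / X-Forwarded-For are dropped). User-Agent and Cookie ARE passed, so this
# hides the client's network identity but does not defeat application-level
# tracking.
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all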
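#!/usr/bin/env bash
# Build and install Squid from source, then create the unprivileged account
# and the directories the accompanying squid.conf expects
# (cache_dir /cache, access log under /var/log/squid, cache_effective_user squid).
set -euo pipefail

# Two fixes to the option list: "--enable-cache-diggests" was misspelled
# (autoconf-generated configure scripts typically only WARN on an unknown
# option, so digests were silently left disabled) and --disable-ident-lookups
# was passed twice. This copy of the listing also lost its "./configure \"
# line, which is restored here.
./configure \
  --prefix=/usr \
  --exec-prefix=/usr/ \
  --bindir=/usr/sbin \
  --sysconfdir=/etc/squid \
  --enable-delay-pools \
  --enable-cache-digests \
  --enable-poll \
  --disable-ident-lookups \
  --enable-async-io \
  --enable-auth-modules \
  --enable-removal-policies \
  --enable-snmp \
  --disable-hostname-checks \
  --enable-storeio=diskd,aufs \
  --disable-wccpv2 \
  --enable-kill-parent-hack \
  --enable-default-err-languages=English \
  --enable-err-languages=English \
  --enable-linux-netfilter

# "make; make install" would install a half-built tree when make fails.
make && make install

# Daemon account: no home directory, no login shell. The group has to exist
# before "useradd -g squid" is accepted; both steps are idempotent.
getent group squid >/dev/null || groupadd -r squid
id -u squid >/dev/null 2>&1 || \
  useradd -r -g squid -d /dev/null -s /nonexistent squid

# Ownership must match squid.conf: the store is "/cache" (the original
# chown'd a relative "cache/", i.e. whatever the current directory happened
# to be) and the log file is access.log, not "access.logs". Owning the log
# directory lets Squid create and rotate the files itself.
mkdir -p /cache /var/log/squid
chown squid:squid /cache /var/log/squid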
#####################################
# HIGH ANONYMOUS (ELITE) SQUID PROXY #
# Server: squid/3.1.0.17 #
# Last-Modified: 15 Apr 2010 #
# Status : Under Construction #
# Admin : gobed balagadona #
#####################################
# NETWORK OPTIONS
# -------------------------------------------------
# No address given, so Squid listens on 8080 on every interface of the host.
# The http_access rules further down are the only thing preventing this from
# being an open proxy. NOTE(review): binding to the LAN address only
# ("http_port <lan-ip>:8080") would remove the exposure — confirm which
# interfaces this host has.
http_port 8080
# ICP disabled (no sibling/parent exchange; the cache_peer lines are commented out).
icp_port 0
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
#cache_peer proxy.wetasem.com parent 8080 0 no-digest no-query proxy-only
#cache_peer 125.160.17.23 sibling 8080 0 no-digest no-query proxy-only
hierarchy_stoplist cgi-bin ? .js .jsp
# Dynamic content is never cached. The "." in ".js"/".jsp" is an unescaped
# regex metacharacter (any single character), so the match is wider than
# intended; harmless for a deny-cache rule, but "\.js" was probably meant.
acl QUERY urlpath_regex cgi-bin \? .js .jsp
cache deny QUERY
#cache allow all
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
cache_mem 6 MB
# Low/high watermarks only 1% apart leave almost no band between "start
# evicting" and "evict aggressively"; expect constant eviction churn once the
# store is full.
cache_swap_low 98%
cache_swap_high 99%
# Also set (to the same value) in the TIMEOUTS section below — duplicate.
half_closed_clients off
#maximum_object_size 1024 KB
maximum_object_size 16 MB
minimum_object_size 512 bytes
maximum_object_size_in_memory 1 MB
store_avg_object_size 15 KB
ipcache_size 512
ipcache_low 98
ipcache_high 99
#cache_replacement_policy lru
#memory_replacement_policy lru
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
#cache_dir aufs /cache 12000 12 256
# 12000 MB on /cache via diskd. The install steps must chown /cache to the
# cache_effective_user; the build snippet on this page chown'd a relative
# "cache/" instead.
cache_dir diskd /cache 12000 12 256 Q1=72 Q2=64
#store_dir_select_algorithm round-robin
cache_access_log /var/log/squid/access.log
#cache_access_log /dev/null
#cache_log /var/log/squid/cache.log
# NOTE(review): cache.log is where Squid reports startup errors, ACL/regex
# parse problems, helper failures and crashes. Sending it to /dev/null removes
# the primary diagnostic and forensic record; consider the commented path above
# and let logfile_rotate bound its size.
cache_log /dev/null
cache_store_log /dev/null
emulate_httpd_log on
pid_filename /var/log/squid/squid.pid
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# Sent as the anonymous-FTP password, i.e. disclosed to every FTP server visited.
ftp_user proxyadmin@comast.com
ftp_list_width 64
ftp_passive on
redirect_rewrites_host_header on
# NOTE(review): no "auth_param basic program" is configured and no proxy_auth
# ACL is referenced by http_access, so the auth_param/authenticate_* lines
# below are inert — access is decided by source network (acl comast) alone.
# Either remove them or wire up a helper and a proxy_auth ACL deliberately.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#request_body_max_size 10 MB
#reply_body_max_size 700 MB allow all
# refresh_pattern is first-match, top to bottom. Notes on the patterns below:
#  - the "." before each extension group is an unescaped metacharacter, so it
#    matches any character ("\.(class|css|...)$" was intended);
#  - "^http://*.facebook.*/.*" parses as "http:/" + zero or more "/" + any one
#    character + "facebook"; it matches by accident and also matches any URL
#    that merely contains the word. "^http://([^/]+\.)?facebook\." was meant;
#  - a 100% lm-factor with large max ages serves stale copies of responses
#    that carry no validators; mail, social and search hosts are risky choices.
refresh_pattern -i .(class|css|js|gif|jpg)$ 10080 100% 43200
refresh_pattern -i .(jpe|jpeg|png|bmp|tif)$ 10080 100% 43200
refresh_pattern -i .(tiff|mov|avi|qt|mpeg)$ 10080 100% 43200
refresh_pattern -i .(mpg|mpe|wav|au|mid)$ 10080 100% 43200
refresh_pattern -i .(zip|gz|arj|lha|lzh)$ 10080 100% 43200
refresh_pattern -i .(rar|tgz|tar|exe|bin)$ 10080 100% 43200
refresh_pattern -i .(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200
refresh_pattern -i .(inc|cab|ad|txt|dll)$ 10080 100% 43200
refresh_pattern -i .(asp|acgi|pl|shtml|php3|php)$ 2 20% 43200
refresh_pattern ^http://*.facebook.*/.* 720 100% 10080
refresh_pattern ^http://*.friendster.*/.* 720 100% 10080
refresh_pattern ^http://*.google.*/.* 720 100% 10080
refresh_pattern ^http://*.akamai.*/.* 720 100% 10080
refresh_pattern ^http://*.ytimg.*/.* 720 100% 10080
refresh_pattern ^http://*.fbcdn.net/.* 720 100% 10080
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 10080
refresh_pattern ^http://*.yahoo.*/.* 720 100% 7200
refresh_pattern ^http://*.google-analytics.*/.* 720 100% 10080
refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 10080
refresh_pattern ^http://*.wordpress.com/.* 720 80% 10080
refresh_pattern ^http://*.twitter.com/.* 720 80% 10080
refresh_pattern -i .google.co.id$ 1440 100% 10080
# Max age 999999 minutes (about 694 days): effectively "cache forever".
refresh_pattern -i \.flv$ 10080 90% 999999
refresh_pattern -i .co.id$ 1440 100% 10080
refresh_pattern -i .mail.yahoo$ 1440 100% 3500
# The two photobucket patterns are URL-encoded ("%29", "%2F", "%28.%2A%3F%29")
# and the "(" after "i"/"vid" is never closed, so the regex cannot compile.
# They were evidently pasted from an address bar. NOTE(review): check with
# "squid -k parse"; either decode them properly or remove them.
refresh_pattern ^http://i(.*/?%29.photobucket.com%2Falbums%2F%28.%2A%3F%29%2F%28.%2A%3F%29%2F%28.%2A%3F%29\? 43200 90% 999999
refresh_pattern ^http://vid(.*/?%29.photobucket.com%2Falbums%2F%28.%2A%3F%29%2F%28.%2A%3F%29\? 43200 90% 999999
refresh_pattern ^http://*.indowebster.com.*/.* 720 100% 10080
refresh_pattern ^http://*.blogsome.com/.* 720 80% 10080
refresh_pattern ^http://*.gmail.*/.* 720 100% 4320
refresh_pattern ^http://*.blogspot.com/.* 720 100% 4320
refresh_pattern ^http://*.detik.com/.* 720 100% 4320
refresh_pattern ^http://*.detik.*/.* 720 100% 4320
refresh_pattern ^http://*.kompas.com/.* 720 100% 4320
refresh_pattern ^http://*.metrotvnews.com/.* 720 100% 4320
refresh_pattern ^http://*.multiply.*/.* 720 100% 7200
refresh_pattern ^http://*.wikipedia.*/.* 720 80% 10080
refresh_pattern ^http://*.kaskus.*/.* 720 100% 28800
refresh_pattern ^http://*.imperiaonline.org/.* 720 100% 28800
refresh_pattern ^http://*.telkom.*/.* 720 90% 10080
refresh_pattern ^http://*.astaga.*/.* 720 90% 10080
refresh_pattern ^http://*.okezone.*/.* 720 90% 2880
refresh_pattern ^http://*.kapanlagi.*/.* 720 90% 2880
refresh_pattern ^http://*.tvone.*/.* 720 90% 10080
refresh_pattern ^http://*.tribunjabar.*/.* 720 90% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 10080 95% 241920
# Catch-all for query strings and CGI, then the default for everything else.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# TIMEOUTS
# -----------------------------------------------------------------------------
pipeline_prefetch on
vary_ignore_expire on
reload_into_ims on
icp_hit_stale on
query_icmp on
# -1 KB: never abort a fetch the client gave up on — always download the
# whole object into the cache (costs upstream bandwidth on every abandoned
# transfer).
quick_abort_min -1 KB
quick_abort_max 0
quick_abort_pct 98
memory_pools off
connect_timeout 5 minutes
peer_connect_timeout 30 seconds
dead_peer_timeout 30 seconds
read_timeout 5 minutes
request_timeout 30 seconds
persistent_request_timeout 1 minute
# Duplicate of the setting in the cache-size section above.
half_closed_clients off
pconn_timeout 120 seconds
positive_dns_ttl 6 hours
negative_dns_ttl 10 minutes
dns_defnames on
dns_retransmit_interval 5 seconds
# Five minutes is far above the usual seconds-range value; a dead resolver will
# stall every uncached lookup for that long.
dns_timeout 5 minutes
ignore_unknown_nameservers on
shutdown_lifetime 10 seconds
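# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# "all" is predefined on Squid 3.x, which is why this stays commented out.
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl client src 125.166.239.80/255.255.255.255
# The only population allowed to use the proxy.
acl comast src 192.168.1.0/24
# NOTE(review): url_regex is matched against the full URL including the scheme
# ("http://1.2.3.4/..."), so an anchor of "^[0-9]+" can never match and this
# ACL is currently a no-op. Anchoring after the scheme
# ("^[a-z]+://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+") or using dstdom_regex would
# make it effective.
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl block dstdomain .trafficmp.com .hotbar.com .bonzi.com .gator.com .gohip.com .ezula.com .epilot.com
acl dialer urlpath_regex -i \.Fre_Sex_Download.exe$ \StripSetup.exe \.vbs$ \.bat$ \.dialer.exe$
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl ircports port 6666-7000 # irc port
acl CONNECT method CONNECT
#acl erase method PURGE
#
# http_access is first-match. Every deny that is meant to bind LAN clients must
# therefore come BEFORE "allow comast". In the original, "deny manager",
# "deny CONNECT !SSL_ports" and "deny to_localhost" were placed after it and
# never applied to 192.168.1.0/24: any LAN host could CONNECT-tunnel to
# arbitrary ports, reach loopback-bound services on the proxy host through it,
# and query the cache manager. The order below is the one the stock squid.conf
# recommends.
#
# Cache manager: localhost only.
http_access allow manager localhost
http_access deny manager
# Port hygiene, before any client is allowed.
http_access deny ircports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Keep the proxy from being used as a hop onto its own loopback.
http_access deny to_localhost
# Content filters (numeric_IPs is a no-op until its regex is fixed, see above).
http_access deny numeric_IPs
http_access deny block
http_access deny dialer
# Permitted clients, then default deny.
#http_access allow client
http_access allow comast
http_access allow localhost
http_access deny all
http_reply_access allow localhost
#http_reply_access allow client
http_reply_access allow comast
http_reply_access deny all
#icp_access allow client
icp_access deny all
miss_access allow all
#always_direct allow client
always_direct allow comast
always_direct deny all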
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# Shown on error pages, i.e. visible to every user of the proxy.
cache_mgr ast@comast.com
# Squid drops root privileges to this account after binding http_port; the
# cache_dir and the log directory must be owned by it.
cache_effective_user squid
cache_effective_group squid
# NOTE(review): visible_hostname appears in the Via header, X-Cache and error
# pages, so this string is disclosed to origin servers and clients; an
# e-mail-style value is also not a valid hostname. Use the host's real FQDN
# (and see the anonymity section for suppressing Via altogether).
visible_hostname proxy@comast.com
# MISCELLANEOUS
# -----------------------------------------------------------------------------
logfile_rotate 5
log_icp_queries off
store_objects_per_bucket 50
buffered_logs on
# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------
# No delay_pools are defined even though the build enables them; this section
# holds unrelated directives.
prefer_direct off
coredump_dir none
ie_refresh off
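# squid clamav antivirus
# url_rewrite_program /usr/local/bin/squidclamav
# -------------------------------------------------------------------------------
###### High Anonymous (elite) Proxy
# -------------------------------------------------------------------------------
# "forwarded_for off" still sends "X-Forwarded-For: unknown", which announces
# that a proxy is in the path; "delete" omits the header entirely (added in
# the 3.1 series together with "transparent" and "truncate" — confirm this
# build accepts it with "squid -k parse").
forwarded_for delete
# Squid inserts its own Via header (carrying visible_hostname) independently
# of the request_header_access list below; it has to be disabled here.
via off
# Allow-list of client request headers that are passed upstream; anything not
# named is stripped by the final "All deny all" (so Referer and any client-sent
# Via / X-Forwarded-For are dropped). User-Agent and Cookie ARE passed, so this
# hides the client's network identity but does not defeat application-level
# tracking.
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all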
VPN menggunakan PPTP Server Mikrotik
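# PPTP remote-access VPN on RouterOS. PPTP is legacy technology: its MS-CHAP
# handshakes (v1 and v2) are recoverable offline and the MPPE session key is
# derived from them, so treat this as connectivity rather than confidentiality
# and prefer an IPsec/L2TP or SSTP profile wherever the clients allow it.
/ interface ethernet
set ether1 name="ether1"
/ interface bridge
# proxy-arp on the bridge lets VPN clients, which get addresses from the same
# 192.168.0.0/24 as the LAN (see the pool below), be reached by LAN hosts.
add name="lan" arp=proxy-arp
/ interface bridge port
add interface=ether1 bridge=lan
/ ip address
add address=192.168.0.1/24 interface=lan
/ ip dns
# The original line lacked the "set" verb, which RouterOS rejects.
# NOTE(review): this snippet has no firewall filter; answering remote DNS
# queries turns the router into an open resolver on any public-facing
# interface. Add a filter rule dropping udp/tcp 53 from the WAN side.
set allow-remote-requests=yes
/ ip firewall service-port
set gre disabled=no
set pptp disabled=no
/ ip pool
add name="pptp" ranges=192.168.0.200-192.168.0.229
/ ppp profile
# use-encryption=required refuses unencrypted sessions; only-one=yes allows a
# single concurrent session per secret.
add name="pptp-in" local-address=192.168.0.1 remote-address=pptp \
use-encryption=required only-one=yes change-tcp-mss=yes \
dns-server=192.168.0.1
/ interface pptp-server server
# The original also offered chap and mschap1, which a client (or an active
# attacker on the path) could negotiate down to; mschap2 is the strongest
# option PPTP has.
set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=mschap2 default-profile=pptp-in
/ ppp secret
# The original stored one shared password for both accounts in this export.
# Issue a unique credential per user, rotate it, and keep this file out of
# version control and pastes.
add name="sony1" service=pptp password="CHANGE-ME-unique-password-1" profile=pptp-in
add name="sony2" service=pptp password="CHANGE-ME-unique-password-2" profile=pptp-in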
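# PPTP remote-access VPN on RouterOS. PPTP is legacy technology: its MS-CHAP
# handshakes (v1 and v2) are recoverable offline and the MPPE session key is
# derived from them, so treat this as connectivity rather than confidentiality
# and prefer an IPsec/L2TP or SSTP profile wherever the clients allow it.
# (This copy of the listing lost its "/ interface ethernet" menu line; restored.)
/ interface ethernet
set ether1 name="ether1"
/ interface bridge
# proxy-arp on the bridge lets VPN clients, which get addresses from the same
# 192.168.0.0/24 as the LAN (see the pool below), be reached by LAN hosts.
add name="lan" arp=proxy-arp
/ interface bridge port
add interface=ether1 bridge=lan
/ ip address
add address=192.168.0.1/24 interface=lan
/ ip dns
# The original line lacked the "set" verb, which RouterOS rejects.
# NOTE(review): this snippet has no firewall filter; answering remote DNS
# queries turns the router into an open resolver on any public-facing
# interface. Add a filter rule dropping udp/tcp 53 from the WAN side.
set allow-remote-requests=yes
/ ip firewall service-port
set gre disabled=no
set pptp disabled=no
/ ip pool
add name="pptp" ranges=192.168.0.200-192.168.0.229
/ ppp profile
# use-encryption=required refuses unencrypted sessions; only-one=yes allows a
# single concurrent session per secret.
add name="pptp-in" local-address=192.168.0.1 remote-address=pptp \
use-encryption=required only-one=yes change-tcp-mss=yes \
dns-server=192.168.0.1
/ interface pptp-server server
# The original also offered chap and mschap1, which a client (or an active
# attacker on the path) could negotiate down to; mschap2 is the strongest
# option PPTP has.
set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=mschap2 default-profile=pptp-in
/ ppp secret
# The original stored one shared password for both accounts in this export.
# Issue a unique credential per user, rotate it, and keep this file out of
# version control and pastes.
add name="sony1" service=pptp password="CHANGE-ME-unique-password-1" profile=pptp-in
add name="sony2" service=pptp password="CHANGE-ME-unique-password-2" profile=pptp-in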
load balancing di linux box
Linux box pake 3 NIC / kartu jaringan / LAN Card :
eth0 nyambung ke ISP (misal “TELENET”) pake kabel
eth1 nyambung ke ISP ADSL (misal “SKYNET”) (pake modem eksternal)
eth2 nyambung ke LAN (misal “INTERN”).
———— MAIN ROUTING TABLE ———–
# ip route show table main
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.254
192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.2
81.82.0.0/19 dev eth0 proto kernel scope link src 81.82.x.x
default via 81.82.0.1 dev eth0
———— EXTRA ROUTING TABLE———–
# ip route show table 4
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.254
192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.2
81.82.0.0/19 dev eth0 proto kernel scope link src 81.82.x.x
default via 192.168.254.1 dev eth1
———– ROUTING RULES ———–
# ip rule show
0: from all lookup 255
32764: from 192.168.254.1 lookup 4
32765: from all fwmark 0x4 lookup 4
32766: from all lookup main
32767: from all lookup default
———- FIREWALL (rules) SCRIPT (partial) ———-
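#!/usr/bin/env bash
# Partial firewall/NAT script for the two-uplink router described above
# (eth0 = TELENET, eth1 = SKYNET, eth2 = LAN). The pasted original used
# typographic quotes, en dashes in place of "--" and "0×4" for the fwmark,
# none of which bash or iptables accept; all are repaired here.
set -euo pipefail

IPTABLES=/sbin/iptables
TELENET="eth0"
SKYNET="eth1"
INTERN="eth2"
INTNET="192.168.0.0/24"
# Referenced but never assigned in the original (the post calls the script
# "partial"). Fail loudly rather than expand to an empty string, which would
# turn e.g. "-d $SKYNETIP" into a match-everything rule.
: "${TELENETIP:?public address on $TELENET}"
: "${SKYNETIP:?public address on $SKYNET}"
: "${INTERNIP:?LAN-side address on $INTERN}"
: "${SERVER1IP:?internal server published through DNAT}"
# fwmark consumed by the policy rule "from all fwmark 0x4 lookup 4" above.
MARK_SKYNET=0x4
# Ports published on the SKYNET address and forwarded to $SERVER1IP.
PUBLISHED_PORTS=(443 444 1723 4125)

# Flush, then set default-deny BEFORE adding rules. The original set the
# policies last, so for the duration of a reload the box forwarded everything.
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT

# Replies to the router's own outbound connections on both uplinks.
$IPTABLES -A INPUT -i "$TELENET" -d "$TELENETIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i "$SKYNET" -d "$SKYNETIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o "$TELENET" -s "$TELENETIP" -j ACCEPT
$IPTABLES -A OUTPUT -o "$SKYNET" -s "$SKYNETIP" -j ACCEPT
$IPTABLES -A INPUT -i "$INTERN" -s "$INTNET" -j ACCEPT
$IPTABLES -A OUTPUT -o "$INTERN" -s "$INTERNIP" -d "$INTNET" -j ACCEPT

# Mark the published server's replies so the policy rule routes them back out
# through SKYNET (the link they arrived on) instead of the TELENET default.
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -t mangle -A PREROUTING -s "$SERVER1IP" -p tcp -m tcp --sport "$port" \
    -j MARK --set-mark "$MARK_SKYNET"
done

# Publish the internal server on the SKYNET address.
# NOTE(review): 1723 is PPTP control traffic; PPTP also needs GRE (IP proto 47)
# forwarded and NAT'd, which these TCP-only rules do not cover.
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -t nat -A PREROUTING -d "$SKYNETIP" -p tcp -m tcp --dport "$port" \
    -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination "$SERVER1IP:$port"
done

$IPTABLES -t nat -A POSTROUTING -o "$TELENET" -j SNAT --to-source "$TELENETIP"
$IPTABLES -t nat -A POSTROUTING -o "$SKYNET" -j SNAT --to-source "$SKYNETIP"

# Kept from the original. NOTE(review): the DNAT above rewrites the
# destination before routing, so these packets traverse FORWARD, not INPUT;
# these rules only matter if the router itself also listens on these ports.
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -A INPUT -d "$SKYNETIP" -i "$SKYNET" -p tcp -m tcp --sport 1024:65535 --dport "$port" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
done

# NOTE(review): these two rules accept every forwarded packet to or from the
# LAN regardless of interface or connection state, which makes the per-port
# FORWARD rules below redundant and admits anything an upstream delivers for a
# LAN address. The conventional shape is "-s $INTNET -m state --state
# NEW,ESTABLISHED,RELATED" outbound and "-d $INTNET -m state --state
# ESTABLISHED,RELATED" inbound, with the DNAT ports allowed explicitly; left
# as written because the post does not state the intended policy.
$IPTABLES -A FORWARD -d "$INTNET" -j ACCEPT
$IPTABLES -A FORWARD -s "$INTNET" -j ACCEPT
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -A FORWARD -i "$SKYNET" -o "$INTERN" -p tcp -m tcp --dport "$port" \
    -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
done
# The original appended the two broad FORWARD rules a second time after the
# policy lines; that duplicate is dropped.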
2 ISP 1 LAN
biar nge-cache di google ato search engine lainnya
* load balancing 2 ISP
* load balancing multiple ISP link
* http://www.lartc.org/howto/lartc.rpdb.multiple-links.html Load balancing LARTC
contohnya
Berikut ini file konfigurasi:
1. /etc/iproute2/rt_tables
2. loadbalancing.sh
—- /etc/iproute2/rt_tables —-
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
# Named tables referenced by loadbalancing.sh ("table T1" / "table T2");
# ids 10 and 20 stay clear of the reserved values listed above.
# ADSL1
10 T1
# ADSL2
20 T2
— loadbalancing.sh —-
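#!/bin/sh
# Two-uplink policy routing (LARTC "routing for multiple uplinks"): table T1
# sends via the ppp0 ADSL link, table T2 via the eth2 ADSL router, and the
# main table gets an equal-weight multipath default. Requires the T1/T2
# entries in /etc/iproute2/rt_tables shown above.
set -eu

# Parameter
IF0=eth0
P0_NET=192.168.0.0/24
# Connection to the ADSL modem (bridge mode) via ppp0
IF1=ppp0
# The original hard-coded the placeholder "125.164.255.xxx", which "ip" rejects.
# Supply the address assigned to ppp0 through the environment instead.
IP1=${IP1:?set IP1 to the public address on ppp0}
P1=125.164.255.1
P1_NET=125.164.255.0/24
# Connection to the ADSL modem (router mode) via eth2
IF2=eth2
IP2=192.168.11.250
P2=192.168.11.200
P2_NET=192.168.11.0/24

# "replace" rather than "add": the kernel already created the connected routes
# for $P1_NET/$P2_NET in main when the interfaces came up, and a re-run must
# not abort (set -e) on "RTNETLINK answers: File exists".
ip route replace "$P1_NET" dev "$IF1" src "$IP1" table T1
ip route replace default via "$P1" table T1
ip route replace "$P2_NET" dev "$IF2" src "$IP2" table T2
ip route replace default via "$P2" table T2
ip route replace "$P1_NET" dev "$IF1" src "$IP1"
ip route replace "$P2_NET" dev "$IF2" src "$IP2"
# Policy: traffic sourced from an uplink's own address leaves via that uplink.
# Remove any previous copy first so re-running does not stack duplicate rules.
ip rule del from "$IP1" table T1 2>/dev/null || true
ip rule del from "$IP2" table T2 2>/dev/null || true
ip rule add from "$IP1" table T1
ip rule add from "$IP2" table T2
# Each uplink table also needs the LAN, the other uplink's net and loopback.
ip route replace "$P0_NET" dev "$IF0" table T1
ip route replace "$P2_NET" dev "$IF2" table T1
ip route replace 127.0.0.0/8 dev lo table T1
ip route replace "$P0_NET" dev "$IF0" table T2
ip route replace "$P1_NET" dev "$IF1" table T2
ip route replace 127.0.0.0/8 dev lo table T2
# The original first did "ip route add default via $P1" and then tried to add
# this multipath default too; the second add fails with "File exists" and the
# single-path route silently stays, so nothing was actually balanced. Install
# the multipath default alone, with replace.
ip route replace default scope global nexthop via "$P1" dev "$IF1" weight 1 \
  nexthop via "$P2" dev "$IF2" weight 1
ip route flush cache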
eth0 nyambung ke ISP (misal “TELENET”) pake kabel
eth1 nyambung ke ISP ADSL (misal “SKYNET”) (pake modem eksternal)
eth2 nyambung ke LAN (misal “INTERN”).
———— MAIN ROUTING TABLE ———–
# ip route show table main
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.254
192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.2
81.82.0.0/19 dev eth0 proto kernel scope link src 81.82.x.x
default via 81.82.0.1 dev eth0
———— EXTRA ROUTING TABLE———–
# ip route show table 4
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.254
192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.2
81.82.0.0/19 dev eth0 proto kernel scope link src 81.82.x.x
default via 192.168.254.1 dev eth1
———– ROUTING RULES ———–
# ip rule show
0: from all lookup 255
32764: from 192.168.254.1 lookup 4
32765: from all fwmark 0x4 lookup 4
32766: from all lookup main
32767: from all lookup default
———- FIREWALL (rules) SCRIPT (partial) ———-
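#!/usr/bin/env bash
# Partial firewall/NAT script for the two-uplink router described above
# (eth0 = TELENET, eth1 = SKYNET, eth2 = LAN). The pasted original used
# typographic quotes, en dashes in place of "--" and "0×4" for the fwmark,
# none of which bash or iptables accept; all are repaired here.
set -euo pipefail

IPTABLES=/sbin/iptables
TELENET="eth0"
SKYNET="eth1"
INTERN="eth2"
INTNET="192.168.0.0/24"
# Referenced but never assigned in the original (the post calls the script
# "partial"). Fail loudly rather than expand to an empty string, which would
# turn e.g. "-d $SKYNETIP" into a match-everything rule.
: "${TELENETIP:?public address on $TELENET}"
: "${SKYNETIP:?public address on $SKYNET}"
: "${INTERNIP:?LAN-side address on $INTERN}"
: "${SERVER1IP:?internal server published through DNAT}"
# fwmark consumed by the policy rule "from all fwmark 0x4 lookup 4" above.
MARK_SKYNET=0x4
# Ports published on the SKYNET address and forwarded to $SERVER1IP.
PUBLISHED_PORTS=(443 444 1723 4125)

# Flush, then set default-deny BEFORE adding rules. The original set the
# policies last, so for the duration of a reload the box forwarded everything.
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT

# Replies to the router's own outbound connections on both uplinks.
$IPTABLES -A INPUT -i "$TELENET" -d "$TELENETIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i "$SKYNET" -d "$SKYNETIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o "$TELENET" -s "$TELENETIP" -j ACCEPT
$IPTABLES -A OUTPUT -o "$SKYNET" -s "$SKYNETIP" -j ACCEPT
$IPTABLES -A INPUT -i "$INTERN" -s "$INTNET" -j ACCEPT
$IPTABLES -A OUTPUT -o "$INTERN" -s "$INTERNIP" -d "$INTNET" -j ACCEPT

# Mark the published server's replies so the policy rule routes them back out
# through SKYNET (the link they arrived on) instead of the TELENET default.
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -t mangle -A PREROUTING -s "$SERVER1IP" -p tcp -m tcp --sport "$port" \
    -j MARK --set-mark "$MARK_SKYNET"
done

# Publish the internal server on the SKYNET address.
# NOTE(review): 1723 is PPTP control traffic; PPTP also needs GRE (IP proto 47)
# forwarded and NAT'd, which these TCP-only rules do not cover.
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -t nat -A PREROUTING -d "$SKYNETIP" -p tcp -m tcp --dport "$port" \
    -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination "$SERVER1IP:$port"
done

$IPTABLES -t nat -A POSTROUTING -o "$TELENET" -j SNAT --to-source "$TELENETIP"
$IPTABLES -t nat -A POSTROUTING -o "$SKYNET" -j SNAT --to-source "$SKYNETIP"

# Kept from the original. NOTE(review): the DNAT above rewrites the
# destination before routing, so these packets traverse FORWARD, not INPUT;
# these rules only matter if the router itself also listens on these ports.
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -A INPUT -d "$SKYNETIP" -i "$SKYNET" -p tcp -m tcp --sport 1024:65535 --dport "$port" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
done

# NOTE(review): these two rules accept every forwarded packet to or from the
# LAN regardless of interface or connection state, which makes the per-port
# FORWARD rules below redundant and admits anything an upstream delivers for a
# LAN address. The conventional shape is "-s $INTNET -m state --state
# NEW,ESTABLISHED,RELATED" outbound and "-d $INTNET -m state --state
# ESTABLISHED,RELATED" inbound, with the DNAT ports allowed explicitly; left
# as written because the post does not state the intended policy.
$IPTABLES -A FORWARD -d "$INTNET" -j ACCEPT
$IPTABLES -A FORWARD -s "$INTNET" -j ACCEPT
for port in "${PUBLISHED_PORTS[@]}"; do
  $IPTABLES -A FORWARD -i "$SKYNET" -o "$INTERN" -p tcp -m tcp --dport "$port" \
    -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
done
# The original appended the two broad FORWARD rules a second time after the
# policy lines; that duplicate is dropped.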
2 ISP 1 LAN
biar nge-cache di google ato search engine lainnya
* load balancing 2 ISP
* load balancing multiple ISP link
* http://www.lartc.org/howto/lartc.rpdb.multiple-links.html Load balancing LARTC
contohnya
Berikut ini file konfigurasi:
1. /etc/iproute2/rt_tables
2. loadbalancing.sh
—- /etc/iproute2/rt_tables —-
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
# Named tables referenced by loadbalancing.sh ("table T1" / "table T2");
# ids 10 and 20 stay clear of the reserved values listed above.
# ADSL1
10 T1
# ADSL2
20 T2
— loadbalancing.sh —-
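#!/bin/sh
# Two-uplink policy routing (LARTC "routing for multiple uplinks"): table T1
# sends via the ppp0 ADSL link, table T2 via the eth2 ADSL router, and the
# main table gets an equal-weight multipath default. Requires the T1/T2
# entries in /etc/iproute2/rt_tables shown above.
set -eu

# Parameter
IF0=eth0
P0_NET=192.168.0.0/24
# Connection to the ADSL modem (bridge mode) via ppp0
IF1=ppp0
# The original hard-coded the placeholder "125.164.255.xxx", which "ip" rejects.
# Supply the address assigned to ppp0 through the environment instead.
IP1=${IP1:?set IP1 to the public address on ppp0}
P1=125.164.255.1
P1_NET=125.164.255.0/24
# Connection to the ADSL modem (router mode) via eth2
IF2=eth2
IP2=192.168.11.250
P2=192.168.11.200
P2_NET=192.168.11.0/24

# "replace" rather than "add": the kernel already created the connected routes
# for $P1_NET/$P2_NET in main when the interfaces came up, and a re-run must
# not abort (set -e) on "RTNETLINK answers: File exists".
ip route replace "$P1_NET" dev "$IF1" src "$IP1" table T1
ip route replace default via "$P1" table T1
ip route replace "$P2_NET" dev "$IF2" src "$IP2" table T2
ip route replace default via "$P2" table T2
ip route replace "$P1_NET" dev "$IF1" src "$IP1"
ip route replace "$P2_NET" dev "$IF2" src "$IP2"
# Policy: traffic sourced from an uplink's own address leaves via that uplink.
# Remove any previous copy first so re-running does not stack duplicate rules.
ip rule del from "$IP1" table T1 2>/dev/null || true
ip rule del from "$IP2" table T2 2>/dev/null || true
ip rule add from "$IP1" table T1
ip rule add from "$IP2" table T2
# Each uplink table also needs the LAN, the other uplink's net and loopback.
ip route replace "$P0_NET" dev "$IF0" table T1
ip route replace "$P2_NET" dev "$IF2" table T1
ip route replace 127.0.0.0/8 dev lo table T1
ip route replace "$P0_NET" dev "$IF0" table T2
ip route replace "$P1_NET" dev "$IF1" table T2
ip route replace 127.0.0.0/8 dev lo table T2
# The original first did "ip route add default via $P1" and then tried to add
# this multipath default too; the second add fails with "File exists" and the
# single-path route silently stays, so nothing was actually balanced. Install
# the multipath default alone, with replace.
ip route replace default scope global nexthop via "$P1" dev "$IF1" weight 1 \
  nexthop via "$P2" dev "$IF2" weight 1
ip route flush cache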