Slackware 13.1 64bit - Installing TPROXY Squid in bridge mode (with epkg)
=============================================================

Public domain    
********************************************************************************
### encap epkg
[original download link](ftp://ftp.encap.org/pub/encap/epkg/epkg-2.3.9.tar.gz)
    
    cd /usr/src/
    wget -c http://pmoghadam.com/homepage/Pages/Deposit/Source-packages/epkg-2.3.9.tar.gz
    tar zxf epkg-2.3.9.tar.gz
    cd epkg-2.3.9
    ./configure --with-encap-target=/
    make && make install
    groupadd install
    useradd -g install -m -s /bin/bash install
    passwd -l install
    chown install:install /usr/src  /usr/local/encap
    chown -R install:install /usr/local/encap
    
    
********************************************************************************
### ebtables
[original download link](http://downloads.sourceforge.net/project/ebtables/ebtables/ebtables-2-0-9-2/ebtables-v2.0.9-2.tar.gz)
    
    cd /usr/src
    wget -c http://pmoghadam.com/homepage/Pages/Deposit/Source-packages/ebtables-v2.0.9-2.tar.gz 
    su - install
    cd /usr/src
    tar xf ebtables-v2.0.9-2.tar.gz
    cd ebtables-v2.0.9-2
    make
    sed -ie 's,-o root -g root,,' Makefile
    mkdir -p /usr/local/encap/ebtables-v2.0.9-2/etc/rc.d/init.d/
    mkdir -p /usr/local/encap/ebtables-v2.0.9-2/etc/sysconfig/ 
    make install DESTDIR=/usr/local/encap/ebtables-v2.0.9-2
    cd /usr/local/encap/ebtables-v2.0.9-2/
    mv usr/local/man/ usr/
    cd /usr/local/encap/
    mkencap ebtables-v2.0.9-2/
    logout
    cd /usr/local/encap/
    epkg ebtables-v2.0.9-2

********************************************************************************
### Prepare kernel source (2.6.33.4)

    cd /usr/src
    wget -c "http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.4.tar.bz2"
    rm -rf linux-2.6.33.4
    tar xf linux-2.6.33.4.tar.bz2
    ln -sfn linux-2.6.33.4 linux
    cd linux-2.6.33.4
    make mrproper
    cp /boot/config .
    make oldconfig
    make all
    make modules_install
    
********************************************************************************
### ipset installation
[original download link](http://ipset.netfilter.org/ipset-4.5.tar.bz2)
    
    cd /usr/src
    wget -c http://pmoghadam.com/homepage/Pages/Deposit/Source-packages/ipset-4.5.tar.bz2
    tar xf ipset-4.5.tar.bz2
    cd ipset-4.5
    make KERNEL_DIR=/usr/src/linux-2.6.33.4
    make KERNEL_DIR=/usr/src/linux-2.6.33.4 install
    make KERNEL_DIR=/usr/src/linux-2.6.33.4 clean
    
********************************************************************************
### libecap
    
    cd /usr/src
    wget -c "http://www.measurement-factory.com/tmp/ecap/libecap-0.0.3.tar.gz"
    su - install
    cd /usr/src
    tar xf libecap-0.0.3.tar.gz
    cd libecap-0.0.3
    ./configure && make
    make install DESTDIR=/usr/local/encap/libecap-0.0.3
    cd /usr/local/encap/
    mkencap libecap-0.0.3/
    logout
    cd /usr/local/encap/
    epkg libecap-0.0.3
    ldconfig
    
********************************************************************************
### squid-ecap-gzip
    
    cd /usr/src
    wget -c "http://squid-ecap-gzip.googlecode.com/files/squid-ecap-gzip-1.2.0.tar.gz"
    su - install
    cd /usr/src
    tar xf squid-ecap-gzip-1.2.0.tar.gz
    cd squid-ecap-gzip
    ./configure && make
    make install DESTDIR=/usr/local/encap/squid-ecap-gzip-1.2.0
    cd /usr/local/encap/
    mkencap squid-ecap-gzip-1.2.0/
    logout
    cd /usr/local/encap/
    epkg squid-ecap-gzip-1.2.0
    ldconfig
    libtool --finish /usr/local/lib
    
    
********************************************************************************
### squid-3.1.10
    
    cd /usr/src
    wget -c "http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.10.tar.gz" 
    tar xf squid-3.1.10.tar.gz
    cd squid-3.1.10
    ulimit -HSn 16384
    ulimit -HSd unlimited
    ./configure \
      --prefix=/usr/local/squid \
      --enable-forward-log \
      --enable-follow-x-forwarded-for \
      --enable-snmp \
      --enable-linux-netfilter \
      --enable-http-violations \
      --enable-delay-pools \
      --enable-storeio=diskd,aufs,ufs \
      --with-large-files \
      --enable-large-cache-files \
      --with-filedescriptors=16384 \
      --enable-async-io=128 \
      --enable-removal-policies=lru,heap \
      --enable-useragent-log \
      --enable-referer-log \
      --enable-err-languages=English \
      --enable-default-err-language=English \
      --enable-zph-qos \
      --enable-ecap \
    && make && make install
    cp /usr/local/squid/etc/squid.conf{,.bak}
    
********************************************************************************
### /usr/local/squid/etc/squid.conf
    
    # Minimum ACL configuration
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl SSL_ports port  443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # Protect innocent web applications running on the
    # proxy server who think the only one who can access
    # services on "localhost" is a local user
    http_access deny to_localhost
    
    # Clients access rules
    acl localnet src 172.16.20.0/24
    http_access allow localnet
    http_access allow localhost
    
    # Finally deny all other access to this proxy
    http_access deny all
    
    # Deny all ICP requests to this proxy
    icp_access deny all
    
    # Deny all HTCP requests to this proxy
    htcp_access deny all
    
    # Squid normall listener
    #http_port 3128 tcpkeepalive=60,10,6
    http_port 3128
    
    # TPROXY spoof listener
    #http_port 3129 tproxy tcpkeepalive=60,10,6
    http_port 3129 tproxy
    
    # Override /etc/resolv.conf
    dns_nameservers 8.8.8.8
    
    # Protect dynamic content
    hierarchy_stoplist cgi-bin ? dll aspx
    
    # Cache memory should be at most half of RAM size in MB
    cache_mem 10000 MB
    
    # These objects should be kept in memory
    maximum_object_size_in_memory 20 KB
    
    # Which objects are replaced when memory space is needed
    cache_replacement_policy heap LFUDA
    memory_replacement_policy heap LFUDA
    
    # Disk swap directories
    cache_dir aufs /cache/1 153600 512 2048
    cache_dir aufs /cache/2 153600 512 2048
    cache_dir aufs /cache/3 153600 512 2048
    cache_dir aufs /cache/4 153600 512 2048
    cache_dir aufs /cache/5 153600 512 2048
    cache_dir aufs /cache/6 153600 512 2048
    cache_dir aufs /cache/7 153600 512 2048
    cache_dir aufs /cache/8 153600 512 2048
    
    # These objects should be kept on hard disk
    maximum_object_size 65536 KB
    
    # Water marks for cache object replacement
    cache_swap_high 95
    cache_swap_low 93
    
    # Logfile format
    logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
    
    # Access log address
    access_log /usr/local/squid/var/logs/access.log squid
    
    # Number of old logfiles
    logfile_rotate 0
    
    # Watchdog configs
    acl watchdog src 80.191.194.17
    log_access deny watchdog
    
    # Leave coredumps in the first cache dir
    coredump_dir /cache/1
    
    # Continues downloading abort
    quick_abort_min 16 KB
    quick_abort_max 16 KB
    quick_abort_pct 98
    
    # Time-to-Live for failed requests
    negative_ttl 3 minutes
    
    # How log shuold cache positive DNS responses
    positive_dns_ttl 1 hours
    
    # Maximum size for HTTP headers
    request_header_max_size 100 KB
    
    # Shutdown pending time
    shutdown_lifetime 15 seconds
    
    # Administrator
    cache_mgr Pejman_Moghadam@yahoo.com
    
    # Hostname
    visible_hostname CacheServer
    
    # Don't show version in error pages
    httpd_suppress_version_string on
    
    # Costume error pages
    #error_directory /usr/local/squid/share/errors/mine/
    
    # SNMP settings for MRTG access
    acl mrtg src 172.16.20.1 127.0.0.1
    acl snmppublic snmp_community public
    snmp_access allow snmppublic mrtg
    snmp_access deny all
    snmp_port 3401
    
    # Inter Cache Communication Protocol
    icp_port 0
    
    # Hyper Text Caching Protocol discovery
    htcp_port 0
    
    # Water marks for the IP cache
    ipcache_size 40960
    ipcache_high 95
    ipcache_low 90
    
    # Parallel requests from a pipeline.
    pipeline_prefetch on
    
    # Close immediately half-closed connections
    half_closed_clients off
    
    # Transparent Headers
    forwarded_for transparent
    via off
    
    # Mark HIT packets
    qos_flows local-hit=0x30
    
    # Purge: squidclient -m PURGE http://www.google.com
    acl purge method PURGE
    http_access allow purge localhost
    http_access deny purge
    
    # Web Services workaround
    ignore_expect_100 on
    
    # Maximum connection limit of single client IP
    #client_ip_max_connections -1
    
    # eCAP Gzip (UNSTABLE)
    #ecap_enable on
    #ecap_service gzip_service respmod_precache 0 ecap://www.vigos.com/ecap_gzip
    #loadable_modules /usr/local/lib/ecap_adapter_gzip.so
    #acl GZIP_HTTP_STATUS http_status 200
    #adaptation_access gzip_service allow GZIP_HTTP_STATUS
    
    # Refresh patterns (refresh-ims)
    # Image files
    refresh_pattern -i \.png$                10080   90%     43200
    refresh_pattern -i \.gif$                10080   90%     43200
    refresh_pattern -i \.jpg$                10080   90%     43200
    refresh_pattern -i \.jpeg$               10080   90%     43200
    refresh_pattern -i \.bmp$                10080   90%     43200
    refresh_pattern -i \.tif$                10080   90%     43200
    refresh_pattern -i \.tiff$               10080   90%     43200
    
    # Compressed files
    refresh_pattern -i \.zip$                10080   90%     43200
    refresh_pattern -i \.rar$                10080   90%     43200
    refresh_pattern -i \.tar$                10080   90%     43200
    refresh_pattern -i \.gz$                 10080   90%     43200
    refresh_pattern -i \.tgz$                10080   90%     43200
    refresh_pattern -i \.z$                  10080   90%     43200
    refresh_pattern -i \.arj$                10080   90%     43200
    refresh_pattern -i \.lha$                10080   90%     43200
    refresh_pattern -i \.lzh$                10080   90%     43200
    
    # Binary files
    refresh_pattern -i \.exe$                10080   90%     43200
    refresh_pattern -i \.msi$                10080   90%     43200
    
    # Multimedia files
    refresh_pattern -i \.mp3$                10080   90%     43200
    refresh_pattern -i \.wav$                10080   90%     43200
    refresh_pattern -i \.mid$                10080   90%     43200
    refresh_pattern -i \.midi$               10080   90%     43200
    refresh_pattern -i \.ram$                10080   90%     43200
    refresh_pattern -i \.ra$                 10080   90%     43200
    refresh_pattern -i \.mov$                10080   90%     43200
    refresh_pattern -i \.avi$                10080   90%     43200
    refresh_pattern -i \.wmv$                10080   90%     43200
    refresh_pattern -i \.mpg$                10080   90%     43200
    refresh_pattern -i \.mpeg$               10080   90%     43200
    refresh_pattern -i \.swf$                10080   90%     43200
    
    # Document files
    refresh_pattern -i \.pdf$                10080   90%     43200
    refresh_pattern -i \.ps$                 10080   90%     43200
    refresh_pattern -i \.doc$                10080   90%     43200
    refresh_pattern -i \.ppt$                10080   90%     43200
    refresh_pattern -i \.pps$                10080   90%     43200
    
    # Default patterns
    refresh_pattern ^ftp:                    1440    20%     10080
    refresh_pattern ^gopher:                 1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?)        0       0%      0
    refresh_pattern .                        0       20%     4320
    
    
********************************************************************************
### /etc/rc.d/rc.squid
    
    #!/bin/bash
    #
    # /etc/rc.d/rc.squid
    #
    PIDFILE="/usr/local/squid/var/run/squid.pid"
    TIMEOUT=60
    
    start()
    {
      echo -n 'Starting TPROXY Squid . . . '
    
      PROCESS=$(ps -A | egrep ' squid$')
      if [ "$PROCESS" == "" ]; then
        if [ -f ${PIDFILE} ] ; then
          rm ${PIDFILE}
        fi
      fi
      ulimit -HSn 16384
      ulimit -HSd unlimited
      /usr/local/squid/sbin/squid
    
      echo "Ok"
    }
    
    stop()
    {
      echo 'Stoping TPROXY Squid'
    
      /usr/local/squid/sbin/squid -k shutdown
      TIME=0
      while [ "$TIME" != "$TIMEOUT" ] ; do
        TIME=$(( $TIME + 1 ))
        echo -n $TIME
        if [ "$(pgrep '^squid$')" == "" ]; then
          if [ -f ${PIDFILE} ] ; then
            rm ${PIDFILE}
          fi
          break
        else
          echo -n "."
        fi
        sleep 1
      done
      echo ".Ok"
    }
    
    case "$1" in
      'start')
        start
        ;;
    
      'stop')
        stop
        ;;
    
      'restart')
        stop
        start
        ;;
    
      'rotate')
        echo -n 'Rotating TPROXY Squid log files . . . '
        /usr/local/squid/sbin/squid -k rotate
        echo "Ok"
        ;;
    
      *)
        echo "usage $0 start|stop|restart|rotate"
        ;;
    
    esac
    
********************************************************************************
### /root/scripts/bridge.sh
    
    #!/bin/bash
    PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
    ifconfig eth0 0.0.0.0 txqueuelen 5000
    ifconfig eth1 0.0.0.0 txqueuelen 5000
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig br0 172.16.20.2 netmask 255.255.255.240 txqueuelen 5000
    route add default gw 172.16.20.1
    for F in /proc/sys/net/bridge/* ;do echo 1 > $F;echo $F;cat $F; done
    ip route flush cache
    
********************************************************************************
### /root/scripts/cache-redirect.sh
    
    #!/bin/bash
    PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
    INTIF="eth1"
    EXTIF="eth0"
    
    # Network1
    CLIENTS="$CLIENTS 172.16.20.0/24"
    
    # Network2
    CLIENTS="$CLIENTS 10.20.10.0/24"
    
    # User1
    EXCLUDES="$EXCLUDES 172.16.20.100"
    
    # User2
    EXCLUDES="$EXCLUDES 10.20.10.50"
    
    # Static routes
    route add -net    172.16.20.0/28      gw 192.168.10.10
    route add -net    10.20.10.0/24       gw 192.168.10.100
    
    # Flush table
    ebtables -t broute -F
    
    # ExCLUDES
    for NET in $EXCLUDES; do
      ebtables -t broute -I BROUTING -p ipv4 --ip-src $NET -j ACCEPT
      ebtables -t broute -I BROUTING -p ipv4 --ip-dst $NET -j ACCEPT
    done
    
    # Cache redirect
    for IP in $CLIENTS; do
      ebtables -t broute -A BROUTING -i ${INTIF} -p ipv4 --ip-src ${IP} --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
      ebtables -t broute -A BROUTING -i ${EXTIF} -p ipv4 --ip-dst ${IP} --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
    done
    
    
********************************************************************************
### /root/scripts/stop-cache-redirect.sh
    
    #!/bin/bash
    ebtables -t broute -F
    ebtables -t broute -L --Lc --Ln
    
    
********************************************************************************
### /root/scripts/filedescriptors.sh
    
    #!/bin/bash
    MAX="2000"
    WEBREDIR="172.16.20.1:8000"
    PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
    
    # Delete previous mangle rules
    while :; do
      NUM=$(iptables -t mangle -L PREROUTING -n --line-numbers | grep virus-redirect | awk '{print$1}' | head -1)
      if [ "${NUM}" == "" ]; then break; fi
      iptables -t mangle -D PREROUTING ${NUM}
    done
    
    # Delete previous nat rules
    while :; do
      NUM=$(iptables -t nat    -L PREROUTING -n --line-numbers | grep virus-redirect | awk '{print$1}' | head -1)
      if [ "${NUM}" == "" ]; then break; fi
      iptables -t nat -D PREROUTING ${NUM}
    done
    
    # Delete previous ipset rules
    ipset -F
    ipset -X
    
    # Add new rules
    ipset -N virus-redirect iptree --timeout 60
    iptables -t mangle -I PREROUTING -m set --match-set virus-redirect src -j ACCEPT
    iptables -t nat -I PREROUTING -m set --match-set virus-redirect src -p tcp --dport 80 --j DNAT --to ${WEBREDIR} 
    
    # Searching for bad users forever
    sleep 5
    while :; do
      /usr/local/squid/bin/squidclient mgr:filedescriptors > filedescriptors.squid
      tail -n +14 filedescriptors.squid |\
        awk '{print$6}' |\
        sed -e 's,:.*,,' |\
        sort | uniq -c | sort | tail -100 > filedescriptors.tmp
      COUNT=$(cat filedescriptors.tmp | wc -l)
      for I in $(seq  1 $COUNT); do
        LINE=$(tail -$I filedescriptors.tmp | head -1)
        NUM=$(echo $LINE | awk '{print$1}')
        IP=$(echo $LINE | awk '{print$2}')
        if [ "$NUM" -ge "$MAX" ]; then
          NOW=$(date +"%F %T")
          printf "%s : %5d %s\n" "$NOW" "$NUM" "$IP"
          ipset -q -A virus-redirect $IP
        fi
      done
      rm -f filedescriptors.squid filedescriptors.tmp
      sleep 1
    done
    
    
********************************************************************************
### /etc/rc.d/rc.local
    
    # Bridge
    /root/scripts/bridge.sh
    
    # use less swap memory
    echo 50 > /proc/sys/vm/swappiness
    # tcp keep alive tuning
    #echo 60 >  /proc/sys/net/ipv4/tcp_keepalive_time
    #echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
    #echo 6 >  /proc/sys/net/ipv4/tcp_keepalive_probes
    echo 65000 > /proc/sys/net/ipv4/tcp_max_syn_backlog
    echo 1024 65000 > /proc/sys/net/ipv4/ip_local_port_range
    echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 1 > /proc/sys/net/ipv4/tcp_timestamps
    echo 33554432 > /proc/sys/net/core/rmem_max
    echo 33554432 > /proc/sys/net/core/wmem_max
    echo 4096 87380 33554432 > /proc/sys/net/ipv4/tcp_rmem
    echo 4096 87380 33554432 > /proc/sys/net/ipv4/tcp_wmem
    echo 1 > /proc/sys/net/ipv4/tcp_no_metrics_save
    echo 3000 > /proc/sys/net/core/netdev_max_backlog
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    echo 256960 > /proc/sys/net/core/rmem_default
    echo 256960 > /proc/sys/net/core/wmem_default
    echo 524288 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
    echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
    
    # Start TPROXY Squid Cache Server:
    if [ -x /etc/rc.d/rc.squid ]; then
      /etc/rc.d/rc.squid start
    fi
    
    # TPROXY Divert
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
    
    # TPROXY Route
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
    
    # Divert
    /root/scripts/cache-redirect.sh
    
    # File descriptor check
    /usr/bin/env SCREENDIR="/root/.screen" /usr/bin/screen -dmS descriptors \
      /root/scripts/filedescriptors.sh
    
    
********************************************************************************
### /etc/rc.d/rc.local_shutdown
    
    #!/bin/bash
    # Stop TPROXY Squid Cache server:
    if [ -x /etc/rc.d/rc.squid ]; then
      /etc/rc.d/rc.squid stop
    fi
    
    
********************************************************************************
### /etc/logrotate.d/squid
    
    /usr/local/squid/var/logs/access.log {
      daily
      rotate 186
      start 1
      copytruncate
      compress
      compresscmd /usr/bin/bzip2
      compressext .bz2
      compressoptions -sq9
      dateext
      notifempty
      missingok
    }
    
    /usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log {
      daily
      rotate 31
      start 1
      copytruncate
      compress
      compresscmd /usr/bin/bzip2
      compressext .bz2
      compressoptions -sq9
      dateext
      notifempty
      missingok
      sharedscripts
      postrotate
        /usr/local/squid/sbin/squid -k rotate
      endscript
    }
    
********************************************************************************
### Partitions & memory
    
    # cat /etc/fstab
    
    /dev/cciss/c0d0p1 swap             swap        defaults         0   0
    /dev/cciss/c0d0p5 /                reiserfs    defaults         1   1
    /dev/cdrom        /mnt/cdrom       auto        noauto,owner,ro  0   0
    /dev/fd0          /mnt/floppy      auto        noauto,owner     0   0
    devpts            /dev/pts         devpts      gid=5,mode=620   0   0
    proc              /proc            proc        defaults         0   0
    tmpfs             /dev/shm         tmpfs       defaults         0   0
    /dev/cciss/c0d0p6 /usr/local/squid/var/logs reiserfs noatime,notail 1   2
    /dev/cciss/c0d0p7 /cache/1         reiserfs    noatime,notail       1   2
    /dev/cciss/c0d1p1 /cache/2         reiserfs    noatime,notail       1   2
    /dev/cciss/c0d2p1 /cache/3         reiserfs    noatime,notail       1   2
    /dev/cciss/c0d3p1 /cache/4         reiserfs    noatime,notail       1   2
    /dev/cciss/c0d4p1 /cache/5         reiserfs    noatime,notail       1   2
    /dev/cciss/c0d5p1 /cache/6         reiserfs    noatime,notail       1   2
    /dev/cciss/c0d6p1 /cache/7         reiserfs    noatime,notail       1   2
    /dev/cciss/c0d7p1 /cache/8         reiserfs    noatime,notail       1   2
    
    # df -h
    
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/root              31G  7.8G   23G  26% /
    tmpfs                  18G     0   18G   0% /dev/shm
    /dev/cciss/c0d0p6      41G  1.8G   39G   5% /usr/local/squid/var/logs
    /dev/cciss/c0d0p7     205G   55G  150G  27% /cache/1
    /dev/cciss/c0d1p1     280G   55G  225G  20% /cache/2
    /dev/cciss/c0d2p1     280G   55G  225G  20% /cache/3
    /dev/cciss/c0d3p1     280G   55G  225G  20% /cache/4
    /dev/cciss/c0d4p1     280G   55G  225G  20% /cache/5
    /dev/cciss/c0d5p1     280G   55G  225G  20% /cache/6
    /dev/cciss/c0d6p1     280G   55G  225G  20% /cache/7
    /dev/cciss/c0d7p1     280G   55G  225G  20% /cache/8
    
    # free -m
    
                 total       used       free     shared    buffers     cached
    Mem:         36168      19907      16260          0       1688        402
    -/+ buffers/cache:      17817      18351
    Swap:         5123         10       5113
    
    
********************************************************************************
### First time lunch
    
    mkdir /usr/local/squid/var/cache
    mkdir -p /cache/{1,2,3,4}
    chown -R nobody:nobody /cache
    chown -R nobody:nobody /usr/local/squid/var/logs
    chmod +x /etc/rc.d/rc.local_shutdown
    chmod +x /etc/rc.d/rc.squid
    chmod +x /root/scripts/bridge.sh
    chmod +x /root/scripts/cache-redirect.sh
    chmod +x /root/scripts/stop-cache-redirect.sh
    chmod +x /root/scripts/filedescriptors.sh 
    /usr/local/squid/sbin/squid -z
    /etc/rc.d/rc.squid start
    
********************************************************************************
### MRTG installation
    
    cd /usr/src
    wget -c "http://oss.oetiker.ch/mrtg/pub/mrtg-2.17.0.tar.gz"
    tar xf mrtg-2.17.0.tar.gz
    cd mrtg-2.17.0
    ./configure && make && make install
    mkdir /usr/local/mrtg-2/etc
    
********************************************************************************
### /usr/local/sbin/mrtg-reconfigure.sh
    
    #!/bin/bash
    
    ##### localhost #####
    CFG="/usr/local/mrtg-2/etc/mrtg.cfg"
    WRK="/var/www/htdocs/mrtg"
    SNMP="publicpublic@127.0.0.1"
    
    /usr/local/mrtg-2/bin/cfgmaker  \
      --ifref=name --ifdesc=name    \
      --global "Options[_]: bits"   \
      --global "kilo[_]: 1024"      \
      --global "WorkDir: ${WRK}" \
      --output=${CFG}   \
      ${SNMP}
    /usr/local/mrtg-2/bin/indexmaker ${CFG} > ${WRK}/index.html
    /bin/sed -i -e 's,</td><td>,,' ${WRK}/index.html
    /usr/local/mrtg-2/bin/mrtg ${CFG}
    
    
********************************************************************************
### /usr/local/mrtg-2/etc/save.cfg
    
    EnableIPv6: no
    Options[_]: bits
    kilo[_]: 1024
    WorkDir: /var/www/htdocs/save
    
    Target[save]: -#eth0:publicpublic@127.0.0.1 - #eth1:publicpublic@127.0.0.1
    MaxBytes[save]: 1250000
    Title[save]: Squid Bandwidth Save
    PageTop[save]: <h1>Squid Bandwidth Save</h1>
    
    
********************************************************************************
### /usr/local/mrtg-2/etc/squid.cfg
    
    ## http://wiki.squid-cache.org/Features/Snmp
    #snmpwalk -m ALL -v 1 -c public 127.0.0.1:3401 cacheUptime
    #LoadMIBs: /usr/share/snmp/mibs/squid-mib.txt
    LoadMIBs: /usr/local/squid/share/mib.txt
    workdir: /var/www/htdocs/squid
    
    Target[cacheCpuUsage]: cacheCpuUsage&cacheCpuUsage:public@127.0.0.1:3401
    Title[cacheCpuUsage]: CPU Usage
    PageTop[cacheCpuUsage]: <H1>CPU Usage</H1>
    MaxBytes[cacheCpuUsage]: 100
    AbsMax[cacheCpuUsage]: 100
    Colours[cacheCpuUsage]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheCpuUsage]:%
    YLegend[cacheCpuUsage]: usage %
    Legend1[cacheCpuUsage]: cacheCpuUsage
    LegendI[cacheCpuUsage]: CPU Usage
    Legend2[cacheCpuUsage]:
    LegendO[cacheCpuUsage]:
    Options[cacheCpuUsage]: absolute, gauge, noinfo, nopercent
    Unscaled[cacheCpuUsage]: dwmy
    
    Target[cacheSysPageFaults]: cacheSysPageFaults&cacheSysPageFaults:public@127.0.0.1:3401
    Title[cacheSysPageFaults]: cacheSysPageFaults
    PageTop[cacheSysPageFaults]: <H1>cacheSysPageFaults</H1>
    MaxBytes[cacheSysPageFaults]: 1000000000
    Colours[cacheSysPageFaults]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheSysPageFaults]: cacheSysPageFaults
    YLegend[cacheSysPageFaults]: YLegend
    Legend1[cacheSysPageFaults]: Legend1
    LegendI[cacheSysPageFaults]: LegendI
    Legend2[cacheSysPageFaults]: Legend2
    LegendO[cacheSysPageFaults]: LegendO
    Options[cacheSysPageFaults]: nopercent
    
    Target[cacheHttpAllSvcTime]: cacheHttpAllSvcTime.5&cacheHttpAllSvcTime.60:public@127.0.0.1:3401
    Title[cacheHttpAllSvcTime]: HTTP Service Time
    PageTop[cacheHttpAllSvcTime]: <H1>HTTP Service Time</H1>
    MaxBytes[cacheHttpAllSvcTime]: 1000000000
    Colours[cacheHttpAllSvcTime]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheHttpAllSvcTime]: ms
    YLegend[cacheHttpAllSvcTime]: svc time (ms)
    Legend1[cacheHttpAllSvcTime]: cacheHttpAllSvcTime.5
    LegendI[cacheHttpAllSvcTime]: Median Svc Time (5min)&nbsp;
    Legend2[cacheHttpAllSvcTime]: cacheHttpAllSvcTime.60
    LegendO[cacheHttpAllSvcTime]: Median Svc Time (60min)&nbsp;
    Options[cacheHttpAllSvcTime]: gauge, nopercent
    
    Target[cacheDnsSvcTime]: cacheDnsSvcTime.5&cacheDnsSvcTime.60:public@127.0.0.1:3401
    Title[cacheDnsSvcTime]: DNS Service Time
    PageTop[cacheDnsSvcTime]: <H1>DNS Service Time</H1>
    MaxBytes[cacheDnsSvcTime]: 3000
    Colours[cacheDnsSvcTime]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheDnsSvcTime]: ms
    YLegend[cacheDnsSvcTime]: svc time (ms)
    Legend1[cacheDnsSvcTime]: cacheDnsSvcTime.5
    LegendI[cacheDnsSvcTime]: Median Svc Time (5min)&nbsp;
    Legend2[cacheDnsSvcTime]: cacheDnsSvcTime.60
    LegendO[cacheDnsSvcTime]: Median Svc Time (60min)&nbsp;
    Options[cacheDnsSvcTime]: gauge, nopercent
    
    Target[cacheServerRequests-cacheServerErrors]: cacheServerRequests&cacheServerErrors:public@127.0.0.1:3401 * 60
    Title[cacheServerRequests-cacheServerErrors]: Server Requests/Errors
    PageTop[cacheServerRequests-cacheServerErrors]: <H1>Server Requests / Server Errors</H1>
    MaxBytes[cacheServerRequests-cacheServerErrors]: 1000000000
    Colours[cacheServerRequests-cacheServerErrors]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheServerRequests-cacheServerErrors]: req/min
    YLegend[cacheServerRequests-cacheServerErrors]: requests/min
    Legend1[cacheServerRequests-cacheServerErrors]: cacheServerRequests
    LegendI[cacheServerRequests-cacheServerErrors]: all
    Legend2[cacheServerRequests-cacheServerErrors]: cacheServerErrors
    LegendO[cacheServerRequests-cacheServerErrors]: err
    Options[cacheServerRequests-cacheServerErrors]: nopercent
    
    Target[cacheProtoClientHttpRequests-cacheHttpHits]: cacheProtoClientHttpRequests&cacheHttpHits:public@127.0.0.1:3401 * 60
    Title[cacheProtoClientHttpRequests-cacheHttpHits]: Client Requests/Hits
    PageTop[cacheProtoClientHttpRequests-cacheHttpHits]: <H1> Client Http Requests / Http Hits</H1>
    MaxBytes[cacheProtoClientHttpRequests-cacheHttpHits]: 1000000000
    Colours[cacheProtoClientHttpRequests-cacheHttpHits]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheProtoClientHttpRequests-cacheHttpHits]: req/min
    YLegend[cacheProtoClientHttpRequests-cacheHttpHits]: requests/min
    Legend1[cacheProtoClientHttpRequests-cacheHttpHits]: cacheProtoClientHttpRequests
    LegendI[cacheProtoClientHttpRequests-cacheHttpHits]: all
    Legend2[cacheProtoClientHttpRequests-cacheHttpHits]: cacheHttpHits
    LegendO[cacheProtoClientHttpRequests-cacheHttpHits]: hit
    Options[cacheProtoClientHttpRequests-cacheHttpHits]: nopercent
    
    Target[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: cacheCurrentFileDescrCnt&cacheCurrentUnusedFDescrCnt:public@127.0.0.1:3401
    Title[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: File descriptors used/available
    PageTop[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: <H1>File descriptors used/available</H1>
    MaxBytes[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: 1000000000
    Colours[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: FDs
    YLegend[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: # of FDs
    Legend1[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: cacheCurrentFileDescrCnt
    LegendI[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: Used
    Legend2[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: cacheCurrentUnusedFDescrCnt
    LegendO[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: Available
    Options[cacheCurrentFileDescrCnt-cacheCurrentUnusedFDescrCnt]: gauge, nopercent
    
    Target[cacheMemUsage]: ( cacheMemUsage&cacheMemUsage:public@127.0.0.1:3401 > 0 ? cacheMemUsage&cacheMemUsage:public@127.0.0.1:3401 * 1024 : cacheMemUsage&cacheMemUsage:public@127.0.0.1:3401 * 1024 + 4294967296 )
    Title[cacheMemUsage]: Memory Usage
    PageTop[cacheMemUsage]: <H1>Memory Usage</H1>
    MaxBytes[cacheMemUsage]: 10000000000
    Colours[cacheMemUsage]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheMemUsage]: Bytes
    YLegend[cacheMemUsage]: Bytes
    Legend1[cacheMemUsage]: cacheMemUsage
    LegendI[cacheMemUsage]: Mem Usage
    Legend2[cacheMemUsage]:
    LegendO[cacheMemUsage]:
    Options[cacheMemUsage]: gauge, nopercent
    
    Target[cacheNumObjCount]: cacheNumObjCount&cacheNumObjCount:public@127.0.0.1:3401
    Title[cacheNumObjCount]: Stored Objects
    PageTop[cacheNumObjCount]: <H1>Stored Objects</H1>
    MaxBytes[cacheNumObjCount]: 1000000000
    Colours[cacheNumObjCount]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheNumObjCount]: Objects
    YLegend[cacheNumObjCount]: Objects
    Legend1[cacheNumObjCount]: cacheNumObjCount
    LegendI[cacheNumObjCount]: Stored Objects
    Legend2[cacheNumObjCount]:
    LegendO[cacheNumObjCount]:
    Options[cacheNumObjCount]: gauge, nopercent
    
    Target[cacheClients]: cacheClients&cacheClients:public@127.0.0.1:3401
    Title[cacheClients]: Number Of Clients
    PageTop[cacheClients]: <H1>Number Of Clients</H1>
    MaxBytes[cacheClients]: 1000000000
    Colours[cacheClients]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheClients]: Clients
    YLegend[cacheClients]: Clients
    Legend1[cacheClients]: cacheClients
    LegendI[cacheClients]: Number Of Clients
    Legend2[cacheClients]:
    LegendO[cacheClients]:
    Options[cacheClients]: gauge, nopercent
    
    Target[cacheIpEntries]: cacheIpEntries&cacheIpEntries:public@127.0.0.1:3401
    Title[cacheIpEntries]: IP Cache Entries
    PageTop[cacheIpEntries]: <H1>IP Cache Entries</H1>
    MaxBytes[cacheIpEntries]: 1000000000
    Colours[cacheIpEntries]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheIpEntries]: Entries
    YLegend[cacheIpEntries]: Entries
    Legend1[cacheIpEntries]: cacheIpEntries
    LegendI[cacheIpEntries]: IP Cache Entries
    Legend2[cacheIpEntries]:
    LegendO[cacheIpEntries]:
    Options[cacheIpEntries]: gauge, nopercent
    
    Target[cacheRequestHitRatio]: cacheRequestHitRatio.5&cacheRequestHitRatio.60:public@127.0.0.1:3401
    Title[cacheRequestHitRatio]: HIT Ratio
    PageTop[cacheRequestHitRatio]: <H1>HIT Ratio</H1>
    MaxBytes[cacheRequestHitRatio]: 1000000000
    Colours[cacheRequestHitRatio]: YELLOW#F9C000,RED#F90000,DARKGREEN#006600,VIOLET#FF00FF
    ShortLegend[cacheRequestHitRatio]: ms
    YLegend[cacheRequestHitRatio]: svc time (ms)
    Legend1[cacheRequestHitRatio]: cacheRequestHitRatio.5
    LegendI[cacheRequestHitRatio]: Median Svc Time (5min)&nbsp;
    Legend2[cacheRequestHitRatio]: cacheRequestHitRatio.60
    LegendO[cacheRequestHitRatio]: Median Svc Time (60min)&nbsp;
    Options[cacheRequestHitRatio]: gauge, nopercent
    
    
********************************************************************************
### MRTG lunch
    
    chmod +x /usr/local/sbin/mrtg-reconfigure.sh
    mkdir -p /var/www/htdocs/mrtg
    mkdir -p /var/www/htdocs/squid
    mkdir -p /var/www/htdocs/save
    /usr/local/mrtg-2/bin/indexmaker /usr/local/mrtg-2/etc/squid.cfg > /var/www/htdocs/squid/index.html
    /usr/local/mrtg-2/bin/indexmaker /usr/local/mrtg-2/etc/save.cfg > /var/www/htdocs/save/index.html
    
********************************************************************************
### crontab -e
    
    */5 * * * * /usr/local/sbin/mrtg-reconfigure.sh &> /dev/null
    */5 * * * * /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/etc/squid.cfg &> /dev/null
    */5 * * * * /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/etc/save.cfg &> /dev/null
    
    
********************************************************************************
### Transparency Test Script
    
[http://devel.squid-cache.org/cgi-bin/test](http://devel.squid-cache.org/cgi-bin/test)
    
    
********************************************************************************
### Bookmarks
    
[http://onlamp.com/pub/a/onlamp/2005/11/17/tcp_tuning.html?page=2](http://onlamp.com/pub/a/onlamp/2005/11/17/tcp_tuning.html?page=2)  
[http://fasterdata.es.net/TCP-tuning//linux.html](http://fasterdata.es.net/TCP-tuning//linux.html)  
[http://fasterdata.es.net/TCP-tuning//TCP-tuning.html](http://fasterdata.es.net/TCP-tuning//TCP-tuning.html)  
    
********************************************************************************
_BY: Pejman Moghadam_  
_TAG: squid, tproxy, bridge, epkg, ebtables, ipset, ecap, filedescriptor, mrtg, fstab_  
_DATE: 2011-01-02 01:17:23_