#!/bin/sh

# squid proxy's IP address (which is attached to eth0)
SQUID_SERVER=`ifconfig eth0 | sed -ne 's/.*inet addr:\([^ ]*\).*/\1/p'` 

# interface connected to WAN
INTERNET="eth0"

# interface connected to LAN
LAN_IN="eth1"

# squid port
SQUID_PORT="3128"
SQUID_PORT_HTTPS="3127"

# clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# load iptables modules for NAT masquerade and IP conntrack
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# define necessary redirection for incoming http traffic (e.g., 80)
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j REDIRECT --to-port $SQUID_PORT_HTTPS

# forward locally generated http traffic to Squid
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT

iptables -t nat -A OUTPUT -p tcp --dport 443 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_PORT_HTTPS

# forward the rest of non-http traffic
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $INTERNET -j ACCEPT

# enable IP forwarding for proxy
echo 1 > /proc/sys/net/ipv4/ip_forward