Firewall rules for openWRT/dd-wrt when using dansguardian/squid

Jeremy Willden jeremy.willden+plug at
Wed Jul 22 00:22:19 MDT 2009

Sorry if this duplicates another message, I just get a digest of the
list traffic, so I'm often behind.

I run Dansguardian (on port 8080) and Squid (on port 3128) on, and my dd-wrt router is (connected to the internet
via cablemodem).  These are the rules I use on

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! -p tcp --dport 80
-j DNAT --to
iptables -t nat -A POSTROUTING -o br0 -s -d -j
SNAT --to
iptables -I FORWARD -s -d -i br0 -p tcp --dport
8080 -j ACCEPT

It grabs all outbound port 80 (web) traffic and diverts it to
dansguardian, which uses squid as a caching proxy (see the tutorials
for setting up squid as a transparent proxy - otherwise you get very
weird errors when trying to access the internet).

I believe br0 is the LAN side.

I hope that helps.  Note: be sure to verify that your proxy port is
not open on the WAN side.  Filtered or not, someone could use your
connection for something you wouldn't like.

More information about the PLUG mailing list