Configuring TomatoUSB router to forward all http requests on port 80 to Squid/Dansguardian server

Once I setup my proxy server with Squid and Dansguardian and after I tested it manually by pointing a Firefox web browser to the server, the only thing left to do was to have all http trafic request on port 80 to be routed to the proxy server for content filtering.

Now there are three different ways to accomplish this. These different approaches involves different levels of configuration and they have different drawbacks.  You can have your http traffic going through your proxy server by following one of the proposed solutions:

  • Manually edit the proxy settings on each web browser on every device on your network. This approach is not bullet proof for the following reasons: a new device can be introduced on your network, a new browser is installed, the user manually removes the proxy settings.
  • Install apache and create a php page that will automatically configure yous web browser's proxy settings when the page is accessed by the browser.  This approach is less time consuming than approach one but it does have the same security issues as one.
  • Configure your router to re-direct all http requests on port 80 to your proxy server.  This approach requires a router that can forward traffic to a different machine as well as writing the forwarding rules.  This makes it transparent to client devices since no change is done on the client side and all trafic is routed without the user noticing.  Also, there is no way that users can bypass the proxy server unless the user has admin access to the router.  This will be the approach used in this document and for this solution we will use a router that supports TomatoUSB or DDWRT such as ASUS RT-N16.

The first thing we will do is to add a port forwarding rule on port 443 so that we can ssh to our proxy server box.  Go to your router port forwarding page ( and enter the following:


On Proto Src Address Ext Ports Int Port Int Address Description
On TCP   443   192.168.0.YY SSH Access to proxy server


where YY needs to be replaced by the number that identifies your proxy server on your network.

You will now ssh to your router and create two file under the jffs permanent storage directory:

ssh root@

The first file called should have the following contents:







#Accept Connections that have been ESTABLISHED RELATED already

iptables -t mangle -A PREROUTING -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t mangle -A PREROUTING -i br0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

#Accept any requests on port 80 for the following devices

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $ROKU

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $PROXY_IP

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $PS3

#Route to dansguardian/proxy any requests not comming for the wan_ipaddr on port 80

iptables -t mangle -A PREROUTING -m limit --limit 1/min -j LOG --log-prefix 'WakeMe' -p tcp --dport 80

iptables -t mangle -A PREROUTING -d ! `nvram get wan_ipaddr` -j MARK --set-mark 3 -p tcp --dport 80

ip rule add fwmark 3 table 2

ip route add default via $PROXY_IP dev br0 table 2

#Route any requests on port 80 for wan_ipaddr to webserver

iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to $WEBSERVER_IP:$WEBSERVER_PORT

iptables -I FORWARD -p tcp -d $WEBSERVER_IP --dport $WEBSERVER_PORT -j ACCEPT

This script contain rules to re-direct requests on port 80 to the proxy server, to allow certain devices to bypass the proxy server, and it also logs requests on port 80 so that the next script can search the log files and wake up our server with a waken on lan command.

We now need to go back to our router admin page and setup this scripts to run as the router initializes. Go the the script admin page on your router ( and do the following:

1) go to the Firewall tab and enter the following line


2) save



No votes yet