Here are my notes on setting up a Linksys WRT54GS version 1 with OpenWRT White Russian RC6 for our church's cafe. The main features are (a) transparent web content filtering and (b) a firewall to prevent access to the local network. (The Linksys WAN port is plugged into the local network.) I've only been trying it out for one day.
# Flash firmware with new image http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin
# NOTE(review): the image URL is plain HTTP; if the project publishes a checksum
# for it, compare the download against that before flashing.
# First login is over telnet, which is cleartext; do this step over a wired
# connection before any cafe clients are attached.
telnet 192.168.2.1
passwd
# setting password disables telnet and enables ssh
# simple proxy (required by dansguardian)
# NOTE(review): this package comes from a third-party site over plain HTTP and
# nothing in these notes verifies it; whatever it contains runs on the router.
ipkg install http://openwrt.alphacore.net/tinyproxy_1.6.3_mipsel.ipk
tinyproxy -h # verify transparent support is compiled in
vim /etc/tinyproxy/tinyproxy.conf
# In tinyproxy.conf, uncomment “Allow 192.168.1.0/25” and set the values below.
# NOTE(review): Allow decides which clients may talk to tinyproxy directly. Any
#   client permitted here can use tinyproxy without going through dansguardian,
#   so keep the range as narrow as the setup allows (a /25 covers .0-.127 only;
#   confirm that is the intended range).
# NOTE(review): "User root" / "Group root" keeps the proxy running as root, so a
#   flaw in the proxy would expose the whole router. Prefer an unprivileged
#   user if tinyproxy starts correctly with one.
“LogLevel Warning”
“User root
Group root”
"StartServers 5"
/etc/init.d/S51tinyproxy start
# set up Dansguardian content filtering
# NOTE(review): libstdc++ and dansguardian come from a third-party
# "experimental" directory over plain HTTP; nothing in these notes verifies them.
ipkg install zlib libgcc # for dansguardian
ipkg install http://openwrt.alphacore.net/experimental/libstdc++_6.0.3-2_mipsel.ipk # for dansguardian
ipkg install http://openwrt.alphacore.net/experimental/dansguardian_2.8.0.4-4_mipsel.ipk
# Dansguardian eats about 55% of the memory (RSS=16M)
vim /etc/dansguardian/dansguardian.conf
# Values set in dansguardian.conf (the quoted block that follows):
#   proxyport = 8888 is the upstream proxy dansguardian forwards to
#     (presumably the tinyproxy instance configured earlier; confirm the port
#     matches tinyproxy.conf).
#   loglevel = 0 turns request logging off in DansGuardian, so blocked requests
#     leave no record for later review. Presumably chosen to save memory on
#     this device; raise it if an audit trail of denied requests is wanted.
#   The *children settings cap the number of worker processes.
"proxyport = 8888
loglevel = 0
loglocation = '/var/log/dansguardian/access.log'
usernameidmethodproxyauth = off
maxchildren=50
minchildren=4
minsparechildren = 2
preforkchildren = 3"
vim /etc/dansguardian/dansguardianf1.conf
# naughtynesslimit is the weighted-phrase score at which a page is blocked;
# a higher value filters less.
"naughtynesslimit = 220"
# edit the block page shown to users
vim /etc/dansguardian/languages/ukenglish/template.html
#remove some dansguardian weighted lists
# Reuse the tinyproxy init script as the starting point for a dansguardian one.
# NOTE(review): tinyproxy was started above via /etc/init.d/S51tinyproxy, but the
# path copied here is /etc/init.d/tinyproxy; confirm which file exists.
cp /etc/init.d/tinyproxy /etc/init.d/S52dansguardian
vim /etc/init.d/S52dansguardian
# Lines added to the init script (the quoted block that follows): create the log
# and temp directories at start-up and hand them to user "nobody".
# NOTE(review): presumably dansguardian runs as "nobody" and /var and /tmp do
# not survive a reboot on this device; confirm.
"mkdir /var/log/dansguardian
chown nobody /var/log/dansguardian/
mkdir /tmp/dansguardian
chown nobody /tmp/dansguardian/"
/etc/init.d/S52dansguardian start
# wireless settings, stored in non-volatile RAM (NVRAM)
# wl0_wep=disabled together with wl0_akm=open gives an open, unencrypted
# network: anyone in radio range can join and read other clients' unencrypted
# traffic. That is the deliberate trade-off for a public cafe hotspot, and it
# means the firewall rules are the only thing keeping guests off the local
# network.
nvram set wl0_ssid=its_up_to_you
nvram set wl0_wep=disabled
nvram set wl0_akm=open
# write the settings to flash so they persist
nvram commit
# sync time (correct clocks keep proxy and system log timestamps usable)
ipkg install ntpclient
# follow wiki instructions on ntpclient
# set the time zone (US Mountain time, with daylight saving)
echo "MST7MDT" > /etc/TZ
# test Internet access without proxy
# test Internet access using non-transparent proxy
# test that proxies come up after rebooting
# set up firewall
# iptables-extra is installed for the additional iptables modules used below
# (presumably REDIRECT and limit; confirm against the package contents).
ipkg install iptables-extra
# The remaining lines of these notes are what goes into /etc/firewall.user.
vim /etc/firewall.user
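# Contents of /etc/firewall.user for the cafe hotspot.
# br0 is the guest-facing interface used by every rule here. Rules are appended
# to the OpenWrt user chains, and iptables evaluates them in order, so the
# REJECT rules for the local network come before any ACCEPT.
insmod ipt_REDIRECT

# transparently route traffic through content-filtering web proxy
iptables -t nat -A prerouting_rule -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# dansguardian.conf in this setup forwards to an upstream proxy on port 8888.
# Reject direct guest connections to that port so the filter on 8080 cannot be
# skipped by configuring the proxy by hand.
# NOTE(review): assumes the stock input_rule chain exists on this image; confirm.
iptables -A input_rule -i br0 -p tcp --dport 8888 -j REJECT
# NOTE(review): redirected HTTP is fetched by the proxy on the router itself, so
# it does not pass through forwarding_rule. The subnet REJECTs below therefore
# do not cover web servers on the local network; ban those addresses in the
# proxy/filter configuration as well, then test from a guest client.

# (local network access) - keep guests off the networks behind the WAN port
iptables -A forwarding_rule -i br0 -d 192.168.1.0/24 -j REJECT
iptables -A forwarding_rule -i br0 -d 192.168.0.0/24 -j REJECT

# Windows file sharing across a public network? Bad idea.
# 137-139 are the NetBIOS ports; 445/tcp is SMB without NetBIOS and was missing.
iptables -A forwarding_rule -i br0 -p tcp --dport 137:139 -j REJECT
iptables -A forwarding_rule -i br0 -p udp --dport 137:139 -j REJECT
iptables -A forwarding_rule -i br0 -p tcp --dport 445 -j REJECT

# accept a limited rate of e-mail: 2 connections per minute (untested!)
# The limit match only caps what this ACCEPT lets through; connections over the
# rate fall to the next rule, so the REJECT after it is what enforces the cap
# (spam zombies). The limit match also permits an initial burst (5 by default).
iptables -A forwarding_rule -i br0 -p tcp --dport 25 --syn -m limit --limit 2/min -j ACCEPT
iptables -A forwarding_rule -i br0 -p tcp --dport 25 --syn -j REJECT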