root@HTTPCache:~# cat /etc/firewall.conf
#!/bin/sh
IPTABLES=iptables
EBTABLES=ebtables
EXTDEV="enp0s7"
INTDEV="enp1s10"
SERVERIP="xx.xx.xx.xx"

${EBTABLES} -t broute -F
${EBTABLES} -t broute -A BROUTING -i $EXTDEV -p ipv4 --ip-protocol tcp --ip-source-port 80 -j redirect --redirect-target DROP
${EBTABLES} -t broute -A BROUTING -i $INTDEV -p ipv4 --ip-protocol tcp --ip-destination-port 80 -j redirect --redirect-target DROP

${IPTABLES} -F
${IPTABLES} -F -t nat
${IPTABLES} -F -t mangle
${IPTABLES} -v -t mangle -N DIVERT
${IPTABLES} -v -t mangle -A DIVERT -j MARK --set-mark 1
${IPTABLES} -v -t mangle -A DIVERT -j ACCEPT
${IPTABLES} -v -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${IPTABLES} -v -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

${IPTABLES} -I INPUT -s $SERVERIP -i br0 -j REJECT
${IPTABLES} -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -s 10.0.0.0/8 -j ACCEPT
${IPTABLES} -A INPUT -s 172.16.0.0/12 -j ACCEPT
${IPTABLES} -I INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -j DROP

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

#sysctl -w net.ipv4.ip_nonlocal_bind=1
#sysctl -w net.ipv4.ip_forward=1