How to set up a transparent proxy with Squid?

There are a few ways to set up a transparent proxy. The one I describe here has the Linux system acting as the gateway and the proxy on the same machine; you can of course split these functions, but for this tutorial we will keep them together. I presume all your clients are already online via the Linux machine and iptables NAT/masquerading, and that what you need now is a transparent proxy. For that we need two more things: Squid itself and some more iptables configuration.

So first of all comes the squid installation:

  • aptitude install squid

(If you are not running Debian/Ubuntu, you will have to look elsewhere for a proper installation guide.)

After squid is installed we have to tweak the configuration file a bit ( /etc/squid/squid.conf ):

For Squid prior to 2.6, we add to the end of the file:

  • httpd_accel_host virtual
  • httpd_accel_port 80
  • httpd_accel_with_proxy on
  • httpd_accel_uses_host_header on

For Squid 2.6 and later it's a bit simpler: just change the entry for http_port so it looks like:

  • http_port 3128 transparent

Another thing we need to take care of is Squid's ACLs. Look for the string "acl our_networks src" in your squid.conf and change it to fit your needs, e.g.:

  • acl our_networks src 192.168.2.0/24

After that, uncomment the line "http_access allow our_networks".

Now reload Squid:

  • /etc/init.d/squid reload
    ( or /etc/init.d/squid restart )

Now you can test with a client by setting the proxy manually in its connection settings. If that works, you need only one simple iptables rule to make the rest work:

  • iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    ( replace eth0 with the interface on which the clients' requests are received; REDIRECT is only valid in the nat table, hence -t nat )

Voilà, you are done; the proxy should now be working transparently for your clients.
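
The checks from the steps above as a script (an added example, not part of the original tutorial): it lints squid.conf for the http_port flag, the our_networks ACL and the order of the http_access rules, and prints the iptables rule with the port Squid is actually configured to listen on. The function names are made up for this example, and it also accepts "intercept", the name Squid 3.1 and later use for the "transparent" flag.

```shell
# Added example: lint a squid.conf against this tutorial's transparent-proxy setup.
# All function names are hypothetical helpers, not part of Squid or iptables.

# Active directives only: drop comments and blank lines, normalise whitespace.
active_lines() {
    awk '{ sub(/#.*/, "") } NF { $1 = $1; print }' "$1"
}

# Port of the first http_port line carrying the interception flag
# ("transparent" as in the tutorial; Squid 3.1+ spells it "intercept").
transparent_port() {
    active_lines "$1" | awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++) if ($i == "transparent" || $i == "intercept") {
            n = split($2, a, ":"); print a[n]; exit } }'
}

# Return 0 if the config matches the tutorial; print one line per problem.
check_squid_conf() {
    rc=0
    [ -n "$(transparent_port "$1")" ] ||
        { echo "FAIL: no 'http_port <port> transparent' line"; rc=1; }
    active_lines "$1" | grep -q '^acl our_networks src [^ ]' ||
        { echo "FAIL: 'acl our_networks src <network>' is not defined"; rc=1; }
    # http_access is first-match: the allow must come before any "deny all",
    # and "allow all" lets every source that can reach the port use the proxy.
    verdict=$(active_lines "$1" | awk '$1 == "http_access" {
        rule = $2 " " $3
        if (rule == "allow all") wide_open = 1
        if (rule == "deny all" && !allowed) shadowed = 1
        if (rule == "allow our_networks") allowed = 1 }
        END { v = "ok"; if (shadowed) v = "shadowed"; if (!allowed) v = "missing"
              if (wide_open) v = "open"; print v }')
    case $verdict in
        ok) ;;
        open) echo "FAIL: 'http_access allow all' makes this an open proxy"; rc=1 ;;
        shadowed) echo "FAIL: 'http_access deny all' precedes the allow rule"; rc=1 ;;
        *) echo "FAIL: 'http_access allow our_networks' is not active"; rc=1 ;;
    esac
    return $rc
}

# REDIRECT rule built from the configured port, so --to-ports cannot drift from http_port.
redirect_rule() {
    port=$(transparent_port "$2")
    [ -n "$port" ] || return 1
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $port"
}

[ -z "${1:-}" ] || { check_squid_conf "$1" && redirect_rule "${2:-eth0}" "$1"; }
```

Saved under any file name, it is run as: sh <file> /etc/squid/squid.conf eth0. The rule is only printed when every check passes.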
