Let's take an example of a PC in your LAN that wants to go to an HTTP website being hosted on a remote server on the Internet. In the most basic configuration possible, you could connect your PC to your modem, and then request the HTTP website. When HTTP is being used, the connection would use port 80.
Building upon this simple configuration, a proxy server could be placed between your PC and your modem, to proxy requests to and from the Internet. In order to configure Squid to be a transparent proxy, the Squid server will need to have at least two interfaces. The interfaces will be configured to forward traffic to and from each interface, and there will also be a configuration to forward traffic from a standard port, such as 80 for HTTP to a new port, such as 3128 (the default Squid http port).
What you will want to do is to configure the LAN interface with a private IP address and subnet mask, but not default gateway. The WAN interface will be configured with a private IP address, subnet mask, and default gateway. For example:
Ensure each interface is working as expected. To test the LAN interface, bring down the WAN interface or disconnect the ethernet cable from the WAN interface. Then, ensure you are able to ping another device in your LAN, but that you are not able to ping a remote server, such as www.google.com.
~]# ping -c1 www.google.com connect: Network is unreachable
Next ensure the WAN interface is working as expected. Bring down the LAN interface or disconnect the ethernet cable from the LAN interface. Then, ensure you are able to ping another device in your LAN, and that you are also able to ping a remote server, such as www.google.com.fOnce the WAN interface is configured and connected to your router, you will be able to ping remote servers, such as google.
~]# ping -c4 www.google.com 64 bytes from ord38s01-in-f4.1e100.net (126.96.36.199): icmp_seq=1 ttl=55 time=21.9ms 64 bytes from ord38s01-in-f4.1e100.net (188.8.131.52): icmp_seq=2 ttl=55 time=19.0ms 64 bytes from ord38s01-in-f4.1e100.net (184.108.40.206): icmp_seq=3 ttl=55 time=18.9ms 64 bytes from ord38s01-in-f4.1e100.net (220.127.116.11): icmp_seq=4 ttl=55 time=20.6ms
By default, Linux is not configured to forward traffic from one NIC interface to another. We need the system so that requests to the LAN interface are forwarded to the WAN interface. In this example, HTTP requests on port 80 will be forwarded from the LAN to the WAN interface, and the WAN interface will use the default Squid port 3128.
In the /etc/sysctl.conf file, add the following line to enable fowarding.
~]# sysctl -p
If using firewalld, configure the WAN interface (eth0 in this example) to be bound to the public zone, and configure the LAN interface (eth1 in this example) to be bound ot the internal zone.
firewall-cmd --zone=public --add-interface=eth0 --permanent firewall-cmd --zone=internal --add-interface=eth1 --permanent
Allow traffic on port 3128.
firewall-cmd --zone=internal --add-port=3128/tcp --permanent
Forward HTTP traffic (port 80) from your LAN interface to the WAN interface. Replace x.x.x.x with the IP address of your WAN interface.
firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=x.x.x.x --permanent
Configure firewalld to use masquerading.
firewall-cmd --zone=internal --add-masquerade --permanent
Reload the firewalld.
Your firewall should now have somthing similar to this.
~]# firewall-cmd --list-all --zone=internal internal target: default icmp-block-inversion: no interfaces: eth0 eth1 sources: services: ssh dhcpv6-client ports: protocols: 3128/tcp masquerade: port=80:proto=tcp:toport=3128:toaddr=192.168.0.2 forward-ports: sourceports: icmp-blocks: rich rules:
If using iptables, add the following rules. Replace x.x.x.x/xx with the IP address and prefix of the Squid proxy server.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to x.x.x.x:3128 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 iptables -I INPUT -s x.x.x.x/xx -p tcp --dport 3128 -j ACCEPT iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
In the /etc/squid/squid.conf file, configure port 3128 to intercept traffic that will be forwarded to the squid proxy server. Ensure the hostname of the Squid proxy server is visible. Replace your.hostname with the actual hostname of the Squid proxy server.
http_port 3128 intercept visible_hostname your.hostname
Allow all http access.
http_access allow all
~]# systemctl restart squid