To configure Squid as a transparent proxy, the host needs at least two network interfaces, for example eth0 and eth1. In what follows, eth0 connects to the WAN and eth1 serves the LAN.
Only the WAN interface needs a default gateway; eth1 gets none, so the LAN side has no route to the Internet except through the proxy. To confirm that eth1 cannot reach remote servers on its own, bring eth0 down:
[root@server1 ~]# ifdown eth0
With eth0 down, pinging a remote server such as www.google.com from the proxy server fails, because the only default route was on eth0.
[root@server1 ~]# ping www.google.com
connect: Network is unreachable
Once eth0 is brought up, pinging www.google.com from the proxy server will be successful.
[root@server1 ~]# ifup eth0
IP forwarding must be enabled. In /etc/sysctl.conf, uncomment (or add) the line net.ipv4.ip_forward = 1 and load it with sysctl -p. Packets passing through the host are then handled by the three built-in chains of the iptables filter table:
- INPUT = packets addressed to the host
- OUTPUT = packets created by the host
- FORWARD = packets neither addressed to nor created by the host; this chain decides whether the host forwards (routes) a packet toward its destination
In iptables, add rules so that packets arriving on eth1 can be forwarded out of eth0 and replies can come back, with the LAN clients' addresses masqueraded behind the proxy's WAN address. Masquerading belongs on the outgoing WAN interface (eth0), not on the LAN interface:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
The last rule accepts every forwarded packet from the WAN into the LAN. On a gateway that should normally be tightened to replies for connections the LAN opened, using -m conntrack --ctstate ESTABLISHED,RELATED.
In /etc/squid/squid.conf, configure port 3128 as an interception port:
http_port 3128 transparent
On Squid 3.1 and later the option is named intercept; transparent is still accepted as a deprecated alias and logs a warning. An interception port only accepts connections that arrived through NAT, so clients cannot use it as an explicitly configured proxy.
Set the hostname Squid reports in error pages and headers, replacing your.hostname with the actual hostname of the Squid proxy server:
visible_hostname your.hostname
Add the following iptables rules. Replace x.x.x.x with the proxy's LAN-side (eth1) IP address, and x.x.x.x/xx with that address and its prefix, which matches the whole LAN subnet:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to x.x.x.x:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s x.x.x.x/xx -p tcp --dport 3128 -j ACCEPT
The first rule rewrites LAN clients' port-80 connections to Squid, and the third lets those rewritten connections into the local Squid port. The second rule also intercepts port-80 traffic arriving on the WAN interface; a LAN-to-WAN proxy does not need it, and it hands WAN-origin connections to the interception port, so omit it unless that is intended.
Restart Squid and confirm the service is active and running:
[root@server1 ~]# systemctl restart squid
[root@server1 ~]# systemctl status squid
The iptables rules above exist only in the running kernel; save them (with iptables-save, or service iptables save when iptables-services is installed) so they survive a reboot.
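The whole procedure above, collected into one script as an added example that is not part of the original page. Run without arguments it only prints the iptables rules and squid.conf lines for review; with --apply it installs the rules, enables forwarding persistently and prints the Squid lines to add. The interface names eth0/eth1, the address 192.168.1.1/24 and the hostname proxy.example.invalid are assumptions standing in for the page's x.x.x.x/xx and your.hostname (override them through the environment). It uses intercept rather than the deprecated transparent keyword, masquerades on the WAN interface, limits WAN-to-LAN forwarding to established flows, and leaves out the WAN-side REDIRECT rule.

```shell
#!/bin/sh
# Added example (not from the original page): generate, and with --apply install,
# the forwarding, NAT and Squid settings for a transparent Squid gateway.
# Interface names, addresses and the hostname are assumptions; override via env.
WAN_IF="${WAN_IF:-eth0}"                            # assumed WAN-facing interface
LAN_IF="${LAN_IF:-eth1}"                            # assumed LAN-facing interface
PROXY_LAN_IP="${PROXY_LAN_IP:-192.168.1.1}"         # assumed proxy address on the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"                # assumed LAN subnet
SQUID_PORT="${SQUID_PORT:-3128}"
VISIBLE_HOSTNAME="${VISIBLE_HOSTNAME:-proxy.example.invalid}"   # assumed hostname

# iptables rules, one per line. MASQUERADE sits on the WAN interface so LAN
# clients' non-HTTP traffic leaves with the proxy's WAN address; WAN-to-LAN
# forwarding is limited to flows conntrack already knows; port 80 from the LAN
# is rewritten to Squid; INPUT admits LAN hosts to the Squid port only.
tproxy_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_LAN_IP:$SQUID_PORT
iptables -I INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# squid.conf lines for the interception port. 'intercept' is the current name
# of the option older docs call 'transparent'. The ACL limits proxying to the
# LAN subnet so nothing else can relay through this host.
squid_conf() {
    cat <<EOF
http_port $SQUID_PORT intercept
visible_hostname $VISIBLE_HOSTNAME
acl localnet src $LAN_NET
http_access allow localnet
http_access deny all
EOF
}

# True when a MASQUERADE rule for the WAN interface is already loaded; running
# the script twice would otherwise append duplicate rules.
already_applied() {
    iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -- "-o $WAN_IF -j MASQUERADE"
}

apply_all() {
    for ifc in "$WAN_IF" "$LAN_IF"; do
        [ -d "/sys/class/net/$ifc" ] || { echo "no such interface: $ifc" >&2; exit 1; }
    done
    if already_applied; then
        echo "NAT rule for $WAN_IF already present, not adding rules again" >&2
    else
        tproxy_rules | sh -e
    fi
    # Enable IPv4 forwarding now and across reboots.
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ipforward.conf
    echo "Add the following to /etc/squid/squid.conf, then run:"
    echo "  squid -k parse && systemctl restart squid && iptables-save > /etc/sysconfig/iptables"
    squid_conf
}

case "${1:-}" in
    --apply) apply_all ;;
    *)       tproxy_rules; echo; squid_conf ;;   # dry run: print what would be applied
esac
```

The dry run is the useful part for review: diff its output against the rules the page lists and the two differences (MASQUERADE on eth0, no WAN-side REDIRECT) are visible at once. Because the functions read the variables at call time, WAN_IF=ens3 LAN_IF=ens4 ./tproxy.sh regenerates everything for renamed interfaces without editing the script.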