How to configure Squid to be a transparent proxy server


In order to configure Squid to be a transparent proxy, the OS will need at least two interfaces, such as eth0 and eth1. Let's say that eth0 will connect to the WAN, and eth1 will serve the LAN.


Only the WAN interface needs a default gateway. For example:

Type  Interface  IP address    Prefix  Gateway
WAN   eth0       192.168.0.14  /24     192.168.0.1
LAN   eth1       192.168.0.15  /24     n/a


To verify that eth1 on its own cannot reach remote servers (that is, only eth0 provides the path to the WAN), bring eth0 down.

[root@server1 ~]# ifdown eth0


With eth0 down, pinging a remote server such as www.google.com from the proxy server will fail.

[root@server1 ~]# ping www.google.com
connect: Network is unreachable


Once eth0 is brought up, pinging www.google.com from the proxy server will be successful.

[root@server1 ~]# ifup eth0


IP forwarding must be enabled. In the /etc/sysctl.conf file, remove the comment from this line.

net.ipv4.ip_forward=1


iptables has three built-in filter chains:

  • INPUT = Packets addressed to the host
  • OUTPUT = Packets created by the host
  • FORWARD = Packets neither addressed to the host nor created by the host. FORWARD is used to forward or route a packet to its destination

In iptables, add rules so that packets arriving on eth1 can be forwarded out eth0, and vice versa, and so that traffic leaving through the WAN interface is masqueraded with the proxy server's address.

# source NAT on the WAN-facing interface (eth0), so replies return to the proxy
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# allow LAN -> WAN and WAN -> LAN forwarding
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

In the /etc/squid/squid.conf file, configure port 3128 to be transparent. (Squid 3.1 and later spell this option intercept; transparent is still accepted as a deprecated alias.)

http_port 3128 transparent


Ensure the hostname of the Squid proxy server is visible. Replace your.hostname with the actual hostname of the Squid proxy server.

visible_hostname your.hostname


Add the following to iptables. Replace x.x.x.x with the IP address of the Squid proxy server, and x.x.x.x/xx with its IP address and prefix.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to x.x.x.x:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s x.x.x.x/xx -p tcp --dport 3128 -j ACCEPT


Restart the Squid service, and ensure it is active and running.

[root@server1 ~]# systemctl restart squid
[root@server1 ~]# systemctl status squid
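The steps above can be checked rather than trusted. The following script is an added example, not part of the original how-to: it generates the rule set for the eth0/eth1 layout described above and audits an iptables-save dump for the entries the transparent proxy depends on. It goes slightly beyond the page by restricting the WAN-to-LAN forward rule to established connections; the interface names, proxy address and subnet are assumptions set through environment variables.

```shell
#!/bin/sh
# Added example (not from the original page): generate the rule set for the
# interface layout above and audit an iptables-save dump for the required entries.
# Interface names, proxy address and subnet are assumptions; override via env.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_IP="${PROXY_IP:-192.168.0.15}"      # constructed: LAN address of the Squid host
PROXY_NET="${PROXY_NET:-192.168.0.0/24}"  # constructed: subnet allowed to reach 3128
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the rules in the order to apply them; nothing is executed here.
# Masquerading belongs on the WAN-facing interface, and the WAN->LAN forward
# rule admits only replies to connections the LAN side opened.
gen_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$SQUID_PORT
iptables -I INPUT -s $PROXY_NET -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# audit_rules DUMP IPFORWARD: DUMP is iptables-save text, IPFORWARD the value of
# /proc/sys/net/ipv4/ip_forward. Prints each missing item; returns 1 if any is missing.
# iptables-save writes "-p tcp --dport N" as "-p tcp -m tcp --dport N".
audit_rules() {
    dump="$1"
    missing=0
    [ "$2" = "1" ] || { echo "missing: net.ipv4.ip_forward=1"; missing=1; }
    for needle in \
        "-A POSTROUTING -o $WAN_IF -j MASQUERADE" \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" \
        "-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$SQUID_PORT" \
        "-A INPUT -s $PROXY_NET -p tcp -m tcp --dport $SQUID_PORT -j ACCEPT"
    do
        printf '%s\n' "$dump" | grep -qF -- "$needle" \
            || { echo "missing: $needle"; missing=1; }
    done
    return "$missing"
}

# Run with --live to audit this host (needs root for iptables-save).
if [ "${1:-}" = "--live" ]; then
    audit_rules "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)" \
        && echo "all required rules present"
fi
```

Without --live the script only defines the functions, so it can be sourced from other tooling; `gen_rules | sh` applies the rules on a host where the defaults match.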
