FreeKB - Squid (Proxy) Transparent proxy server
Squid (Proxy) - Transparent proxy server

Let's take an example of a PC in your LAN that wants to go to an HTTP website being hosted on a remote server on the Internet. In the most basic configuration possible, you could connect your PC to your modem, and then request the HTTP website. When HTTP is being used, the connection would use port 80.


Building upon this simple configuration, a proxy server could be placed between your PC and your modem, to proxy requests to and from the Internet. In order to configure Squid to be a transparent proxy, the Squid server will need to have at least two interfaces. The interfaces will be configured to forward traffic to and from each interface, and there will also be a configuration to forward traffic from a standard port, such as 80 for HTTP to a new port, such as 3128 (the default Squid http port).


What you will want to do is to configure the LAN interface with a private IP address and subnet mask, but not default gateway. The WAN interface will be configured with a private IP address, subnet mask, and default gateway. For example:

Tytpe Interface IP address Prefix Gateway
WAN eth0 /24
LAN eth1 /24 n/a


Ensure each interface is working as expected. To test the LAN interface, bring down the WAN interface or disconnect the ethernet cable from the WAN interface. Then, ensure you are able to ping another device in your LAN, but that you are not able to ping a remote server, such as

~]# ping -c1
connect: Network is unreachable


Next ensure the WAN interface is working as expected. Bring down the LAN interface or disconnect the ethernet cable from the LAN interface. Then, ensure you are able to ping another device in your LAN, and that you are also able to ping a remote server, such as the WAN interface is configured and connected to your router, you will be able to ping remote servers, such as google.

~]# ping -c4
64 bytes from ( icmp_seq=1 ttl=55 time=21.9ms
64 bytes from ( icmp_seq=2 ttl=55 time=19.0ms
64 bytes from ( icmp_seq=3 ttl=55 time=18.9ms
64 bytes from ( icmp_seq=4 ttl=55 time=20.6ms



By default, Linux is not configured to forward traffic from one NIC interface to another. We need the system so that requests to the LAN interface are forwarded to the WAN interface. In this example, HTTP requests on port 80 will be forwarded from the LAN to the WAN interface, and the WAN interface will use the default Squid port 3128.


In the /etc/sysctl.conf file, add the following line to enable fowarding.



Reload sysctl.

~]# sysctl -p


If using firewalld, configure the WAN interface (eth0 in this example) to be bound to the public zone, and configure the LAN interface (eth1 in this example) to be bound ot the internal zone.

firewall-cmd --zone=public --add-interface=eth0 --permanent
firewall-cmd --zone=internal --add-interface=eth1 --permanent


Allow traffic on port 3128.

firewall-cmd --zone=internal --add-port=3128/tcp --permanent 


Forward HTTP traffic (port 80) from your LAN interface to the WAN interface. Replace x.x.x.x with the IP address of your WAN interface.

firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=x.x.x.x --permanent


Configure firewalld to use masquerading.

firewall-cmd --zone=internal --add-masquerade --permanent


Reload the firewalld.

firewall-cmd --reload


Your firewall should now have somthing similar to this.

~]# firewall-cmd --list-all --zone=internal
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  services: ssh dhcpv6-client
  protocols: 3128/tcp
  masquerade: port=80:proto=tcp:toport=3128:toaddr=
  rich rules:


If using iptables, add the following rules. Replace x.x.x.x/xx with the IP address and prefix of the Squid proxy server.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to x.x.x.x:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s x.x.x.x/xx -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT



In the /etc/squid/squid.conf file, configure port 3128 to intercept traffic that will be forwarded to the squid proxy server. Ensure the hostname of the Squid proxy server is visible. Replace your.hostname with the actual hostname of the Squid proxy server.

http_port 3128 intercept
visible_hostname your.hostname


Allow all http access.

http_access allow all


The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to restart squid.

systemctl restart squid


If your system is using init, use the service command to restart squid.

service squid restart




You can now use Wireshark to verify that traffic is being routed through your Squid proxy server.


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 06875 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |