How to configure Squid to be a transparent proxy server


In order to configure Squid to be a transparent proxy, the OS will need at least two interfaces, such as eth0 and eth1. Let's say that eth0 will connect to the WAN, and eth1 will serve the LAN.


Only the WAN interface will need a default gateway. For example:

Type Interface IP address Prefix Gateway
WAN eth0 /24
LAN eth1 /24 n/a


To verify that eth1 is unable to connect to remote servers over the WAN, eth0 can be brought down.

[root@server1 ~]# ifdown eth0


With eth0 down, on the proxy server, pinging a remote server, such as, will fail.

[root@server1 ~]# ping
connect: Network is unreachable


Once eth0 is brought up, pinging from the proxy server will be successful.

[root@server1 ~]# ifup eth0


Forwarding will need to be enabled. In the /etc/sysctl.conf file, remove the comment from this line.



  • INPUT = Packets addressed to the host
  • OUTPUT = Packets created by the host
  • FORWARD = Packets neither addressed to the host nor created by the host. FORWARD is used to forward or route a packet to its destination

In iptables, add rules so that packets addressed to eth1 can be forwarded to eth0, and vice versa.

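# Masquerade LAN traffic as it leaves through the WAN interface (eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow forwarding from the LAN (eth1) to the WAN (eth0)
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Allow forwarding from the WAN (eth0) to the LAN (eth1)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT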


In the /etc/squid/squid.conf file, configure port 3128 to be transparent.

http_port 3128 transparent


Ensure the hostname of the Squid proxy server is visible. Replace your.hostname with the actual hostname of the Squid proxy server.

visible_hostname your.hostname


Add the following to iptables. Replace x.x.x.x/xx with the IP address and prefix of the Squid proxy server.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to x.x.x.x:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s x.x.x.x/xx -p tcp --dport 3128 -j ACCEPT


Restart the proxy server, and ensure the service is active and running.

[root@server1 ~]# systemctl restart squid
[root@server1 ~]# systemctl status squid
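
As an added example (not part of the original how-to), the script below audits iptables-save output for the interception and forwarding rules configured in the steps above. It assumes the page's interface names (eth0 WAN, eth1 LAN) and port 3128; the function names and the sample ruleset, which uses the documentation range 192.0.2.0/24, are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit iptables-save output for the rules this how-to sets up.
# Defaults follow the page (eth1 = LAN, eth0 = WAN, Squid on 3128).

has() { printf '%s\n' "$rules" | grep -Eq -e "$1"; }

audit_ruleset() {   # usage: iptables-save | audit_ruleset [lan_if] [wan_if] [port]
    lan=${1:-eth1}; wan=${2:-eth0}; port=${3:-3128}
    rules=$(cat)

    # Port 80 arriving from LAN clients must be steered to the Squid port.
    if has "^-A PREROUTING .*-i $lan .*--dport 80 .*-j (DNAT|REDIRECT) .*[: ]$port\$"
    then echo "OK   lan-intercept"; else echo "FAIL lan-intercept"; fi

    # Source NAT belongs on the WAN-facing interface, not the LAN one.
    if has "^-A POSTROUTING .*-o $wan .*-j MASQUERADE"
    then echo "OK   wan-masquerade"; else echo "FAIL wan-masquerade"; fi

    # Redirecting WAN-side port 80 to the proxy exposes Squid to outside
    # clients unless INPUT rules and Squid ACLs restrict who may use it.
    if has "^-A PREROUTING .*-i $wan .*--dport 80 .*-j (DNAT|REDIRECT) "
    then echo "WARN wan-intercept"; else echo "OK   wan-intercept"; fi

    # WAN->LAN forwarding with no conntrack state match admits new inbound flows.
    if printf '%s\n' "$rules" | grep -E -e "^-A FORWARD .*-i $wan .*-o $lan .*-j ACCEPT" |
         grep -Eqv -e "--(ctstate|state) "
    then echo "WARN wan-to-lan-forward"; else echo "OK   wan-to-lan-forward"; fi
}

sample_ruleset() {   # constructed sample in iptables-save format
cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | audit_ruleset
```

On the proxy server itself, pipe the live ruleset in as root: iptables-save | audit_ruleset.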

