Using Squid as a Transparent Proxy

One of the difficulties in running a web proxy is that each client browser has to be configured to use it. A much neater solution is to force all attempts to access a web site to go through the proxy. This can be achieved quite simply by using iptables firewall rules on the machine where Squid runs.

What you want to do is to intercept all outbound packets to external hosts on port 80 (and certain others perhaps) and redirect them to port 3128 on the server. Squid will then do the proxying. So you need an iptables rule similar to this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This assumes that eth0 is the internal interface that is receiving the outgoing HTTP requests and that the machine where Squid is running is set as the gateway for the client machines.

See also the discussion of firewall rules in Chapter 24. Note that SuSEfirewall2 is capable of setting up the necessary rules for a transparent proxy. SuSEfirewall2 is also discussed in Chapter 24.

The Squid configuration file needs just the http_port line to be modified so that it reads:

http_port 3128 transparent
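The two steps above (the REDIRECT rule and the http_port change) can be checked together. The following POSIX shell script is an added example, not code from the book: it prints the PREROUTING rules for a list of intercepted ports rather than applying them, and checks that squid.conf has an uncommented http_port line for the Squid port that carries the interception flag. It assumes the same eth0 interface and port 3128 as the text; the function names, the constructed sample configuration and the acceptance of intercept (the keyword Squid 3.1 and later use for the same mode) are mine.

```shell
#!/bin/sh
# Added example, not from the book: build the NAT REDIRECT rules for a
# transparent Squid proxy and check squid.conf for a matching http_port line.
# Assumptions: eth0 is the client-facing interface and Squid listens on 3128;
# nothing here touches the live firewall, the rules are only printed.

# Print one PREROUTING REDIRECT rule per intercepted destination port.
# Usage: redirect_rules IFACE SQUID_PORT DPORT [DPORT...]
redirect_rules() {
    iface=$1
    squid_port=$2
    shift 2
    for dport in "$@"; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
            "$iface" "$dport" "$squid_port"
    done
}

# Return 0 if CONF has an uncommented http_port line for SQUID_PORT that
# enables interception ("transparent" as in the book; Squid 3.1 and later
# spell the same mode "intercept"), 1 otherwise.
# Usage: squid_port_is_transparent CONF SQUID_PORT
squid_port_is_transparent() {
    conf=$1
    squid_port=$2
    sed 's/#.*//' "$conf" |
        grep -E "^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?${squid_port}[[:space:]].*(transparent|intercept)" \
        >/dev/null
}

# Write a constructed sample squid.conf (not a real deployed file) to PATH.
# Usage: write_sample_conf PATH
write_sample_conf() {
    cat >"$1" <<'EOF'
# constructed sample configuration
http_port 3128 transparent
cache_mem 64 MB
EOF
}

# Print the rules for ports 80 and 8080 and check a temporary sample config.
# Usage: demo   (exit status 0 when the config check passes)
demo() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$tmp"
    redirect_rules eth0 3128 80 8080
    if squid_port_is_transparent "$tmp" 3128; then
        echo "http_port 3128 has the interception flag"
        rc=0
    else
        echo "http_port 3128 is not set up for interception" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Run the demonstration only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh script.sh --demo` to see the generated rules; to apply them on the gateway, pipe the output of redirect_rules into a root shell once you are satisfied with it. Keeping the interface and Squid port as parameters makes it easy to add the "certain other" ports mentioned above without editing the rule by hand.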

This is a change in recent versions of Squid. Older versions required a more complicated setup to achieve a transparent proxy, and a lot of outdated tutorials can still be found on the Internet.

You cannot combine a transparent proxy with authorization on the proxy. It has also been reported that in some circumstances there can be problems with remote sites that require authentication.
