Transparent proxy with Squid

If you ever wanted to know how to set up a transparent proxy with Squid, either out of curiosity or because you have more than one computer that should surf the internet through the proxy without configuring it manually on every client, then this might be something for you.

I will assume that we have two networks, 172.16.0.0/24 and 172.16.1.0/24. They are connected to our router via eth1 and eth2 respectively, and the router itself has the addresses 172.16.0.1 (on eth1) and 172.16.1.1 (on eth2).

Setup

If you’re running Debian, the Squid version you have depends on the release you chose. At the time of this writing that is 2.5.9 for Sarge aka stable or 2.6.5 for Etch aka testing. If you don’t already know which one you have, check with dpkg -l squid.

For Squid 2.5.xx put the following into /etc/squid/squid.conf:

http_port 172.16.0.1:3128
http_port 172.16.1.1:3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

and for Squid 2.6.xx:

http_port 172.16.0.1:3128 transparent
http_port 172.16.1.1:3128 transparent
always_direct allow all

The last directive was a workaround for a bug in early 2.6 releases of Squid. With the current version this isn’t a problem anymore, so just leave it out. (Binding http_port to the two LAN addresses, rather than to 0.0.0.0, also means the proxy never listens on the router’s upstream interface, so nothing outside the two networks can reach it directly.)

Firewall

We have to tweak the firewall so that everybody who wants to surf the internet is sent through our transparent proxy. The rules below catch only TCP port 80 arriving on the LAN interfaces and redirect it to Squid’s port 3128; traffic to hosts inside the same LAN is excluded, and HTTPS (port 443) is not intercepted at all and will still leave the router directly. The router must also have net.ipv4.ip_forward enabled for the remaining traffic to pass.

iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d 172.16.0.0/24 \
         --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp ! -d 172.16.1.0/24 \
         --dport 80 -j REDIRECT --to-port 3128

Access Control

At last we want to allow the users in our networks to connect to our proxy. Squid evaluates http_access lines in order and stops at the first match, and the default squid.conf ends its list with http_access deny all, so our allow must come before that line. In the squid.conf there is a line saying:

http_access allow localhost

below that line you should put the following:

acl LAN src 172.16.0.0/24 172.16.1.0/24
http_access allow LAN

Keep the LAN acl limited to your own networks; a broader src (or an allow placed after the deny all) either opens the proxy to everyone or locks your users out.

That’s it.
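The whole procedure above (Squid 2.6 ports, the two REDIRECT rules, and the ACL), as an added helper script that is not part of the original post. It assumes the interfaces, networks and router addresses from the post, and that iptables and sysctl are at their usual Debian locations; the apply mode needs root. It also includes a small check a practitioner would want: that the http_access allow LAN line really precedes http_access deny all in a given squid.conf.

```shell
#!/bin/sh
# Added example: generates the Squid 2.6 and iptables configuration for the
# transparent proxy described in the post, and checks ACL ordering.
# Assumptions (not from the post): LANS table below, Debian paths for
# iptables/sysctl, "apply" mode run as root.

# interface, LAN network, router address on that interface (from the post)
LANS="eth1 172.16.0.0/24 172.16.0.1
eth2 172.16.1.0/24 172.16.1.1"

# One "http_port <router-ip>:3128 transparent" line per LAN.
squid_ports() {
    echo "$LANS" | while read -r iface net ip; do
        echo "http_port ${ip}:3128 transparent"
    done
}

# The LAN acl and its allow line, listing every LAN network.
squid_acl() {
    nets=$(echo "$LANS" | while read -r iface net ip; do printf '%s ' "$net"; done)
    echo "acl LAN src ${nets% }"
    echo "http_access allow LAN"
}

# One REDIRECT rule: port-80 TCP arriving on interface $1 that is not
# destined for its own network $2 is sent to Squid on port 3128.
redirect_rule() {
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp ! -d $2 --dport 80 -j REDIRECT --to-port 3128"
}

# Every firewall command needed: enable forwarding, then one rule per LAN.
firewall_cmds() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "$LANS" | while read -r iface net ip; do
        redirect_rule "$iface" "$net"
    done
}

# Squid stops at the first matching http_access line, so an allow placed
# after "http_access deny all" is dead. Returns 0 when the order in the
# given squid.conf is fine, 1 when the allow is missing or comes too late.
check_acl_order() {
    allow=$(grep -n '^http_access allow LAN' "$1" | head -1 | cut -d: -f1)
    deny=$(grep -n '^http_access deny all' "$1" | head -1 | cut -d: -f1)
    [ -n "$allow" ] || return 1
    [ -z "$deny" ] || [ "$allow" -lt "$deny" ]
}

case "${1:-show}" in
    apply) firewall_cmds | while read -r cmd; do $cmd; done ;;   # root only
    check) check_acl_order "${2:-/etc/squid/squid.conf}" \
               && echo "ACL order ok" || echo "ACL order wrong" ;;
    *)     squid_ports; squid_acl; firewall_cmds ;;
esac
```

Run it without arguments to print the squid.conf fragment and the iptables commands for review, with apply (as root) to load the firewall rules, and with check /etc/squid/squid.conf after editing to confirm the allow precedes the deny all.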
