Transparent proxy with Squid

If you ever wanted to know how to set up a transparent proxy with Squid, either because you are just curious or because you have more than one computer from which you want to surf the internet and you don’t want to set the proxy manually, then this might be something for you.

I will assume that we have two networks: and These networks are connected to our router via eth1 and eth2 respectively, while the router itself has the IPs and


If you’re running Debian you have a newer or older version of Squid installed, depending on the release you chose. At the time of this writing that might be 2.5.9 for Sarge aka stable or 2.6.5 for Etch aka testing. If you don’t already know the version, check your version with dpkg -l squid.

For Squid 2.5.xx put the following into /etc/squid/squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

and for Squid 2.6.xx:

http_port transparent
http_port transparent
always_direct allow all

The last directive was a workaround for early 2.6 versions of Squid, because of this bug. With the current version it seems that this isn’t a problem anymore, so just leave it out.


We have to tweak the firewall so that everybody who wants to surf the internet goes through our transparent proxy: HTTP traffic (TCP port 80) arriving on eth1 and eth2 is redirected to Squid on port 3128.

iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d
         --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp ! -d
         --dport 80 -j REDIRECT --to-port 3128

Access Control

Finally, we want to allow the users in our network to connect to our proxy. In squid.conf there is a line saying:

http_access allow localhost

Below that line you should put the following:

acl LAN src
http_access allow LAN

That’s it.
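Why the position of the new lines matters, as an added example that is not part of the original article: Squid checks http_access lines from top to bottom and the first matching line decides, so an allow rule placed after a deny rule that already matches never takes effect. The sketch models only src ACLs; the sample configs are constructed, the addresses are documentation placeholders rather than the article's networks, and the "http_access deny all" line is assumed to follow "http_access allow localhost" in the stock file.

```python
import ipaddress

# Constructed sample configs. 192.0.2.0/24 and 198.51.100.0/24 are placeholder
# LANs (assumption), not the networks used in the article.
ACLS = """\
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl LAN src 192.0.2.0/24 198.51.100.0/24
"""
CORRECT = ACLS + "http_access allow localhost\nhttp_access allow LAN\nhttp_access deny all\n"
MISPLACED = ACLS + "http_access allow localhost\nhttp_access deny all\nhttp_access allow LAN\n"
OPEN = ACLS + "http_access allow localhost\nhttp_access allow all\n"

def parse(conf):
    """Collect 'acl NAME src ...' definitions and http_access rules in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acls, name, ip):
    """True if ip matches the ACL; a leading '!' negates it. Non-src ACLs raise KeyError."""
    negate = name.startswith("!")
    hit = any(ip in net for net in acls[name.lstrip("!")])
    return hit != negate

def decide(conf, client_ip):
    """Return 'allow' or 'deny' the way Squid's first-match http_access list would."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # All ACLs on one line are ANDed; the first line that matches wins.
        if all(matches(acls, n, ip) for n in names):
            return action
    if not rules:
        return "deny"
    # No line matched: the default is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for label, conf in (("correct", CORRECT), ("misplaced", MISPLACED), ("open", OPEN)):
        print(label, "LAN:", decide(conf, "192.0.2.10"), "outside:", decide(conf, "203.0.113.5"))
```

The "open" case shows what to avoid: an allow rule that matches every source turns the box into a proxy for anyone who can reach port 3128.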
