How to set up a transparent proxy on Linux

Last updated on August 19, 2020 by Dan Nanni

A transparent proxy sits between clients and the Internet, acting as a gateway for the clients. It is called transparent because clients do not need to configure anything to use it: their traffic is intercepted at the network layer and steered into the proxy. A transparent proxy is useful when it is not possible or desirable to modify client configuration, and yet client traffic still needs to go through the proxy.

If you need to set up a transparent proxy on Linux, one of the easiest ways is to use Squid, an open-source caching proxy server. Squid has a rich feature set as a general web-caching proxy, but this tutorial does not cover those features. It focuses on configuring Squid as a transparent proxy for plain HTTP (TCP port 80).

Install Squid on Linux

For Ubuntu or Debian:

$ sudo apt-get install squid

For CentOS, RHEL or Fedora (use dnf in place of yum on recent releases):

$ sudo yum install squid

Configure Squid

The above step installs Squid and creates a default configuration file. On current distributions it is /etc/squid/squid.conf; on older Debian and Ubuntu releases, where the package was named squid3, it is /etc/squid3/squid.conf and the service is called squid3 as well. Squid is set to start automatically upon boot. To configure Squid as a transparent proxy, add the following lines to its configuration file and restart it.

$ sudo vi /etc/squid/squid.conf
acl localnet src 100.100.100.0/24
http_access allow localnet
http_port 3128 intercept
cache_peer 100.100.100.10 parent 8000 0 no-query default
cache_effective_user proxy
cache_effective_group proxy
$ sudo systemctl restart squid

The acl line defines a named source ACL, localnet, for the clients allowed to use the proxy: any host whose address is in 100.100.100.0/24. The http_access line admits that ACL; put it before the http_access deny all line that ends the default configuration, since Squid evaluates http_access rules in order and stops at the first match. Do not attach the LAN range to the predefined localhost ACL instead: the default file defines localhost as the loopback addresses and lets it reach the cache manager (http_access allow localhost manager), so widening that ACL would expose the manager interface to every client. The intercept flag on http_port tells Squid that connections to port 3128 arrive through NAT redirection rather than from clients configured to use a proxy; older guides write transparent, which is the deprecated spelling of the same option. In intercept mode Squid recovers the original destination of each connection from the kernel's connection-tracking table, so Squid must run on the same host as the iptables rules below. The cache_peer line is optional, and needed only when your network is behind an upstream proxy or firewall: it declares the upstream proxy (100.100.100.10:8000) as a parent that requests are forwarded to in order to reach external networks. The cache_effective_user and cache_effective_group lines name the unprivileged account Squid drops to after start-up; the packages already set this (proxy on Debian and Ubuntu, squid on CentOS, RHEL and Fedora), so use whatever your distribution's package uses. Run squid -k parse to have Squid check the file for errors before restarting it.

Next, you need to set up iptables rules so that HTTP traffic from the LAN (TCP port 80) is redirected into Squid. Only plain HTTP can be intercepted this way: HTTPS (port 443) is encrypted end to end, and pushing it through an intercept port would require SSL bumping with a CA certificate installed on every client, which is outside the scope of this tutorial. For the port 80 redirection, you can run the following script, proxy.sh, as root.

#!/bin/sh
# proxy.sh: redirect LAN HTTP into Squid and NAT everything else out of the WAN side.
# Run as root. Note that it flushes every existing iptables rule first.

# interface connected to WAN
INTERNET="eth0"

# interface connected to LAN
LAN_IN="eth1"

# Squid port (the http_port ... intercept line in squid.conf)
SQUID_PORT="3128"

# system user Squid runs as ("proxy" on Debian/Ubuntu, "squid" on CentOS/RHEL/Fedora)
SQUID_USER="proxy"

# clean old firewall rules (this does not reset chain policies)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# load connection tracking modules (older kernels named these ip_conntrack and ip_conntrack_ftp)
modprobe nf_conntrack
modprobe nf_conntrack_ftp

# redirect HTTP (port 80) arriving from the LAN into Squid's intercept port
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT

# redirect locally generated HTTP into Squid as well, but exempt Squid's own
# outgoing requests first, or they would loop back into Squid
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT

# masquerade the rest of the LAN's (non-HTTP) traffic out of the WAN interface
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE

# forward LAN -> WAN, and only replies to existing connections back from WAN -> LAN;
# anything else arriving from the Internet is dropped instead of forwarded
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IN -o $INTERNET -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $LAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# enable IP forwarding so the proxy host acts as a router
echo 1 > /proc/sys/net/ipv4/ip_forward

Because the script flushes all existing rules, merge it into any firewall you already run rather than invoking it as-is on a host with other rules; it also leaves the INPUT chain untouched, so make sure port 3128 is not reachable from the WAN side. Once the rules are in place, save them so that they survive a reboot and you do not need to re-run the script: on Debian and Ubuntu install iptables-persistent and write them with iptables-save > /etc/iptables/rules.v4, on CentOS and RHEL install iptables-services and run service iptables save.
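Before saving the rules, it is worth checking that the dump actually encodes what the script is meant to establish. The following shell script is an added example, not part of the original page or of Squid: it audits an iptables-save dump for the LAN-to-Squid REDIRECT, the owner-based exemption that must precede the local REDIRECT (otherwise Squid's own upstream requests loop back into Squid), the WAN MASQUERADE, and a default-deny FORWARD chain that only admits replies to established connections from the Internet. The interface names (eth0, eth1), port 3128 and both sample dumps are constructed assumptions: the weak dump reproduces a gateway whose FORWARD chain blindly accepts everything arriving on the WAN interface (a common mistake), the hardened one uses a default-deny FORWARD chain.

```shell
#!/bin/sh
# Audit an iptables-save dump for the transparent-proxy rule set before making it
# persistent. Added example, not from the original page or the Squid project.
# Assumed (hypothetical) layout: LAN on eth1, WAN on eth0, Squid intercepting on 3128.
LAN_IN="${LAN_IN:-eth1}"
INTERNET="${INTERNET:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# first_match PATTERN FILE: line number of the first line matching the extended
# regex PATTERN, or empty if nothing matches.
first_match() {
    grep -nE -e "$1" "$2" | head -n 1 | cut -d: -f1
}

# check_rules DUMPFILE: print one FAIL line per violated invariant; exit status 0
# only when every invariant holds.
check_rules() {
    dump="$1"
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # 1. LAN-side HTTP must be redirected into Squid.
    grep -qE -e "^-A PREROUTING -i $LAN_IN -p tcp .*--dport 80 .*-j REDIRECT --to-ports $SQUID_PORT" "$dump" \
        || fail "no PREROUTING REDIRECT of $LAN_IN:80 to port $SQUID_PORT"

    # 2. Squid's own outbound HTTP must be exempted BEFORE the local REDIRECT,
    #    otherwise Squid's upstream fetches are redirected back into Squid.
    owner_ln=$(first_match "^-A OUTPUT .*--dport 80 .*-m owner --uid-owner [^ ]+ -j ACCEPT" "$dump")
    redir_ln=$(first_match "^-A OUTPUT .*--dport 80 .*-j REDIRECT --to-ports $SQUID_PORT" "$dump")
    if [ -z "$owner_ln" ]; then
        fail "no owner-based exemption for Squid's own traffic in nat OUTPUT"
    elif [ -z "$redir_ln" ]; then
        fail "no REDIRECT of locally generated HTTP in nat OUTPUT"
    elif [ "$owner_ln" -gt "$redir_ln" ]; then
        fail "owner exemption comes after the OUTPUT REDIRECT (forwarding loop)"
    fi

    # 3. Non-HTTP LAN traffic is NATed out of the WAN interface.
    grep -qE -e "^-A POSTROUTING -o $INTERNET -j MASQUERADE" "$dump" \
        || fail "no MASQUERADE on $INTERNET"

    # 4. The gateway must not forward unsolicited Internet traffic into the LAN.
    grep -qE -e "^:FORWARD DROP " "$dump" \
        || fail "FORWARD policy is not DROP"
    grep -qE -e "^-A FORWARD -i $INTERNET -j ACCEPT" "$dump" \
        && fail "blanket ACCEPT of all forwarded traffic arriving on $INTERNET"
    grep -qE -e "^-A FORWARD -i $LAN_IN -o $INTERNET -j ACCEPT" "$dump" \
        || fail "LAN-to-WAN forwarding is not allowed"
    grep -qE -e "^-A FORWARD -i $INTERNET -o $LAN_IN -m conntrack --ctstate [A-Z,]*ESTABLISHED" "$dump" \
        || fail "replies (ESTABLISHED,RELATED) from $INTERNET to $LAN_IN are not allowed"

    return $rc
}

# Constructed sample: NAT rules are right, but the filter table forwards anything
# that arrives on the WAN side. (iptables-save prints the uid numerically; 13 is
# the "proxy" user on Debian.)
WEAK_DUMP=$(mktemp)
cat >"$WEAK_DUMP" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
EOF

# Constructed sample: same NAT rules with a default-deny FORWARD chain.
HARDENED_DUMP=$(mktemp)
sed '/^\*filter/,$d' "$WEAK_DUMP" >"$HARDENED_DUMP"
cat >>"$HARDENED_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

for f in "$WEAK_DUMP" "$HARDENED_DUMP"; do
    echo "== $f"
    if check_rules "$f"; then echo "OK: rule set passes"; fi
done
```

On the gateway itself, dump the live rules with iptables-save to a file and pass that file to check_rules; only once it reports nothing is the dump worth writing to the persistent rules file.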

Finally, clients that should use the transparent proxy set their default gateway to the LAN-side address of the proxy host (its eth1 address here), for example via DHCP; they need no proxy settings of their own.

If you would like a more advanced setup for your transparent proxy, such as web filtering, refer to this tutorial.


Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
