# How 2 Squid transparency proxy?

## CaptainBlood

There seems 2B2 methods:

One implying IPTABLES only via REDIRECT.

Second also implying TPROXY with MANGLE.

Asking 4 advice which 2 choose B4 spending another 2 days 2 succeed the bad way ...  :Laughing: 

Thanks 4 ur attention.

----------

## szatox

I used to do that on iptables, redirecting all passing-through traffic to port 80 at local 3128 instead. That was the easy part; the hard one was getting squid's config sorted. ACL rules there were a real pain. I think I eventually dropped them all and relied solely on the firewall to keep outsiders away.

Oh, and squid is not transparent by default. It expects the browser to actively cooperate. You will have to change some option in its config to let it slip in (and another if you want to remove the extra header squid puts into the http requests it makes).

----------

## papahuhn

Squid combined with tproxy is used in networks where clients have their own public IP. Squid will connect to the destination while using the original source IP on its own socket, which is not possible by default. If you want to use squid in your home network and have only one public IP, there is no point in using tproxy, as you will have to NAT the clients anyway.

----------

## DawgG

what goal are you trying to reach? how many machines (firewalls/routers) are involved?

generally, you have to direct packets destined to port 80 to the (configured) squid-port; this is usually done with NAT on the same or some other box. then squid has to run in transparent mode and its ACLs and (maybe) parents/siblings configured.

in my case the NAT-firewall picks out the packets sent (by the clients behind the captive portal) to port 80 and SNATs them to the squid-box:3128. this is the relevant line in squid.conf:

```
http_port <SQUID-BOX-IP>:3128 transparent connection-auth=off 
```

squid then fetches the stuff either directly or (in my case) from its parent; this is configured with the ACLs/RULEs. if you don't need any fancy filtering/redirection-stuff 10-20 lines combined will do the job.

the fetched content is then sent back to the firewall which SNATs it back to the clients.

it is important to note that squid would not run in transparent mode when iptables was not activated in the kernel; nothing has to be installed or configured, it just has to be activated:

```
<SQUID-BOX>~ # zgrep -i iptables /proc/config.gz
CONFIG_IP_NF_IPTABLES=y
```

these are the relevant rules on the NAT-box that send the traffic to squid and back:

```
NAT-BOX ~ # iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  <PORTAL-BOX>  anywhere             tcp dpt:http to:<SQUID-BOX>:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       tcp  --  <SQUID-BOX>     anywhere             tcp spt:3128 to:<NAT-BOX-IP>
```

of course you can do everything on the same box, just adapt the interfaces/addresses.

GOOD LUCK!

----------
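Added example (not posted by anyone in this thread): the single-box variant of the REDIRECT method that DawgG's post describes, with the squid.conf options szatox mentions (transparent mode, and stripping the extra headers). Interface names, the LAN subnet and the Squid port are assumptions for the sake of the example; the `run` wrapper prints the commands in dry-run mode so the rules can be reviewed without root.

```shell
#!/bin/sh
# Transparent Squid via iptables REDIRECT on one box that is also the
# NAT gateway. Assumed (not from the thread): LAN on eth0 = 192.168.1.0/24,
# WAN on eth1, Squid listening on 3128.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# With DRY_RUN=1 the commands are echoed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# REDIRECT rewrites the destination of the LAN clients' port-80 packets to
# the local Squid port. Matching on the LAN interface and subnet keeps
# Squid's own outbound fetches (which leave on WAN_IF) out of the rule, so
# they are not looped back into the proxy.
squid_redirect_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # The proxy port must not be reachable from the WAN side: an open
    # intercept port is an open proxy for anyone who can reach it.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP
    # Everything else from the LAN (including Squid's fetches) is masqueraded.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Matching squid.conf fragment. REDIRECT rewrites the destination to the
# address of the interface the packet arrived on, so the port is bound on
# all addresses (the INPUT rule above fences it off from the WAN).
# "intercept" is the Squid 3.1+ spelling of the older "transparent" option.
# "via off" and "forwarded_for delete" drop the headers Squid would
# otherwise add to the requests it makes upstream.
squid_conf_fragment() {
    cat <<EOF
http_port $SQUID_PORT intercept
acl localnet src $LAN_NET
http_access allow localnet
http_access deny all
via off
forwarded_for delete
EOF
}

# Usage: run as root to apply the rules, or DRY_RUN=1 to only print them;
# append the fragment to squid.conf and reload Squid.
if [ "${0##*/}" = "squid-redirect.sh" ]; then
    squid_redirect_rules
    echo "--- squid.conf fragment ---"
    squid_conf_fragment
fi
```

The INPUT rule on the WAN interface is the same point szatox makes about relying on the firewall to keep outsiders away: the intercept port itself has no way to tell a redirected LAN client from an attacker connecting to it directly. The TPROXY/MANGLE variant from the first post is only worth the extra setup when, as papahuhn notes, the clients keep their own public addresses; a laptop behind NAT has nothing to gain from it.

----------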

## CaptainBlood

My aim is mainly prototyping on my laptop.

So no public ip.

There's 2 firewalls/routers involved.

Thks 4 ur attention, interest & support.

----------

