Last Updated: February 25, 2016
· pmaoui

Create a gateway with a transparent proxy (Iptables, Squid)

You need at least two network interfaces. We call them eth0 and eth1.

  • eth0 brings the internet
  • eth1 is the organization network (usually a switch)

Accept new connections from inside (eth1) and forward them out (eth0). Here 192.168.1.0/24 stands for your LAN range; replace it with yours:

iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

We also accept forwarding of all already established connections (and their related ones, for example FTP data channels):

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Masquerading (substitute the local source IP address with the public address) on the internet side only:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Force all connections to HTTP (port 80) to go to port 8080, where Squid handles the request (again, 192.168.1.0/24 is your LAN range):

sudo iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

If you need an IP to bypass Squid, insert its ACCEPT rule at position 1 so it is matched before the REDIRECT rule:

sudo iptables -t nat -I PREROUTING 1 -i eth1 -s 192.168.1.XXX -p tcp -m tcp --dport 80 -j ACCEPT
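The whole procedure above as one reviewable script, added here as an example (it is not part of the original protip). It prints the commands instead of running them, so the rule set can be checked before it is applied with `sh gateway.sh eth0 eth1 192.168.1.0/24 192.168.1.10 | sh`. The interface names, LAN range and bypass addresses are parameters, not values from the page; the script also enables IP forwarding and sets a DROP policy on FORWARD, two things the page leaves implicit.

```shell
#!/bin/sh
# Added example: emit the iptables commands for a transparent Squid gateway.
# Usage: gateway_rules WAN_IF LAN_IF LAN_NET [BYPASS_IP ...]
# All four kinds of values are assumptions supplied by the caller.
gateway_rules() {
    wan="$1"; lan="$2"; net="$3"; shift 3
    # Without forwarding enabled the FORWARD chain never sees any packet.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default to dropping, then allow only what the LAN initiates and the replies to it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # NAT only traffic leaving towards the internet, never LAN-to-LAN traffic.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE"
    # Bypass hosts come first: PREROUTING is evaluated top-down, first match wins.
    for ip in "$@"; do
        echo "iptables -t nat -A PREROUTING -i $lan -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # Everything else on port 80 from the LAN is sent to Squid's intercept port.
    echo "iptables -t nat -A PREROUTING -i $lan -s $net -p tcp --dport 80 -j REDIRECT --to-port 8080"
}

# Sanity check: returns non-zero if any bypass ACCEPT lands after the REDIRECT,
# which would silently send the exempted host through Squid anyway.
check_order() {
    gateway_rules "$@" | grep 'dport 80' | awk '/REDIRECT/ {seen=1} /ACCEPT/ && seen {exit 1}'
}

# Count the port-80 rules produced for a given set of parameters.
count_port80_rules() {
    gateway_rules "$@" | grep -c 'dport 80'
}

if [ "$#" -ge 3 ]; then
    check_order "$@" || { echo "bypass rule ordered after REDIRECT" >&2; exit 1; }
    gateway_rules "$@"
fi
```

Squid itself must listen on that port in intercept mode (in Squid 3.x this is `http_port 8080 intercept` in squid.conf; the page does not show the Squid side, so this is an assumption about your setup). The REDIRECT target only rewrites plain HTTP; HTTPS on 443 is not touched by these rules.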

3 Responses

I followed all your steps but my Squid doesn't work. May I send you my configuration files?

over 1 year ago

The first step for you is to make Squid work. This protip is the next step: to make it transparent for the users of your network and to manage who needs to go through Squid or bypass it. You can find useful information for your case here

over 1 year ago

Thank you very much...

over 1 year ago