Separate Squid Server for Transparent Proxy

Post by Kirk » Mon, 26 Feb 2001 08:33:27

I'm running a Netfilter/iptables firewall with transparent proxy à la Squid
on the same server. All is well. However I want to move Squid onto its
own machine. All attempts at this have failed, with any packets directed to
a Squid server other than the local firewall disappearing or looping. The
iptables command I'm using is below. I suspect I need to do some work on
the remote Squid server, but I'm not sure what.

${IPTABLES} -t nat -A PREROUTING -i ${LAN_IFACE} -p tcp --dport 80 -j DNAT --to ${SQUID}

1. Help with configuring squid (aka proxy server) in transparent caching mode

I am running RedHat Linux 7.0 with kernel version 2.4.2. This Linux box has 2 interfaces.
The external (public) interface [eth1] has an IP of and the internal interface [eth0]
(private) has an IP address of I am running iptables (aka netfilter) on this
box so that other clients (Microsoft Windows 98/NT/2k) on the private network can
access the Internet. Everything is working smoothly and I am quite happy with it.

Now I would like to implement squid (aka proxy server) on another Linux box in my private
network (this Linux box has an IP address of so that I can improve Internet
access performance for internal clients. After installing and configuring squid, I run the
following command to make sure that squid is running properly:

/usr/local/squid/bin/client -h -p 3128

I look at the /usr/local/squid/logs/access.log file and see that squid is functioning properly.
To make sure that squid is also functioning properly from a client, I configure the Netscape browser
on one of the clients (IP to point to the squid server (in Netscape:
Edit, Preferences, Advanced, Proxies, and specify the IP address and the port 3128).
In summary, squid works.

Now, what I would like to accomplish is to configure the squid server to run in transparent
caching mode. I do NOT want to go to every client and reconfigure the browser to point
to the squid server. Because I am running IP masquerade (NAT) on the main Linux box,
I put the following lines in the rc.firewall script:

#Accept port 3128 for squid
$IPT -A INPUT -p tcp --destination-port 3128 -j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to
$IPT -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to

What this should accomplish is to redirect any traffic (80 or 443) that hits the internal interface of
the Linux box (IP to the squid server and see if the information is already in the
cache, only going to the Internet if necessary.

Well, it does NOT work. Because I am not a Linux expert, I am stuck at this point. I don't know
how to proceed from here. If anyone in the group has done this or something similar to this, please
show me how.

Sorry for a very long mumbo-jumbo question.
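Both posts want the same thing: the firewall redirecting LAN port-80 traffic to a Squid box that lives on the same LAN rather than on the firewall. The script below is an added example, not code from either poster; it prints the iptables rules and the Squid 2.x directives I would use, and the addresses, interface name and variable names in it are constructed placeholders. The three things the posted rules lack are the Squid port in the DNAT target (Squid listens on 3128, not 80), an exception for the Squid box's own fetches (otherwise they are redirected back into Squid, which is the looping), and a return path through the firewall (otherwise Squid answers the client directly from a different address and the client drops the reply, which is the disappearing).

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and interface names are
# constructed placeholders; adjust them to the real network.
IPTABLES=/sbin/iptables
LAN_IFACE=eth0
LAN_NET=192.168.1.0/24
FW_LAN_IP=192.168.1.1     # firewall's address on the LAN
SQUID=192.168.1.2         # the separate Squid box, also on the LAN
SQUID_PORT=3128

# Print the rules rather than run them, so the set can be reviewed first.
squid_dnat_rules() {
    # 1. Never redirect the Squid box's own port-80 fetches; with a plain
    #    DNAT they loop straight back into Squid.
    echo "$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $SQUID -p tcp --dport 80 -j ACCEPT"
    # 2. Send everyone else to Squid's listening port, not to port 80.
    echo "$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $SQUID:$SQUID_PORT"
    # 3. Client and Squid share a subnet, so Squid would answer the client
    #    directly from $SQUID:$SQUID_PORT and the client would discard it.
    #    SNAT the forwarded connection so Squid replies via the firewall.
    echo "$IPTABLES -t nat -A POSTROUTING -o $LAN_IFACE -s $LAN_NET -d $SQUID -p tcp --dport $SQUID_PORT -j SNAT --to-source $FW_LAN_IP"
    # 4. Let the rewritten connection through the filter table both ways.
    echo "$IPTABLES -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -d $SQUID -p tcp --dport $SQUID_PORT -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -s $SQUID -p tcp --sport $SQUID_PORT -j ACCEPT"
}

# Squid 2.x side: accept requests that carry no proxy-style absolute URL.
squid_transparent_conf() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
EOF
}

squid_dnat_rules
squid_transparent_conf
```

Rule 3 makes every client appear to Squid as the firewall's address, so Squid's access.log no longer records which client asked for what; if that matters, the alternative is to leave out the SNAT and instead route the Squid box's replies back through the firewall with policy routing on the Squid box.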
