Making Squid a transparent proxy

..has absolutely nothing (almost) to do with Squid.

It’s a single firewall rule like so:

-A PREROUTING -p tcp -m tcp -i wdev0ap0 --dport 80 -j DNAT --to-destination

That’s normally an iptables rule, but Arch (at least the version I was working with) was using UFW, so it goes inside /etc/ufw/before.rules, right at the top, in a *nat table block of its own with its own COMMIT line (the stock before.rules only contains a *filter block, and a PREROUTING rule outside a *nat block will fail to load).

-A PREROUTING -p tcp -m tcp -i wdev0ap0 --dport 80 -j DNAT --to-destination

Make sure to restart ufw.

ufw disable && ufw enable

From the Squid side, you just have to make sure that Squid is listening on a port transparently, i.e. in squid.conf change
http_port 3128
to
http_port 3128 intercept

That should do it.
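One way to keep the DNAT target and Squid’s intercept port in step, as an added example in POSIX sh that is not part of the original post: it renders the *nat block for /etc/ufw/before.rules and the matching squid.conf port lines from one set of parameters and then checks that the port DNAT sends to really is an intercept port. The interface, IP and port values passed in are assumed placeholders, not the author’s.

```shell
#!/bin/sh
# Added example, not from the original post. Interface, IP and ports are
# placeholders supplied by the caller.

# Render the *nat table block that goes at the top of /etc/ufw/before.rules.
# $1 = LAN-side interface, $2 = proxy IP on that interface, $3 = Squid intercept port
ufw_nat_block() {
  iface="$1"; proxy_ip="$2"; icpt_port="$3"
  printf '%s\n' \
    '*nat' \
    ':PREROUTING ACCEPT [0:0]' \
    "-A PREROUTING -p tcp -m tcp -i $iface --dport 80 -j DNAT --to-destination $proxy_ip:$icpt_port" \
    'COMMIT'
}

# Render the squid.conf port lines: a plain port for explicitly configured
# clients and a separate intercept port for DNAT'd traffic. Squid rejects
# ordinary proxy requests arriving on an intercept port, so keep them apart.
# $1 = plain proxy port, $2 = intercept port
squid_port_lines() {
  plain_port="$1"; icpt_port="$2"
  printf 'http_port %s\nhttp_port %s intercept\n' "$plain_port" "$icpt_port"
}

# Consistency check: the port named in --to-destination must appear in
# squid.conf as an intercept port. Returns 0 if consistent, 1 otherwise.
# $1 = rendered nat block, $2 = rendered squid port lines
check_consistent() {
  nat_port=$(printf '%s\n' "$1" | sed -n 's/.*--to-destination [0-9.]*:\([0-9]*\).*/\1/p')
  [ -n "$nat_port" ] || return 1
  printf '%s\n' "$2" | grep -q "^http_port ${nat_port} intercept\$"
}
```

Redirect the output of ufw_nat_block into before.rules above the *filter block and the output of squid_port_lines into squid.conf, then run check_consistent on both before reloading ufw.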


I wanted to use an FQDN for the splash page though, so we used dnsmasq for DNS.
pacman -S dnsmasq

Then we just edit the /etc/hosts file and put in the FQDN that we want to map to the local IP (not localhost); dnsmasq serves the entries from /etc/hosts by default, so that is all it takes. Of course, this only ever works if your device has a static IP (which it should).

# /etc/hosts: static lookup table for host names

# localhost.localdomain localhost
::1 localhost.localdomain localhost

# End of file

For clients to use the DNS server on the device, it has to be their first/default DNS server, so configure that in the network settings.

From here, I can change the Squid splash page config accordingly based on where my allow access page is.

Next steps:

  • Pass along default DNS setting during DHCP
  • Start squid and dnsmasq on startup
  • Remove Node.js apps from startup
  • Install Nginx
  • Map default Squid error page from the static HTML error to default web server on localhost (might not be needed)
  • Dealing with SSL on a transparent proxy setting
  • Changing upstream from eth0 to usb dongle

Thanks to Madumlao for all the help. :)