Making Squid a transparent proxy

..has absolutely nothing (almost) to do with Squid.

It’s a single firewall rule like so:

-A PREROUTING -p tcp -m tcp -i wdev0ap0 --dport 80 -j DNAT --to-destination 127.0.0.1:3128

That’s an IPTables rule, normally but Arch (at least the version I was working with) was using UFW so that goes inside my before.rules in /etc/ufw/before.rules, right at the top.


*nat
:PREROUTING - [0,0]
-A PREROUTING -p tcp -m tcp -i wdev0ap0 --dport 80 -j DNAT --to-destination 127.0.0.1:3128
COMMIT

Make sure to restart ufw.

ufw disable && ufw enable

From Squid side, you just have to make sure that Squid is listening to a port transparently.
Change
http_port 3128
to
http_port 3128 intercept.

That should do it.

—-

I wanted to use a FQDN for the splash page though, so we used DNSMasq for DNS.
pacman -S dnsmasq

Then we just edit the /etc/hosts file and put in the FQDN that we want to map to the local IP (not localhost). Of course, this only ever works if your device has a static IP (which it should).


#
# /etc/hosts: static lookup table for host names
#

#
10.1.0.1 rystraum.com
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost

# End of file

In order for you to use the DNS on the device, you have to make it your first/default DNS. So, configure that on your network settings.

From here, I can change the Squid splash page config accordingly based on where my allow access page is.

Next steps:

  • Pass along default DNS setting during DHCP
  • Start squid and dnsmasq on startup
  • Remove Node.js apps from startup
  • Install Nginx
  • Map default Squid error page from the static HTML error to default web server on localhost (might not be needed)
  • Dealing with SSL on a transparent proxy setting
  • Changing upstream from eth0 to usb dongle

Thanks to Madumlao for all the help. :)