Transparent proxying for the localhost

May 28, 2005

Transparent proxying, or interception proxying as it is sometimes known, is easy enough to set up. All you need is a simple iptables rule:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
Then all HTTP requests will be redirected to the squid proxy server running on your gateway machine. Of course the proxy does not have to be squid; it can even be apache. If you are using squid. Now suppose for a moment that you want to set up a proxy on your own desktop, maybe for speed or maybe because you are a geek. The above iptables rule will not work, because the PREROUTING chain only sees packets being routed through a computer acting as a gateway, not packets generated on the machine itself. At first glance a slight modification will do the trick:

    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
This rule instructs iptables to send all outgoing HTTP requests to port 3128 instead. So far so good, but there is a catch: no matter what you try you seem to get nothing but access denied errors. The cache.log file has the alarming message:

    WARNING: Forwarding loop detected for: GET / HTTP/1.0 Host: www.radinks.com

It would seem that the packets sent out by squid itself (its own requests to the origin server) are being intercepted again and sent back to squid! So what's the solution? We get a little help from a little-known iptables match, --uid-owner, which lets you match packets by the user whose process generated them. In my installation the squid process is owned by nobody, and nobody has the uid 99, so the above rule can be modified as follows:

    iptables -t nat -A OUTPUT -m owner ! --uid-owner 99 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
That means any packet that is not being sent out by squid itself should be redirected to squid. There is just one more small modification. I have a web server also running on my computer (and then there is mysql, postgresql, qmail and about half a dozen FTP servers on different ports). The sites running on the web server should not be sent through the proxy. So you can add:

    iptables -t nat -A OUTPUT -p tcp -d 192.168.1.0/255.255.255.0 --dport 80 -j ACCEPT

Keep in mind that iptables evaluates the nat OUTPUT chain top-down and stops at the first matching target, so this ACCEPT rule has to sit above the REDIRECT rule; if the REDIRECT rule is already in place, insert this one at the top with -I OUTPUT 1 instead of appending it with -A.
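As an added example (not code from the original post), the shell script below emits the two OUTPUT rules the post ends up with in the order iptables must see them, and audits a ruleset as printed by `iptables -t nat -S OUTPUT` for the forwarding-loop and rule-order mistakes described above. It assumes the proxy runs as user nobody on port 3128 and the local web server sits on 192.168.1.0/24; all three are parameters, and the `iptables -S` lines used for checking are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: emit the nat OUTPUT rules the post
# arrives at, in the order iptables must see them, and audit an existing ruleset
# (as printed by `iptables -t nat -S OUTPUT`) for the forwarding-loop mistake.
# Assumed values: proxy user "nobody", port 3128, LAN 192.168.1.0/24 (parameters).

# print_rules PROXY_UID PROXY_PORT LOCAL_NET
# The LAN bypass comes first: nat rules are matched top-down and the first
# terminating target wins, so a bypass appended below the REDIRECT never fires.
print_rules() {
    printf '%s\n' \
        "iptables -t nat -A OUTPUT -p tcp -d $3 --dport 80 -j ACCEPT" \
        "iptables -t nat -A OUTPUT -m owner ! --uid-owner $1 -p tcp --dport 80 -j REDIRECT --to-ports $2"
}

# audit_ruleset PROXY_UID  (reads `iptables -t nat -S OUTPUT` lines on stdin)
# Prints one word and returns 0 only for OK:
#   LOOP   a port-80 REDIRECT does not exclude the proxy uid, so the proxy's own
#          upstream requests are redirected back into it (the cache.log warning)
#   ORDER  the port-80 ACCEPT bypass sits below the REDIRECT and can never match
#   OK     the layout the post ends up with
audit_ruleset() {
    uid="$1"; seen_redirect=0; status=OK
    while IFS= read -r line; do
        case "$line" in
            *"--dport 80"*"-j REDIRECT"*)
                seen_redirect=1
                # trailing space so uid 99 does not also accept 999
                case "$line" in
                    *"! --uid-owner $uid "*) ;;
                    *) status=LOOP ;;
                esac ;;
            *"--dport 80"*"-j ACCEPT"*)
                if [ "$seen_redirect" -eq 1 ] && [ "$status" = OK ]; then
                    status=ORDER
                fi ;;
        esac
    done
    echo "$status"
    [ "$status" = OK ]
}

# Stand-alone use: `sh proxy-rules.sh show` prints the rules (pipe to sh as root
# to apply); `sh proxy-rules.sh audit` checks the live ruleset.
case "${1:-}" in
    show)  print_rules "$(id -u nobody)" 3128 192.168.1.0/24 ;;
    audit) iptables -t nat -S OUTPUT | audit_ruleset "$(id -u nobody)" ;;
esac
```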
Posted by raditha at May 28, 2005 12:53 PM