19.8. Setting Up a Transparent Proxy

Many networks use proxy servers like Squid to cache commonly accessed websites and thus cut down on the amount of bandwidth used by web browsing clients. Normally, each client must be configured to use the proxy server instead of making direct connections to websites. On a large network with many client systems or at an ISP where they are owned by many different people, this individual configuration can be difficult. It is made worse by each browser having its own proxy server settings, so if a user installs a new browser it will probably default to not using a proxy at all.

Fortunately, there is a solution—transparent proxying. If all client systems access the Internet through a gateway running an IPtables firewall, it can be configured to redirect connections to port 80 (used by most websites) to a proxy server on some other system. This means that clients do not need to be configured to access a proxy, as any HTTP requests that they make will be transparently sent to the proxy server without their knowledge.

To set up transparent proxying, the steps to follow are:

1. On the main page of the Linux Firewall module on the gateway system, select Network address translation from the list next to the Showing IPtable button, then click the button.

2. In the Packets before routing section, click on Add rule to go to the rule creation form. The rule being added will redirect all traffic on port 80 forwarded by the firewall system to a proxy server.

3. Set the Action to take to Destination NAT.

4. In the IPs and ports for DNAT field, select IP range and enter the address of the proxy server system into the field next to it. If the proxy is running on the same system, enter its Ethernet IP address (not 127.0.0.1).

   In the field next to Port range, enter the port the proxy server is running on, such as 8080.

5. Set the Incoming interface to Equals and select the internal LAN interface, such as eth0.

6. Set the Network protocol to Equals and select TCP.

7. If the proxy is on another system that is also on the internal LAN, make sure that its connections on port 80 will not be proxied by the firewall as well! To do this, set the Source address or network condition to Does not equal and enter the IP address of the proxy server into the field next to it.

   If the proxy is on a different LAN or is the firewall system, this is not necessary.

8. Set the Destination TCP or UDP port to Equals and enter 80 into the Port(s) field.

9. Click the Create button to save the rule and return to the module's main page.

10. Click on Add rule under Packets after routing to bring up the rule creation form again. This rule will forward packets back in the other direction from the proxy to the client. If your firewall system is also running the proxy server, this rule is not necessary and you can skip to Step 16.

11. For the Action to take, select Source NAT.

12. In the IPs and ports for SNAT field, select IP range and enter the LAN IP address of the firewall server into the field next to it.

13. Set the Destination address or network to Equals and enter the IP address of the proxy server into the field next to it.

14. Set the Network protocol to Equals and select TCP.

15. Click the Create button to add the new rule.

16. Back on the main page, click the Apply Configuration button. All packets on port 80 forwarded by your firewall will now be sent to the proxy server instead.

17. Assuming you are running the Squid proxy server (version 2.4 or above) on the proxy system, you can use Webmin to configure it. Otherwise, you will need to set it up manually to accept transparent proxy connections, and there is no point reading beyond this step.

18. On the proxy system, enter the Squid Proxy Server module and click on Miscellaneous Options.

19. Set the HTTP Accel Host field to Virtual, and the HTTP Accel Port to 80.

20. Set both the HTTP Accel With Proxy and HTTP Accel Uses Host Header fields to Yes.

21. Finally, click Save to return to the main page of the Squid module, and click the Apply Changes link near the top of the page to activate the new configuration.

From now on, any HTTP requests on port 80 forwarded by your firewall will be sent to the proxy server for processing. Transparent proxying can be safely used at the same time as conventional NAT by creating a masquerade rule in the Packets after routing chain, as explained in Section 19.7 “Setting Up Network Address Translation”.
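The same two NAT rules and the Squid settings, written as an added shell example that is not from the book or from Webmin. The interface and addresses (eth0, firewall LAN IP 192.168.1.1, proxy 192.168.1.10 on port 8080) are assumed values, and the squid.conf directive names are the Squid 2.x accelerator-mode options that the Webmin fields in Steps 19 and 20 correspond to.

```shell
#!/bin/sh
# Added example (not from the book): iptables and Squid 2.x equivalents of the
# Webmin rules above. Assumed values: LAN interface eth0, firewall LAN IP
# 192.168.1.1, proxy 192.168.1.10 listening on 8080. Without a fifth argument
# of "apply" the iptables commands are only printed, not executed.

tproxy_rules() {
    lan_if=$1; fw_ip=$2; proxy_ip=$3; proxy_port=$4; mode=${5:-print}
    if [ "$mode" = apply ]; then run() { "$@"; }; else run() { echo "$*"; }; fi

    if [ "$proxy_ip" = "$fw_ip" ]; then
        # Proxy runs on the firewall itself: only the DNAT rule is needed
        # (the exclusion in Step 7 and the SNAT rule of Step 10 do not apply).
        run iptables -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
            -j DNAT --to-destination "$proxy_ip:$proxy_port"
    else
        # Step 7: never redirect the proxy's own outbound port-80 connections,
        # otherwise every cache miss would be looped straight back into the proxy.
        run iptables -t nat -A PREROUTING -i "$lan_if" -p tcp ! -s "$proxy_ip" \
            --dport 80 -j DNAT --to-destination "$proxy_ip:$proxy_port"
        # Steps 10-15: rewrite the source so the proxy's replies come back through
        # the firewall, which holds the DNAT state, rather than straight to the client.
        run iptables -t nat -A POSTROUTING -p tcp -d "$proxy_ip" \
            -j SNAT --to-source "$fw_ip"
    fi
}

# Steps 19 and 20 as squid.conf directives (Squid 2.x accelerator-mode names).
squid_transparent_conf() {
    printf '%s\n' \
        'httpd_accel_host virtual' \
        'httpd_accel_port 80' \
        'httpd_accel_with_proxy on' \
        'httpd_accel_uses_host_header on'
}

# Dry run with the assumed addresses; append "apply" to install the rules as root.
tproxy_rules eth0 192.168.1.1 192.168.1.10 8080
squid_transparent_conf
```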
