A transparent proxy allows network traffic to be intercepted and redirected without requiring any changes from the client. This is useful for filtering, monitoring, or caching requests. In Linux, we can configure a transparent proxy using iptables, a powerful tool for network traffic control. This article explains how to set up a transparent proxy using iptables, with examples and detailed steps.
Prerequisites
- Linux-based system (Ubuntu/Debian/CentOS)
- iptables installed and functional
- A proxy server installed (e.g., Squid or HAProxy)
- Root or sudo access to the system
Step 1: Installing the Proxy Server
Before configuring iptables, ensure that you have a proxy server installed. For this example, we will use Squid, which is a widely used proxy server.
sudo apt update
sudo apt install squid
After installation, Squid will be configured to listen on port 3128 by default. You can check its status with:
sudo systemctl status squid
Step 2: Configuring Squid for Transparent Proxying
To enable Squid as a transparent proxy, it must accept intercepted connections on its listening port (3128 by default); the iptables rules in Step 3 redirect traffic that arrives for HTTP port 80 to that port. Edit the Squid configuration file:
sudo nano /etc/squid/squid.conf
Look for the http_port directive and modify it as follows:
http_port 3128 transparent
On Squid 3.1 and newer, transparent is a deprecated alias for the intercept option (http_port 3128 intercept), so use intercept on current releases. After editing, restart Squid to apply the changes:
sudo systemctl restart squid
Step 3: Configuring iptables for Transparent Proxying
Now that Squid is configured, we need to configure iptables to intercept traffic and redirect it to the proxy. We will use the REDIRECT target in iptables to capture outgoing HTTP requests and redirect them to Squid.
3.1 Enabling IP Forwarding
First, ensure that IP forwarding is enabled on your system. This allows your system to forward traffic between interfaces.
sudo sysctl -w net.ipv4.ip_forward=1
To make this change persistent across reboots, edit the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Uncomment or add the line:
net.ipv4.ip_forward=1
Apply the changes by running:
sudo sysctl -p
3.2 Creating iptables Rules
Now we will create the iptables rules to redirect HTTP traffic to Squid. The rules should be added to the nat table to manipulate network address translation.
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
This rule redirects TCP traffic arriving at this host from clients that route through it, with destination port 80 (HTTP), to local port 3128, where Squid is listening. It covers plain HTTP only; HTTPS on port 443 is not intercepted by this rule. To verify the rule is applied, use the following command:
sudo iptables -t nat -L
If you want the iptables rules to persist after a reboot, save the configuration with the command below. This path is the one read at boot by the iptables-persistent package on Debian/Ubuntu, so install that package first; otherwise the directory may not exist and nothing reloads the file.
sudo iptables-save > /etc/iptables/rules.v4
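The rules above intercept every port-80 connection that reaches the host. The script below is an added example, not part of the original article, that builds the same REDIRECT setup in a dedicated nat chain so it can be re-run without appending duplicate rules, and restricts interception to the client-facing interface and subnet so only LAN clients are proxied. The interface name eth1, the subnet 192.168.1.0/24, the chain name TRANSPROXY and the rules file path are assumptions; override them through the environment. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original article: build the nat-table rules for
# the transparent proxy in a dedicated chain so the script can be re-run
# without duplicating rules, and restrict interception to the client-facing
# interface and subnet. LAN_IF, LAN_NET, CHAIN and RULES_FILE are assumptions.
LAN_IF="${LAN_IF:-eth1}"               # assumed: interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: client subnet
PROXY_PORT="${PROXY_PORT:-3128}"       # port from http_port in squid.conf
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
CHAIN="TRANSPROXY"                     # assumed chain name

# One REDIRECT rule for a TCP destination port, placed in the custom chain.
# The -s match keeps connections from outside the LAN out of the proxy.
redirect_rule() {
    _net=$1; _dport=$2; _to=$3
    printf 'iptables -t nat -A %s -s %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$CHAIN" "$_net" "$_dport" "$_to"
}

# The complete command list, in order: enable forwarding, create the chain if
# missing and flush it, hook it into PREROUTING for the LAN interface only if
# that jump is not already there (-C checks for an existing rule), add the
# redirect, then save the table for iptables-persistent.
rule_set() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -N $CHAIN 2>/dev/null || true"
    echo "iptables -t nat -F $CHAIN"
    echo "iptables -t nat -C PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null || iptables -t nat -A PREROUTING -i $LAN_IF -j $CHAIN"
    redirect_rule "$LAN_NET" 80 "$PROXY_PORT"
    echo "iptables-save > $RULES_FILE"
}

# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them,
# which needs root, and stops at the first failure.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        rule_set
        return 0
    fi
    rule_set | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

apply_rules
```

Because the redirect lives in its own chain and the jump from PREROUTING is added only once, re-running the script after changing the subnet or port leaves other nat rules on the host (port forwards, masquerading) untouched.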
Step 4: Testing the Transparent Proxy
Once the iptables rules are in place and Squid is configured, it’s time to test the transparent proxy setup. Open a browser on a client machine within the same network and try to access a website. The traffic should be intercepted by the Squid proxy server.
To verify that the proxy is working, check Squid’s access logs:
sudo tail -f /var/log/squid/access.log
If the requests appear in the log, then the proxy is functioning correctly.
Step 5: Troubleshooting
If the transparent proxy is not working, there are a few common issues to check:
- Ensure that Squid is running and listening on port 3128.
- Check the iptables rules with sudo iptables -t nat -L to make sure the redirection is correct.
- Verify that the client machine is using the correct gateway and routing configuration.
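The log check in Step 4 and the first two items of this troubleshooting list can be scripted. The block below is an added example, not from the original article: each check is a function that reads command output on stdin, so the same function runs on live output (ss -ltn, iptables -t nat -S, /var/log/squid/access.log) or on the constructed samples included here. The client addresses, the log lines and the ss/iptables output are constructed; the proxy port defaults to 3128.

```shell
#!/bin/sh
# Added example, not from the original article: the checks from the
# troubleshooting list as functions that read command output on stdin, so
# the same functions run on live output (ss -ltn, iptables -t nat -S,
# access.log) or on the constructed samples below. Addresses, the port and
# the log lines are assumptions.
PROXY_PORT="${PROXY_PORT:-3128}"

# Check 1: is Squid listening on the proxy port?  Input: output of `ss -ltn`.
# Column 4 is Local Address:Port; the port is the text after the last colon,
# which also handles IPv6 forms such as [::]:3128.
squid_listening() {
    awk -v port="$PROXY_PORT" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check 2: is the REDIRECT rule for port 80 present?  Input: `iptables -t nat -S`.
# -S prints rules in the form they were added, e.g.
#   -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
redirect_rule_present() {
    grep -qE -e "^-A [A-Za-z0-9_]+ .*--dport 80 .*-j REDIRECT --to-ports ${PROXY_PORT}\$"
}

# Check 3: are a client's requests reaching Squid?  Input: access.log in the
# native format (time elapsed client code/status bytes method URL ...).
# Prints the number of requests logged for the given client address.
client_request_count() {
    awk -v client="$1" '$3 == client { n++ } END { print n + 0 }'
}

# Per-client totals with how many of each client's requests Squid denied,
# which separates "traffic is not reaching the proxy" from "the proxy is
# rejecting it" (an ACL problem in squid.conf, not an iptables one).
client_summary() {
    awk '{ total[$3]++; if ($4 ~ /^TCP_DENIED/) denied[$3]++ }
         END { for (c in total) printf "%s requests=%d denied=%d\n", c, total[c], denied[c] + 0 }' | sort
}

# Constructed samples standing in for live command output.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096         0.0.0.0:3128      0.0.0.0:*'
SAMPLE_NAT='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
SAMPLE_LOG='1700000000.101    245 192.168.1.20 TCP_MISS/200 5321 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000000.350     12 192.168.1.20 TCP_HIT/200 812 GET http://example.com/style.css - HIER_NONE/- text/css
1700000001.002      3 192.168.1.31 TCP_DENIED/403 3765 GET http://blocked.example/ - HIER_NONE/- text/html'

# Run the three checks against the samples; pipe live output in practice.
run_checks() {
    printf '%s\n' "$SAMPLE_SS" | squid_listening && echo "ok: listener on $PROXY_PORT" || echo "FAIL: nothing listening on $PROXY_PORT"
    printf '%s\n' "$SAMPLE_NAT" | redirect_rule_present && echo "ok: REDIRECT rule present" || echo "FAIL: no REDIRECT rule for port 80"
    printf '%s\n' "$SAMPLE_LOG" | client_summary
}
run_checks
```

On a live gateway the same functions are used as `ss -ltn | squid_listening`, `sudo iptables -t nat -S | redirect_rule_present` and `sudo tail -n 1000 /var/log/squid/access.log | client_summary`. A client that is missing from the summary entirely points at the gateway or iptables side; a client whose requests are logged but denied points at Squid's ACLs.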