🔗 Linux traffic interception at source using DNAT
🔗 Outline
Using NAT interception is not recommended other than as a final fallback when other methods are unavailable. Alternatives such as proxy auto-configuration (WPAD/PAC), the Linux http_proxy environment variable, and Windows policy enforcement of browser configuration are just as effective and cause fewer problems when multiple clients are involved.
This configuration uses NAT to intercept web requests generated by other software running on the same machine as Squid, without any kind of client application configuration or proxy support. It is extremely intrusive and is not applicable unless you have full control over the client machine (e.g. a rogue application server).
ℹ️ NAT configuration will only work when used on the Squid box. This is required to perform interception accurately and securely. To intercept from a gateway machine and direct traffic at a separate Squid box, use policy routing instead.
🔗 iptables configuration
Replace SQUIDIP with the public IP which Squid may use for its listening port and outbound connections.
You may also need to replace the “squid” UID with the cache_effective_user account Squid runs as. Depending on your operating system this may be a built-in default of “nobody”, “squid”, or “proxy”.
iptables -t nat -A OUTPUT --match owner --uid-owner squid -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3129
🔗 Squid Configuration File
You will need to configure Squid so that it knows the traffic arriving on this port has been intercepted, like so:
http_port 3129 transparent
In Squid 3.1+ the transparent option has been split. Use ‘intercept’ to catch DNAT packets:
http_port 3129 intercept
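The rule order matters: the owner-match ACCEPT rule must be evaluated before the DNAT rule, otherwise Squid's own outbound port-80 connections are redirected back to port 3129 and loop. As an added example (not from the Squid wiki or the Squid project), this POSIX sh script prints the two rules for a given SQUIDIP and UID and checks a saved `iptables -t nat -S OUTPUT` listing for that ordering; the address 192.0.2.10, the UID 13 and both listings are constructed.

```shell
#!/bin/sh
# Added example: emit the DNAT interception rules and sanity-check rule order.
# The owner-match ACCEPT must come first: otherwise Squid's own outbound
# port-80 connections are DNATed back to port 3129 and loop.

# Print the two nat OUTPUT rules for the given Squid IP ($1) and UID ($2).
# Both parameters are assumptions; substitute your own values.
squid_dnat_rules() {
    printf 'iptables -t nat -A OUTPUT --match owner --uid-owner %s -p tcp --dport 80 -j ACCEPT\n' "$2"
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination %s:3129\n' "$1"
}

# Read "iptables -t nat -S OUTPUT" output from stdin. Exit 0 only when an
# owner-match ACCEPT for dport 80 precedes the DNAT to :3129.
check_loop_guard() {
    awk '
        /^-A OUTPUT / && /--uid-owner/ && /--dport 80/ && / -j ACCEPT/ { if (!a) a = NR }
        /^-A OUTPUT / && /--dport 80/ && / -j DNAT / && /:3129/        { if (!d) d = NR }
        END { exit ((a && d && a < d) ? 0 : 1) }
    '
}

# Constructed listings, in the form "iptables -t nat -S OUTPUT" prints them
# (iptables normalises "--match owner" to "-m owner").
GOOD_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 13 -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129'

BAD_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129
-A OUTPUT -p tcp -m owner --uid-owner 13 -m tcp --dport 80 -j ACCEPT'

# Stand-alone demo: print the rules, then check both listings.
squid_dnat_rules 192.0.2.10 squid
printf '%s\n' "$GOOD_LISTING" | check_loop_guard && echo "good listing: loop guard in place"
printf '%s\n' "$BAD_LISTING"  | check_loop_guard || echo "bad listing: DNAT precedes owner ACCEPT (loop risk)"
```

On a live box, pipe `iptables -t nat -S OUTPUT` into `check_loop_guard` after loading the rules to confirm the guard is in place.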
⚠️ Disclaimer: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.