Linux traffic Interception with Squid and the Browser on the same box
by Joshua N Pritikin
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
Outline
To intercept web requests transparently, without any kind of client configuration, when the web traffic is generated by the machine Squid itself runs on.
NP: for most non-Windows boxes setting the http_proxy environment variable (http_proxy="http://SQUIDIP:3128/") is a preferred alternative to the below interception.
NP: other users have reported that setting an outgoing TOS value and filtering on it, instead of on the process gid, is also effective.
iptables configuration
Replace SQUIDIP with the public IP(s) which Squid may use for its listening port and outbound connections. Repeat each iptables line once per Squid outbound IP.

iptables -t nat -F   # clear table

# normal transparent proxy
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3127

# handle connections on the same box (SQUIDIP is a loopback instance)
gid=`id -g proxy`
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3127
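The same rule set as a reviewable POSIX shell function (an added example, not code from the Squid wiki page): it prints the commands rather than applying them, so they can be inspected before being piped to sh. The argument names, the 192.0.2.10 sample address and the refusal to run with a missing or non-numeric gid are assumptions of this example. What it makes explicit is the ordering constraint: the --gid-owner ACCEPT rule must precede the DNAT rule, because it is the only thing stopping Squid's own outbound port-80 connections from being sent back into Squid.

```shell
#!/bin/sh
# Added example (not from the Squid wiki page): emit the same-box interception
# rules as text so they can be reviewed before being applied.
#
# Arguments: <squid gid> <intercept port> <inbound iface> <squid loopback ip>
# The gid is the group Squid's worker processes run as (e.g. `id -g proxy`).
# Its OUTPUT ACCEPT rule must come before the DNAT rule; without it Squid's own
# outbound port-80 connections are DNATed back into Squid and loop forever.
squid_intercept_rules() {
    gid=$1 port=$2 iface=$3 squid_ip=$4

    # Refuse to emit rules without a numeric gid: an empty or bogus --gid-owner
    # means the exemption does not exist (or does not parse) and the loop results.
    case $gid in
        ''|*[!0-9]*) echo "squid_intercept_rules: need numeric gid, got '$gid'" >&2; return 1 ;;
    esac
    [ -n "$port" ] && [ -n "$iface" ] && [ -n "$squid_ip" ] || return 1

    cat <<EOF
iptables -t nat -F
# clients behind $iface: redirect their port-80 traffic into Squid
iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j REDIRECT --to-port $port
# Squid's own outbound fetches (gid $gid) must bypass the OUTPUT rule below
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT
# everything else generated locally is DNATed to the loopback Squid instance
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination $squid_ip:$port
EOF
}
```

Usage, as root, with SQUIDIP replaced by the loopback instance address: `squid_intercept_rules "$(id -g proxy)" 3127 eth0 SQUIDIP | sh`. Run it without the `| sh` first to read the rules that would be installed.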
Squid Configuration File
You will need to configure Squid to know that the traffic arriving on this port is being intercepted, like so:
http_port 3127 transparent
In Squid 3.1+ the transparent option has been split. Use 'intercept' to catch DNAT packets:
http_port 3127 intercept