Linux traffic Interception with Squid and the Browser on the same box

  • by Joshua N Pritikin

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Outline

To intercept web requests transparently, without any kind of client configuration, when the web traffic is generated by the same machine Squid runs on.

NP: for most non-Windows boxes setting the http_proxy environment variable (http_proxy="http://SQUIDIP:3128/") is a preferred alternative to the below interception.

NP: other users have reported setting outgoing TOS and filtering on it instead of process gid to also be effective.

iptables configuration

  • /!\ Replace SQUIDIP with the public IP(s) which squid may use for its listening port and outbound connections. Repeat each iptables line one per squid outbound IP.

iptables -t nat -F  # clear the nat table

# normal transparent proxy: redirect LAN clients arriving on eth0
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3127

# handle connections on the same box (SQUIDIP is a loopback instance)
# Squid's own outbound connections run under the proxy group; ACCEPT them first
# so they are not redirected back into Squid, then DNAT every other local port-80 request.
gid=$(id -g proxy)
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner "$gid" -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3127
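As an added check, not part of this page's own configuration, the following POSIX shell function reads `iptables-save` output and verifies that, in the nat OUTPUT chain, the `--gid-owner` ACCEPT for Squid's group comes before the DNAT to port 3127. If the order is reversed, Squid's own outbound port-80 connections are redirected back into Squid. The sample rule text below is constructed; the gid 13 and address 192.0.2.10 are placeholders.

```sh
#!/bin/sh
# check_intercept_order: read iptables-save text on stdin.
# Returns 0 when the nat OUTPUT chain has a DNAT to :3127 for port 80 AND an
# owner-gid ACCEPT for port 80 appears before it; returns 1 otherwise
# (missing interception rule, or ACCEPT placed after the DNAT).
check_intercept_order() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && /^-A OUTPUT / && /--dport 80/ {
            if (/--gid-owner/ && /-j ACCEPT/) accept_seen = 1
            else if (/-j DNAT/ && /:3127/) { dnat_seen = 1; if (!accept_seen) bad = 1 }
        }
        END { if (dnat_seen && !bad) exit 0; exit 1 }
    '
}

# Constructed sample in iptables-save format (correct order, as on this page).
GOOD_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3127
COMMIT'

# Constructed sample with the two OUTPUT rules swapped (loops Squid into itself).
BAD_RULES='*nat
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3127
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner 13 -j ACCEPT
COMMIT'

# On a live box run as root: iptables-save | check_intercept_order
if printf '%s\n' "$GOOD_RULES" | check_intercept_order; then
    echo "good sample: order OK"
fi
if printf '%s\n' "$BAD_RULES" | check_intercept_order; then :; else
    echo "bad sample: ACCEPT after DNAT (or no DNAT) detected"
fi
```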

Squid Configuration File

You will need to configure Squid so it knows that traffic arriving on this port has been intercepted, like so:

http_port 3127 transparent
  • /!\ In Squid 3.1+ the transparent option has been split. Use 'intercept' to catch DNAT packets.

http_port 3127 intercept


ConfigExamples/Intercept/LinuxLocalhost (last edited 2009-04-03 07:15:48 by AmosJeffries)