Squid Transparent proxy server : How to configure

In our earlier tutorials (Squid Proxy server installation & configuration PART 1 & PART 2 ), we have learned to install & configure squid proxy server. We will now, in this tutorial, learn to configure Squid transparent proxy server. With setting up Squid transparent proxy server, we have a major advantage of not configuring proxy setting on every user’s machine. Being transparent means that users will have no idea that there requests are being passed through a proxy server.

Squid as transparent proxy acts as a gateway between internet and users. It redirects all the internet traffic from port 80 to squid proxy’s port i.e. 3128. So now let’s start with the setting squid as transparent proxy…

( Also read : Setting up squid with authentication )



Firstly, we need to install squid proxy server on the system. To install it, execute

$ sudo yum install squid -y


Configuring squid

Next we need to enable IP Packet Forwarding on the machine, to do this

$ sudo vim /etc/sysctl.conf

then change the following parameter to ‘1’, i.e.

net.ipv4.ip_forward = 1

Save file & exit. Now execute the following command to implement the changes made,

$ sudo sysctl -p

Next, we will configure the squid proxy using it’s main configuration file i.e. ‘/etc/squid/squid.conf’,

$ sudo vim /etc/squid/squid.conf

& make changes as follows to the options mentioned,

http_access allow all

http_port 3128 intercept

visible_hostname squid.proxy

Now save the file & exit. Next to implement the changes restart the squid service,

$ sudo service squid restart

$ chkconfig squid on


Configuring firewall rules

All that remains in the configuration for setting up squid transparent proxy is firewall rules configuration. Firewalld rules for RHEL/CentOS 7 are ,

$ sudo firewall-cmd –permanent –zone=public –add-forward- port=port=80:proto=tcp:toport=3128:toaddr=

$ sudo firewall-cmd –permanent –zone=public –add-port=3128/tcp

$ sudo firewall-cmd –permanent –add-masquerade

$ sudo firewall-cmd –reload

here, is the LAN IP address of the squid proxy server.

For RHEL/CentOS 6, the Iptables rules are

$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to

$ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-port 3128

$ sudo iptables –t nat -A POSTROUTING –out-interface eth1 -j MASQUERADE

After the changes have been made to firewall rules, our server is now ready to work as a squid transparent proxy. All we have to do test this, is to change the gateway of the client machine to the IP address of squid server i.e. When we access any website from client machine, it will first arrive at squid proxy server on port 80 & will then be redirected to port 3128, then after analysing the ACLs, traffic will be forward to WAN or internet.

If you think we have helped you or just want to support us, please consider these :-

Connect to us: Facebook | Twitter | Google Plus

Become a Supporter – Make a contribution via PayPal

[paypal_donation_button align=”left” border=”1″]

Linux TechLab is thankful for your continued support.


Passionate about Linux & open source. Loves to learn, read & write about Linux as well as new technologies.

You may also like...

4 Responses

  1. armando says:

    Hello! i ve tried to follow your tutorial but any website that i try to access, it would show Connection to xx.xx.xx.xx failed, Connection refused (111),like it keeps hitting the proxy and the proxy doesnt’ resolve the name.
    Any ideas? im lost and ive been dealing with this days.

    ps. xx xx xx xx is the ip of the proxy.

  2. Javier says:

    So i’ve seen in older “how to” docs that port 8080 could not be forwarded. Is that still true, or would I just add another rule similar to the port 80 rule to forward this traffic? I got tasked with implementing Squid, but had not heard of it until my boss told me to go research and install it and this guide was the most current one I could find that actually made it seem pretty simple.

Leave a Reply

Your email address will not be published. Required fields are marked *