May 27, 2010

HOWTO: set up a transparent squid proxy on an Ubuntu desktop box

by fluffy at 5:11 PM
Here is a simple procedure for setting up a simple transparent proxy to conduct basic network testing of some connected device, when your desktop box is running Ubuntu Linux.

  1. Disable NetworkManager with sudo update-rc.d NetworkManager remove; killall nm-applet
  2. Set up your network cards explicitly in /etc/network/interfaces (this isn't hard, but NetworkManager's duty in life is to crap on this configuration, it seems) and do a sudo /etc/init.d/networking restart
  3. Install dhcp3-server and squid, and configure them as appropriate. Most important is to change the squid.conf line
    http_port 3128
  to
    http_port 3128 transparent
  so that squid will accept the port-80 connections iptables redirects to it.
  4. Use FireHOL for the actual iptables configuration, because life is too short to screw around with iptables scripts and tutorials that don't specify where said scripts go if you want things to actually, you know, work. My /etc/firehol/firehol.conf file is like this:
    version 5
    transparent_proxy 80 3128 proxy
    interface eth0 outside
    	policy accept
    	server http accept
    	server ssh accept
    	server https accept
    	client all accept
    interface eth1 inside
    	policy accept
    router nat inface eth1 outface eth0
    	route all accept
  5. Angrily post this article to your blog because seriously why does Ubuntu documentation have to suck so bad
The (only) downside to FireHOL, aside from its website being a bit difficult to figure out and its documentation being hard to navigate, is that there's no way (so far as I can tell) to specify which interfaces get the transparent proxy, so you can't restrict it to a certain set of clients on the LAN side. So if you're doing this to, say, test how transparent proxies affect cantankerous embedded devices, you're going to have to accept it also screwing around with your desktop's web browser. C'est la vie.
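An added sanity check for steps 3 and 4 above and for the interface caveat (this is my own example, not from the original post or from FireHOL): it reads a squid.conf and a saved `iptables-save -t nat` dump, confirms the port marked transparent is the one the port-80 REDIRECT rule targets, and reports which interface each such rule is bound to. File names and the sample rule line are constructed for the demo.

```shell
# Added verification helper, not part of the original post: checks that the
# port squid marks "transparent" in squid.conf is the port the NAT REDIRECT
# rule sends port-80 traffic to, and reports the interface each such rule is
# bound to ("any" when it carries no -i, the behaviour the post complains about).

squid_transparent_port() {
    # Port of each http_port line carrying "transparent" (strip any "addr:").
    awk '$1 == "http_port" && /transparent/ { sub(/.*:/, "", $2); print $2 }' "$1"
}

redirect_rules() {
    # "<in-interface or any> <to-port>" for every PREROUTING rule in an
    # `iptables-save -t nat` dump that REDIRECTs TCP destination port 80.
    awk '/^-A PREROUTING / && /-p tcp/ && /--dport 80( |$)/ && /-j REDIRECT/ {
        iface = "any"; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--to-ports") port = $(i + 1)
        }
        print iface, port
    }' "$1"
}

check_transparent_proxy() {
    # $1 = squid.conf, $2 = saved nat table; returns 0 when every port-80
    # REDIRECT targets the transparent squid port, 1 otherwise.
    sp=$(squid_transparent_port "$1")
    [ -n "$sp" ] || { echo "no transparent http_port in $1"; return 1; }
    rules=$(redirect_rules "$2")
    [ -n "$rules" ] || { echo "no port-80 REDIRECT rule in $2"; return 1; }
    printf '%s\n' "$rules" | awk -v sp="$sp" '
        { print "port 80 on " $1 " -> squid port " $2; if ($2 != sp) bad++ }
        END { exit (bad > 0) }'
}

demo() {
    # Constructed sample inputs: the post's edited squid.conf line, and a nat
    # dump whose REDIRECT carries no -i, so it applies on every interface.
    t=$(mktemp -d)
    printf 'http_port 3128 transparent\ncache_mem 64 MB\n' > "$t/squid.conf"
    printf '%s\n' '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' > "$t/nat.rules"
    check_transparent_proxy "$t/squid.conf" "$t/nat.rules"; rc=$?
    rm -rf "$t"
    return $rc
}
```

Run `demo` after the box is configured, or point `check_transparent_proxy` at the real /etc/squid/squid.conf and a fresh `iptables-save -t nat` dump; a rule reported on "any" is the FireHOL behaviour described above.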