
I got a server with a static IP address for rent and now I want to set up a transparent proxy on this server.

After I configured Squid for testing purposes with the listener "http_access allow all", I wanted to set the iptables rules. I figured out that I only have one Ethernet connection with my static IP address mounted. But at least I didn't find any documentation which showed me how to configure this. (I found much about how to configure Squid with two physically separate NICs, but not with one.)


root@1:~# ifconfig
lo        Link encap:Local Loopback  
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3536 (3.5 KB)  TX bytes:3536 (3.5 KB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:  P-t-P:  Bcast:  Mask:
          inet6 addr: ::2/128 Scope:Compat
          inet6 addr: 2a01:[....]external-ipv6[...]/128 Scope:Global
          RX packets:551353 errors:0 dropped:0 overruns:0 frame:0
          TX packets:455717 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:351211942 (351.2 MB)  TX bytes:267054641 (267.0 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:[...]external-ipv4[...]  P-t-P:[...]external-ipv4[...]  Bcast:  Mask:

I have read much about iptables, and some about ebtables, and now I am stuck. I don't know which step should be my next.

My iptables are completely empty at the moment.

Do I need ebtables for a correctly working transparent proxy? Are the correct iptables rules enough to get this done without ebtables? If so, I would very much appreciate it if you could give me a string to set them.


Sources: wiki[.]ubuntuusers[.]de/Squid http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html


Especially this quote should explain to me how to do this, but I don't get it...

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -i venet0:0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This should work, but it doesn't...

  • Are you going to intercept traffic directed only to your server? – Martino Dino Dec 06 '13 at 18:57
  • Yeah. I have set static routes in my home router routing to this external server. This external server receives everything, and should route the incoming traffic to a port opened on its localhost. There it should be received and reworked through Squid. – homeFault Dec 07 '13 at 17:31
  • With: `iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to` # `iptables -t nat -A PREROUTING -i venet0:0 -p tcp --dport 80 -j REDIRECT --to-port 3128` # it should work, but it doesn't – homeFault Dec 07 '13 at 17:38

1 Answer


You can't use a transparent proxy in this scenario.

A transparent proxy must be in the network route of the traffic so that it can intercept and rewrite all of the traffic to redirect it to squid, and since your server is outside your network path, you have no way to do this.

If you want to use this server as a proxy, it will have to be a normal forward proxy.

Michael Hampton
  • Uh, I thought if I redirect port 80 from the external interface to Squid's port on the internal interface it would work. For this I found some tuts, but I don't know why this shouldn't work if my home router sends its packets statically to this proxy server. – homeFault Dec 07 '13 at 16:21
  • If you are actually configuring your browser to use the proxy server, you do not need to do _any_ of this transparent proxy stuff at all. Just set up the proxy server normally. – Michael Hampton Dec 07 '13 at 19:06
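
A forward-proxy `squid.conf` for the setup the answer recommends, as an added example that is not part of the original question or answer. It shows the question's test rule `http_access allow all`, which on a public address leaves the proxy usable by anyone who reaches the port, beside an ACL restricted to one client. The address 203.0.113.10 is a placeholder assumption for the home connection's public IP; port 3128 is the one used in the question.

```conf
# squid.conf: normal forward proxy on a server with a single public interface.
# Assumption: 203.0.113.10 is a placeholder for the home router's public
# address; replace it with the real one.

# Weak setting from the question's test setup. On a publicly reachable
# address this turns the server into an open proxy:
#   http_access allow all

# Plain forward-proxy listener. No "intercept"/"transparent" option and no
# iptables NAT rules are involved; the browser is pointed at this port.
http_port 3128

# The only client allowed to use the proxy.
acl home_net src 203.0.113.10/32

# Limit which destination ports can be requested, and allow the CONNECT
# method (used for HTTPS tunnelling) only towards port 443.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Rules are evaluated top to bottom; the first match decides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow home_net
http_access deny all
```

With this in place the browser is configured with the server's address and port 3128 as its HTTP proxy, and requests from any other source address are refused by the final `http_access deny all`.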