A Transparent Proxy With Squid

If your Linux server is being used as an Internet gateway for your LAN, then it’s a good idea to set it up behind a firewall. If that’s not an option, set up a firewall on the machine itself.

Nikhil Datta

Saturday, July 07, 2001

Since the introduction of kernel 2.2, the firewalling and masquerading code for Linux has undergone major changes, with several new improvements and features added. Instead of the original ipmasq tool, ipchains is now used to configure the firewalling code. Its usage is in many ways similar to ipfwadm, and there’s even a wrapper script (/sbin/ipfwadm_wrapper) available to help you set up simple rules if you’re too lazy to RTFM.

Classical firewalls usually depend on either packet filtering (such as ipchains) or application-level proxying (such as a proxy server like Squid). A transparent proxy is a system that appears to client machines like a packet filter (so no client-side configuration is needed), and to servers like a classical proxy.

A transparent proxy listens on a specified well-known port (for example, port 80 for Web proxies) for incoming requests, and redirects them to a proxy server running on the same machine. Client machines assume they’re directly talking to the remote Webserver, when instead, they’re communicating through the proxy. Proxy servers such as Squid support transparent proxying.

The first step is to configure transparent proxying on the Linux server. You’ll need to recompile your kernel for this if it wasn’t built with that support. To find out whether your kernel has it enabled, look for the file /proc/net/ip_fwchains. If it exists, you’re in business.

Configuring ipchains

You’ll then need to add some special rules to ipchains, telling it to redirect all incoming traffic on Web-specific ports (such as 80 for HTTP, and 81 for HTTPS) to a different port on the same machine, on which your proxy server has been configured to listen (such as port 8080 for Squid).

Enter the following lines into a shell script—you can then put this in your startup scripts to run automatically at boot time. In this case, the server IP address is taken to be 192.168.1.1.

# Let connections to port 80 on the server itself through untouched
ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p TCP -d 192.168.1.1/32 www -j ACCEPT
# Redirect every other incoming port-80 connection to Squid on port 8080
ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080

You can also use transparent proxying with 2.0.x kernels, which use ipfwadm instead of ipchains to create and modify firewall rules.

If you’re using ipfwadm, create a script file with the following lines:

# -I: input rules, -a a: append an accept rule; local port 80 is left alone
ipfwadm -I -a a -P tcp -S any/0 -D 127.0.0.1 80
ipfwadm -I -a a -P tcp -S any/0 -D 192.168.1.1 80
# -r 8080: redirect all other port-80 traffic to Squid on port 8080
ipfwadm -I -a a -P tcp -S any/0 -D any/0 80 -r 8080


Configuring Squid

You need at least Squid 2.X to use transparent proxying. Once you have it installed and running, little additional configuration is required. Edit /etc/squid/squid.conf and make the following changes.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

After you’re done, restart Squid with

/etc/rc.d/init.d/squid.init restart
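The steps above (detect the kernel's firewalling interface, install the redirect rules, restart Squid) can be collected into a single boot-time script. The script below is an added example, not the article's own script: it checks for /proc/net/ip_fwchains to choose between the ipchains and ipfwadm rulesets, and adds one thing the article's rules do not have, namely that the REDIRECT rule is restricted to packets arriving on the LAN interface from the LAN range, so port-80 traffic entering on the Internet side is never bounced into Squid (which would otherwise turn the gateway into an open proxy). The interface name eth0, the LAN range 192.168.1.0/24 and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): a boot-time script that
# detects whether the running kernel uses ipchains (2.2.x) or ipfwadm (2.0.x),
# installs transparent-proxy redirect rules, and restarts Squid.
# The interface name, LAN range and paths below are assumptions for this
# example; adjust them to your gateway.

SERVER_IP="192.168.1.1"      # gateway address used in the article
LAN_IF="eth0"                # assumed LAN-facing interface
LAN_NET="192.168.1.0/24"     # assumed LAN range; only these clients are redirected
SQUID_PORT="8080"            # port Squid listens on (http_port in squid.conf)
PROC_FWCHAINS="${PROC_FWCHAINS:-/proc/net/ip_fwchains}"
SQUID_INIT="${SQUID_INIT:-/etc/rc.d/init.d/squid.init}"

# With DRY_RUN set, print each command instead of executing it, so the
# generated ruleset can be reviewed on a machine without ipchains/ipfwadm.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the firewall tool the kernel supports: "ipchains" if the 2.2-style
# chains file (argument, or $PROC_FWCHAINS) exists, otherwise "ipfwadm".
detect_tool() {
    if [ -e "${1:-$PROC_FWCHAINS}" ]; then
        echo ipchains
    else
        echo ipfwadm
    fi
}

# Kernel 2.2.x rules. Unlike the article's ruleset, the REDIRECT rule only
# matches packets that arrive on the LAN interface from the LAN range.
rules_ipchains() {
    run ipchains -A input -p tcp -d 127.0.0.1/32 www -j ACCEPT
    run ipchains -A input -p tcp -d "$SERVER_IP/32" www -j ACCEPT
    run ipchains -A input -i "$LAN_IF" -p tcp -s "$LAN_NET" -d 0/0 www -j REDIRECT "$SQUID_PORT"
}

# Kernel 2.0.x equivalent with ipfwadm (-I input rules, -a a = append accept,
# -W = interface name, -r = redirect to a local port).
rules_ipfwadm() {
    run ipfwadm -I -a a -P tcp -S any/0 -D 127.0.0.1 80
    run ipfwadm -I -a a -P tcp -S any/0 -D "$SERVER_IP" 80
    run ipfwadm -I -a a -P tcp -W "$LAN_IF" -S "$LAN_NET" -D any/0 80 -r "$SQUID_PORT"
}

# Install the ruleset matching the kernel (optional argument: chains file path).
apply_rules() {
    case "$(detect_tool "${1:-$PROC_FWCHAINS}")" in
        ipchains) rules_ipchains ;;
        ipfwadm)  rules_ipfwadm ;;
    esac
}

main() {
    apply_rules
    run "$SQUID_INIT" restart
}

# Apply for real only when invoked as "sh transparent-proxy.sh apply";
# with DRY_RUN=1 the commands are printed instead of executed.
if [ "${1:-}" = apply ]; then
    main
fi
```

Run it once with `DRY_RUN=1 sh transparent-proxy.sh apply` to inspect the rules before letting it touch the live firewall, and make sure the `http_port` value in squid.conf matches SQUID_PORT, otherwise the redirected connections will have nowhere to go.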

Client configuration

The best part of the client configuration is that there’s none. Clients think that they’re directly connected to the Webserver, without an intermediate proxy server. This means that you can use almost any type of client from behind your firewall, even one with no proxy settings of its own.
