While the “correct” thing to do is to use wpad autodetection, and thus politely request that users use your proxy, this isn’t always an option:

• Firefox doesn’t Autodetect Proxies by default
• Autodetection doesn’t behave well for many roaming users (firefox should talk to network-manager)
• Many programs simply don’t support wpad.
• Your upstream ISP transparently proxies anyway (the norm in ZA), so it’s not like we have any end-to-endness to protect.

So, here’s how you do it:

1. Lets assume your network is 10.1.1.0/24, and the squid box is 10.1.1.1 on eth0
2. Install squid (aptitude install squid), configure it to have a reasonably large storage pool, give it some sane ACLs, etc.
3. Add http_port 8080 transparent to squid.conf(or http_port 10.1.1.1:8080 transparent if you are using explicit http_port options)
4. invoke-rc.d squid reload
5. Add the following to your iptables script:

If you run squid on your network’s default gateway, then you are done. Otherwise, if you have a separate router, you need to do the following on the router:

1. Add a new transprox table to /etc/iproute2/rt_tables, i.e. 1 transprox
2. Pick a new netfilter MARK value, i.e. 0x04
3. Add the following to the router’s iptables script:

1. Done: test and tail your squid logs

The reason we use iproute rules rather than iptables DNAT is that you lose destination-IP information with a DNAT (like the envelope of an e-mail).

An alternative solution is to run tinyproxy on the router (with the transparent option, enabled in ubuntu but not debian), use the REDIRECT rule above on the router, to redirect to the tinyproxy, and have that upstream to the squid. But tinyproxy requires some RAM, and on a WRT54 or the likes, you don’t have any of that to spare…

Should you need to temporarily disable this for any reason:

• With all-in-one-router: iptables -t nat -F PREROUTING
• With the separate router: iptables -t mangle -F PREROUTING