
kscott121 06-26-2004 04:51 PM

transparent proxy on a single machine
 
I am trying to build a single machine that performs web filtering (using DansGuardian) for several users.
The box (Morphix/Debian system) will be behind a cable router and has five users (kids). I have Dansguardian and Squid running correctly in normal proxy mode. The next step is to make the proxy transparent so that users cannot bypass the Dansguardian/squid path simply by telling their browser to connect directly (i.e. without using the proxy).
I have looked around and see instructions on this at several places (mostly for non-single machine implementations) and know I need a line something like:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8181

where 8181 is where Dansguardian is listening.

I also need to configure squid with (I think) :

http_port 3128 # where squid is listening
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host off

The question is, on a single machine, will this work? The part I can't figure out pertains to when squid finally wants to send out the actual request to the internet: isn't that a port 80 request that the above iptables rule will redirect back to Dansguardian?
Is this the best strategy or is some other approach better?
Thanks in advance
Ken S.

chort 06-27-2004 01:30 AM

You have to redirect all requests to port 80 to port 3128, and the destination address has to be changed to the IP of the interface that Squid is running on.

kscott121 06-27-2004 08:37 PM

Finally figured out an elegant and easy solution (thanks to Dimitar Katerinski helping via the netfilter@list.netfilter.org mailing list)

1) Keep the normal settings for squid (no transparent proxy needed since users are internal to the same machine)
2) Set up two iptables rules to only let squid reach port 80 and only let dansguardian reach port 3128 (where squid is listening).

# allow only squid to be able to connect to port 80
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset

#allow only DG to be able to connect to 3128.
iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REJECT --reject-with tcp-reset

These rules force the users to put in the proper proxy info into their browsers in order to connect to internet.
Works great!!
Other boxes on the local LAN can also access dansguardian webfiltering using the same proxy address [ http://this_box_lan_ip_addr:8181 ] (although there is nothing forcing other boxes through this path). The above iptables rules only require that local users on this machine use Dansguardian.
Cheers!
Ken
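An added example, not part of the thread: the two OUTPUT rules from the post above, wrapped in a script that applies them idempotently (it probes with `iptables -C` before appending, so re-running it does not duplicate rules) and adds a third rule for port 443, which the thread does not mention but which a browser can otherwise use to bypass the filter in the same way. The user names `squid` and `dansguardian`, the `nc -z` probe, and the `DRY_RUN`/`apply`/`show` conventions are assumptions of this example, not part of the original post; the owner match only inspects locally generated packets, so, as the post notes, these rules constrain users on this machine and nothing else.

```shell
#!/bin/sh
# Added example: idempotent version of the owner-match OUTPUT rules from the
# thread, plus a port 443 rule (assumption: HTTPS should be forced through the
# same path). Run as root: "sh thisscript.sh apply"; "show" prints the rules.
set -eu

SQUID_USER="${SQUID_USER:-squid}"           # UID Squid runs as (assumed name)
DG_USER="${DG_USER:-dansguardian}"          # UID DansGuardian runs as (assumed name)
SQUID_PORT="${SQUID_PORT:-3128}"            # Squid listener, from the thread
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands instead of applying

# One OUTPUT rule: reset any TCP connect to $port unless the socket owner is $user.
owner_rule() {
    port="$1"; user="$2"
    echo "OUTPUT -p tcp --dport $port -m owner ! --uid-owner $user -j REJECT --reject-with tcp-reset"
}

# Every rule this script manages, one per line.
rule_set() {
    owner_rule 80  "$SQUID_USER"            # only Squid may talk to port 80 (from the thread)
    owner_rule 443 "$SQUID_USER"            # only Squid may talk to port 443 (added assumption)
    owner_rule "$SQUID_PORT" "$DG_USER"     # only DansGuardian may reach Squid (from the thread)
}

# Append each rule only if it is not already present (-C returns non-zero when absent).
apply_rules() {
    rule_set | while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$IPTABLES -A $rule"
        elif ! $IPTABLES -C $rule 2>/dev/null; then
            $IPTABLES -A $rule
        fi
    done
}

# Manual check, run as an unprivileged user on a box with network access:
# a direct connection to $host:$port should now be refused immediately.
# Assumes an nc that supports -z (port scan mode) and -w (timeout).
probe_direct() {
    host="$1"; port="${2:-80}"
    if nc -z -w 5 "$host" "$port" 2>/dev/null; then
        echo "direct connection to $host:$port succeeded (rule not effective)"
        return 1
    fi
    echo "direct connection to $host:$port refused as expected"
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1; apply_rules ;;
    probe) probe_direct "${2:?host}" "${3:-80}" ;;
esac
```

After `apply`, `iptables -L OUTPUT -n -v` should list the three REJECT rules with `owner UID match ! squid` / `! dansguardian`, and `probe` run as one of the kids' accounts should report the connection as refused while the same request through the proxy at port 8181 still works.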

