A transparent proxy operates on port 80, so that the clients don't set a proxy on their browser, but all requests actually go through the proxy anyway. This is an interesting way of doing it, but if/when your proxy kicks the bucket, you've got no backup. Personally I like to switch between proxy and no-proxy, but for your setup a transparent proxy might be the answer. I'd suggest you get it working on port 3128 first though.
I have to admit I'm still puzzled too!
(You haven't confirmed a lot of my 'if-then' setups.)
To give an example using my setup (the proxy is on the gateway).
I have a client using a proxy with the following routing table.
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.133   0.0.0.0         UG    0      0        0 eth0
The 0.0.0.0 address (i.e. everything) is available through my gateway (192.168.0.133 = an ipcop box running a proxy).
Let's just say that I remove the default route through the gateway from the client:
# route del -net 0.0.0.0
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
# ping google.com
connect: Network is unreachable
# ping -c 1 192.168.0.133
PING 192.168.0.133 (192.168.0.133) 56(84) bytes of data.
64 bytes from 192.168.0.133: icmp_seq=1 ttl=64 time=5.05 ms
Right! So now the client can't reach the net at all, but can reach the machine running the proxy.
Now I can turn the proxy on and off to allow/disallow net access for my client. And this is not just the browser, most net apps can be set to use a proxy.
Does that help to explain the concept better?
Good luck!
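
The check described in the post above, as an added example that is not part of the original post: it parses the two `route -n` tables shown there and confirms whether a client is in the proxy-only state (proxy on-link, no default route, nothing outside the LAN routable). The function names and the outside test address 203.0.113.10 (a documentation address standing in for any internet host) are assumptions.

```python
import ipaddress

# Constructed samples: the two `route -n` tables shown in the post above.
WITH_DEFAULT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.133   0.0.0.0         UG    0      0        0 eth0
"""
PROXY_ONLY = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

def parse_routes(text):
    """Return [(network, gateway, iface)] parsed from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 8 columns; skip the banner and the column header.
        if len(f) != 8 or f[0] == "Destination":
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        routes.append((net, f[1], f[7]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match; returns the winning route, or None if unreachable."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def audit(text, proxy, outside="203.0.113.10"):
    """Check the proxy-only posture: proxy on-link, nothing beyond it routable."""
    routes = parse_routes(text)
    via = lookup(routes, proxy)
    return {
        # Gateway 0.0.0.0 means the destination is reached directly on the LAN.
        "proxy_on_link": via is not None and via[1] == "0.0.0.0",
        "has_default_route": any(r[0].prefixlen == 0 for r in routes),
        "outside_reachable": lookup(routes, outside) is not None,
    }

if __name__ == "__main__":
    for name, table in (("with default", WITH_DEFAULT), ("proxy only", PROXY_ONLY)):
        print(name, audit(table, "192.168.0.133"))
```

On a live client, feed `audit()` the captured output of `route -n`; a client that should only reach the net through the proxy should report no default route and no outside reachability.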