Gentoo Wiki


Imagine the following scenario. You have a home computer, with only one connection to the internet (say via ADSL) and you wish to have all your HTTP traffic go through a proxy on the same machine. This article will give you a possible implementation.

The need for transparent proxying might arise as a way of not having to configure a huge number of programs and save some bandwith on very common downloads. The motivation is irrelevant for the solution.

What we will try to do is have all HTTP traffic (to be accurate all outgoing tcp traffic to port 80) redirect to a proxy listening on localhost (say port 8888) while not redirecting the proxy's request (because this would cause an endless loop).

The difference between this guide and others is mainly the last part.

First, create a user named proxy with no privileges (group nobody, no login, no shell).

To do this, edit /etc/passwd and add a line like this:

File: /etc/paswd

proxy:x:109:65534:added by user for proxy:/nonexistent:/usr/sbin/nologin

or use the useradd command.

next install iptables and configure the kernel to allow it's use. Several other tutorials explain this.

Configure your proxy to bind only on the localhost interface (so that no one else can access it), listen on port 8888, and to work as a transparent proxy.

The details of this depend on which proxy you use.

Finally start the iptables service and run:

 iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-port 8888

This will redirect all tcp traffic to port 80 of any host, not generated by the user proxy to port 8888 of localhost, and thus all outbound HTTP traffic will be proxyed except the proxy's own requests.

Retrieved from ""

Last modified: Fri, 05 Sep 2008 05:16:00 +0000 Hits: 2,508