@maprangzth
Forked from m4ce/iptables
Created November 28, 2017 13:27
Transparent proxy with Squid and IPTables
# Rules for transparent proxying (nat table)
# NO_PROXY: ACCEPT traffic to local/reserved destinations so it is never
# redirected to Squid; anything else RETURNs to PREROUTING for redirection.
iptables -N NO_PROXY -t nat
iptables -A NO_PROXY -t nat -d 0.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 10.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 127.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 169.254.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 172.16.0.0/12 -j ACCEPT
iptables -A NO_PROXY -t nat -d 192.168.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 224.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -d 240.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -j RETURN
# Client HTTP/HTTPS that falls through NO_PROXY is redirected to Squid's intercept ports
iptables -A PREROUTING -t nat -p tcp --dport 80 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -A PREROUTING -t nat -p tcp --dport 443 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3130
# Squid side of the setup (squid.conf)
# http://www.spinics.net/lists/squid/msg77150.html
# Pass intercepted TLS through without decrypting it
ssl_bump splice all
# Note: these two directives disable validation of origin server certificates
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# Squid normally listens to port 3128 (explicit forward proxy)
http_port 3128
# Intercept ports; these must match the iptables REDIRECT targets
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/ca.crt key=/etc/squid/ssl/ca.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Send everything through the upstream parent proxy (fill in host and port)
never_direct allow all
cache_peer <proxy> parent <port> 0 no-query no-digest default
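The two files above only work together if the NO_PROXY bypass covers the intended destinations and every REDIRECT port is one Squid actually listens on in intercept mode. The following Python is an added example, not part of the gist: it embeds constructed copies of the iptables rules and the squid.conf snippet, simulates the nat PREROUTING decision for a TCP packet (the iptables file), cross-checks the REDIRECT targets against Squid's intercept ports, and flags the directives that switch off origin certificate validation (the squid.conf file). All function names are my own; nothing here touches a live kernel or Squid.

```python
"""Offline consistency check for the transparent-proxy rules and squid.conf above."""
import ipaddress
import re

# Constructed copy of the gist's iptables rules (one command per line).
IPTABLES_RULES = """\
iptables -N NO_PROXY -t nat
iptables -A NO_PROXY -t nat -d 0.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 10.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 127.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 169.254.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 172.16.0.0/12 -j ACCEPT
iptables -A NO_PROXY -t nat -d 192.168.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 224.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -d 240.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -j RETURN
iptables -A PREROUTING -t nat -p tcp --dport 80 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -A PREROUTING -t nat -p tcp --dport 443 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3130
"""

# Constructed, shortened copy of the squid.conf lines that matter for the check.
SQUID_CONF = """\
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on
"""


def parse_rules(text):
    """Turn the 'iptables -A ...' lines into {chain: [rule, ...]} in append order."""
    chains = {}
    for line in text.splitlines():
        tokens = line.split()
        if "-A" not in tokens:
            continue  # '-N' only creates a chain; it carries no match or target
        chain = tokens[tokens.index("-A") + 1]
        rule = {"dst": None, "dport": None, "target": None, "to_port": None}
        for i, tok in enumerate(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "-d":
                rule["dst"] = ipaddress.ip_network(nxt)
            elif tok == "--dport":
                rule["dport"] = int(nxt)
            elif tok == "-j":
                rule["target"] = nxt
            elif tok in ("--to-ports", "--to-port"):  # iptables accepts both spellings
                rule["to_port"] = int(nxt)
        chains.setdefault(chain, []).append(rule)
    return chains


def _walk(chains, chain, dst, dport):
    """Evaluate one chain; return a terminal verdict or None on RETURN/fall-through."""
    for rule in chains.get(chain, []):
        if rule["dst"] is not None and dst not in rule["dst"]:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        target = rule["target"]
        if target == "RETURN":
            return None
        if target in ("ACCEPT", "REDIRECT"):
            return (target, rule["to_port"])
        verdict = _walk(chains, target, dst, dport)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def decide(chains, dst_ip, dport):
    """Simulate nat PREROUTING for a TCP packet: 'bypass', 'redirect:<port>' or 'no-nat'."""
    verdict = _walk(chains, "PREROUTING", ipaddress.ip_address(dst_ip), dport)
    if verdict is None:
        return "no-nat"
    target, port = verdict
    return "bypass" if target == "ACCEPT" else f"redirect:{port}"


def squid_listen_ports(conf):
    """Map each http_port/https_port to 'intercept' or 'forward' (explicit proxy)."""
    ports = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(https?_port)\s+(\d+)(.*)", line)
        if m:
            mode = "intercept" if "intercept" in m.group(3).split() else "forward"
            ports[int(m.group(2))] = mode
    return ports


def check_redirect_targets(chains, ports):
    """Return REDIRECT target ports that Squid does not serve in intercept mode."""
    return [r["to_port"] for rules in chains.values() for r in rules
            if r["target"] == "REDIRECT" and ports.get(r["to_port"]) != "intercept"]


WEAK_TLS = {"sslproxy_cert_error allow all", "sslproxy_flags DONT_VERIFY_PEER"}


def weak_tls_directives(conf):
    """Directives that stop Squid validating origin server certificates."""
    return sorted(l.strip() for l in conf.splitlines() if l.strip() in WEAK_TLS)


if __name__ == "__main__":
    chains = parse_rules(IPTABLES_RULES)
    for ip, port in [("10.1.2.3", 80), ("172.32.0.1", 443), ("93.184.216.34", 22)]:
        print(ip, port, "->", decide(chains, ip, port))
    print("redirect ports without intercept listener:",
          check_redirect_targets(chains, squid_listen_ports(SQUID_CONF)))
    print("weak TLS directives:", weak_tls_directives(SQUID_CONF))
```

The simulator models only what the rules match on (destination address and TCP port), which is enough to show the boundary cases: 172.31.255.255 is still bypassed by 172.16.0.0/12 while 172.32.0.1 is redirected, and port 22 is left alone entirely. Running the same parser against an exported `iptables-save` and the live squid.conf is the natural next step when the ports or networks are changed.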