In enterprise environments, network traffic monitoring, content filtering, or security auditing often requires redirecting outbound connections through a proxy. Doing this transparently ensures applications do not need proxy configuration, which is essential for legacy software, containers, or multi-tenant servers.
By combining nftables firewall rules with a local proxy, administrators can implement a transparent, per-port, or per-user proxy on AlmaLinux 8.
This approach is rarely documented online in a complete, production-ready guide.
Typical requirements this setup addresses:
Enforcing HTTP/HTTPS traffic through a corporate proxy
Logging outbound connections for auditing
Blocking unauthorized network access without application configuration
Transparent caching proxies for performance
Containerized or legacy applications that cannot be reconfigured
Prerequisites:
AlmaLinux 8
Root or sudo access
nftables installed and enabled
A local proxy (e.g., Squid, TinyProxy, or HAProxy) installed
Check nftables status:
systemctl status nftables
Install Squid as an example:
dnf install -y squid
Configure Squid to listen in interception mode on its proxy port (3128 in this example):
nano /etc/squid/squid.conf
Add or modify:
http_port 3128 intercept
acl localnet src 192.168.0.0/16
http_access allow localnet
The keyword transparent is the older, deprecated alias of intercept; the port must be in intercept mode, because Squid needs to recover the original destination of redirected connections from the kernel's NAT table.
Start and enable Squid:
systemctl enable squid
systemctl start squid
IP forwarding is needed only when the prerouting chain is used to proxy traffic arriving from other hosts (the output chain alone handles local processes). To enable forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Make permanent:
nano /etc/sysctl.d/99-sysctl.conf
Add:
net.ipv4.ip_forward = 1
Apply:
sysctl --system
Create a dedicated table for the proxy rules:
nft add table inet proxy_redirect
Add chains for prerouting (incoming) and output (local processes):
nft add chain inet proxy_redirect prerouting { type nat hook prerouting priority 0 \; }
nft add chain inet proxy_redirect output { type nat hook output priority 0 \; }
Redirect all HTTP (port 80) traffic from non-root users to Squid. The port is matched with tcp dport (the IP header has no port field) and the owning user with meta skuid. Squid's own user must be excluded as well, otherwise Squid's upstream connections would be redirected back into Squid in a loop:
nft add rule inet proxy_redirect output tcp dport 80 meta skuid != { 0, squid } redirect to :3128
tcp dport 80 → Target HTTP traffic
meta skuid != { 0, squid } → Exclude root processes and Squid's own outbound connections
redirect to :3128 → Send traffic to Squid
Allow direct access to internal networks. Use insert rather than add so the rule lands before the redirect rule: redirect is terminating, so a rule appended after it would never be evaluated:
nft insert rule inet proxy_redirect output ip daddr 192.168.0.0/16 accept
Persist the rules. On AlmaLinux 8 the nftables service loads /etc/sysconfig/nftables.conf, so save the ruleset to a file under /etc/nftables/ and include it from there:
nft list ruleset > /etc/nftables/proxy_redirect.nft
echo 'include "/etc/nftables/proxy_redirect.nft"' >> /etc/sysconfig/nftables.conf
Ensure rules load on boot:
systemctl enable nftables
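The same ruleset as a single nft file, generated by a small script so it can be syntax-checked and loaded atomically with nft -f. This is an added example, not part of the original guide; it assumes Squid runs as the user squid and uses the page's port and internal range as defaults. It also includes the prerouting chain for traffic forwarded from other hosts, which the guide only mentions.

```shell
#!/bin/bash
# Added example (not from the original guide). Assumptions: Squid runs as
# user "squid"; defaults are the page's port 3128 and range 192.168.0.0/16.
set -eu

# build_ruleset PROXY_PORT PROXY_USER INTERNAL_CIDR -> prints the ruleset.
# Order matters in a nat chain: "redirect" is terminating, so the bypass
# rules for internal destinations and for the proxy user must come first.
build_ruleset() {
  local port="$1" user="$2" internal="$3"
  cat <<EOF
table inet proxy_redirect
flush table inet proxy_redirect
table inet proxy_redirect {
  chain output {
    type nat hook output priority 0; policy accept;
    # internal destinations never go via the proxy
    ip daddr $internal accept
    # root and the proxy user bypass the redirect; without the proxy-user
    # exemption Squid's own upstream connections would loop back into it
    meta skuid { 0, $user } accept
    # log is non-terminating, so the packet continues to the redirect rule
    tcp dport 80 log prefix "PROXY-REDIRECT: " level info
    tcp dport 80 redirect to :$port
  }
  chain prerouting {
    # same policy for traffic forwarded from other hosts (needs ip_forward=1)
    type nat hook prerouting priority 0; policy accept;
    ip daddr $internal accept
    tcp dport 80 redirect to :$port
  }
}
EOF
}

# apply_ruleset FILE: syntax-check with nft -c first, then load atomically.
apply_ruleset() {
  local file="$1"
  nft -c -f "$file" && nft -f "$file"
}

if [ "${1:-}" = "apply" ]; then
  build_ruleset "${2:-3128}" "${3:-squid}" "${4:-192.168.0.0/16}" \
    > /etc/nftables/proxy_redirect.nft
  apply_ruleset /etc/nftables/proxy_redirect.nft
fi
```

Run it as ./proxy_redirect.sh apply (optionally followed by port, proxy user and internal CIDR); the generated file can then be included from /etc/sysconfig/nftables.conf.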
Test with a non-root user:
sudo -u devuser curl http://example.com
Traffic should go through Squid automatically.
Check Squid access logs:
tail -f /var/log/squid/access.log
Use the nftables log statement to record redirected connections. Insert it ahead of the redirect rule: log does not terminate evaluation, so the packet still reaches the redirect afterwards (insert places it at the top of the chain, so internal port-80 traffic is logged as well unless you position it after the internal-network accept rule using the rule handle from nft list ruleset -a):
nft insert rule inet proxy_redirect output tcp dport 80 meta skuid != { 0, squid } log prefix "PROXY-REDIRECT: " level info
The entries go to the kernel log; follow them in real time with:
journalctl -k -f
Security considerations:
Only redirect non-root processes
Exclude sensitive destinations from proxy
Monitor logs for anomalies
Limit proxy resource usage
Use SSL Bump cautiously for HTTPS traffic
Scenarios where this approach fits:
Transparent content filtering in multi-tenant servers
Legacy apps that cannot be configured to use a proxy
Auditing outbound HTTP traffic for compliance
Mitigating risky application behavior
Using nftables and a local proxy, AlmaLinux 8 administrators can implement a transparent, user-aware proxy that enforces network policy without modifying applications.
This approach is highly practical for IT professionals but rarely covered in public tutorials.