Now, the question naturally arises, if we can do all this nifty stuff redirecting HTTP connections to local ports, could we do the same thing but to a remote box (e.g., the machine with squid running is not the same machine as iptables is running on). The answer is yes, but it takes a little different magic words. (Thanks to Giles Coochey for help writing this section).
For the purposes of example commands, let's assume we have two boxes called squid-box and iptables-box, and that they are on the network local-network. In the commands below, replace these strings with the actual IP addresses or name of your machines and network.
First, the machine that squid will be running on, squid-box. You do not need iptables or any special kernel options on this machine, just squid. You do not need the 'http_accel' options as described above, just a plain squid (although, if you are a squid newbie, it is suggested that you read the above section on squid, since everything else but the 'http_accel' options will be useful to you).
Now, the machine that iptables will be running on, iptables-box You will need to configure the kernel as described above, except that you don't need the REDIRECT target support). Now, for the iptables commands. You need three:
The first one sends the packets to squid-box from iptables-box. The second makes sure that the reply gets sent back through iptables-box, instead of directly to the client (this is very important!). The last one makes sure the iptables-box will forward the appropriate packets to squid-box. It may not be needed. YMMV. Note that we specified '-i eth0' and then '-o eth0', which stands for input interface eth0 and output interface eth0. If your packets are entering and leaving on different interfaces, you will need to adjust the commands accordingly.
Add these commands to your appropriate startup scripts under /etc/rc.d/
If the iptables-box is on a dynamic IP address (e.g. a dialup PPP connection, or a DHCP assigned IP address from a cable modem, etc.), then you will want to make a slight change to the above commands. Replace the second command with this one:
This change avoids having to specify the IP address of iptables-box in the command. Since it will change often, you'd have to change your commands to reflect it. This will save you a lot of hassle.