Squid configuration directive: tproxy_uses_indirect_client

I have set up some Squid 3.2 proxy servers deployed in TPROXY mode (fully transparent proxy, aka IP spoofing: the connection to the origin server carries the client's own source address). The normal deployment procedure can be found here (http://www.balabit.com/downloads/files/tproxy/README.txt).

But I have some special services running inside the box which intercept some of the clients' connections from Squid (via ICAP), modify the request before it is sent to the origin server, and so act as a man-in-the-middle. In this case, my requirement is to also spoof the outgoing source address of my special services' connections. I therefore decided to send those requests back through Squid so that it does the spoofing as well.

I searched the Internet for a solution. At first I tried to add a TPROXY target in the "PREROUTING" chain of the "mangle" table, but without success, as locally generated packets do not traverse that chain (they go through OUTPUT, and the TPROXY target is only valid in PREROUTING).

I found this page (http://www.squid-cache.org/Doc/config/tproxy_uses_indirect_client), and luckily this configuration directive is available in Squid 3.2+, which is what I run.
So I set up my special services to make their outgoing connections through Squid acting as a proxy on another port, e.g. 3129, with an "X-Forwarded-For" HTTP header that carries the original client's address.

For the Squid configuration, I just added the following (the "..." lines stand for the rest of the existing squid.conf):

...
# extra listening port for the local services; it must be a tproxy port,
# because tproxy_uses_indirect_client has no effect on non-tproxy ports
http_port 3129 tproxy
...
# trust the X-Forwarded-For header only on connections from the box itself
follow_x_forwarded_for allow localhost
...
# spoof the indirect (X-Forwarded-For) client address instead of the direct one
tproxy_uses_indirect_client on
...
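Here is an added example, written for this page and not code from the original post or from Squid, showing both halves of the setup in Python: the request the local service sends to the proxy port with X-Forwarded-For set to the real client, and an emulation of how Squid's follow_x_forwarded_for walks that header to obtain the indirect client address that tproxy_uses_indirect_client then spoofs. The port, the addresses and the URL are assumptions; the emulation follows the documented walk (rightmost entry first, continue while the current hop is allowed) and is not Squid's own code.

```python
"""Added example (not from the original post or from Squid itself): the two
halves of the trick above, seen from the local service's side and from Squid's.
The addresses, the URL and the header values are made up for illustration."""

import ipaddress
import socket
from typing import Iterable, Optional

# Assumption: Squid's extra port from the squid.conf fragment above, reachable
# only from the box itself.
SQUID_ADDR = ("127.0.0.1", 3129)


def build_proxy_request(method: str, url: str, host: str, client_ip: str) -> bytes:
    """Build the proxy-style HTTP/1.1 request the local service sends to Squid.
    The request line carries the absolute URI, and X-Forwarded-For carries the
    client whose address Squid should spoof on the outgoing connection."""
    lines = [
        f"{method} {url} HTTP/1.1",
        f"Host: {host}",
        f"X-Forwarded-For: {client_ip}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def send_via_squid(request: bytes, timeout: float = 10.0) -> bytes:
    """Send a raw request to the local Squid port and return the raw reply.
    Needs a running Squid; not called by the offline demo below."""
    with socket.create_connection(SQUID_ADDR, timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def _parse_ip(text: str) -> Optional[str]:
    """Return the normalised address, or None for "unknown", hostnames, garbage."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def indirect_client(direct_client: str, x_forwarded_for: Optional[str],
                    trusted: Iterable[str]) -> str:
    """Emulate how Squid's follow_x_forwarded_for derives the indirect client
    address that tproxy_uses_indirect_client then spoofs.

    Start from the TCP peer.  While the current address matches the trusted
    networks (standing in for the ACL in 'follow_x_forwarded_for allow ...'),
    step to the next X-Forwarded-For entry from the right (the most recent hop
    is rightmost).  Stop at the first untrusted address, at an entry that is
    not an IP address, or when the header is exhausted."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def allowed(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)   # mismatched IP versions never match

    hops = [h.strip() for h in x_forwarded_for.split(",")] if x_forwarded_for else []
    current = direct_client
    while hops and allowed(current):
        candidate = _parse_ip(hops.pop())
        if candidate is None:
            break
        current = candidate
    return current


if __name__ == "__main__":
    localhost = ["127.0.0.1/32", "::1/128"]      # Squid 3.2's built-in 'localhost' ACL
    print(build_proxy_request("GET", "http://example.com/", "example.com", "10.1.2.3").decode())
    # What Squid would spoof for each incoming connection on the tproxy port:
    for peer, xff in [("127.0.0.1", "10.1.2.3"),              # local service: spoof 10.1.2.3
                      ("192.0.2.50", "10.1.2.3"),             # untrusted peer: header ignored
                      ("127.0.0.1", "10.1.2.3, 127.0.0.1"),   # two local hops: still 10.1.2.3
                      ("127.0.0.1", "10.1.2.3, unknown")]:    # unparsable hop: stays 127.0.0.1
        print(f"{peer:12} XFF={xff!r:28} -> {indirect_client(peer, xff, localhost)}")
```

Run it offline to see the resolution for each case; send_via_squid() needs the proxy up. The second case is the one that matters for the firewall note at the end of this post: a connection from a non-local peer gets its header ignored, so only processes on the box can choose which source address Squid spoofs.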

Finally, I have completed the setup: the source address is spoofed for all of the connections, and the boxes are now truly transparent, as they should be.

Note: the "3129" listening port should not be exposed outside the box, so it must not accept connections from outside (otherwise, depending on the http_access rules, the box could be used as an open proxy). A simple iptables rule is

# iptables -A INPUT -p tcp --dport 3129 ! -s 127.0.0.1 -j DROP

This rule only covers IPv4; if the services connect over the IPv6 loopback (::1), an equivalent ip6tables rule is needed. Alternatively, since this port is only meant for local connections, it can be bound to the loopback address in squid.conf (http_port 127.0.0.1:3129 tproxy) instead of relying on the firewall.