diff --git a/.gitignore b/.gitignore
index 42bf20da74a0..cad6ccaa6e41 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,4 +14,4 @@ metallb/frr/
 assets/templates/99_master-chronyd-redhat.yaml
 assets/templates/99_worker-chronyd-redhat.yaml
-pull_secret.json
+pull_secret.json
\ No newline at end of file
diff --git a/02_configure_host.sh b/02_configure_host.sh
index 29d3f96bca4a..776b81048447 100755
--- a/02_configure_host.sh
+++ b/02_configure_host.sh
@@ -54,6 +54,18 @@ if [[ ! -z "${MIRROR_IMAGES}" || $(env | grep "_LOCAL_IMAGE=") || ! -z "${ENABL
 setup_local_registry
 fi
 
+# Configure a local proxy to be used for the installation
+if [[ ! -z "${INSTALLER_PROXY}" ]]; then
+ generate_proxy_conf > ${WORKING_DIR}/squid.conf
+
+ sudo podman run -d --rm \
+ --net host \
+ --volume ${WORKING_DIR}/squid.conf:/etc/squid/squid.conf \
+ --name ds-squid \
+ --dns 127.0.0.1 \
+ quay.io/sameersbn/squid:latest
+fi
+
 sudo systemctl enable --now firewalld
 
 # Configure an NTP server for use by the cluster, this is especially
@@ -191,7 +203,7 @@ ANSIBLE_FORCE_COLOR=true ansible-playbook \
 -e "{use_firewalld: True}" \
 -e "provisioning_interface=$PROVISIONING_NETWORK_NAME" \
 -e "baremetal_interface=$BAREMETAL_NETWORK_NAME" \
- -e "{provisioning_host_ports: [80, ${LOCAL_REGISTRY_PORT}, 8000]}" \
+ -e "{provisioning_host_ports: [80, ${LOCAL_REGISTRY_PORT}, 8000, ${INSTALLER_PROXY_PORT}]}" \
 -e "vbmc_port_range=$VBMC_BASE_PORT:$VBMC_MAX_PORT" \
 -i ${VM_SETUP_PATH}/inventory.ini \
 -b -vvv ${VM_SETUP_PATH}/firewall.yml
diff --git a/06_create_cluster.sh b/06_create_cluster.sh
index 9946263dac3e..7bfca56c1b63 100755
--- a/06_create_cluster.sh
+++ b/06_create_cluster.sh
@@ -12,6 +12,12 @@ source validation.sh
 
 early_deploy_validation
 
+if [[ ! -z "$INSTALLER_PROXY" ]]; then
+ export HTTP_PROXY=${HTTP_PROXY}
+ export HTTPS_PROXY=${HTTPS_PROXY}
+ export NO_PROXY=${NO_PROXY}
+fi
+
 # Call openshift-installer to deploy the bootstrap node and masters
 create_cluster ${OCP_DIR}
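Review bot: The squid container that becomes the installer's only egress path is pulled as `quay.io/sameersbn/squid:latest`, a mutable tag in a third-party personal namespace, and run by root with `--net host`, so whatever that tag resolves to on the day gets host network access on every provisioning host; pin it by digest (`quay.io/sameersbn/squid@sha256:<digest of the image you reviewed>`) and expose it as an overridable variable alongside the existing `*_LOCAL_IMAGE` settings so mirrored environments can substitute it. The `podman run --name ds-squid` is also not idempotent: a second run of this script while the container is still up fails on the name clash, so remove any previous instance first, e.g. `sudo podman rm -f ds-squid >/dev/null 2>&1 || true` before the `podman run`. Whether the proxy is reachable from beyond the provisioning network and what it lets through is decided by `generate_proxy_conf` in utils.sh, which is outside this hunk, so that is where the "blocks all outgoing traffic" claim in config_example.sh has to be verified.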
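Review bot: `${INSTALLER_PROXY_PORT}` is appended to `provisioning_host_ports` unconditionally, while common.sh defaults it to 8215 whether or not `INSTALLER_PROXY` is set, so every host now opens 8215 on the provisioning interface even when no proxy is running. Make the entry conditional with a parameter expansion: `-e "{provisioning_host_ports: [80, ${LOCAL_REGISTRY_PORT}, 8000${INSTALLER_PROXY:+, ${INSTALLER_PROXY_PORT}}]}" \`. The `ansible-playbook` invocation this argument belongs to starts before the hunk.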
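Review bot: The three `export` lines only re-export whatever `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` already hold in this shell; if `INSTALLER_PROXY` is set but the values were never computed (network.sh not sourced here, or sourced before `INSTALLER_PROXY` was set), `openshift-install` runs with empty proxy variables and goes out directly, the opposite of what the option is for. Fail closed inside the `if`, before `create_cluster`, e.g. `[[ -n "${HTTP_PROXY}" && -n "${HTTPS_PROXY}" ]] || { echo "INSTALLER_PROXY is set but HTTP_PROXY/HTTPS_PROXY are empty" >&2; exit 1; }`. Consider exporting the lowercase `http_proxy`/`https_proxy`/`no_proxy` forms as well, since not every tool honours the uppercase names; what else `create_cluster` spawns is not visible in this hunk.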
diff --git a/Makefile b/Makefile
index 3f24bff6788c..064fdd0b37f2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: default all requirements configure ironic ocp_run install_config clean ocp_cleanup ironic_cleanup host_cleanup cache_cleanup registry_cleanup workingdir_cleanup podman_cleanup bell
+.PHONY: default all requirements configure ironic ocp_run install_config clean ocp_cleanup ironic_cleanup host_cleanup cache_cleanup registry_cleanup proxy_cleanup workingdir_cleanup podman_cleanup bell
 
 default: requirements configure build_installer ironic install_config ocp_run bell
 all: default
@@ -29,7 +29,7 @@ ocp_run:
 gather:
 	./must_gather.sh
 
-clean: ocp_cleanup ironic_cleanup host_cleanup assisted_deployment_cleanup
+clean: ocp_cleanup ironic_cleanup proxy_cleanup host_cleanup assisted_deployment_cleanup
 
 assisted_deployment_cleanup:
 	./assisted_deployment.sh delete_all
@@ -57,6 +57,9 @@ workingdir_cleanup:
 podman_cleanup:
 	./podman_cleanup.sh
 
+proxy_cleanup:
+	./proxy_cleanup.sh
+
 bell:
 	@echo "Done!" $$'\a'
diff --git a/common.sh b/common.sh
index 5f67f616c0ad..ed9f9c298b41 100644
--- a/common.sh
+++ b/common.sh
@@ -69,6 +69,10 @@ export SSH_PUB_KEY="${SSH_PUB_KEY:-$(cat $HOME/.ssh/id_rsa.pub)}"
 # mirror images for installation in restricted network
 export MIRROR_IMAGES=${MIRROR_IMAGES:-}
 
+# Setup up a local proxy for installation
+export INSTALLER_PROXY=${INSTALLER_PROXY:-}
+export INSTALLER_PROXY_PORT=${INSTALLER_PROXY_PORT:-8215}
+
 # Hypervisor details
 export REMOTE_LIBVIRT=${REMOTE_LIBVIRT:-0}
 export PROVISIONING_HOST_USER=${PROVISIONING_HOST_USER:-$USER}
diff --git a/config_example.sh b/config_example.sh
index 52ebe5eaddf0..1ff9db1cebe7 100755
--- a/config_example.sh
+++ b/config_example.sh
@@ -272,6 +272,10 @@ set -x
 # been configured.
 # export ADDITIONAL_TRUST_BUNDLE=/path/to/ca_file
 
+# Configures the installer to use a proxy running on the local host
+# and blocks all outgoing traffic
+# export INSTALLER_PROXY=true
+
 ##
 ## Assisted Deployment
 ##
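Review bot: Every consumer tests `INSTALLER_PROXY` with `! -z`, so any non-empty value, including `false` or `0`, enables the proxy, but the comment above the new export does not say so and has a typo ("Setup up"). Replace it with something like `# Run a local squid proxy for the installation and route the installer through it; enabled by any non-empty value (see config_example.sh). INSTALLER_PROXY_PORT is opened on the provisioning interface by 02_configure_host.sh.` so that nobody tries to turn it off with `INSTALLER_PROXY=false`.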
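Review bot: The new comment promises that `INSTALLER_PROXY` "blocks all outgoing traffic", but nothing in this change adds an egress block: the firewall hunk in 02_configure_host.sh only opens the proxy port, and whether traffic is actually confined depends on the squid ACLs emitted by `generate_proxy_conf`, whose body is outside this diff. Unless a block rule exists elsewhere, describe what is configured, e.g. `# Run a squid proxy on the provisioning host and point the installer and install-config.yaml at it`, and note that any non-empty value (not only `true`) enables it, since the code tests with `! -z`.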
diff --git a/network.sh b/network.sh
index 26d29b2c4ac0..dbb32a6e7a60 100755
--- a/network.sh
+++ b/network.sh
@@ -7,6 +7,21 @@ function nth_ip() {
 python -c "from ansible_collections.ansible.netcommon.plugins.filter import ipaddr; print(ipaddr.nthhost('"$network"', $idx))"
 }
 
+function ipversion(){
+ if [[ $1 =~ : ]] ; then
+ echo 6
+ exit
+ fi
+ echo 4
+}
+
+function wrap_if_ipv6(){
+ if [ $(ipversion $1) == 6 ] ; then
+ echo "[$1]"
+ exit
+ fi
+ echo "$1"
+}
 export IP_STACK=${IP_STACK:-"v6"}
 export HOST_IP_STACK=${HOST_IP_STACK:-${IP_STACK}}
@@ -151,3 +166,19 @@ else
 export BOOTSTRAP_PROVISIONING_IP=${BOOTSTRAP_PROVISIONING_IP:-$(nth_ip $PROVISIONING_NETWORK 2)}
 export CLUSTER_PROVISIONING_IP=${CLUSTER_PROVISIONING_IP:-$(nth_ip $PROVISIONING_NETWORK 3)}
 fi
+
+# Proxy related configuration
+if [[ ! -z "$INSTALLER_PROXY" ]]; then
+ export EXT_SUBNET=${EXTERNAL_SUBNET_V6}
+ if [[ "$IP_STACK" = "v4" ]]; then
+ EXT_SUBNET=${EXTERNAL_SUBNET_V4}
+ fi
+
+ HTTP_PROXY=http://$(wrap_if_ipv6 ${PROVISIONING_HOST_EXTERNAL_IP}):${INSTALLER_PROXY_PORT}
+ HTTPS_PROXY=http://$(wrap_if_ipv6 ${PROVISIONING_HOST_EXTERNAL_IP}):${INSTALLER_PROXY_PORT}
+ NO_PROXY=${PROVISIONING_NETWORK},9999,${EXT_SUBNET}
+
+ if [[ "$PROVISIONING_NETWORK_PROFILE" == "Disabled" ]]; then
+ NO_PROXY=${EXT_SUBNET},9999
+ fi
+fi
\ No newline at end of file
diff --git a/ocp_install_env.sh b/ocp_install_env.sh
index 0ff4c3dcdd71..b1b145bc9846 100644
--- a/ocp_install_env.sh
+++ b/ocp_install_env.sh
@@ -270,6 +270,16 @@ sshKey: |
 fips: ${FIPS_MODE:-false}
 EOF
 
+ if [[ ! -z "$INSTALLER_PROXY" ]]; then
+
+ cat >> "${outdir}/install-config.yaml" << EOF
+proxy:
+ httpProxy: ${HTTP_PROXY}
+ httpsProxy: ${HTTPS_PROXY}
+ noProxy: ${NO_PROXY}
+EOF
+ fi
+
 cp "${outdir}/install-config.yaml" "${outdir}/install-config.yaml.save"
 }
diff --git a/proxy_cleanup.sh b/proxy_cleanup.sh
new file mode 100755
index 000000000000..3ad814f40ad4
--- /dev/null
+++ b/proxy_cleanup.sh
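Review bot: Both moved functions end their early branch with `exit` rather than `return`; that only works because the caller visible in this diff wraps them in `$(...)`, and now that they live in network.sh, which appears to be sourced, a direct call such as `wrap_if_ipv6 "$ip"` would terminate the sourcing script. Use `return` in both early branches (`echo 6; return` in `ipversion`, `echo "[$1]"; return` in `wrap_if_ipv6`) and quote the test: `if [[ "$(ipversion "$1")" == 6 ]] ; then`. Stylistically, there is no blank line between the closing `}` of `wrap_if_ipv6` and `export IP_STACK`, unlike the function above it.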
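Review bot: `NO_PROXY` is built with a bare `9999` entry, but `NO_PROXY` entries are host names, domain suffixes or CIDRs, so as written it only exempts a host literally named `9999`; if a port was meant, that cannot be expressed here, and the entry should become the host or subnet that service lives on (or be dropped) with a comment stating what it is for. `EXT_SUBNET` falls back to the v6 subnet for every `IP_STACK` value other than `v4`, so if a dual-stack value is possible the v4 external subnet is never exempted and that traffic is sent to squid. Only `EXT_SUBNET` is exported here while `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` are exported only later in 06_create_cluster.sh, so any other script that sources network.sh and spawns a child process will not see them; prefix the three assignments with `export` at the point of definition. The file is also left without a trailing newline.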
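Review bot: The three proxy values are interpolated into YAML as unquoted plain scalars; `NO_PROXY` is a comma-separated list that for IPv6 contains `::` and `/`, and any future entry containing `: ` or ` #` would silently change the document, so quote them: `  httpProxy: "${HTTP_PROXY}"`, `  httpsProxy: "${HTTPS_PROXY}"`, `  noProxy: "${NO_PROXY}"`. If `INSTALLER_PROXY` is set while the proxy variables are empty, an empty `proxy:` stanza is written and the outcome is left to installer validation this script cannot see; a `: "${HTTP_PROXY:?INSTALLER_PROXY is set but HTTP_PROXY is empty}"` guard before the heredoc fails fast instead. The function this `if` sits in begins and ends outside the hunk.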
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -x
+
+source logging.sh
+source common.sh
+source validation.sh
+
+early_cleanup_validation
+
+sudo podman kill ds-squid || true
diff --git a/utils.sh b/utils.sh
index 99b2876c91e1..fe12f02c7128 100755
--- a/utils.sh
+++ b/utils.sh
@@ -165,22 +165,6 @@ function create_cluster() {
 $OPENSHIFT_INSTALLER --dir "${assets_dir}" --log-level=debug create cluster 2>&1 | grep --line-buffered -v 'password\|X-Auth-Token\|UserData:'
 }
 
-function ipversion(){
- if [[ $1 =~ : ]] ; then
- echo 6
- exit
- fi
- echo 4
-}
-
-function wrap_if_ipv6(){
- if [ $(ipversion $1) == 6 ] ; then
- echo "[$1]"
- exit
- fi
- echo "$1"
-}
-
 function network_ip() {
 local network
 local rc
@@ -584,6 +568,21 @@ function wait_for_crd() {
 oc wait --for condition=established --timeout=60s "crd/$1" || exit 1
 }
 
+function generate_proxy_conf() {
+ if [[ "$PROVISIONING_NETWORK_PROFILE" != "Disabled" ]]; then
+ echo "acl all src ${PROVISIONING_NETWORK}"
+ fi
+
+ cat <
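Review bot: `podman kill` only signals a running container; one that was created but never reached the running state (for example after a failed start) is not covered by `--rm` and is left in place, so the next `podman run --name ds-squid` in 02_configure_host.sh fails on the name clash — prefer the idempotent `sudo podman rm -f ds-squid || true`. The generated `${WORKING_DIR}/squid.conf` is not removed either; if host_cleanup does not cover it, add `rm -f "${WORKING_DIR}/squid.conf"` after sourcing common.sh. A one-line header such as `# Stop the squid proxy started by 02_configure_host.sh when INSTALLER_PROXY is set` would tell a reader what this script tears down.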