[squid-users] transparent mode squid on centos 9 with iptables (part 2)

Lola Lo holitafarolito at gmail.com
Mon Nov 28 04:33:11 UTC 2022


Hi Amos.

Thank you for your advice. I applied the instructions that you sent me in
this link:
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and the
https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute,
the case of "When Squid is Internal amongst clients" and the section "Routing
Setup". Now I can see that Squid is intercepting the traffic; however, it is
not applying my policies:

http_access deny cliente_linux sitios2
http_access deny cliente_windows sitios1
http_access allow mi_red

"sitios2"=facebook
"sitios1"=youtube
These policies work when I set up the proxy manually. Do you have any idea
of how to troubleshoot this?
Thank you for your help



On Wed, Nov 16, 2022 at 11:35 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 17/11/2022 9:14 am, Lola Lo wrote:
> > Hi guys.
> >
> >
> > Could you please send a tutorial or any good guidance to implement
> > squid on transparent mode on centos 9 with iptables.
> >
>
> The configuration details for what you appear to be trying to configure
> are here:
>   <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> My comments below relate to how your attempt differs and how to fix.
>
> > I have configured squid.conf with this parameters:
> >
> >
> >
> > ens192: 172.31.168.28, internet interface
> >
> > ens224: 192.168.1.10, LAN interface (private network)
> >
> >
> > # Mis ACLs #
> >
> > acl mi_red src 192.168.1.0/24
> >
> > acl cliente_linux src 192.168.1.20
> >
> > acl cliente_windows src 192.168.1.30
> >
> > acl sitios1 url_regex "/etc/squid/listas/sitios1"
> >
> > acl sitios2 url_regex "/etc/squid/listas/sitios2"
> >
> >
> > # Squid normally listens to port 3128
> >
> > http_port 3128
> >
> > http_port 8080 transparent
> >
> >
>
> Firstly, use "intercept" instead of "transparent" with modern Squid.
>
> Secondly, remember that only port 8080 is set up to receive intercepted
> traffic. Port 3128 still receives normal forward-proxy traffic.
>
> > I want the “deny all” rule get applied to test the client using the proxy
> >
> >
>
> You have not shown any http_access lines from your config. There is a
> clear bug in your NAT which explains the behaviour so I will assume that
> the squid.conf policy does what you want.
>
>
> > My iptables is configured as follows:
> >
> >
> > #!/bin/bash
> >
> >
> > ## NAT server configuration ##
> >
> >
> > sysctl -w net.ipv4.ip_forward=1
> >
> > sysctl -p
> >
> > iptables -X
> >
> > iptables -F
> >
> > iptables -t nat -X
> >
> > iptables -t nat -F
> >
> > iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
> >
> >
> >
>
> Why is this a different script?
> Ideally the firewall rules should be as atomic as possible to avoid
> connections being setup with only part of the rules applied.
>
>
> >
> > #!/bin/bash
> >
> >
> > ## proxy server configuration ##
> >
> >
> > ### Accepting traffic for the ports: 3128 and 8080##
> >
> >
> > iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
> >
> > iptables -A INPUT -p tcp --dport 3128 -j DROP
> >
>
> Do not accept traffic directly to the port 8080. Also Squid does not
> make outbound connections from its listening ports.
> So these ...
>
> > iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 3128 -j ACCEPT
> >
> > iptables -A OUTPUT -p tcp --sport 3128 -j DROP
> >
> >
> > iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
> >
> > iptables -A INPUT -p tcp --dport 8080 -j DROP
> >
> > iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 8080 -j ACCEPT
> >
> > iptables -A OUTPUT -p tcp --sport 8080 -j DROP
> >
> >
>
> ... should be replaced with:
>
>    iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP
>
>
> >
> > ### Accepting traffic for the ports: 3128 and 8080##
> >
> >
> > iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
> >
>
> You are missing a rule to allow Squid outbound traffic to avoid the NAT.
>
>    iptables -t nat -A PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT
>
> > iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
> >
> > iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080
> >
> >
>
> Port 8080 in your squid.conf can only handle port 80 traffic syntax.
>
> Port 443 is a more tricky situation. I recommend removing that until you
> have the port 80 working.
>
>
> >
> > But I got this error:
> >
> >
> > 1668381894.7460 192.168.1.20 NONE_NONE/000 0 -
> > error:transaction-end-before-headers - HIER_NONE/- -
> >
> > 1668381967.8000 192.168.1.20 NONE_NONE/400 3690 -
> > error:invalid-request - HIER_NONE/- text/html
> >
>
> This is likely from the missing NAT rule allowing Squid outbound.
>
> If the above changes do not fix everything make sure that you test
> exactly what the real clients will be doing. Specifically that they are
> making contact to servers on port 80 or directly to Squid port 3128.
> They know *nothing* about port 8080 existence so have no reason to send
> anything that way directly.
>
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
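The points Amos makes in the quoted reply (load the rules atomically, drop anything sent straight to the intercept port in mangle PREROUTING, exempt Squid's own outbound port-80 traffic before the REDIRECT, and intercept only port 80 into an http_port) can be put into one script. The following is an added example written for this thread, not a script from the list or from the Squid project. It assumes the interfaces, addresses and ports described in the thread (ens192 as WAN, ens224 as LAN, Squid at 192.168.1.10, intercept on 8080, forward proxy on 3128); every value is overridable through the environment. It emits the ruleset in iptables-restore format, which applies all tables in a single commit, and includes a checker that rejects the mistakes from the original script before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): intercept ruleset built as one
# iptables-restore file so that it is applied atomically.
# Assumed values taken from the thread's description; override via env.
WAN_IF="${WAN_IF:-ens192}"            # interface towards the Internet
LAN_IF="${LAN_IF:-ens224}"            # interface towards the clients
SQUID_IP="${SQUID_IP:-192.168.1.10}"  # Squid host's LAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"
INTERCEPT_PORT="${INTERCEPT_PORT:-8080}"  # http_port ... intercept
FORWARD_PORT="${FORWARD_PORT:-3128}"      # plain http_port

# gen_rules prints the complete ruleset in iptables-restore syntax.
# Packet order on ingress is mangle PREROUTING, then nat PREROUTING, then
# filter INPUT, so the mangle DROP sees the client's original port while
# filter INPUT sees the port after REDIRECT.
gen_rules() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Clients know nothing about the intercept port; a direct hit is bogus.
-A PREROUTING -p tcp --dport $INTERCEPT_PORT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Squid's own outbound port-80 connections must bypass the REDIRECT,
# otherwise they would loop back into Squid.
-A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
# Only port-80 traffic from the LAN is intercepted; 443 is left alone.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Explicit forward-proxy clients reach the plain http_port directly.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $FORWARD_PORT -j ACCEPT
# Redirected port-80 connections arrive here with dport already rewritten;
# direct hits on this port were dropped in mangle PREROUTING above.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $INTERCEPT_PORT -j ACCEPT
# Non-intercepted LAN traffic (e.g. 443) is routed and masqueraded.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# check_rules reads a ruleset on stdin and fails on the mistakes discussed
# in the thread: no port-80 REDIRECT at all, Squid's outbound not exempted
# before the REDIRECT, no mangle DROP for direct hits on the intercept port,
# or port 443 redirected into an http_port.
check_rules() {
  awk -v sq="$SQUID_IP" -v ip="$INTERCEPT_PORT" '
    /^\*/ { table = $1 }
    table == "*nat" && $0 ~ ("-s " sq " .*--dport 80 -j ACCEPT") { exempt = NR }
    table == "*nat" && /--dport 80 -j REDIRECT/                  { redir = NR }
    table == "*nat" && /--dport 443 -j REDIRECT/                 { https = 1 }
    table == "*mangle" && $0 ~ ("--dport " ip " -j DROP")        { drop = 1 }
    END {
      if (!redir) { print "no port-80 REDIRECT"; exit 1 }
      if (!exempt || exempt > redir) { print "Squid outbound not exempted before REDIRECT"; exit 1 }
      if (!drop) { print "no mangle DROP for direct hits on port " ip; exit 1 }
      if (https) { print "port 443 redirected into an http_port"; exit 1 }
      exit 0
    }'
}

# Usage (as root): ./intercept-rules.sh emit | iptables-restore
if [ "${1:-}" = "emit" ]; then
  gen_rules | check_rules >&2 && gen_rules
fi
```

Because iptables-restore replaces each listed table in one commit, there is never a window in which only some of the rules are active, which is the atomicity Amos asks for; running the checker on the generated text before piping it to iptables-restore catches the two ordering bugs from the original script (the missing Squid exemption and the 443 REDIRECT) without touching the live firewall.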