[squid-users] transparent mode squid on centos 9 with iptables (part 2)
ngtech1ltd at gmail.com
Sat Nov 19 21:10:50 UTC 2022
Hey,
CentOS 9 mainly uses nftables when possible.
I have not seen any examples of squid intercept with nftables.
If for any reason the iptables command would not work on CentOS 9 (stream) let me know and I might be able to provide these.
Eliezer
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Thursday, 17 November 2022 6:35
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] transparent mode squid on centos 9 with iptables (part 2)
On 17/11/2022 9:14 am, Lola Lo wrote:
> Hi guys.
>
>
> Could you please send a tutorial or any good guidance to implement
> squid on transparent mode on centos 9 with iptables.
>
The configuration details for what you appear to be trying to configure
are here:
<https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
My comments below relate to how your attempt differs and how to fix.
> I have configured squid.conf with this parameters:
>
>
>
> ens192: 172.31.168.28, internet interface
>
> ens224: 192.168.1.10, LAN interface (private network)
>
>
> # Mis ACLs #
>
> acl mi_red src 192.168.1.0/24
>
> acl cliente_linux src 192.168.1.20
>
> acl cliente_windows src 192.168.1.30
>
> acl sitios1 url_regex "/etc/squid/listas/sitios1"
>
> acl sitios2 url_regex "/etc/squid/listas/sitios2"
>
>
> # Squid normally listens to port 3128
>
> http_port 3128
>
> http_port 8080 transparent
>
>
Firstly, use "intercept" instead of "transparent" with modern Squid.
Secondly, remember that only port 8080 is setup to receive intercepted
traffic. Port 3128 still receives normal forward-proxy traffic.
> I want the “deny all” rule get applied to test the client using the proxy
>
>
You have not shown any http_access lines from your config. There is a
clear bug in your NAT which explains the behaviour so I will assume that
the squid.conf policy does what you want.
> My iptables is configured as follows:
>
>
> #!/bin/bash
>
>
> ## NAT server configuration ##
>
>
> sysctl -w net.ipv4.ip_forward=1
>
> sysctl -p
>
> iptables -X
>
> iptables -F
>
> iptables -t nat -X
>
> iptables -t nat -F
>
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
>
>
>
Why is this a different script?
Ideally the firewall rules should be as atomic as possible to avoid
connections being setup with only part of the rules applied.
>
> #!/bin/bash
>
>
> ## proxy server configuration ##
>
>
> ### Accepting traffic for the ports: 3128 and 8080##
>
>
> iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 3128 -j DROP
>
Do not accept traffic directly to the port 8080. Also Squid does not
make outbound connections from its listening ports.
So these ...
> iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 3128 -j ACCEPT
>
> iptables -A OUTPUT -p tcp --sport 3128 -j DROP
>
>
> iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 8080 -j DROP
>
> iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 8080 -j ACCEPT
>
> iptables -A OUTPUT -p tcp --sport 8080 -j DROP
>
>
... should be replaced with:
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP
>
> ### Accepting traffic for the ports: 3128 and 8080##
>
>
> iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
>
You are missing a rule to allow Squid outbound traffic to avoid the NAT.
iptables -t nat -A PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080
>
>
Port 8080 in your squid.conf can only handle port 80 traffic syntax.
Port 443 is a more tricky situation. I recommend removing that until you
have the port 80 working.
>
> But I got this error:
>
>
> 1668381894.746 0 192.168.1.20 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
>
> 1668381967.800 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
>
This is likely from the missing NAT rule allowing Squid outbound.
If the above changes do not fix everything make sure that you test
exactly what the real clients will be doing. Specifically that they are
making contact to servers on port 80 or directly to Squid port 3128.
They know *nothing* about port 8080 existence so have no reason to send
anything that way directly.
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
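As an added example (not code from the thread, from Amos, from Eliezer or from the Squid project), the script below packages the rules Amos lists into a single iptables-restore document, which is how you get the atomic load he asks for instead of two separately run scripts, and also emits the nftables equivalent that Eliezer refers to for CentOS 9. It keeps the interfaces, addresses and ports from the question (ens192, ens224, 192.168.1.0/24, Squid at 192.168.1.10, intercept port 8080). The rule-file path, the nft table and chain names, and the default-ACCEPT filter policy are assumptions; the 3128 rules are the question's own filter rules carried over. On CentOS 9 the iptables command is the nft-backed build, so both loaders end up in nf_tables.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project.
# Builds the intercept ruleset from Amos's reply as ONE iptables-restore
# document (committed per table in one step, no half-loaded window) and the
# equivalent native nftables ruleset (one atomic transaction with nft -f).
# Interfaces/addresses/ports are from the question; RULES_FILE is assumed.

WAN_IF="${WAN_IF:-ens192}"               # internet-facing interface
LAN_IF="${LAN_IF:-ens224}"               # LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # clients to intercept
SQUID_IP="${SQUID_IP:-192.168.1.10}"     # Squid's own LAN address
INTERCEPT_PORT="${INTERCEPT_PORT:-8080}" # "http_port 8080 intercept" in squid.conf
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables-squid.rules}"  # assumed path

# Emit the ruleset in iptables-restore(8) format ('#' comment lines are allowed).
gen_iptables_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Clients know nothing about port ${INTERCEPT_PORT}: a packet addressed to it
# directly is bogus. mangle runs before nat, so traffic that will be
# REDIRECTed still carries dport 80 here and is not touched by this rule.
-A PREROUTING -i ${LAN_IF} -p tcp --dport ${INTERCEPT_PORT} -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Squid's own outbound traffic must bypass the redirect, or it loops back in.
-A PREROUTING -s ${SQUID_IP} -p tcp --dport 80 -j ACCEPT
# A plain intercept port only understands port-80 syntax: redirect 80 only.
-A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 80 -j REDIRECT --to-ports ${INTERCEPT_PORT}
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Forward-proxy port 3128: LAN only (the question's own rules). With policy
# ACCEPT nothing is needed for ${INTERCEPT_PORT}; only REDIRECTed packets reach it.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j DROP
COMMIT
EOF
}

# Same policy as a native nftables ruleset. Named priorities keep the order:
# mangle (-150) runs before dstnat (-100), exactly like the iptables tables.
gen_nft_rules() {
    cat <<EOF
table ip squid_intercept
flush table ip squid_intercept
table ip squid_intercept {
    chain mangle_pre {
        type filter hook prerouting priority mangle; policy accept;
        iifname "${LAN_IF}" tcp dport ${INTERCEPT_PORT} drop
    }
    chain nat_pre {
        type nat hook prerouting priority dstnat; policy accept;
        ip saddr ${SQUID_IP} tcp dport 80 accept
        iifname "${LAN_IF}" ip saddr ${LAN_NET} tcp dport 80 redirect to :${INTERCEPT_PORT}
    }
    chain nat_post {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "${WAN_IF}" masquerade
    }
    chain input {
        type filter hook input priority filter; policy accept;
        ct state related,established accept
        iifname "${LAN_IF}" ip saddr ${LAN_NET} tcp dport 3128 accept
        tcp dport 3128 drop
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state related,established accept
    }
}
EOF
}

# Loading: iptables-restore rejects the whole table on any error; nft -f
# applies the file as one transaction or not at all. Both need root.
case "${1:-}" in
    --apply-iptables) sysctl -w net.ipv4.ip_forward=1 >/dev/null
                      gen_iptables_rules > "$RULES_FILE"
                      iptables-restore < "$RULES_FILE" ;;
    --apply-nft)      sysctl -w net.ipv4.ip_forward=1 >/dev/null
                      gen_nft_rules | nft -f - ;;
    --nft)            gen_nft_rules ;;
    *)                gen_iptables_rules ;;  # default: print, do not touch the firewall
esac
```

Run it with no arguments to print the iptables rules for review, with `--nft` to print the nft ruleset, and as root with `--apply-iptables` or `--apply-nft` to load them. The port 443 REDIRECT from the question is deliberately left out, following Amos's advice to get port 80 working before touching 443; an `intercept` port cannot parse TLS, and 443 needs a separate `https_port ... intercept ssl-bump` setup that this example does not cover.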