[squid-users] transparent mode squid on centos 9 with iptables (part 2)
ngtech1ltd at gmail.com
ngtech1ltd at gmail.com
Wed Nov 30 23:07:22 UTC 2022
Hey Lola,
I have created a demo video at:
https://cloud1.ngtech.co.il/static/squid-data/CentOS%209%20-%20Intercept%20Demo.mp4
This gives a demo on how to configure squid in intercept (transparent) mode for both port 80 HTTP and port 443 HTTPS.
It’s not in a tutorial, it’s a demo.
The client is a Windows Server 2022 and the proxy server is a CentOS 9 with the default Squid 5.5 package.
it’s recommended by the Squid-Cache project to use the latest stable but from my tests the latest 5 cannot be compiled on CentOS 9
and all other RHEL 9 based distributions.
Pay attention for the OpenSSL version that is being used on CentOS 9 and others.
For now I do recommend to use the RHEL / Oracle 8 and not CentOS 9 Stream.
If you do feel comfortable with CentOS 8 Stream then use that instead of CentOS 9 Stream for now.
# CentOS 9 squid 5.5 complication flags
# squid -v
Squid Cache: Version 5.5
Service Name: squid
This binary uses OpenSSL 3.0.1 14 Dec 2021. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-security-cert-validators' '--disable-strict-error-checking' '--with-swapdir=/var/spool/squid' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'LT_SYS_LIBRARY_PATH=/usr/lib64:'
All The Bests,
Eliezer
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: mailto:ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Lola Lo
Sent: Wednesday, 16 November 2022 22:15
To: squid-users at lists.squid-cache.org
Subject: [squid-users] transparent mode squid on centos 9 with iptables (part 2)
Hi guys.
Could you please send a tutorial or any good guidance to implement squid on transparent mode on centos 9 with iptables.
I have configured squid.conf with this parameters:
ens192: 172.31.168.28, internet interface
ens224: 192.168.1.10, LAN interface (private network)
# Mis ACLs #
acl mi_red src http://192.168.1.0/24
acl cliente_linux src 192.168.1.20
acl cliente_windows src 192.168.1.30
acl sitios1 url_regex "/etc/squid/listas/sitios1"
acl sitios2 url_regex "/etc/squid/listas/sitios2"
# Squid normally listens to port 3128
http_port 3128
http_port 8080 transparent
I want the “deny all” rule get applied to test the client using the proxy
My iptables is configured as follows:
#!/bin/bash
## NAT server configuration ##
sysctl -w net.ipv4.ip_forward=1
sysctl -p
iptables -X
iptables -F
iptables -t nat -X
iptables -t nat -F
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
#!/bin/bash
## proxy server configuration ##
### Accepting traffic for the ports: 3128 and 8080##
iptables -A INPUT -s http://192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j DROP
iptables -A OUTPUT -d http://192.168.1.0/24 -p tcp --sport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3128 -j DROP
iptables -A INPUT -s http://192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A OUTPUT -d http://192.168.1.0/24 -p tcp --sport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8080 -j DROP
### Accepting traffic for the ports: 3128 and 8080##
iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
iptables -t nat -A PREROUTING -s http://192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -s http://192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080
But I got this error:
1668381894.746 0 192.168.1.20 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1668381967.800 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.805 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.809 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.814 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.818 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.823 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.827 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.832 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.836 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.841 0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
Could you please help me to solve this; i am completely new using squid and in Linux?
I was following these sources:
• https://www.xmodulo.com/squid-transparent-web-proxy-centos-rhel.html
• https://www.maravento.com/2015/06/no-forward-proxy-ports-configured.html
• https://www.xmodulo.com/internet-connection-sharing-iptables-linux.html
You can find the logs of squid 5.5 here: https://epnecuador-my.sharepoint.com/:u:/g/personal/mercy_anchundia_epn_edu_ec/EaqrQJFkDfhLnEha14CIfKoBhrKZLaSTIE51t_gw0_iUZw?e=Y8xirv
I configured the linux client with the ip http://192.168.1.20/24, gateway is the linux server: 192.168.1.10 and DNS: 192.168.1.10 and others of my ISP.
....
More information about the squid-users
mailing list