Hi Amos. Thank you for your advice. I applied the instructions that you sent me in this link: https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and in https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute, the case "When Squid is Internal amongst clients" and the section "Routing Setup". Now I can see that Squid is intercepting the traffic; however, it is not applying my policies:
http_access deny cliente_linux sitios2
http_access deny cliente_windows sitios1
http_access allow mi_red

"sitios2" = facebook
"sitios1" = youtube

These policies work when I set up the proxy manually. Do you have any idea of how to troubleshoot this?

Thank you for your help

On Wed, Nov 16, 2022 at 11:35 PM Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 17/11/2022 9:14 am, Lola Lo wrote:
> > Hi guys.
> >
> > Could you please send a tutorial or any good guidance to implement
> > squid on transparent mode on centos 9 with iptables.
> >
>
> The configuration details for what you appear to be trying to configure
> are here:
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> My comments below relate to how your attempt differs and how to fix.
>
> > I have configured squid.conf with these parameters:
> >
> > ens192: 172.31.168.28, internet interface
> > ens224: 192.168.1.10, LAN interface (private network)
> >
> > # My ACLs #
> > acl mi_red src 192.168.1.0/24
> > acl cliente_linux src 192.168.1.20
> > acl cliente_windows src 192.168.1.30
> > acl sitios1 url_regex "/etc/squid/listas/sitios1"
> > acl sitios2 url_regex "/etc/squid/listas/sitios2"
> >
> > # Squid normally listens to port 3128
> > http_port 3128
> > http_port 8080 transparent
> >
>
> Firstly, use "intercept" instead of "transparent" with modern Squid.
>
> Secondly, remember that only port 8080 is setup to receive intercepted
> traffic. Port 3128 still receives normal forward-proxy traffic.
>
> > I want the "deny all" rule to get applied to test the client using the proxy
> >
>
> You have not shown any http_access lines from your config. There is a
> clear bug in your NAT which explains the behaviour so I will assume that
> the squid.conf policy does what you want.
> > My iptables is configured as follows:
> >
> > #!/bin/bash
> >
> > ## NAT server configuration ##
> >
> > sysctl -w net.ipv4.ip_forward=1
> > sysctl -p
> > iptables -X
> > iptables -F
> > iptables -t nat -X
> > iptables -t nat -F
> > iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
> >
>
> Why is this a different script?
> Ideally the firewall rules should be as atomic as possible to avoid
> connections being setup with only part of the rules applied.
>
> > #!/bin/bash
> >
> > ## proxy server configuration ##
> >
> > ### Accepting traffic for the ports: 3128 and 8080 ##
> >
> > iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 3128 -j DROP
>
> Do not accept traffic directly to the port 8080. Also Squid does not
> make outbound connections from its listening ports.
> So these ...
>
> > iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 3128 -j ACCEPT
> > iptables -A OUTPUT -p tcp --sport 3128 -j DROP
> >
> > iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 8080 -j DROP
> > iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 8080 -j ACCEPT
> > iptables -A OUTPUT -p tcp --sport 8080 -j DROP
> >
>
> ... should be replaced with:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j DROP
>
> > ### Accepting traffic for the ports: 3128 and 8080 ##
> >
> > iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
> >
>
> You are missing a rule to allow Squid outbound traffic to avoid the NAT.
> iptables -t nat -A PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT
>
> > iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
> > iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080
> >
>
> Port 8080 in your squid.conf can only handle port 80 traffic syntax.
>
> Port 443 is a more tricky situation. I recommend removing that until you
> have the port 80 working.
>
> > But I got this error:
> >
> > 1668381894.7460 192.168.1.20 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
> > 1668381967.8000 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
>
> This is likely from the missing NAT rule allowing Squid outbound.
>
> If the above changes do not fix everything make sure that you test
> exactly what the real clients will be doing. Specifically that they are
> making contact to servers on port 80 or directly to Squid port 3128.
> They know *nothing* about port 8080 existence so have no reason to send
> anything that way directly.
>
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
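Amos's corrections in the quoted reply, assembled into one ruleset as an added example (my code, not from the thread or from the Squid project). It assumes the addresses from the thread: LAN 192.168.1.0/24, Squid host 192.168.1.10, internet interface ens192, and `http_port 8080 intercept` in squid.conf; port 443 is left out, as Amos recommends, until port 80 works. The ruleset is emitted in iptables-restore format so it is applied in one atomic step instead of two scripts. The helper names `gen_rules`, `bypass_precedes_redirect` and `apply_rules` are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: the corrected ruleset
# as ONE iptables-restore file (atomic apply). Assumed values from the thread:
# LAN 192.168.1.0/24, Squid host 192.168.1.10, internet interface ens192,
# intercept port 8080. Port 443 is deliberately omitted until port 80 works.

# gen_rules [LAN] [SQUID_IP] [WAN_IF] [INTERCEPT_PORT] -> prints an iptables-restore ruleset
gen_rules() {
    lan="${1:-192.168.1.0/24}"
    squid_ip="${2:-192.168.1.10}"
    wan_if="${3:-ens192}"
    iport="${4:-8080}"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Clients know nothing about port ${iport}; anything arriving for it directly is bogus.
# mangle/PREROUTING runs before nat/PREROUTING, so packets that will later be
# REDIRECTed are still dport 80 here and are not touched by this rule.
-A PREROUTING -p tcp --dport ${iport} -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The bypass rule Amos says is missing. iptables matches top to bottom, so it
# must come BEFORE the REDIRECT line or it never matches.
-A PREROUTING -s ${squid_ip} -p tcp --dport 80 -j ACCEPT
-A PREROUTING -s ${lan} -p tcp --dport 80 -j REDIRECT --to-port ${iport}
-A POSTROUTING -o ${wan_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward-proxy port stays reachable from the LAN only; no INPUT/OUTPUT
# rules for the intercept port (the mangle DROP above covers it).
-A INPUT -s ${lan} -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j DROP
COMMIT
EOF
}

# bypass_precedes_redirect RULESET -> exit 0 when the first "--dport 80 -j ACCEPT"
# line comes before the first "-j REDIRECT" line (ordering bug check).
bypass_precedes_redirect() {
    a=$(printf '%s\n' "$1" | grep -n -- '--dport 80 -j ACCEPT' | head -n 1 | cut -d: -f1)
    b=$(printf '%s\n' "$1" | grep -n -- '-j REDIRECT' | head -n 1 | cut -d: -f1)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# apply_rules: needs root and a real iptables; not exercised by the self-test.
apply_rules() {
    rules=$(gen_rules "$@")
    bypass_precedes_redirect "$rules" || { echo "refusing: bypass rule after REDIRECT" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf '%s\n' "$rules" | iptables-restore
}

# Usage: `gen_rules | less` to review, or `apply_rules` as root on the Squid box.
```

Because iptables-restore loads the whole file in one operation, no connection can be set up while only half the rules are present, which is the atomicity point Amos raises about the two separate scripts.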