
List:       squid-users
Subject:    Re: [squid-users] transparent mode squid on centos 9 with iptables (part 2)
From:       <ngtech1ltd () gmail ! com>
Date:       2022-11-30 23:07:22
Message-ID: 001701d90510$82126700$86373500$ () gmail ! com

Hey Lola,

I have created a demo video at:
https://cloud1.ngtech.co.il/static/squid-data/CentOS%209%20-%20Intercept%20Demo.mp4

This gives a demo on how to configure squid in intercept (transparent) mode for both port 80 HTTP and port 443 HTTPS. It's not a tutorial, it's a demo.

The client is a Windows Server 2022 and the proxy server is a CentOS 9 with the default Squid 5.5 package. It's recommended by the Squid-Cache project to use the latest stable, but from my tests the latest 5 cannot be compiled on CentOS 9 and all other RHEL 9 based distributions. Pay attention to the OpenSSL version that is being used on CentOS 9 and others.

For now I do recommend using RHEL / Oracle 8 and not CentOS 9 Stream.
If you do feel comfortable with CentOS 8 Stream then use that instead of CentOS 9 Stream for now.


# CentOS 9 squid 5.5 compilation flags
# squid -v
Squid Cache: Version 5.5
Service Name: squid

This binary uses OpenSSL 3.0.1 14 Dec 2021. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-redhat-linux-gnu' \
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' \
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' \
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' \
'--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' \
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid' \
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' \
'--with-pidfile=/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' \
'--enable-follow-x-forwarded-for' '--enable-auth' \
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' \
'--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' \
'--enable-auth-negotiate=kerberos' \
'--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' \
'--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' \
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' \
'--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' \
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' \
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' \
'--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' \
'--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' \
'--disable-arch-native' '--disable-security-cert-validators' \
'--disable-strict-error-checking' '--with-swapdir=/var/spool/squid' \
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' \
'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe \
-Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS \
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong \
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic \
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' \
'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now \
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld \
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto \
-ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall \
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS \
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong \
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic \
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' \
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' \
'LT_SYS_LIBRARY_PATH=/usr/lib64:'


All The Bests,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: mailto:ngtech1ltd@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

From: squid-users <squid-users-bounces@lists.squid-cache.org> On Behalf Of Lola Lo
Sent: Wednesday, 16 November 2022 22:15
To: squid-users@lists.squid-cache.org
Subject: [squid-users] transparent mode squid on centos 9 with iptables (part 2)

Hi guys.

Could you please send a tutorial or any good guidance to implement squid in transparent mode on CentOS 9 with iptables. I have configured squid.conf with these parameters:


ens192: 172.31.168.28, internet interface
ens224: 192.168.1.10, LAN interface (private network)

# My ACLs #
acl mi_red src 192.168.1.0/24
acl cliente_linux src 192.168.1.20
acl cliente_windows src 192.168.1.30
acl sitios1 url_regex "/etc/squid/listas/sitios1"
acl sitios2 url_regex "/etc/squid/listas/sitios2"

# Squid normally listens to port 3128
http_port 3128
http_port 8080 transparent

I want the "deny all" rule to get applied to test the client using the proxy

My iptables is configured as follows:

#!/bin/bash

## NAT server configuration ##

sysctl -w net.ipv4.ip_forward=1
sysctl -p
iptables -X
iptables -F
iptables -t nat -X
iptables -t nat -F
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE



#!/bin/bash

## proxy server configuration ##

### Accepting traffic for the ports: 3128 and 8080##

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j DROP
iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3128 -j DROP

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8080 -j DROP


### Accepting traffic for the ports: 3128 and 8080##

iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080



But I got this error:

1668381894.746      0 192.168.1.20 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1668381967.800      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.805      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.809      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.814      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.818      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.823      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.827      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.832      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.836      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
1668381967.841      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html

Could you please help me to solve this? I am completely new to using Squid and Linux.

I was following these sources:

• https://www.xmodulo.com/squid-transparent-web-proxy-centos-rhel.html
• https://www.maravento.com/2015/06/no-forward-proxy-ports-configured.html
• https://www.xmodulo.com/internet-connection-sharing-iptables-linux.html

You can find the logs of squid 5.5 here:
https://epnecuador-my.sharepoint.com/:u:/g/personal/mercy_anchundia_epn_edu_ec/EaqrQJFkDfhLnEha14CIfKoBhrKZLaSTIE51t_gw0_iUZw?e=Y8xirv
I configured the Linux client with the IP 192.168.1.20/24; the gateway is the Linux server, 192.168.1.10, and DNS is 192.168.1.10 and others from my ISP.

....

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
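As an added illustration (not code from this thread or from the Squid project): a small Python check that reads squid.conf port lines and nat-table REDIRECT rules shaped like the ones quoted above and flags the mismatch that usually produces NONE_NONE/400 error:invalid-request entries like those in the quoted log, namely port 443 redirected to a plain http_port. The squid.conf and iptables text inside it is constructed from the posted lines, and the https_port cert path is a placeholder.

```python
import re

# Constructed inputs modelled on the thread's squid.conf/iptables lines; cert path is a placeholder.
POSTED_CONF = "http_port 3128\nhttp_port 8080 transparent\n"
POSTED_RULES = """
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080
"""
# Corrected shape: HTTPS lands on an https_port with ssl-bump (needs ssl_bump rules + a CA the clients trust).
FIXED_CONF = """
http_port 3128
http_port 8080 intercept
https_port 8443 intercept ssl-bump cert=/etc/squid/ssl/PLACEHOLDER-CA.pem
"""
FIXED_RULES = POSTED_RULES.replace("--dport 443 -j REDIRECT --to-port 8080",
                                   "--dport 443 -j REDIRECT --to-port 8443")

PORT_RE = re.compile(r"^\s*(https?_port)\s+(?:\S*:)?(\d+)(.*)$")
REDIRECT_RE = re.compile(r"--dport\s+(\d+)\s.*-j\s+REDIRECT\s+--to-ports?\s+(\d+)")

def parse_ports(conf):
    """Map each listening port to (directive, option set) from http_port/https_port lines."""
    ports = {}
    for line in conf.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(2))] = (m.group(1), set(m.group(3).split()))
    return ports

def check_redirects(conf, rules):
    """Return (dport, to_port, problem) for every nat REDIRECT that lands on an unsuitable port."""
    ports = parse_ports(conf)
    findings = []
    for dport, to_port in REDIRECT_RE.findall(rules):
        dport, to_port = int(dport), int(to_port)
        if to_port not in ports:
            findings.append((dport, to_port, "no-listener"))
            continue
        directive, opts = ports[to_port]
        # NAT'd connections must land on an intercept port ('transparent' is the older name).
        if not opts & {"intercept", "transparent"}:
            findings.append((dport, to_port, "not-intercept"))
        # A TLS ClientHello on a plain http_port is answered 400 error:invalid-request; use https_port ... ssl-bump.
        if dport == 443 and not (directive == "https_port" and "ssl-bump" in opts):
            findings.append((dport, to_port, "tls-to-plain-http-port"))
    return findings

if __name__ == "__main__":
    print(check_redirects(POSTED_CONF, POSTED_RULES))  # [(443, 8080, 'tls-to-plain-http-port')]
    print(check_redirects(FIXED_CONF, FIXED_RULES))    # []
```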

