Need help squid/firewalld on CentOS 7 as dns, ftp, http, https transparent proxy

Tags: centos-7, firewalld, squid

I have installed squid v3.3.8 on CentOS 7 that has two interfaces as follows:

internal interface: ens32
external interface: ens33   (masquerade is enabled here)

First of all, I enabled IPv4 forwarding:
sysctl -w net.ipv4.ip_forward=1

I want to be able to put the ens32 IP address in my browser with port 3128 and be able to access the internet, whether ftp, http or https. To be honest, I need to make all traffic types allowed later on, but block some websites, because some apps I use need tcp/udp traffic on different ports.

I added firewalld rule:

firewall-cmd --permanent --zone=internal --add-service=squid

I can telnet ens32 IP on port 3128!

As an unlucky beginning I left squid.conf as is, but added "intercept" after http_port 3128 to force traffic from ens32 to ens33. When I try to access internet from my browser, I always get the following:

The following error was encountered while trying to retrieve the URL: http://www.whatever.com

    Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

I also don't know how to correctly create the necessary firewalld rules in order to forward requests received on ens32 to ens33. All tutorials I read were using iptables, but what I really want to use is firewalld. I am new to the whole linux world; I never studied iptables in the past.

I first need to make http requests work, then I will continue with the rest.

thanks in advance

Best Answer

Let's hope someone finds this answer useful, as I did not find these things online anywhere!

I received the "Access Denied" error because, as I stated in my question, I had

http_port 3128 intercept

This meant that this squid port was dedicated to intercepting the traffic rather than forwarding it, hence firewalld was expected to forward the traffic from port 3128 to another port, for example port 3126:

firewall-cmd --permanent --zone=internal --add-forward-port=port=80:proto=tcp:toport=3126:toaddr=LAN_INTERFACE_IP
firewall-cmd --reload

to enable squid to process the traffic forwarded to port 3126 while still listening on port 3128. Of course, I had to open port 3126 as follows:

firewall-cmd --permanent --zone=internal --add-port=3126/tcp

and then I can configure squid this way:

http_port  3126 intercept
http_port  3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem

Note that port 3128 is not in intercept mode. So, firewalld forwards http traffic to port 3126, squid does its job listening on port 3128, while ipv4 forwarding forwards unknown traffic (which is what we wanted in the first place) to the WAN interface, i.e. ens33.

To be able to reach the server from a different subnet, simply add a static route on LAN interface where the gateway of this route is set to the actual gateway of the subnet to which LAN interface IP belongs.

Concerning the certificate thing, I did the following:

mkdir /etc/squid/ssl_cert/
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
openssl x509 -in myca.pem -outform DER -out myca.der
chown -R squid:squid /etc/squid/ssl_cert/

Finally, SELinux is enabled; I solved that this way, and ironically I found the solution in the error log of SELinux:

grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtd_pol
semodule -i ssl_crtd_pol.pp

This should answer my question and all of my comments above.
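The root cause the answer arrives at is a port mismatch: the port firewalld forwards port 80 to must be the one squid runs in intercept mode, and the port browsers are pointed at must not be in intercept mode, otherwise squid rejects the request with "Access Denied". The script below is an added example, not part of the original question or answer, that checks a squid.conf for exactly that consistency and emits the matching firewall-cmd lines without running them. The port numbers, the 192.0.2.1 LAN address and the two sample squid.conf fragments are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check that a squid.conf and the
# firewalld forward-port rule agree before reloading either one.
# Port numbers, the LAN IP and the sample configs below are constructed.

# Print the port of every http_port line that carries the "intercept" flag.
# An "addr:port" form is reduced to the port alone.
squid_intercept_ports() {
    awk '$1 == "http_port" { p = $2; sub(/.*:/, "", p)
                             for (i = 3; i <= NF; i++) if ($i == "intercept") print p }' "$1"
}

# Print the port of every http_port line WITHOUT "intercept" (explicit proxy ports).
squid_plain_ports() {
    awk '$1 == "http_port" { p = $2; sub(/.*:/, "", p); hit = 0
                             for (i = 3; i <= NF; i++) if ($i == "intercept") hit = 1
                             if (!hit) print p }' "$1"
}

# Return 0 when the layout is consistent:
#   $2 = toport= of the firewalld forward rule   -> must be an intercept port
#   $3 = port configured in the browsers         -> must be a plain (non-intercept) port
check_setup() {
    conf="$1"; toport="$2"; proxyport="$3"
    squid_intercept_ports "$conf" | grep -qx "$toport"   || return 1
    squid_plain_ports     "$conf" | grep -qx "$proxyport" || return 1
    return 0
}

# Emit the firewalld commands for that layout. They are printed, not executed,
# so the script runs anywhere; pipe the output to sh on the proxy host.
firewalld_cmds() {
    lan_ip="$1"; toport="$2"
    echo "firewall-cmd --permanent --zone=internal --add-service=squid"
    echo "firewall-cmd --permanent --zone=internal --add-port=${toport}/tcp"
    echo "firewall-cmd --permanent --zone=internal --add-forward-port=port=80:proto=tcp:toport=${toport}:toaddr=${lan_ip}"
    echo "firewall-cmd --reload"
}

# Constructed sample configs: the working layout and the original broken state
# (single port, in intercept mode, with browsers pointed straight at it).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
http_port 3126 intercept
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem
EOF

BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
http_port 3128 intercept
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Stand-alone run: report both verdicts, then show the firewalld lines for the good layout.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_setup "$f" 3126 3128; then echo "$f: consistent"; else echo "$f: inconsistent"; fi
done
firewalld_cmds 192.0.2.1 3126
```

Run it on the proxy host with the real `/etc/squid/squid.conf` in place of the sample files; `check_setup` exits non-zero on the mismatch, which is the state that produced the "Access Denied" page in the question.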