Issue setup Transparent proxy and Gateway using Squid on CentOS 7
# 1  
Old 12-05-2017
Issue setup Transparent proxy and Gateway using Squid on CentOS 7

Hello,

We are migrating our gateways from CentOS 6 to CentOS 7, and for setting up a transparent proxy using Squid and firewalld I am using the configuration below.

#Firewalld configurations
Code:
firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=LAN_IP
firewall-cmd --permanent --zone=public --add-port=3128/tcp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

#Allowed ports
Code:
#firewall-cmd --zone=public --add-port=3128/tcp --permanent
#firewall-cmd --zone=public --add-port=8080/tcp --permanent
#firewall-cmd --zone=public --add-port=443/tcp --permanent
#firewall-cmd --zone=public --add-port=80/tcp --permanent
#firewall-cmd --zone=public --add-port=22/tcp --permanent

#Allow LAN Network in squid.conf [Version 3.5.20]

Code:
acl our_network src 192.168.2.0/24  10.0.0.0/8  192.168.15.0/24

# Allow Network ACL Allow/Deny Section#
http_access allow our_network

# Transparent Proxy Parameters 
http_port 3128 intercept

Now the issue is that we are able to access the internet using this gateway from the mentioned IP series, but we are not able to access services like mstsc/ssh to other machines, and not able to access internal web pages/URLs set up on internal IPs. However, we are able to ping the IPs.
We also tried disabling firewalld and using iptables instead on CentOS 7, but that setup did not work at all (even the internet did not work).

Previously the gateway was set up on CentOS 6 and was working fine with the configuration below, and there wasn't any issue like the one we are facing above.

#Allow LAN Network in squid.conf [Version 3.1.23]

Code:
acl our_network src 192.168.2.0/24  10.0.0.0/8  192.168.15.0/24

# Allow Network ACL Allow/Deny Section#
http_access allow our_network

# Transparent Proxy Parameters 
http_port 3128 transparent

#Below is the bash script we use to set up squid/iptables as a transparent proxy. We call this script from /etc/rc.local
Code:
#!/bin/sh
#squid server IP
SQUID_SERVER="WANIP"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -A FORWARD -p tcp --dport 135:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --dport 135:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --dport 135:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -o eth0 -j DROP
iptables -A FORWARD -p tcp --dport 445 -o eth0 -j DROP
iptables -A FORWARD -p udp --dport 445 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --dport 445 -o eth0 -j DROP
iptables -A OUTPUT -p udp --dport 445 -o eth0 -j DROP

iptables -P INPUT  ACCEPT
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-port $SQUID_PORT

# Log everything else reaching INPUT, then accept it
iptables -A INPUT -j LOG
iptables -A INPUT -j ACCEPT

Can you help me out to fix this issue? Am I missing some firewalld rules due to which the services are not accessible, or what else am I missing?
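As an added example (not code from this thread), here is the CentOS 6 ruleset from the question rewritten as shell functions with a dry-run switch: setting IPT=echo prints the rules that would be applied instead of applying them, so the generated ruleset can be reviewed before it goes live on the gateway. Interface names, the three LAN ranges and the Squid port are assumptions taken from the post; the REDIRECT target (Squid runs on the gateway itself, so there is no need to DNAT to the WAN address) and the rule that blocks the intercept port from anything but the LAN interface are my additions. The second point is worth checking in the firewalld variant too: adding 3128/tcp to the public zone makes the intercept port reachable from whatever interface sits in that zone, and an intercept port reachable from the Internet is an open proxy.

```shell
#!/bin/sh
# Added example, not from the thread. Values below are assumed placeholders;
# adjust them to the gateway being configured.
WAN_IF="${WAN_IF:-eth0}"      # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"      # assumed: interface facing the LAN
LAN_NETS="${LAN_NETS:-192.168.2.0/24 10.0.0.0/8 192.168.15.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
# IPT=echo turns every rule into a printed line (dry run) instead of a change.
IPT="${IPT:-iptables}"

# Turn the host into a router for the LAN: masquerade outbound traffic and
# forward LAN->WAN freely, WAN->LAN only for established/related flows.
router_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Divert only port 80 from the listed LAN ranges to Squid. Because Squid
# listens on this same host, REDIRECT to the local port is enough; a DNAT
# to the WAN address would hairpin the LAN clients' requests.
intercept_rules() {
    for net in $LAN_NETS; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$net" -p tcp --dport 80 \
             -j REDIRECT --to-ports "$SQUID_PORT"
    done
}

# The intercept port must be reachable from the LAN interface only;
# anything else (including the WAN side) is dropped.
protect_proxy_port() {
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

# IP forwarding is required for the router role; in dry-run mode the
# sysctl command is printed rather than executed.
enable_forwarding() {
    if [ "$IPT" = "echo" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

apply_all() {
    enable_forwarding
    router_rules
    intercept_rules
    protect_proxy_port
}

# Usage: `sh gateway.sh apply` applies the rules (as root);
#        `IPT=echo sh gateway.sh apply` only prints them for review.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

The dry-run output is the artefact to keep with the change request: it shows exactly which flows are diverted and which interface may reach the proxy port, which is the question to ask of the firewalld forward-port/add-port pair as well.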
# 2  
Old 12-07-2017
Please help! I am still facing the same issue.
# 3  
Old 12-19-2017
FIXED

I disabled NetworkManager and firewalld and used the legacy network service and iptables to get it working on CentOS 7. firewalld and NetworkManager are kind of wrappers, which causes this issue.
# 4  
Old 12-19-2017
Yes, firewalld conflicts, must be disabled if using iptables (and vice versa).

NetworkManager should not be a problem.
# 5  
Old 12-20-2017
FIXED

Right... actually the ethernet (ifconfig) files are managed by NetworkManager in CentOS 7, which creates a problem when adding multiple VIPs on the server. Disabling it helps to add multiple IPs on the server now.