Issue setup Transparent proxy and Gateway using Squid on CentOS 7

Forum: UNIX for Advanced & Expert Users
Tags: centos7, gateway, proxy, solved, squid, transparent
#1 - 12-05-2017 - sunnysthakur
Issue setup Transparent proxy and Gateway using Squid on CentOS 7

Hello,

We are migrating our gateways from CentOS 6 to CentOS 7, and for setting up a transparent proxy using Squid and firewalld I am using the configuration below.

#Firewalld configurations


Code:
firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=LAN_IP
firewall-cmd --permanent --zone=public --add-port=3128/tcp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

#Allowed ports


Code:
#firewall-cmd --zone=public --add-port=3128/tcp --permanent
#firewall-cmd --zone=public --add-port=8080/tcp --permanent
#firewall-cmd --zone=public --add-port=443/tcp --permanent
#firewall-cmd --zone=public --add-port=80/tcp --permanent
#firewall-cmd --zone=public --add-port=22/tcp --permanent

#Allow LAN Network in squid.conf [Version 3.5.20]



Code:
acl our_network src 192.168.2.0/24  10.0.0.0/8  192.168.15.0/24

# Allow Network ACL Allow/Deny Section#
http_access allow our_network

# Transparent Proxy Parameters 
http_port 3128 intercept

Now the issue is that we are able to access the internet using this gateway from the mentioned ranges, but we are not able to access services like mstsc/ssh on other machines, and we are not able to access internal web pages/URLs set up on internal IPs. However, we are able to ping the IPs.
We also tried disabling firewalld and using iptables instead on CentOS 7, but that setup does not work either (even the internet is not working).

Previously the gateway was set up on CentOS 6 and was working fine with the configuration below, and there wasn't any issue like the one we are facing above.

#Allow LAN Network in squid.conf [Version 3.1.23]



Code:
acl our_network src 192.168.2.0/24  10.0.0.0/8  192.168.15.0/24

# Allow Network ACL Allow/Deny Section#
http_access allow our_network

# Transparent Proxy Parameters 
http_port 3128 transparent

#Below is the shell script we use to set up squid/iptables as a transparent proxy. We call this script from /etc/rc.local


Code:
#!/bin/sh
# Squid server IP (the gateway's WAN address; placeholder)
SQUID_SERVER="WANIP"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load netfilter modules for NAT and connection tracking.
# Current kernels name them nf_conntrack*; ip_conntrack* are the legacy
# names, so try the new name first and fall back to the old one.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy: never let NetBIOS/SMB out towards the
# Internet, neither forwarded LAN traffic nor this host's own traffic
iptables -A FORWARD -p tcp --dport 135:139 -o $INTERNET -j DROP
iptables -A OUTPUT -p tcp --dport 135:139 -o $INTERNET -j DROP
iptables -A OUTPUT -p udp --dport 135:139 -o $INTERNET -j DROP
iptables -A FORWARD -p udp --dport 135:139 -o $INTERNET -j DROP
iptables -A FORWARD -p tcp --dport 445 -o $INTERNET -j DROP
iptables -A FORWARD -p udp --dport 445 -o $INTERNET -j DROP
iptables -A OUTPUT -p tcp --dport 445 -o $INTERNET -j DROP
iptables -A OUTPUT -p udp --dport 445 -o $INTERNET -j DROP

iptables -P INPUT  ACCEPT
iptables -P OUTPUT ACCEPT
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies to connections this host opened, plus related ones
# (DNS answers, passive FTP data connections via the ftp helper)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set this system up as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# Unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# If Squid is on this same system, also redirect port 80 arriving on the WAN interface
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-port $SQUID_PORT

# Log any remaining INPUT traffic. Note: the final rule ACCEPTs it (consistent
# with the INPUT policy above); change it to DROP for a default-deny policy.
iptables -A INPUT -j LOG
iptables -A INPUT -j ACCEPT

Can you help me fix this issue? Am I missing some firewalld rules due to which the services are not accessible, or what else am I missing?
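As an added example (not the poster's script or the forum's own code), here is a reworked version of the rule set from the script above, for the legacy-iptables route. It differs from the original in two points a gateway operator usually wants: the internal networks are excluded from interception, so requests for intranet web servers and other LAN-to-LAN traffic are routed normally instead of being diverted to Squid, and REDIRECT is used because Squid runs on the gateway itself, so no WAN IP needs to be hard-coded. Interface names, the Squid port and the network list are placeholders taken from the poster's values and can be overridden through the environment. Without arguments the script only prints the commands for review; `apply` pipes them to the shell.

```shell
#!/bin/sh
# Added example, not the thread's own script. Generates the transparent-proxy
# rule set as plain commands so it can be reviewed before it is loaded.
# All values below are placeholders/assumptions taken from the thread.
WAN_IF="${WAN_IF:-eth0}"          # interface towards the Internet
LAN_IF="${LAN_IF:-eth1}"          # interface towards the LAN
SQUID_PORT="${SQUID_PORT:-3128}"  # matches "http_port 3128 intercept" in squid.conf
# Destinations that must NOT be intercepted: the internal networks the LAN
# uses (constructed from the poster's ACL; adjust to your own ranges).
INTERNAL_NETS="${INTERNAL_NETS:-192.168.2.0/24 10.0.0.0/8 192.168.15.0/24}"

# nat table: masquerade towards the WAN and intercept LAN port 80 into Squid.
# A RETURN in the built-in PREROUTING chain falls through to its ACCEPT policy,
# so traffic to internal networks keeps its real destination.
nat_rules() {
    echo "iptables -t nat -F"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    for net in $INTERNAL_NETS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $net -j RETURN"
    done
    # Squid listens on this host, so REDIRECT is enough; no WAN IP is needed.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
}

# filter table: default-deny INPUT and FORWARD, allow the LAN in, allow the
# LAN out (to the WAN and between LAN subnets), log what is dropped.
filter_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -j ACCEPT"
    # Admin SSH from the WAN side (the poster opens 22 in firewalld as well)
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -j ACCEPT"
    echo "iptables -A INPUT -j LOG --log-prefix 'INPUT-DROP: '"
    echo "iptables -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
}

# Number of PREROUTING rules that send port 80 into Squid (expected: exactly one).
intercept_rule_count() {
    nat_rules | grep -c -- "--dport 80 .*--to-port $SQUID_PORT"
}

# Number of internal destinations excluded from interception.
exclusion_count() {
    nat_rules | grep -c -- '-j RETURN'
}

if [ "${1:-}" = apply ]; then
    { nat_rules; filter_rules; } | sh -e
else
    nat_rules
    filter_rules
fi
```

The exclusion rules are listed before the REDIRECT rule on purpose: netfilter evaluates the PREROUTING chain top to bottom, so an internal destination is returned before it can reach the interception rule. Reviewing the printed output with `iptables -t nat -S` after `apply` confirms that order.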
#2 - 12-07-2017 - sunnysthakur
Please help! I am still facing the same issue.
#3 - 12-19-2017 - sunnysthakur
FIXED

I disabled NetworkManager and firewalld and used the legacy network service and iptables to get it working on CentOS 7. Firewalld and NetworkManager are kind of wrappers, which cause this issue.
#4 - 12-19-2017 - MadeInGermany (Moderator)
Yes, firewalld conflicts, must be disabled if using iptables (and vice versa).

NetworkManager should not be a problem.
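The switch-over that posts #3 and #4 describe (firewalld off, legacy iptables on), as an added example that is not part of the thread. It uses the CentOS 7 `iptables-services` package, whose `iptables` unit restores `/etc/sysconfig/iptables` at boot; that is what makes a rule script like the poster's persistent without rc.local. By default the commands are only printed; set `DO_IT=1` to execute them. The `firewall_state` helper takes the two unit states as arguments so the conflict check can be exercised without systemd.

```shell
#!/bin/sh
# Added example, not from the thread: move a CentOS 7 gateway from firewalld
# to the legacy iptables service. Dry run unless DO_IT=1 is set.
run() {
    if [ "${DO_IT:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# Classify the firewall setup from the state of the two units
# ("active"/"inactive", as printed by `systemctl is-active`).
# Both active at once is the conflict described in the thread.
firewall_state() {
    fw="$1"; ipt="$2"
    if [ "$fw" = active ] && [ "$ipt" = active ]; then
        echo conflict
    else
        echo ok
    fi
}

# Query the live system and classify it (not used by the offline test).
current_firewall_state() {
    firewall_state "$(systemctl is-active firewalld)" "$(systemctl is-active iptables)"
}

switch_to_iptables() {
    run systemctl disable --now firewalld
    # mask so that no dependency can start firewalld again
    run systemctl mask firewalld
    run yum -y install iptables-services
    run systemctl enable --now iptables
    # Save the running rule set; the iptables unit reloads this file at boot
    run sh -c 'iptables-save > /etc/sysconfig/iptables'
}

switch_to_iptables
```

After running it with `DO_IT=1`, `iptables -t nat -S` should list only the rules from your own script; firewalld's chains (FWDI_, FWDO_, IN_ prefixes) must no longer be present.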
#5 - 12-20-2017 - sunnysthakur
FIXED

Right... actually the ethernet (ifconfig) files are managed by NetworkManager in CentOS 7, which creates problems when adding multiple VIPs on the server. Disabling it helped to add multiple IPs on the server.