LinuxQuestions.org
Old 06-10-2015, 08:11 AM   #1
acarri
LQ Newbie
 
Registered: Mar 2004
Posts: 18

Rep: Reputation: 0
Problems setting up squid in transparent mode using fedora 21


Hello everyone,

I'm having problems setting up squid in transparent mode using Fedora 21 and firewalld on my laptop workstation. I'm using a laptop with a wifi connection to the internet and that's it. Wifi IP is 192.168.1.64. Works well when I configure squid in my browser (192.168.1.64:3128), but not in transparent mode, so, here is my configuration:

/etc/squid/squid.conf

visible_hostname localhost.localdomain

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl palabrasno url_regex wikipedia google yahoo facebook fb wix wixtools
acl restringe dstdomain "/etc/squid/bad.acl"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet !palabrasno !restringe
http_access allow localhost !palabrasno !restringe

http_access deny all

http_port 192.168.1.64:3128 intercept

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

firewall-cmd --list-all

public (default, active)
interfaces: tun0 wlp4s0
sources:
services: dhcpv6-client http https mdns squid ssh
ports: 3128/tcp
masquerade: yes
forward-ports: port=80:proto=tcp:toport=3128:toaddr=192.168.1.64
icmp-blocks:
rich rules:

Can someone tell me what I am missing? How can I force redirect traffic through 3128?

Thanks in advance...
 
Old 06-10-2015, 07:52 PM   #2
acarri
LQ Newbie
 
Registered: Mar 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Can anybody give me a hint?...

Thank you.
 
Old 06-11-2015, 02:31 PM   #3
acarri
LQ Newbie
 
Registered: Mar 2004
Posts: 18

Original Poster
Rep: Reputation: 0
I am in shock, this is the first time I post on linuxquestions.org forums without a reply... I always regarded this forum as the ultimate linux help platform... can anyone kindly help please?...
 
Old 12-16-2016, 05:36 AM   #4
acarri
LQ Newbie
 
Registered: Mar 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Solution!

Well I replaced this line:

http_port 192.168.1.64:3128 intercept

with this line

http_port 192.168.1.64:3128 transparent

and everything started working as it should.

But I discovered that this setup doesn't work well with HTTPS. If you want to successfully filter HTTPS, then you have to put the proxy settings directly in the browser, or, if you don't want to configure each client's proxy setting (computer, tablet, phone, etc.), then have a look at WPAD and PAC files for automatic proxy discovery.

Ok, I will mark this one as solved.

Last edited by acarri; 12-16-2016 at 05:39 AM.
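
Added example (not part of the original posts): a PAC file of the kind the last post points to, sending HTTP and HTTPS to the Squid instance from the thread. It assumes Squid at 192.168.1.64:3128 accepts explicitly configured clients, as the poster's browser test did; the helper names `ipv4ToInt` and `isLocalLiteral` are made up for this sketch, and it avoids browser-only PAC helpers so it also runs under Node.

```javascript
// wpad.dat / proxy.pac (added example, not from the thread).
// Assumption: Squid on 192.168.1.64:3128 serves forward-proxy clients.
var SQUID = "PROXY 192.168.1.64:3128";

// Parse a dotted-quad literal into a number, or return null.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True for IPv4 literals in loopback or the RFC 1918 ranges
// that the post's "localnet" ACL lists.
function isLocalLiteral(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var nets = [["127.0.0.0", 8], ["10.0.0.0", 8],
              ["172.16.0.0", 12], ["192.168.0.0", 16]];
  for (var i = 0; i < nets.length; i++) {
    var base = ipv4ToInt(nets[i][0]);
    var size = Math.pow(2, 32 - nets[i][1]);
    if (ip >= base && ip < base + size) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names and local addresses bypass the proxy.
  // IPv6 literals (which contain ":") are not treated as plain names.
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (plainName || isLocalLiteral(host)) return "DIRECT";
  // HTTPS reaches Squid as "CONNECT host:443", so the proxy sees the
  // destination name that interception of port 80 alone never gets.
  // No "; DIRECT" fallback: if Squid is down, clients fail closed
  // instead of silently bypassing the filter.
  if (/^https?:/i.test(url)) return SQUID;
  return "DIRECT";
}
```

For WPAD, clients look for this file as `wpad.dat` over HTTP on a host named `wpad` in their DNS domain, or at the URL given in DHCP option 252; serve it with the MIME type `application/x-ns-proxy-autoconfig`.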
 
  

