LinuxQuestions.org

Linux - Server: Issue setup Transparent proxy and Gateway using Squid on CentOS 7 (https://www.linuxquestions.org/questions/linux-server-73/issue-setup-transparent-proxy-and-gateway-using-squid-on-centos-7-a-4175618997/)

sunnysthakur 12-05-2017 03:46 AM

Issue setup Transparent proxy and Gateway using Squid on CentOS 7
 
Hello,

We are migrating our gateways from CentOS 6 to CentOS 7, and to set up a transparent proxy using squid and Firewalld I am using the configuration below.

# Firewalld configuration
Code:

firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=LAN_IP
firewall-cmd --permanent --zone=public --add-port=3128/tcp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

# Allowed ports
Code:

#firewall-cmd --zone=public --add-port=3128/tcp --permanent
#firewall-cmd --zone=public --add-port=8080/tcp --permanent
#firewall-cmd --zone=public --add-port=443/tcp --permanent
#firewall-cmd --zone=public --add-port=80/tcp --permanent
#firewall-cmd --zone=public --add-port=22/tcp --permanent 

# Allow LAN Network in squid.conf [Version 3.5.20]

Code:

acl our_network src 192.168.2.0/24  10.0.0.0/8  192.168.15.0/24

# Allow Network ACL Allow/Deny Section
http_access allow our_network

# Transparent Proxy Parameters
http_port 3128 intercept

Now the issue is that we are able to access the internet using this gateway on the mentioned series, but we are not able to access services like mstsc/ssh to other machines, nor internal web pages/URLs set up on internal IPs. However, we are able to ping the IPs.
We also tried disabling Firewalld and using iptables instead on CentOS 7, but that setup does not work either (not even the internet works).

Previously the gateway was set up on CentOS 6 and was working fine with the configuration below, and there wasn't any issue like the one we are facing above.

# Allow LAN Network in squid.conf [Version 3.1.23]

Code:

acl our_network src 192.168.2.0/24  10.0.0.0/8  192.168.15.0/24

# Allow Network ACL Allow/Deny Section
http_access allow our_network

# Transparent Proxy Parameters
http_port 3128 transparent

# Below is the bash script we use to set up squid/iptables as a transparent proxy. We call this script from /etc/rc.local
Code:

#!/bin/sh
# Squid server IP
SQUID_SERVER="WANIP"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# (on CentOS 7 these modules are named nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
# Enable IP forwarding (a value must be written; an empty echo does not enable it)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -A FORWARD -p tcp --dport 135:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --dport 135:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --dport 135:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -o eth0 -j DROP
iptables -A FORWARD -p tcp --dport 445 -o eth0 -j DROP
iptables -A FORWARD -p udp --dport 445 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --dport 445 -o eth0 -j DROP
iptables -A OUTPUT -p udp --dport 445 -o eth0 -j DROP

iptables -P INPUT  ACCEPT
iptables -P OUTPUT ACCEPT
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to established connections on the Internet interface (UDP, DNS and passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set this system as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# Unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# If squid runs on this same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-port $SQUID_PORT

# Log everything else on INPUT, then accept it (note: the final rule is ACCEPT, not DROP)
iptables -A INPUT -j LOG
iptables -A INPUT -j ACCEPT

Can you help me out to fix this issue? Am I missing some firewalld rules, due to which the services are not accessible, or what else am I missing?

TenTenths 12-05-2017 04:55 AM

Ditch firewalld and use iptables directly instead.

Install the iptables-services package and you can set iptables up in systemd to automatically start.

firewalld is pretty much a wrapper around iptables anyway and if you're more familiar with iptables (as your post suggests) then just go with it :)

sunnysthakur 12-05-2017 05:09 AM

I tried using iptables on CentOS 7 with the iptables rules script below, but the internet is not working. However, the same is working on CentOS 6.

Code:

#!/bin/sh
# Squid server IP
SQUID_SERVER="WANIP"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# (on CentOS 7 these modules are named nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
# Enable IP forwarding (a value must be written; an empty echo does not enable it)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -A FORWARD -p tcp --dport 135:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --dport 135:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --dport 135:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -o eth0 -j DROP
iptables -A FORWARD -p tcp --dport 445 -o eth0 -j DROP
iptables -A FORWARD -p udp --dport 445 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --dport 445 -o eth0 -j DROP
iptables -A OUTPUT -p udp --dport 445 -o eth0 -j DROP

iptables -P INPUT  ACCEPT
iptables -P OUTPUT ACCEPT
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to established connections on the Internet interface (UDP, DNS and passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set this system as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# Unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# If squid runs on this same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-port $SQUID_PORT

# Log everything else on INPUT, then accept it (note: the final rule is ACCEPT, not DROP)
iptables -A INPUT -j LOG
iptables -A INPUT -j ACCEPT

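The two scripts above intercept every port-80 connection arriving from the LAN, including connections to web servers on internal addresses, and they redirect port 80 on the Internet-facing interface to the proxy as well; the firewalld rules in the first post likewise open 3128 in the public zone. The script below is an added example, not the thread's script or anything from the Squid project, showing how such a gateway's rules can be generated with both points handled: destinations inside the LAN networks are exempted from interception, and the proxy ports are only reachable from the LAN interface. The interface names (eth0/eth1), the three networks from the thread's ACL, the ports 3128/3129 and the file name gateway.sh are assumed defaults. It prints the commands unless run with `apply` (as root), and its squid.conf fragment uses the Squid 3.5 `intercept` keyword that replaced 3.1's `transparent`, with a separate plain http_port for clients that have an explicit proxy setting, since the Squid documentation advises against sharing one port between the two modes.

```sh
#!/bin/sh
# Added example, not the thread's script: generate (or apply) the rules for a
# Squid intercept gateway. Every value below is an assumed default; override it
# in the environment, e.g.  LAN_IN=ens34 sh gateway.sh apply
INTERNET="${INTERNET:-eth0}"        # interface facing the Internet
LAN_IN="${LAN_IN:-eth1}"            # interface facing the LAN
SQUID_PORT="${SQUID_PORT:-3128}"    # Squid intercept port
PROXY_PORT="${PROXY_PORT:-3129}"    # plain port for clients with an explicit proxy setting
LAN_NETS="${LAN_NETS:-192.168.2.0/24 10.0.0.0/8 192.168.15.0/24}"

# NAT table: intercept port-80 traffic arriving from the LAN, except when the
# destination is itself inside a LAN network, so internal web servers are
# reached directly instead of through Squid.
nat_rules() {
    for net in $LAN_NETS; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -d %s -j RETURN\n' "$LAN_IN" "$net"
    done
    # REDIRECT hands the connection to Squid on this host; no WAN address is needed.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$LAN_IN" "$SQUID_PORT"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$INTERNET"
}

# Filter table: both proxy ports accept connections from the LAN interface only,
# forwarding is allowed from the LAN outwards and for established replies back in,
# and anything else that reaches INPUT is logged before the DROP policy discards it.
filter_rules() {
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j ACCEPT\n' "$LAN_IN"
    for p in $SQUID_PORT $PROXY_PORT; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$LAN_IN" "$p"
    done
    printf 'iptables -A FORWARD -i %s -j ACCEPT\n' "$LAN_IN"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$INTERNET" "$LAN_IN"
    printf 'iptables -A INPUT -j LOG --log-prefix "gw-drop: "\n'
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
}

# Matching squid.conf fragment. Squid 3.5 spells the mode "intercept" (3.1 used
# "transparent"); the second, plain http_port serves clients configured with an
# explicit proxy, which should not share the intercept port.
squid_conf() {
    printf 'acl our_network src %s\n' "$LAN_NETS"
    printf 'http_access allow our_network\n'
    printf 'http_access deny all\n'
    printf 'http_port %s intercept\n' "$SQUID_PORT"
    printf 'http_port %s\n' "$PROXY_PORT"
}

# Complete command list: forwarding on, old rules flushed, then NAT and filter rules.
all_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -F\niptables -X\niptables -t nat -F\niptables -t nat -X\n'
    nat_rules
    filter_rules
}

# Number of generated commands, a quick sanity check before applying.
rule_count() { all_rules | wc -l | tr -d ' '; }

case "${1:-print}" in
    apply) all_rules | sh -e ;;   # run every generated command, stop at the first failure
    squid) squid_conf ;;
    *)     all_rules ;;
esac
```

Run `sh gateway.sh` first and read the generated commands; `sh gateway.sh squid` prints the squid.conf lines to merge into the real configuration. The RETURN rules must stay ahead of the REDIRECT rule, because the nat PREROUTING chain stops at the first matching target, and the policies are set last so an existing SSH session from the LAN is not cut while the rules are loading.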

sunnysthakur 12-07-2017 12:02 AM

Plz help! I am still facing the same issue.

TB0ne 12-13-2017 08:52 AM

Quote:

Originally Posted by sunnysthakur (Post 5789937)
Plz help! I am still facing the same issue.

You've been a member here for five years now, so you should be well aware that you SHOULD NOT use text speak, nor bump your own threads without providing additional information. Also, based on this:
https://www.linuxquestions.org/quest...nt-4175490846/

...you have been a Linux administrator for ELEVEN YEARS now. Have you done ANY troubleshooting/diagnostics, or examined and thought about the problem? If it's working on CentOS 6 and *NOT* working on CentOS 7, then there are obviously differences in the software between the two. Start by enabling your iptables rules one at a time, and see when things break. Look at log files. Without further information other than "not working", there's little we can tell you.

sunnysthakur 12-19-2017 01:26 AM

FIXED
 
Hello @TB0ne

Yes, I troubleshot it and went through almost all blogs and posts on setting it up. Actually, it works fine when I set it up on CentOS 6, as our current gateways are on version 6.
On setting up gateways on CentOS 7 it gives issues with the setup we have. I didn't say that nothing was working; some things work but some don't, as we are using multiple series in the network.
Anyway, I posted this as I required help with where I was facing the issue, but I still troubleshot and googled and made it work.

I disabled NetworkManager and firewalld and used the legacy network service and iptables to get it working on CentOS 7. Firewalld and NetworkManager are kinds of wrappers which cause this issue.

Now this is fixed, and thanks for providing me the details.

sunnysthakur 01-09-2018 03:10 AM

FIXED
 
After modifying the squid configuration it started working. Please follow the link for more details.

