send all http/https traffic through squid using firewalld

Issues related to configuring your network
xbucaneer
Posts: 13
Joined: 2022/10/28 05:09:32

Re: send all http/https traffic through squid using firewalld

Post by xbucaneer » 2022/11/23 21:43:18

I gave up getting TPROXY working with firewalld and switched to IPTables.
Then I gave up getting TPROXY working at all and ended up pointing the clients to the proxy and using it explicitly, not an ideal solution as the clients can bypass the proxy and hence bypass the squidGuard filter but at least the children have filtered internet after many months of being cut off!

xbucaneer
Posts: 13
Joined: 2022/10/28 05:09:32

Re: send all http/https traffic through squid using firewalld

Post by xbucaneer » 2022/11/25 21:47:03

I got this working with the following settings
Here is my squid.conf

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
acl localnet src 192.168.1.0/24
http_port 192.168.1.101:3129 tproxy
acl lan src 192.168.1.1 192.168.0.0/24
http_access allow localhost
http_access allow lan
acl SSL_ports port 443
acl SSL_ports port 10000
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localnet
http_access allow localhost
shutdown_lifetime 0 seconds
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 3129 tproxy
acl broken_sites dstdom_regex icicibank.com hdfcbank.com
acl monitor_domains dstdom_regex youtube.com facebook.com ytimg.com googlevideo.com ggpht.com
acl monitor_domains2 dst 216.58.196.110 216.58.199.174 #youtube connect works over IP
ssl_bump none localhost
ssl_bump none broken_sites #Avoid bumping financial sites such as banks
ssl_bump server-first monitor_domains #Bump facebook and youtube
ssl_bump server-first monitor_domains2 #Since youtube bump fails with just domain also add youtube serverIP
visible_hostname proxy.mallet.lan
strip_query_terms off #This will allow checking which youtube URLs were visited by user
http_access allow all
cache_mem 256 MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_query_timeout 2000

here is /etc/sysconfig/iptables

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:4197]
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp6s0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i enp6s0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o enp6s0 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:1516]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp6s0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.101:3129
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -o enp2s0 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [88:11385]
:INPUT ACCEPT [88:11385]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:6805]
:POSTROUTING ACCEPT [63:6805]
COMMIT

Post Reply