I'll explain what's going on, and I hope someone can help me resolve the issue.
I set up a CentOS 7 server that sits at the edge of the internet with a public IP. On it I have enabled SELinux, firewalld, Squid and SquidGuard.
I have two active interfaces, one for my internal network (internal zone) and one on the external network (external zone). This server serves the internet for all of my internal network, which currently has 110 computers.
Browsing (HTTP and HTTPS protocols) is working very well, with SquidGuard blocks and logs all OK.
The problem is with the other protocols, more specifically connections to External Desktop, port 3389, and the MMS protocol, port 554. Some computers on my network need to access another external server via Remote Desktop, and it simply doesn't work. I have already released the port on firewalld and Squid, but the problem persists. The detail is that not even the logs have any clue of what might be happening.
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: ssh
  ports: 3001/tcp 3128/tcp 7070/tcp 8090/tcp 554/tcp 3389/tcp
  protocols:
  masquerade: no
  forward-ports: port=8090:proto=tcp:toport=8090:toaddr=192.168.1.250 port=3001:proto=tcp:toport=80:toaddr=192.168.1.242 port=2096:proto=tcp:toport=3389:toaddr=192.168.1.178 port=9923:proto=tcp:toport=9922:toaddr=192.168.1.242
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp4s0
  sources:
  services: dhcpv6-client mdns samba samba-client ssh
  ports: 3128/tcp 80/tcp 3001/tcp 7070/tcp 8090/tcp 3268/tcp 3389/tcp 554/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
On my external card I have masquerade = no, because I need the users to use the proxy, configuring it manually in the browser. If I set the external card's masquerade = yes, I can use any protocol and I don't have any more problems; however, any computer can then use the internet without going through Squid, so this is not an option.
On my internal card I have masquerade = yes, because I have some internal services with public access and for that I need to do forward-ports.
Another detail is that connecting to Remote Desktop within my internal network works without any problem, so I understand that the problem is precisely in this masking from the internal card to the external one, and Squid is not doing it, except for the HTTP and HTTPS protocols.
I'm sure I missed something during the installation and configuration of these services, but I can't find it.
Does anyone have any idea what is going on in this scenario? What do I need to do for any service on the client computers to work when accessing the internet through Squid?
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Autenticacao de Usuario
auth_param basic credentialsttl 2 hours
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
acl autorizados proxy_auth REQUIRED
acl SSL_ports port 3389
acl SSL_ports port 554
acl Safe_ports port 3389
acl Safe_ports port 554
acl purge method PURGE
acl CONNECT method CONNECT
acl dominio_mydomain dstdomain .meudominio.com.br
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_parameters 1 12500000/12500000 1250000/1250000
delay_parameters 2 -1/-1 -1/-1
delay_access 2 allow dominio_mydomain
delay_access 1 allow autorizados
delay_access 1 deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny to_localhost
http_access allow autorizados
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
maximum_object_size 4096 KB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
cache_mem 256 MB
pipeline_prefetch on
fqdncache_size 1024
logfile_rotate 30
cache_swap_low 90
cache_swap_high 95
dns_nameservers 192.168.1.251 22.214.171.124 126.96.36.199
dns_v4_first on
hosts_file /etc/hosts
url_rewrite_program /usr/bin/squidGuard
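An added audit helper (my own code, not from the post or from firewalld) that parses a `firewall-cmd --list-all-zones` listing like the one in the post and reports what a reviewer of this setup would look at first: which of the opened ports the external zone accepts from the internet, which forward-ports publish internal hosts, and that masquerade is off on the WAN side, so forwarded non-proxy traffic leaves with private source addresses. The sample input is constructed from the post's listing, and the `INBOUND_RISK` table is my own assumption about what an edge host should not expose.

```python
import re

# Constructed sample modelled on the post's --list-all-zones output (one forward-port is on a tab-indented continuation line, as newer firewalld prints them).
SAMPLE = """\
external (active)
  interfaces: enp3s0
  ports: 3001/tcp 3128/tcp 7070/tcp 8090/tcp 554/tcp 3389/tcp
  masquerade: no
  forward-ports: port=8090:proto=tcp:toport=8090:toaddr=192.168.1.250
\tport=2096:proto=tcp:toport=3389:toaddr=192.168.1.178
  rich rules:
internal (active)
  interfaces: enp4s0
  ports: 3128/tcp 80/tcp 3389/tcp 554/tcp
  masquerade: yes
"""

ZONE_RE = re.compile(r"^(\S+)( \(active\))?$")             # "external (active)"
KEY_RE = re.compile(r"^\s+([a-z-]+(?: rules)?):\s*(.*)$")  # "  ports: 80/tcp ..."

def parse_zones(text):
    """Return {zone: {"active": bool, key: [tokens, ...]}} from --list-all-zones output."""
    zones, zone, key = {}, None, None
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = zones.setdefault(m.group(1), {"active": bool(m.group(2))})
            continue
        m = KEY_RE.match(line)
        if m and zone is not None:
            key = m.group(1)
            zone[key] = m.group(2).split()
        elif zone is not None and key and line.strip():  # continuation of the previous key
            zone[key].extend(line.split())
    return zones

# Assumed list of ports an edge host should not accept from the internet (3128 would expose the proxy itself).
INBOUND_RISK = {"3389/tcp": "RDP", "554/tcp": "streaming port", "3128/tcp": "Squid proxy"}

def audit(zones, wan_zone="external"):
    z, findings = zones[wan_zone], []                     # findings about the internet-facing zone
    for p in z.get("ports", []):
        if p in INBOUND_RISK:
            findings.append(f"{wan_zone}: {p} ({INBOUND_RISK[p]}) accepts connections from the internet")
    for fp in z.get("forward-ports", []):
        f = dict(kv.split("=", 1) for kv in fp.split(":"))
        findings.append(f"{wan_zone}: public {f['port']}/{f['proto']} is forwarded to {f['toaddr']}:{f['toport']}")
    if z.get("masquerade") == ["no"]:                     # no SNAT on the WAN interface
        findings.append(f"{wan_zone}: masquerade off, so forwarded (non-proxy) traffic leaving {' '.join(z.get('interfaces', []))} keeps private source addresses")
    return findings
```

Run `audit(parse_zones(SAMPLE))` to get the findings; feeding it the real `firewall-cmd --list-all-zones` output works the same way.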