Squid or Firewalld blocking access to Remote Desktop

Issues related to configuring your network
tecdiogenes
Posts: 3
Joined: 2023/03/10 16:02:12

Squid or Firewalld blocking access to Remote Desktop

Post by tecdiogenes » 2023/03/10 16:35:08

Hello!
I'll explain what's going on, and I hope someone can help me resolve the issue.
I set up a CentOS 7 server that is at the edge of the internet with a public IP. On it I have enabled SELinux, Firewalld, Squid and SquidGuard.

I have two active interfaces, one for my internal network (internal zone) and one on the external network (external zone). This server serves internet for all my internal network and currently there are 110 computers.
Browsing (HTTP and HTTPS protocol) is working very well, with SquidGuard blocks and logs all OK.


external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: ssh
  ports: 3001/tcp 3128/tcp 7070/tcp 8090/tcp 554/tcp 3389/tcp
  protocols:
  masquerade: no
  forward-ports: port=8090:proto=tcp:toport=8090:toaddr=192.168.1.250
        port=3001:proto=tcp:toport=80:toaddr=192.168.1.242
        port=2096:proto=tcp:toport=3389:toaddr=192.168.1.178
        port=9923:proto=tcp:toport=9922:toaddr=192.168.1.242
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp4s0
  sources:
  services: dhcpv6-client mdns samba samba-client ssh
  ports: 3128/tcp 80/tcp 3001/tcp 7070/tcp 8090/tcp 3268/tcp 3389/tcp 554/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
The problem is in the other protocols, more specifically in connections to External Desktop, port 3389, and MMS protocol, port 554. Some computers on my network need to access another external server via Remote Desktop, and it simply doesn't work. I already released the port on firewalld and squid, but the problem persists. The detail is that not even the logs have any clue of what might be happening.

On my external card I have masquerade = no, because I need the user to use the proxy, configuring it manually in the browser. If I leave the external card's masquerade = yes, I can use any protocol and I don't have any more problems, however, any computer can use the internet without going through Squid, that is, this is not an option.

On my internal card I have masquerade = yes, because I have some internal services with public access and for that I need to do forward-ports.

Another detail is that the connection to the Remote Desktop within my internal network works without any problem, so I understand that the problem is precisely in this masking of the internal card to the external one and Squid is not doing it, except for HTTP and HTTPS protocol.

I'm sure I missed something during the installation and configuration of these services, but I can't find it.

My squid.conf


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Autenticacao de Usuario
auth_param basic credentialsttl 2 hours

authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

acl autorizados proxy_auth REQUIRED

acl SSL_ports port 3389
acl SSL_ports port 554

acl Safe_ports port 3389
acl Safe_ports port 554

acl purge method PURGE
acl CONNECT method CONNECT

acl dominio_mydomain dstdomain .meudominio.com.br

delay_pools 2
delay_class 1 2
delay_class 2 2

delay_parameters 1 12500000/12500000 1250000/1250000
delay_parameters 2 -1/-1 -1/-1

delay_access 2 allow dominio_mydomain
delay_access 1 allow autorizados
delay_access 1 deny all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny to_localhost
http_access allow autorizados
http_access deny all

http_port 3128

cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
cache_mem 256 MB
pipeline_prefetch on
fqdncache_size 1024
logfile_rotate 30
cache_swap_low 90
cache_swap_high 95
dns_nameservers 192.168.1.251 8.8.8.8 8.8.4.4
dns_v4_first on

hosts_file /etc/hosts
url_rewrite_program /usr/bin/squidGuard
Does anyone have any idea what is going on in this scenario? What do I need to do for any service on the client computer to work accessing the internet through Squid?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Squid or Firewalld blocking access to Remote Desktop

Post by TrevorH » 2023/03/10 16:43:58

Squid doesn't proxy RDP; it's HTTP and FTP. You'll need to allow RDP clients to go out direct without going through a proxy.

tecdiogenes
Posts: 3
Joined: 2023/03/10 16:02:12

Re: Squid or Firewalld blocking access to Remote Desktop

Post by tecdiogenes » 2023/03/13 12:41:33

Hello TrevorH!
Thank you for your help!
Sorry for the delay in responding, it was due to the work flow here.
I had imagined that, since I can't access anything through Squid, except http and https.
Could you give me a tip on how to make the firewall allow any other client protocol, but HTTP and HTTPS are directed to pass through Squid?

Thanks

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Squid or Firewalld blocking access to Remote Desktop

Post by jlehtone » 2023/03/13 13:39:12

First, I don't know proxies. You have router R that has port L on LAN and port W on WAN? Squid listens on L?
The browser on your client is configured to use L as proxy?
You type https://www.centos.org/ and the browser contacts squid on L:443, squid contacts www.centos.org:443, and replies flow back?
If your browser is not configured to use L as proxy, then an attempt to connect to www.centos.org would be blocked by R?


It seems obvious that you do not want http/https to be forwarded through the router R.
The default is usually to allow all from LAN to WAN (and only replies back from WAN to LAN).
You want to explicitly deny http/https from LAN to WAN before you allow other traffic.


RHEL 7 was released with two firewall management services: firewalld.service and iptables.service.
Since then Red Hat did backport nf_tables into kernel of RHEL 7 and made nftables.service available.

The FirewallD in RHEL 7 lacks support for some things; Red Hat recommends using the other services "for real work".
One of the poorly supported things is routing.

The iptables.service is deprecated and removed (in el8 and el9, respectively).

It is probably more useful to learn nftables than to try to coerce FirewallD to do anything. (FirewallD in el8 and el9 now has different features.)
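
One way to write the policy jlehtone describes (drop forwarded HTTP/HTTPS from LAN to WAN before the general allow, NAT everything else out of the WAN side, keep the published ports) as an nftables ruleset. This is an added example and is not code from the thread or from either poster. It assumes enp4s0 is the LAN interface and enp3s0 the WAN interface as in the zone listing in the first post, that the LAN is 192.168.1.0/24 (assumed from the forwarded addresses), and that Squid keeps listening on port 3128 on the router itself. Browsers that try to skip the proxy are logged and dropped rather than silently refused, so a bypass attempt shows up in the kernel log.

```nft
# Added example ruleset (not from the thread).
# Assumptions: enp4s0 = LAN side, enp3s0 = WAN side (from the zone listing),
# LAN prefix 192.168.1.0/24 (assumed), Squid on the router on 3128.
flush ruleset

define lan_if  = "enp4s0"
define wan_if  = "enp3s0"
define lan_net = 192.168.1.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip protocol icmp accept
        # Clients reach the proxy on the router's LAN address only.
        iifname $lan_if tcp dport 3128 accept
        # SSH was open on both zones in the original listing.
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Web traffic must go through Squid: drop it here, before the
        # general LAN->WAN accept, and log the attempt for visibility.
        iifname $lan_if oifname $wan_if tcp dport { 80, 443 } \
            log prefix "bypass-proxy: " drop
        # Everything else from LAN to WAN (RDP 3389, RTSP 554, ...) goes out
        # directly, which is what Squid cannot do for non-HTTP protocols.
        iifname $lan_if oifname $wan_if accept
        # Only the inbound connections that matched a DNAT rule below are
        # allowed from WAN into the LAN.
        iifname $wan_if oifname $lan_if ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Published services, copied from the forward-ports in the zone listing.
        iifname $wan_if tcp dport 8090 dnat to 192.168.1.250:8090
        iifname $wan_if tcp dport 3001 dnat to 192.168.1.242:80
        iifname $wan_if tcp dport 2096 dnat to 192.168.1.178:3389
        iifname $wan_if tcp dport 9923 dnat to 192.168.1.242:9922
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Source-NAT LAN traffic as it leaves the WAN interface, so the
        # private 192.168.1.x addresses never reach the provider's router.
        oifname $wan_if ip saddr $lan_net masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; run it under nftables.service with firewalld.service stopped and disabled, since both manage the same netfilter tables and will overwrite each other's rules. The bypass attempts appear in the kernel log with the `bypass-proxy:` prefix, which is a quick check that the proxy-enforcement rule is actually being hit.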

tecdiogenes
Posts: 3
Joined: 2023/03/10 16:02:12

Re: Squid or Firewalld blocking access to Remote Desktop

Post by tecdiogenes » 2023/03/13 15:26:36

Hello jlehtone!

I will explain my structure. I have a router from the internet service provider that only has a LAN connection, because on this router I receive a range of 7 public IPs.
This router is connected to a switch and on this switch I have my servers connected.
The server with Squid is one of them, and on it I have two network cards, one serving the connection to the operator's router and the other serving my internal network.
This way all computers use a single path, which is 192.168.1.254:3128. All my traffic leaves through this proxy.

As I said, all http traffic flows perfectly, however it does not pass connections from my internal network to the external desktop.

I don't know nftables, I'll study it and do some tests!

Thanks
