Proxy Squid Version 5.5 + Alma Linux 9.4

1. Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric


Enviado em 24/09/2024 - 16:19h


Bom dia, tarde, noite,


Estou querendo subir um firewall iptables com serviço de proxy squid e dhcpd-server no SO Alma Linux 9.4. Todos os serviços estão funcionando normalmente, porém não consigo setar o proxy transparente o que seria bem melhor.
Alguém poderia me ajudar?
Vou pôr aqui o que já fiz no squid e no iptables.

#SQUID.CONF

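#### Header ####

# Forward-proxy listeners: clients point at 172.17.10.1:3128 explicitly.
http_port 172.17.10.1:3128
http_port 127.0.0.1:3128
# Transparent (intercepted) listener for plain HTTP. It has to be a separate
# port from the forward-proxy ports above, and it only receives traffic once
# the firewall redirects LAN tcp/80 to it (nat/PREROUTING REDIRECT) and
# accepts that port in INPUT on the LAN interface. HTTPS cannot be intercepted
# this way without TLS interception (ssl_bump plus a CA trusted by every
# client), so HTTPS stays on the explicit-proxy port.
# 3129 is a constructed example value; any free port works.
http_port 172.17.10.1:3129 intercept
visible_hostname fw-upa-cidoperaia-01

dns_nameservers 192.166.254.60 192.166.254.70

cache_mem 2048 MB
maximum_object_size_in_memory 512 MB
maximum_object_size 512 MB
minimum_object_size 0 MB
cache_swap_high 95
cache_swap_low 90
httpd_suppress_version_string on

cache_dir ufs /var/spool/squid 2048 16 256
error_directory /usr/share/squid/errors/pt-br
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 20% 2280
refresh_pattern . 15 20% 2280

#### Site block/allow ACLs (definitions only; evaluation order is in the ####
#### http_access section below)                                         ####

# url_regex matches anywhere in the URL, so an unanchored pattern such as
# "example.org" also matches http://other.test/example.org. Anchor the
# patterns in these files, or use dstdomain for whole-host lists.
acl sites_liberados url_regex -i "/etc/squid/sites_liberados"
acl SitesBloqueados url_regex -i "/etc/squid/SitesBloqueados"
acl SitesImproprios url_regex -i "/etc/squid/SitesImproprios"

#### Port ACLs ####

# Ports CONNECT may tunnel to. Entries beyond 443/563 (ssh, rsync, the
# remote-support and application ports) let clients tunnel arbitrary TCP
# through the proxy; keep only what is really needed.
# Duplicate entries for 3001-3003 from the original list were merged.
acl SSL_ports port 5938 # teamviewer
acl SSL_ports port 3389 # teamviewer
acl SSL_ports port 2200 # ssh
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
acl SSL_ports port 3001 # https / node socket sisupa
acl SSL_ports port 3002 # https / node socket sisupa
acl SSL_ports port 3003 # https / node socket sisupa
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 8059 #
acl SSL_ports port 8050 #
acl SSL_ports port 8058 #
acl SSL_ports port 8061 # Sistema Ponto
acl SSL_ports port 2021 # Sistema Ponto
acl SSL_ports port 2022 # Sistema Ponto
acl SSL_ports port 3000 # Sistema Ponto
acl SSL_ports port 3005 # node socket sisupa
# ACL names are case-sensitive: the original "safe_ports" line defined a
# separate, unused ACL, so 5938 was never actually a safe port.
acl Safe_ports port 5938 # teamviewer
acl Safe_ports port 3389 # teamviewer
acl Safe_ports port 2200 # ssh
acl Safe_ports port 80 # http
acl Safe_ports port 83 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 444 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8050 # Sistema Ponto
acl Safe_ports port 8058 # Sistema Ponto
acl Safe_ports port 8059 # Sistema Ponto
acl Safe_ports port 8061 # Sistema Ponto
acl Safe_ports port 2021 # Sistema Ponto
acl Safe_ports port 2022 # Sistema Ponto
acl Safe_ports port 3000 # Sistema Ponto
acl Safe_ports port 3001 # Sistema Ponto

# Name fixed from "porge" so the commented purge rules below refer to a
# defined ACL if they are ever enabled.
acl purge method PURGE
acl CONNECT method CONNECT

#### Access list (first match wins) ####

# Sanity checks first: in the original order "allow sites_liberados" came
# before these, so any URL on the allow list bypassed the Safe_ports and
# CONNECT restrictions and the manager deny.
http_access allow manager localhost
http_access deny manager
#http_access allow purge localhost
#http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Site lists: the allow list wins over the two block lists.
http_access allow sites_liberados
http_access deny SitesBloqueados
http_access deny SitesImproprios

########## PROXY HIERARCHY ###########

# SEATI PROXY
cache_peer 192.166.254.2 parent 3128 3130 no-query no-digest

#### Local access rule ####

acl redelan src 172.17.10.0/24
http_access allow localhost
http_access allow redelan

# Everything not explicitly allowed above is denied.
http_access deny all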


## Agora o script que fiz para o iptables

#!/bin/bash
# chkconfig: 2345 25 98

# SCRIPT DE FIREWALL COM GATEWAY NA REDE!

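# VARIABLES (constants for the whole script; readonly so a later typo cannot
# silently point the rules at the wrong interface or network)
readonly IF_LOCAL="enp3s0"               # LAN interface
readonly INTERNET="enp2s0"               # external (WAN) interface
readonly LOCAL_NETWORK="172.17.10.0/24"  # LAN prefix
readonly LOOPBACK="lo"                   # loopback interface

readonly IPTABLES="/sbin/iptables"       # iptables binary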

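#######################################
# "start" action: flush every table, set default policies, enable IPv4
# forwarding and load the rule set.
# Globals (read): IPTABLES IF_LOCAL INTERNET LOCAL_NETWORK LOOPBACK
# Outputs:  prints a start message to stdout
# Returns:  status of the last command (rules are applied unconditionally)
#######################################
begin(){

# FLUSH ALL RULES AND USER-DEFINED CHAINS IN EVERY TABLE
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

# DEFAULT POLICIES: drop what no rule accepts; the firewall's own outgoing
# traffic is allowed.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

# CONNECTION SHARING
# Writing /proc is not persistent across reboots; a sysctl.d entry is.
# NOTE(review): only IPv4 is handled here — ip6tables is left untouched, so
# any IPv6 on these interfaces is not filtered by this script.
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# REPLIES TO ALREADY ACCEPTED CONNECTIONS
# Placed first so the rules below only have to classify new connections.
# Every other rule in these chains is an ACCEPT, so moving this up does not
# change what is admitted.
"$IPTABLES" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# RULES FOR TRAFFIC ADDRESSED TO THE FIREWALL ITSELF
"$IPTABLES" -A INPUT -i "$LOOPBACK" -j ACCEPT
# NOTE(review): tcp/2200 (ssh), udp/53 and udp/161 (SNMP) are open to the
# whole external side. A recursive resolver reachable there is an open
# resolver usable for amplification, and SNMP v1/v2c exposes its community
# string; restrict each of these with -s to the peers that need them.
"$IPTABLES" -A INPUT -i "$INTERNET" -p tcp --dport 2200 -j ACCEPT
"$IPTABLES" -A INPUT -i "$IF_LOCAL" -p tcp --dport 2200 -j ACCEPT
# Squid forward-proxy port, only from the LAN to the LAN-side address.
# A transparent proxy would additionally need an intercept listener in
# squid, an INPUT ACCEPT for that port from $IF_LOCAL and a nat/PREROUTING
# REDIRECT of LAN tcp/80 to it; HTTPS cannot be intercepted this way.
"$IPTABLES" -A INPUT -i "$IF_LOCAL" -p tcp --dport 3128 -s "$LOCAL_NETWORK" -d 172.17.10.1 -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTERNET" -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTERNET" -p udp --dport 161 -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTERNET" -p icmp -j ACCEPT

# RULES FOR THE LOCAL NETWORK (LAN -> external only)
# Interface and source matches were added to the multiport rules: without
# them they also admitted NEW connections arriving on $INTERNET towards the
# LAN (e.g. tcp/135,139,445), not just LAN-originated ones.
"$IPTABLES" -A FORWARD -i "$IF_LOCAL" -p udp --dport 53 -s "$LOCAL_NETWORK" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$IF_LOCAL" -p icmp -j ACCEPT
"$IPTABLES" -A FORWARD -i "$IF_LOCAL" -o "$INTERNET" -s "$LOCAL_NETWORK" -p tcp -m multiport --dports 53,389,636,135,139,445,110,995,25,465,587 -j ACCEPT
"$IPTABLES" -A FORWARD -i "$IF_LOCAL" -o "$INTERNET" -s "$LOCAL_NETWORK" -p udp -m multiport --dports 53,389,636 -j ACCEPT

# SNAT for everything the LAN is allowed to forward (external address as
# given in the original script)
"$IPTABLES" -t nat -A POSTROUTING -o "$INTERNET" -s "$LOCAL_NETWORK" -j SNAT --to-source 10.70.7.5

echo "INICIANDO O FIREWALL..."
}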
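#######################################
# "stop" action: flush every table and open all default policies.
# Globals (read): IPTABLES
# Outputs:  prints a warning that the network is unprotected
# Returns:  status of the last command
# NOTE: ip_forward stays enabled after this, so with FORWARD at ACCEPT and
# no SNAT the box keeps routing packets between its interfaces unfiltered.
#######################################
stop(){
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X
# ACCEPT everywhere until "start" runs again
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
echo "FIREWALL PARADO, REDE DESPROTEGIDA"
}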

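# Dispatch on the action given on the command line (start|stop|restart).
case "${1:-}" in
  start) begin ;;
  stop) stop ;;
  restart) stop; begin ;;
  *)
    # Unknown or missing action: usage goes to stderr with a non-zero status
    # so init tooling and callers can tell it apart from a successful run.
    # The message now also lists "restart", which the original omitted.
    echo "Use os parametros start, stop ou restart" >&2
    exit 2
    ;;
esac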


### Alguma dica de regra que eu possa aplicar para o proxy transparente?

Desde já agradeço.


  





