Nicolas Kovacs
2020-May-09 07:42 UTC
[CentOS] Transparent Squid and FirewallD : fine-tuning question
Hi,

I just set up a very basic HTTP proxy with Squid on a router running CentOS 7.

Up until early 2020 I've been using a bone-headed shell script with iptables to configure my firewall. But I decided to follow advice from a few gurus on this list, and I've since moved my configurations to FirewallD, which works nicely.

There's one configuration left to tackle, that's port redirection for the Squid proxy server. Which also works fine, though I'd like to figure out a little detail. Here goes.

My router has two network interfaces, which I've aptly named WAN and LAN in the NetworkManager configuration:

$ nmcli con show
NAME  UUID                                  TYPE      DEVICE
WAN   9574b606-8f6d-3edc-95ad-8165df0f3fce  ethernet  enp2s0
LAN   c726b168-1fcd-4dc5-a01d-8ad8a1ba38ee  ethernet  enp3s1

Squid is acting as a transparent proxy server:

$ sudo grep http_port /etc/squid/squid.conf
http_port 3128 transparent

In my firewall configuration, all requests to port 80 (HTTP) are redirected to port 3128:

$ sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s1
  sources:
  services: dhcp dns http squid ssh
  ports:
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
  source-ports:
  icmp-blocks:
  rich rules:

In the current state, this configuration works as expected. When a client desktop in the 192.168.3.0/24 network browses HTTP sites on the web, it appears in the Squid log on the server in /var/log/squid/access.log.

And here comes the question. How can I redirect all HTTP requests to port 3128 EXCEPT THOSE THAT ARE DIRECTLY AIMED AT THE PROXY SERVER?

Here's the thing. The proxy server (amandine.sandbox.lan) is also running httpd to display a static information page for the local network. Now client desktops can access amandine.sandbox.lan in a web browser just fine.
But this still goes through the proxy, and I'd like these requests to rather be handled directly.

In iptables syntax this would vaguely look like this (-i takes the LAN interface name, enp3s1 above, not an address):

$ iptables -A PREROUTING -t nat -i enp3s1 -p tcp \
    ! -d 192.168.3.1 --dport 80 -j REDIRECT --to-port 3128

How can I translate the "! -d 192.168.3.1" part into some FirewallD-specific syntax?

Cheers from the sunny South of France,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
Leon Fauster
2020-May-09 13:06 UTC
[CentOS] Transparent Squid and FirewallD : fine-tuning question
On 09.05.20 at 09:42, Nicolas Kovacs wrote:
> Hi,
>
> I just setup a very basic HTTP proxy with Squid on a router running CentOS 7.
[...]
> And here comes the question. How can I redirect all HTTP requests to port 3128
> EXCEPT THOSE THAT ARE DIRECTLY AIMED AT THE PROXY SERVER?
>
> Here's the thing. The proxy server (amandine.sandbox.lan) is also running httpd
> to display a static information page for the local network. Now client desktops
> can access amandine.sandbox.lan in a web browser just fine. But this
> still goes through the proxy, and I'd like these requests to rather be handled
> directly.
>
> In iptables syntax this would vaguely look like this:
>
> $ iptables -A PREROUTING -t nat -i 192.168.3.1 -p tcp \
> ! -d 192.168.3.1 --dport 80 -j REDIRECT --to-port 3128
>
> How can I translate the "! -d 192.168.3.1" part into some FirewallD-specific
> syntax ?

Untested:

$ man firewalld.richlanguage
<paste>
Destination
    destination [not] address="address[/mask]"
</paste>

--
Leon
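Leon's pointer turned into concrete commands for Niki's setup, as an added example that is not part of either post and not taken from firewalld's own documentation. It assumes the zone is "internal" on enp3s1, the LAN is 192.168.3.0/24, the router/proxy address is 192.168.3.1 and Squid listens on 3128, all as shown in the thread, plus a CentOS 7 firewalld with the iptables backend. Since Leon flagged the rich rule as untested, the script also carries the check a practitioner wants before trusting it: it reads the generated nat table and confirms that the port 80 redirect line really carries "! -d 192.168.3.1". The sample iptables output embedded below is constructed for the check, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from firewalld.
# Assumptions (from the thread, not verified on a live box): zone "internal" on
# enp3s1, LAN 192.168.3.0/24, proxy/router 192.168.3.1, Squid on 3128, firewalld
# with the iptables backend (CentOS 7). Whether firewalld honours a destination
# match on a forward-port rich rule is what nat_excludes_proxy verifies.

ZONE=internal
LAN=192.168.3.0/24
PROXY=192.168.3.1
SQUID_PORT=3128

# The rich rule that replaces the catch-all forward-port: same 80 -> 3128
# redirect, limited to LAN sources and excluding traffic aimed at the proxy
# itself. No to-addr, so the redirect stays on the router (REDIRECT, not DNAT).
rich_rule() {
    printf 'rule family="ipv4" source address="%s" destination not address="%s/32" forward-port port="80" protocol="tcp" to-port="%s"' \
        "$LAN" "$PROXY" "$SQUID_PORT"
}

# Swap the catch-all forward-port for the rich rule in the permanent config, reload,
# and print what firewalld now holds.
apply_rule() {
    firewall-cmd --permanent --zone="$ZONE" \
        --remove-forward-port="port=80:proto=tcp:toport=$SQUID_PORT:toaddr=$PROXY"
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule)"
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Verification: read `iptables -t nat -S` on stdin and succeed only if some rule
# matches --dport 80 AND negates the proxy address on the same line. Target-agnostic,
# so it works whether firewalld emits REDIRECT, DNAT or a MARK stage first.
nat_excludes_proxy() {
    proxy_re=$(printf '%s' "$PROXY" | sed 's/\./\\./g')
    grep -E -- "^-A .*! -d ${proxy_re}(/32)? .*--dport 80( |$)" >/dev/null
}

# Constructed sample of what `iptables -t nat -S` could print once the rich rule is
# active (chain name and option order follow firewalld's usual layout; typed, not captured).
SAMPLE_NAT_OK='-P PREROUTING ACCEPT
-N PRE_internal_allow
-A PRE_internal_allow -s 192.168.3.0/24 ! -d 192.168.3.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# Constructed sample for the original catch-all forward-port: no negation, check must fail.
SAMPLE_NAT_BAD='-A PRE_internal_allow -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.1:3128'

# Usage on the router (as root): "apply" changes the rules, "check" verifies the live
# nat table. With no argument the script only defines the functions above.
case "${1:-}" in
    apply) apply_rule ;;
    check) if iptables -t nat -S | nat_excludes_proxy; then
               echo "ok: requests to $PROXY bypass Squid"
           else
               echo "proxy NOT excluded, inspect: iptables -t nat -S"; exit 1
           fi ;;
esac
```

Run `sh wol-proxy.sh check` (or whatever you name it) after the reload and again after a reboot, since the permanent and runtime configurations can drift. The exclusion only covers the one address in the rule: clients that reach the router's information page through any other address of the router, or over IPv6, still hit Squid, and port 443 is untouched by this configuration either way.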
Hello,

what port does ether-wake use? (I believe it is port 9? but not sure).

Ron
The WoL magic packet is only scanned for the string above, and not actually parsed by a full protocol stack, it could be sent as any network- and transport-layer protocol, although it is typically sent as a UDP datagram to port 0, 7 or 9, or directly over Ethernet as EtherType 0x0842.

- from Wikipedia (en.m.wikipedia.org/wiki/Wake-on-LAN)

On Sun, May 17, 2020, 6:46 PM R C <cjvijf at gmail.com> wrote:
> Hello,
>
> what port does ether-wake use? (I believe it is port 9? but not sure).
>
> Ron
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> lists.centos.org/mailman/listinfo/centos
On Sun, May 17, 2020 at 07:46:00PM -0600, R C wrote:
> what port does ether-wake use? (I believe it is port 9? but not sure).

The 'ether-wake' command in net-tools doesn't use a port at all. It's just a raw packet of EtherType 0x0842 as the so-called "Magic Packet":

en.wikipedia.org/wiki/Wake-on-LAN#Magic_packet

For example, if you were to run (assuming interface name 'eth0'):

# tcpdump -i eth0 ether proto 0x0842

you'd see the ether-wake command's packet. If you strace the process, you'll see the socket is created as socket(AF_PACKET, SOCK_RAW, htons(0)).

--
Jonathan Billings <billings at negate.org>
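The two answers above together explain why the "which port" question has no single answer: the NIC only scans incoming bytes for the 6 x 0xFF / 16 x MAC pattern, so the payload can ride in a raw EtherType 0x0842 frame (ether-wake) or in a UDP datagram to port 9, 7 or 0. The following is an added example illustrating both carriers plus the scan itself; it is not the net-tools ether-wake source and not code from any post in the thread. The AF_PACKET path is Linux-only and needs CAP_NET_RAW; the MAC addresses in the `__main__` block are made up, and all function names are this example's own. One deliberate difference from ether-wake is labelled in `send_raw`.

```python
"""Wake-on-LAN magic packet: build it, send it as a raw 0x0842 frame (like
ether-wake) or as UDP to port 9, and detect it by the substring scan a NIC
performs. Added example for this thread, not the net-tools ether-wake code."""
import socket
import struct

WOL_ETHERTYPE = 0x0842      # what `tcpdump ether proto 0x0842` matches
SYNC = b"\xff" * 6          # synchronisation stream that opens a magic packet


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """6 x 0xFF, then the target MAC repeated 16 times, then an optional
    4- or 6-byte SecureOn password. 102 bytes without a password."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC + mac_to_bytes(mac) * 16 + password


def build_ethernet_frame(target_mac: str, src_mac: str) -> bytes:
    """Frame as ether-wake puts it on the wire: dst MAC, src MAC, EtherType
    0x0842, magic packet. No IP or UDP header, hence no port anywhere."""
    header = mac_to_bytes(target_mac) + mac_to_bytes(src_mac) + struct.pack("!H", WOL_ETHERTYPE)
    return header + build_magic_packet(target_mac)


def find_magic_packet(data: bytes):
    """Scan any byte string for a magic packet; return the target MAC as
    'aa:bb:...' or None. This is all a NIC does, which is why the payload can
    arrive in an Ethernet frame, a UDP datagram or anything else."""
    start = 0
    while True:
        i = data.find(SYNC, start)
        if i < 0:
            return None
        mac = data[i + 6:i + 12]
        if len(mac) == 6 and data[i + 6:i + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = i + 1   # more than six leading 0xFF bytes: slide past the extras


def send_raw(target_mac: str, ifname: str) -> int:
    """Send like ether-wake does: AF_PACKET/SOCK_RAW, the IP stack never sees it.
    Assumption of this example: the socket protocol is 0x0842 here, whereas the
    strace in the thread shows ether-wake using htons(0); that argument governs
    what the socket receives, the bytes sent are the frame we build."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(WOL_ETHERTYPE)) as s:
        s.bind((ifname, 0))
        src_mac = ":".join(f"{b:02x}" for b in s.getsockname()[4])
        return s.send(build_ethernet_frame(target_mac, src_mac))


def send_udp(target_mac: str, port: int = 9, bcast: str = "255.255.255.255") -> int:
    """The other common carrier: the same payload as a UDP broadcast to port 9 (or 7/0)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(build_magic_packet(target_mac), (bcast, port))


if __name__ == "__main__":
    # Constructed sample: a frame as tcpdump would capture it, then the NIC-style scan.
    frame = build_ethernet_frame("00:11:22:33:44:55", "de:ad:be:ef:00:01")
    print(len(frame), "bytes, EtherType", hex(struct.unpack("!H", frame[12:14])[0]),
          "wakes", find_magic_packet(frame))
```

Because the scan is a plain substring match with no authentication beyond the optional SecureOn bytes, anyone who can put a frame or a broadcast datagram on the segment can wake the host; that is worth remembering when deciding whether WoL should be enabled on a machine that sits on the same LAN as untrusted clients.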