[CentOS] Transparent Squid and FirewallD : fine-tuning question

Sat May 9 13:06:38 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

Am 09.05.20 um 09:42 schrieb Nicolas Kovacs:
> Hi,
> 
> I just set up a very basic HTTP proxy with Squid on a router running CentOS 7.
> 
> Up until early 2020 I've been using a bone-headed shell script with iptables to
> configure my firewall. But I decided to follow advice from a few gurus on this
> list, and I've since moved my configurations to FirewallD, which works nicely.
> 
> There's one configuration left to tackle, that's port redirection for the Squid
> proxy server. Which also works fine, though I'd like to figure out a little
> detail. Here goes.
> 
> My router has two network interfaces, which I've aptly named WAN and LAN in the
> NetworkManager configuration:
> 
> $ nmcli con show
> NAME  UUID                                  TYPE      DEVICE
> WAN   9574b606-8f6d-3edc-95ad-8165df0f3fce  ethernet  enp2s0
> LAN   c726b168-1fcd-4dc5-a01d-8ad8a1ba38ee  ethernet  enp3s1
> 
> Squid is acting as a transparent proxy server:
> 
> $ sudo grep http_port /etc/squid/squid.conf
> http_port 3128 transparent
> 
> In my firewall configuration, all requests to port 80 (HTTP) are redirected to
> port 3128:
> 
> $ sudo firewall-cmd --permanent \
>     --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
> $ sudo firewall-cmd --reload
> $ sudo firewall-cmd --list-all
> internal (active)
>    target: default
>    icmp-block-inversion: no
>    interfaces: enp3s1
>    sources:
>    services: dhcp dns http squid ssh
>    ports:
>    protocols:
>    masquerade: no
>    forward-ports: port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
>    source-ports:
>    icmp-blocks:
>    rich rules:
> 
> In the current state, this configuration works as expected. When a client
> desktop in the 192.168.3.0/24 network browses HTTP sites on the web, it appears
> in the Squid log on the server in /var/log/squid/access.log.
> 
> And here comes the question. How can I redirect all HTTP requests to port 3128
> EXCEPT THOSE THAT ARE DIRECTLY AIMED AT THE PROXY SERVER?
> 
> Here's the thing. The proxy server (amandine.sandbox.lan) is also running httpd
> to display a static information page for the local network. Now client desktops
> can access http://amandine.sandbox.lan in a web browser just fine. But this
> still goes through the proxy, and I'd like these requests to rather be handled
> directly.
> 
> In iptables syntax this would vaguely look like this:
> 
> $ iptables -A PREROUTING -t nat -i enp3s1 -p tcp \
>    ! -d 192.168.3.1 --dport 80 -j REDIRECT --to-port 3128
> 
> How can I translate the "! -d 192.168.3.1" part into some FirewallD-specific
> syntax?
> 

Untested:

$ man firewalld.richlanguage

<paste>
    Destination
            destination [not] address="address[/mask]"
</paste>

--
Leon
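
A concrete translation of the "! -d 192.168.3.1" exclusion into a FirewallD rich rule, as an added example that is not part of the thread or of firewalld's own documentation. The addresses and ports come from the question and the zone name "internal" from the --list-all output; it assumes the installed firewalld accepts a destination element in the same rich rule as forward-port.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld itself. Values are
# taken from the question; the zone name "internal" comes from the --list-all
# output. ASSUMPTION: the installed firewalld accepts a "destination" element
# in the same rich rule as "forward-port" (firewall-cmd rejects the rule
# otherwise, so check its exit status).
ZONE="internal"
LAN_NET="192.168.3.0/24"
PROXY_IP="192.168.3.1"

# Emit the rich-language equivalent of:
#   iptables -t nat -A PREROUTING -i <lan-if> -p tcp ! -d <proxy> --dport 80 \
#            -j REDIRECT --to-port 3128
# "destination not address" is the "! -d" part; to-port without to-addr is a
# plain REDIRECT to the local Squid port rather than a DNAT.
build_redirect_rule() {
    lan_net="$1"; proxy_ip="$2"; from_port="$3"; to_port="$4"
    printf 'rule family="ipv4" source address="%s" destination not address="%s" forward-port port="%s" protocol="tcp" to-port="%s"' \
        "$lan_net" "$proxy_ip" "$from_port" "$to_port"
}

# Replace the blanket forward-port with the narrower rich rule, then reload.
# Does nothing when firewall-cmd is absent (e.g. when testing elsewhere).
apply_redirect_rule() {
    rule=$(build_redirect_rule "$LAN_NET" "$PROXY_IP" 80 3128)
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; would add: $rule"
        return 0
    fi
    firewall-cmd --permanent --zone="$ZONE" \
        --remove-forward-port="port=80:proto=tcp:toport=3128:toaddr=$PROXY_IP" || return 1
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" || return 1
    firewall-cmd --reload || return 1
    # Confirm what is now active in the zone.
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Run with "apply" as the first argument to change the live configuration.
if [ "${1:-}" = "apply" ]; then
    apply_redirect_rule
fi
```

After applying, a client request to http://amandine.sandbox.lan should appear in httpd's log and no longer in /var/log/squid/access.log, while other HTTP traffic still does.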