I'll explain what's going on, and I hope someone can help me resolve the issue.
I set up a CentOS 7 server that is at the edge of the internet with a public IP. In it I have enabled SELinux, Firewalld, Squid and SquidGuard.
I have two active interfaces, one for my internal network (internal zone) and one on the external network (external zone). This server serves internet for all my internal network and currently there are 110 computers.
Browsing (HTTP and HTTPS protocol) is working very well, with SquidGuard blocks and logs all OK.
external (active)
target: default
icmp-block-inversion: no
interfaces: enp3s0
sources:
services: ssh
ports: 3001/tcp 3128/tcp 7070/tcp 8090/tcp 554/tcp 3389/tcp
protocols:
masquerade: no
forward-ports: port=8090:proto=tcp:toport=8090:toaddr=192.168.1.250
	port=3001:proto=tcp:toport=80:toaddr=192.168.1.242
	port=2096:proto=tcp:toport=3389:toaddr=192.168.1.178
	port=9923:proto=tcp:toport=9922:toaddr=192.168.1.242
source-ports:
icmp-blocks:
rich rules:
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp4s0
sources:
services: dhcpv6-client mdns samba samba-client ssh
ports: 3128/tcp 80/tcp 3001/tcp 7070/tcp 8090/tcp 3268/tcp 3389/tcp 554/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
On my external card I have masquerade = no, because I need the user to use the proxy, configuring it manually in the browser. If I leave the external card's masquerade = yes, I can use any protocol and I don't have any more problems, however, any computer can use the internet without going through Squid, that is, this is not an option.
On my internal card I have masquerade = yes, because I have some internal services with public access and for that I need to do forward-ports.
Another detail is that the connection to the Remote Desktop within my internal network works without any problem, so I understand that the problem is precisely in this masking of the internal card to the external one and Squid is not doing it, except for HTTP and HTTPS protocol.
I'm sure I missed something during the installation and configuration of these services, but I can't find it.
My squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Autenticacao de Usuario
auth_param basic credentialsttl 2 hours
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
acl autorizados proxy_auth REQUIRED
acl SSL_ports port 3389
acl SSL_ports port 554
acl Safe_ports port 3389
acl Safe_ports port 554
acl purge method PURGE
acl CONNECT method CONNECT
acl dominio_mydomain dstdomain .meudominio.com.br
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_parameters 1 12500000/12500000 1250000/1250000
delay_parameters 2 -1/-1 -1/-1
delay_access 2 allow dominio_mydomain
delay_access 1 allow autorizados
delay_access 1 deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny to_localhost
http_access allow autorizados
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
maximum_object_size 4096 KB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
cache_mem 256 MB
pipeline_prefetch on
fqdncache_size 1024
logfile_rotate 30
cache_swap_low 90
cache_swap_high 95
dns_nameservers 192.168.1.251 8.8.8.8 8.8.4.4
dns_v4_first on
hosts_file /etc/hosts
url_rewrite_program /usr/bin/squidGuard
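The http_access chain from the squid.conf above, reduced to a small evaluator so you can see what the proxy itself would decide for a given request. This is an added example, not the poster's code and not part of Squid; the Safe_ports/SSL_ports lists are taken exactly as posted, and Squid's built-in localhost, to_localhost and manager ACLs are modelled as request flags rather than by address or URL parsing.

```python
from dataclasses import dataclass

@dataclass
class Request:
    method: str            # "GET", "CONNECT", "PURGE", ...
    port: int              # destination port of the request
    authenticated: bool    # would the proxy_auth ACL "autorizados" match?
    from_localhost: bool = False
    to_localhost: bool = False
    manager: bool = False  # cache-manager URL?

# ACLs from the posted squid.conf as boolean tests. Port lists are exactly as posted
# (no 80/443); built-in localhost/to_localhost/manager ACLs are modelled as flags.
ACL_TESTS = {
    "all": lambda r: True,
    "Safe_ports": lambda r: r.port in {3389, 554},
    "SSL_ports": lambda r: r.port in {3389, 554},
    "CONNECT": lambda r: r.method == "CONNECT",
    "purge": lambda r: r.method == "PURGE",
    "autorizados": lambda r: r.authenticated,
    "localhost": lambda r: r.from_localhost,
    "to_localhost": lambda r: r.to_localhost,
    "manager": lambda r: r.manager,
}

# http_access lines in posted order: (action, terms); a leading "!" negates a term.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["to_localhost"]),
    ("allow", ["autorizados"]),
    ("deny", ["all"]),
]

def acl_term(term, req):
    """Evaluate one term, honouring the "!" negation prefix."""
    return ACL_TESTS[term.lstrip("!")](req) != term.startswith("!")

def http_access(req):
    """Squid semantics: the first line whose terms ALL match decides; if none
    matches, the result is the opposite of the last line's action."""
    for action, terms in HTTP_ACCESS:
        if all(acl_term(t, req) for t in terms):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

With the lists as posted, `http_access(Request("CONNECT", 443, True))` comes back `deny` on the very first line, so if HTTPS really works the running file must also contain the stock `acl Safe_ports port 443` and `acl SSL_ports port 443` entries; add them to the two sets to mirror it. An RDP client never sends a CONNECT at all, so these rules are never consulted for it; that is the firewalld/NAT side of the question, which this example does not model.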