On 09.05.20 at 09:42, Nicolas Kovacs wrote:

Hi,

I just set up a very basic HTTP proxy with Squid on a router running CentOS 7. Up until early 2020 I've been using a bone-headed shell script with iptables to configure my firewall. But I decided to follow advice from a few gurus on this list, and I've since moved my configurations to FirewallD, which works nicely.

There's one configuration left to tackle, that's port redirection for the Squid proxy server. Which also works fine, though I'd like to figure out a little detail. Here goes.

My router has two network interfaces, which I've aptly named WAN and LAN in the NetworkManager configuration:

  $ nmcli con show
  NAME  UUID                                  TYPE      DEVICE
  WAN   9574b606-8f6d-3edc-95ad-8165df0f3fce  ethernet  enp2s0
  LAN   c726b168-1fcd-4dc5-a01d-8ad8a1ba38ee  ethernet  enp3s1

Squid is acting as a transparent proxy server:

  $ sudo grep http_port /etc/squid/squid.conf
  http_port 3128 transparent

In my firewall configuration, all requests to port 80 (HTTP) are redirected to port 3128:

  $ sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
  $ sudo firewall-cmd --reload
  $ sudo firewall-cmd --list-all
  internal (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp3s1
    sources:
    services: dhcp dns http squid ssh
    ports:
    protocols:
    masquerade: no
    forward-ports: port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
    source-ports:
    icmp-blocks:
    rich rules:

In the current state, this configuration works as expected. When a client desktop in the 192.168.3.0/24 network browses HTTP sites on the web, it appears in the Squid log on the server in /var/log/squid/access.log.

And here comes the question. How can I redirect all HTTP requests to port 3128 EXCEPT THOSE THAT ARE DIRECTLY AIMED AT THE PROXY SERVER?

Here's the thing. The proxy server (amandine.sandbox.lan) is also running httpd to display a static information page for the local network. Now client desktops can access http://amandine.sandbox.lan in a web browser just fine. But this still goes through the proxy, and I'd like these requests to rather be handled directly.

In iptables syntax this would vaguely look like this:

  $ iptables -A PREROUTING -t nat -i 192.168.3.1 -p tcp \
    ! -d 192.168.3.1 --dport 80 -j REDIRECT --to-port 3128

How can I translate the "! -d 192.168.3.1" part into some FirewallD-specific syntax?
Untested:

  $ man firewalld.richlanguage
  <paste>
  Destination
      destination [not] address="address[/mask]"
  </paste>

--
Leon

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
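As an added example (not from either post), the script below turns Leon's pointer into a concrete firewalld change: it builds the rich rule that replaces Nicolas's `--add-forward-port` entry, with `destination not address="192.168.3.1/32"` playing the role of iptables' `! -d 192.168.3.1`. The zone (`internal`), addresses and ports come from Nicolas's output; the script name, the `plan`/`apply` arguments and the decision to drop `toaddr` (the redirect stays on the router, where Squid listens) are assumptions. The old forward-port must be removed as well, or it keeps catching the traffic regardless of the new rule. As Leon says, this is untested against a live firewalld, so the default mode only prints the commands.

```shell
#!/bin/sh
# Added example for the CentOS thread above; not code from the original posts.
# Builds the firewalld rich rule equivalent of
#   iptables -t nat -A PREROUTING -p tcp ! -d 192.168.3.1 --dport 80 -j REDIRECT --to-port 3128
# Nothing is applied unless the script is run with "apply".
set -eu

ZONE="internal"           # LAN zone shown by firewall-cmd --list-all
PROXY_ADDR="192.168.3.1"  # router/proxy address on the LAN side (assumed from the post)
HTTP_PORT="80"
SQUID_PORT="3128"

# The forward-port added in the original post; it has to go, or it still
# redirects everything (including requests aimed at the proxy host itself).
old_forward_port() {
    printf 'port=%s:proto=tcp:toport=%s:toaddr=%s\n' \
        "$HTTP_PORT" "$SQUID_PORT" "$PROXY_ADDR"
}

# Rich rule: redirect HTTP to Squid unless the destination is the proxy host.
# "destination not address=" is firewalld's counterpart of iptables "! -d".
# No to-addr: a plain local redirect, since Squid runs on the router.
rich_rule() {
    printf 'rule family="ipv4" destination not address="%s/32" forward-port port="%s" protocol="tcp" to-port="%s"\n' \
        "$PROXY_ADDR" "$HTTP_PORT" "$SQUID_PORT"
}

# Print the firewall-cmd invocations, one per line, for review.
plan() {
    printf 'firewall-cmd --permanent --zone=%s --remove-forward-port=%s\n' \
        "$ZONE" "$(old_forward_port)"
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
        "$ZONE" "$(rich_rule)"
    printf 'firewall-cmd --reload\n'
    printf 'firewall-cmd --zone=%s --list-rich-rules\n' "$ZONE"
}

# Run the same commands for real (requires root and firewalld).
apply() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found" >&2
        return 1
    }
    firewall-cmd --permanent --zone="$ZONE" --remove-forward-port="$(old_forward_port)"
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule)"
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

case "${1:-plan}" in
    plan)  plan ;;
    apply) apply ;;
    *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

After applying, the check that matters is from a client in 192.168.3.0/24: a request to http://amandine.sandbox.lan should no longer show up in /var/log/squid/access.log, while requests to other HTTP sites still should. If firewalld rejects the rule, `firewall-cmd --zone=internal --list-rich-rules` will simply not list it, which is the first thing to look at.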