Hey Lola,

I have created a demo video at: https://cloud1.ngtech.co.il/static/squid-data/CentOS%209%20-%20Intercept%20Demo.mp4

This gives a demo on how to configure Squid in intercept (transparent) mode for both port 80 HTTP and port 443 HTTPS. It's not a tutorial, it's a demo.
The client is a Windows Server 2022 and the proxy server is a CentOS 9 with the default Squid 5.5 package.

It's recommended by the Squid-Cache project to use the latest stable, but from my tests the latest 5 cannot be compiled on CentOS 9 and all other RHEL 9 based distributions.
Pay attention to the OpenSSL version that is being used on CentOS 9 and others.

For now I do recommend to use RHEL / Oracle 8 and not CentOS 9 Stream. If you do feel comfortable with CentOS 8 Stream then use that instead of CentOS 9 Stream for now.

    # CentOS 9 squid 5.5 compilation flags
    # squid -v
    Squid Cache: Version 5.5
    Service Name: squid
    This binary uses OpenSSL 3.0.1 14 Dec 2021. For legal restrictions on distribution see https://www.openssl.org/source/license.html
    configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix='
    '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
    '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
    '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info'
    '--libexecdir=/usr/lib64/squid' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
    '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--disable-dependency-tracking'
    '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth'
    '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM'
    '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos'
    '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group'
    '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
    '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
    '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
    '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2'
    '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl'
    '--with-pthreads' '--disable-arch-native' '--disable-security-cert-validators'
    '--disable-strict-error-checking' '--with-swapdir=/var/spool/squid'
    'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc'
    'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall
    -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
    -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
    -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic
    -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
    'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
    -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++'
    'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall
    -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
    -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
    -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic
    -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
    'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'LT_SYS_LIBRARY_PATH=/usr/lib64:'

All The Bests,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Lola Lo
Sent: Wednesday, 16 November 2022 22:15
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: transparent mode squid on centos 9 with iptables (part 2)

Hi guys.

Could you please send a tutorial or any good guidance to implement Squid in transparent mode on CentOS 9 with iptables?

I have configured squid.conf with these parameters:

    ens192: 172.31.168.28, internet interface
    ens224: 192.168.1.10, LAN interface (private network)

    # My ACLs #
    acl mi_red src 192.168.1.0/24
    acl cliente_linux src 192.168.1.20
    acl cliente_windows src 192.168.1.30
    acl sitios1 url_regex "/etc/squid/listas/sitios1"
    acl sitios2 url_regex "/etc/squid/listas/sitios2"

    # Squid normally listens to port 3128
    http_port 3128
    http_port 8080 transparent

I want the "deny all" rule to get applied to test the client using the proxy.

My iptables is configured as follows:

    #!/bin/bash
    ## NAT server configuration ##
    sysctl -w net.ipv4.ip_forward=1
    sysctl -p
    iptables -X
    iptables -F
    iptables -t nat -X
    iptables -t nat -F
    iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE

    #!/bin/bash
    ## proxy server configuration ##
    ### Accepting traffic for the ports: 3128 and 8080 ##
    iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3128 -j DROP
    iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 3128 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 3128 -j DROP
    iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j DROP
    iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 8080 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 8080 -j DROP
    ### Accepting traffic for the ports: 3128 and 8080 ##
    iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
    iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080

But I got this error:

    1668381894.746      0 192.168.1.20 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
    1668381967.800      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.805      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.809      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.814      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.818      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.823      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.827      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.832      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.836      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html
    1668381967.841      0 192.168.1.20 NONE_NONE/400 3690 - error:invalid-request - HIER_NONE/- text/html

Could you please help me to solve this? I am completely new to using Squid and Linux.

I was following these sources:
• https://www.xmodulo.com/squid-transparent-web-proxy-centos-rhel.html
• https://www.maravento.com/2015/06/no-forward-proxy-ports-configured.html
• https://www.xmodulo.com/internet-connection-sharing-iptables-linux.html

You can find the logs of Squid 5.5 here: https://epnecuador-my.sharepoint.com/:u:/g/personal/mercy_anchundia_epn_edu_ec/EaqrQJFkDfhLnEha14CIfKoBhrKZLaSTIE51t_gw0_iUZw?e=Y8xirv

I configured the Linux client with the IP 192.168.1.20/24; the gateway is the Linux server: 192.168.1.10, and DNS: 192.168.1.10 and others of my ISP.

....
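As an added example that is not part of the thread (neither Eliezer's nor Lola's code), the POSIX shell linter below cross-checks a squid.conf against the iptables script that redirects traffic into it, flagging the deprecated `transparent` keyword, a redirect target that lacks the intercept flag, and port 443 traffic landing on a plain http_port (where the TLS ClientHello is parsed as HTTP and rejected, which is what the NONE_NONE/400 error:invalid-request lines above show). The sample files are constructed from the post's port declarations, and the corrected pair (ports 3129/3130, the `-i ens224` interface match, and the certificate path) are illustrative assumptions, not a complete ssl-bump configuration.

```shell
#!/bin/sh
# Added example, not from the thread: lint an intercept-mode squid.conf against
# the iptables script that feeds it. Prints one finding per line, nothing when clean.
lint_intercept() {              # usage: lint_intercept squid.conf firewall.sh
    conf=$1; fw=$2
    # 'transparent' is the deprecated spelling of 'intercept'
    if grep -Eq '^[[:space:]]*https?_port[[:space:]].*[[:space:]]transparent' "$conf"; then
        echo "WARN: 'transparent' is deprecated, use 'intercept'"
    fi
    # for every REDIRECT rule, extract "<client dport> <local target port>"
    sed -nE 's/.*--dport[[:space:]]+([0-9]+).*-j[[:space:]]+REDIRECT[[:space:]]+--to-ports?[[:space:]]+([0-9]+).*/\1 \2/p' "$fw" |
    while read -r dport target; do
        decl=$(grep -E "^[[:space:]]*https?_port[[:space:]]+([0-9.]+:)?$target([[:space:]]|\$)" "$conf" |
               head -n1 | sed 's/^[[:space:]]*//')
        if [ -z "$decl" ]; then
            echo "ERR: dport $dport is redirected to $target but no http(s)_port $target is declared"
            continue
        fi
        # a port receiving NAT'ed traffic must carry the intercept flag
        case "$decl" in
            *intercept*|*transparent*) ;;
            *) echo "ERR: port $target receives redirected traffic but lacks 'intercept'" ;;
        esac
        # TLS (443) can only be intercepted by https_port ... ssl-bump; a plain http_port rejects it
        if [ "$dport" = 443 ]; then
            case "$decl" in
                https_port*ssl-bump*) ;;
                *) echo "ERR: dport 443 (TLS) goes to $target, which is not 'https_port ... intercept ssl-bump'" ;;
            esac
        fi
    done
}
lint_demo() {                   # usage: lint_demo "<squid.conf text>" "<iptables script text>"
    d=$(mktemp -d)
    printf '%s\n' "$1" >"$d/squid.conf"; printf '%s\n' "$2" >"$d/fw.sh"
    lint_intercept "$d/squid.conf" "$d/fw.sh"
    rm -rf "$d"
}
# constructed samples: the post's pairing, then an assumed corrected pairing
BROKEN_CONF='http_port 3128
http_port 8080 transparent'
BROKEN_FW='iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 8080'
FIXED_CONF='http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/intercept.pem'
FIXED_FW='iptables -t nat -A PREROUTING -i ens224 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A PREROUTING -i ens224 -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3130'
lint_demo "$BROKEN_CONF" "$BROKEN_FW"   # prints the WARN and the 443 ERR; the fixed pair prints nothing
```

Run it against your own files with `lint_intercept /etc/squid/squid.conf /path/to/firewall.sh` before restarting Squid.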
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users