分享centos9+firewalld+squid5.7透明代理+双网卡，并请大佬指点

环境：
1.系统：CentOS Stream release 9
2.双网卡：
2.1.外网卡(双口网卡组term)term0,ip192.168.1.30/24,网关192.168.1.1
2.1.内网卡enp3s0,10.10.0.0/24和10.10.100.0/24(只配置IP和子网掩码，而且想代理几个可以配几个也可以通过子网掩码控制)
准备：
1.处理文件支持数
ulimit -Hs 65535
ulimit -n 65535
vi /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
#2.squid部分
#2.1.编译：enable-linux-netfilter-启用透明代理,with-openssl-https代理会用到,其他参数抄的可能无效甚至负优化
./configure --prefix=/usr/local/squid \
--enable-async-io=100 \
--with-openssl=/var/kerberos \
--with-pthreads \
--enable-storeio="aufs,diskd,ufs" \
--enable-removal-policies="heap,lru" \
--enable-icmp \
--enable-linux-netfilter \
--enable-delay-pools \
--enable-useragent-log \
--enable-referer-log \
--enable-kill-parent-hack \
--enable-arp-acl \
--enable-default-err-language=Simplify_Chinese \
--enable-err-languages="Simplify_Chinese English" \
--disable-poll \
--disable-wccp \
--disable-wccpv2 \
--disable-ident-lookups \
--disable-internal-dns \
--enable-basic-auth-helpers="NCSA" \
--enable-stacktrace \
--with-large-files \
--disable-mempools \
--with-filedescriptors=65536 \
--enable-ssl \
--enable-x-accelerator-var
#2.2.安装make install-pinger-启用--enable-icmp以后需要执行
make&make -j2&make install-pinger
#2.3.squid.conf
http_access allow all
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 intercept
https_port 0.0.0.0:3130 intercept ssl-bump tls-cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump stare step2
ssl_bump bump step3
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname tcdnetwork.com
#2.4.生成证书
openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der
#2.5.初始化，看报错，主要解决文件夹权限问题
/usr/local/squid/sbin/squid -z
#2.6.前台启动主要看有没有报错，后台启动看cache也行
/usr/local/squid/sbin/squid -NCd1
#3.防火墙部分
#3.1.外网卡
firewall-cmd --zone=external --add-interface=team0 --permanent
#3.2.内网卡
firewall-cmd --zone=internal --add-interface=enp3s0 --permanent
#3.3.先让3128网络代理功能启动看是否正常，执行以下三条命令后，浏览器设置代理应该可以访问网页
firewall-cmd --permanent --add-forward-port=port=3128:proto=tcp:toaddr=192.168.1.30:toport=3128
firewall-cmd --permanent --zone=internal --add-port=3128/tcp
firewall-cmd --reload
#3.4.让双网卡数据可以流动起来-透明代理部分
firewall-cmd --permanent --new-policy intToExt
firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
firewall-cmd --permanent --policy intToExt --add-egress-zone external
firewall-cmd --permanent --policy intToExt --set-target ACCEPT
#3.5.NAT策略，不等同于http端口号转换，网卡enp3s0进入数据的80端口转为192.168.1.30的3129端口(不同网卡)
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.30:3129
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.30:3130
firewall-cmd --reload
#4.收尾做个squid启动服务吧,用法应该不用多说了
cat /usr/lib/systemd/system/squid.service
[Unit]
After=network.target network-online.target nss-lookup.target
[Service]
Type=forking
ExecStart=/usr/local/squid/sbin/squid -s
ExecStop=/usr/local/squid/sbin/squid -k shutdown
PIDFile=/usr/local/squid/var/run/squid.pid
[Install]
WantedBy=multi-user.target