ipset, a clever and effective way to block undesired hosts

This post is meant to be the sequel of the one I wrote a month ago about CentOS as router, transparent proxy, and much more. A big chunk of that article is about configuring squid and squidGuard to act as a transparent proxy with URL filtering capabilities. But there's a problem with that: nowadays many sites (f4c3b00k.c0m just to name the most annoying one) are HTTPS. With HTTP one can easily intercept a packet and read the payload (which contains the URL), but with HTTPS this is not possible anymore, since the payload is encrypted (the server hostname may still show up in the TLS handshake, but the URL itself does not). The only way to read the payload of an HTTPS connection is a man-in-the-middle attack with a fake certificate, which is not advisable and you really don't want to do it. If, like in my case, we are not interested in what the users are doing but just want to stop them from reaching some sites/services/whatever, ipset (combined with iptables) is the right tool for the job. iptables is a pretty powerful tool; its only real issue is that it doesn't scale well when the number of rules gets very big, because every packet is checked against the rules of a chain one by one, and that matters since we probably want to blacklist thousands of IPs. And here comes ipset: with it it's possible to manage huge blacklists, matched by a single iptables rule, without iptables slowing down. …
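As an added example (not code from the original post), here is the ipset + iptables combination described above put together as a script: it turns a plain-text blacklist into an `ipset restore` script, loads it into a `hash:net` set with an atomic swap, and blocks the whole set with one iptables rule in the FORWARD chain. The set name `blacklist`, the `BLACKLIST_FILE` variable and the input format (one IPv4 address or CIDR per line, `#` comments allowed) are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not code from the original post. Builds an ipset blacklist
# from a plain-text file (one IPv4 address or CIDR per line) and hooks it into
# iptables with a single rule. The set name, the BLACKLIST_FILE variable and
# the input format are assumptions for illustration.
set -eu

SET_NAME="${SET_NAME:-blacklist}"
# hash:net holds both single addresses and CIDR ranges; lookups are hashed, so
# the number of entries does not add per-packet cost the way a long chain does.
SET_OPTS="hash:net family inet hashsize 4096 maxelem 65536"

# Turn the blacklist file into an `ipset restore` script for set "$1".
# '#' comments, blank lines and duplicates are dropped; entries that do not
# look like IPv4/CIDR are reported on stderr and skipped instead of aborting
# the whole load.
build_ipset_restore() {
    local set="$1" file="$2" entry
    printf 'create %s %s\n' "$set" "$SET_OPTS"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
      | grep -v '^$' | sort -u \
      | while IFS= read -r entry; do
            if printf '%s' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
                printf 'add %s %s\n' "$set" "$entry"
            else
                printf 'skipping malformed entry: %s\n' "$entry" >&2
            fi
        done
}

# Load the list atomically: fill a temporary set, then swap it in, so the
# iptables rule never matches against a half-filled set during a refresh.
apply_blacklist() {
    local set="$1" file="$2" tmp="${1}_tmp"
    build_ipset_restore "$tmp" "$file" | ipset -exist restore
    ipset -exist create "$set" $SET_OPTS
    ipset swap "$tmp" "$set"
    ipset destroy "$tmp"
    # FORWARD is what LAN clients' traffic traverses on a router; the -C check
    # keeps re-runs of the script from stacking duplicate rules.
    iptables -C FORWARD -m set --match-set "$set" dst -j DROP 2>/dev/null \
      || iptables -I FORWARD -m set --match-set "$set" dst -j DROP
}

# Only touch the kernel when a file is given, e.g.:
#   BLACKLIST_FILE=/etc/blacklist.txt ./blacklist.sh
if [ -n "${BLACKLIST_FILE:-}" ]; then
    apply_blacklist "$SET_NAME" "$BLACKLIST_FILE"
fi
```

Refreshing the list is just re-running the script with a new file: the swap replaces the set contents in one step and the existing `-m set --match-set` rule keeps working, so there is never a window where the rule references an empty or missing set. Traffic originating from the router itself goes through OUTPUT rather than FORWARD, so add an equivalent rule there if the box must be covered too.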


CentOS as router, transparent proxy, and much more

As usual, long story short: I have to set up a firewall to log traffic, block some stuff and do some other things.

– epel repo is required –

The system is made of a single CentOS machine with 2 physical network adapters:
eth0, connected to WAN, static IP address 192.168.0.3
eth1, connected to LAN, static IP address 10.0.0.1/24

.:. Network adapters configuration

WAN network adapter:

```
[root@CentOS ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="none"
HWADDR="**:**:**:**:**:**"
IPADDR=192.168.0.3
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
# ifcfg files take numbered keys (DNS1, DNS2, ...); a bare DNS= key is ignored
DNS1=192.168.0.1
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="***"
```

LAN network adapter: …
