firewalld + squid : how-to setup a proxy
2 votes, 1 answer, 1322 views
infra-server, with IP x.x.x.x and no internet connectivity, makes the following request:
$ wget http://google.com
--2016-11-04 09:32:55-- http://google.com/
Resolving google.com (google.com)... 172.217.22.110, 2a00:1450:4001:81d::200e
Connecting to google.com (google.com)|172.217.22.110|:8888... failed: Connection timed out.
proxy-server (squid listening on 8888) has the following interfaces:
eth1: 1.1.1.1 where all incoming requests from infra-server are coming in
eth2: 2.2.2.2 which has internet connectivity with a default route (80,443) because its address is translated in the firewall (gateway)
By running tcpdump on proxy-server on eth1 (the incoming interface), I correctly see the traffic arriving:
09:49:10.033951 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204336400 ecr 0,nop,wscale 7], length 0
09:49:11.034310 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204337402 ecr 0,nop,wscale 7], length 0
09:49:13.042720 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204339408 ecr 0,nop,wscale 7], length 0
09:49:17.047283 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204343416 ecr 0,nop,wscale 7], length 0
09:49:22.303238 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [R], seq 258250387, win 1400, length 0
09:49:25.060419 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204351424 ecr 0,nop,wscale 7], length 0
09:49:30.321096 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [R], seq 258250387, win 1400, length 0
By running tcpdump on proxy-server on eth2 (the outgoing interface), I do not see any outgoing HTTP traffic.
The only changes I have made to the squid configuration are the following:
acl infra-server src x.x.x.x/32
http_access allow infra-server
http_port 1.1.1.1:8888
System-wise, SELinux is set to permissive:
# getenforce
Permissive
and firewalld is configured as follows:
# firewall-cmd --list-all --zone=internal
internal (active)
interfaces: eth1
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports: 8888/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=external
external (active)
interfaces: eth2
sources:
services: http https ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
I just need the rule to forward traffic from eth1 to eth2 (I think).
Asked by nskalis
(685 rep)
Nov 5, 2016, 06:02 PM
Last activity: May 18, 2024, 05:28 AM
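Added example, not part of the question or of any answer on this page: a small POSIX shell triage helper for the symptom shown above, SYNs arriving on 1.1.1.1:8888 with no SYN-ACK ever leaving the host. Two things a practitioner checks before touching forwarding rules: squid is an application-layer relay, so it needs no IP forwarding or masquerade between eth1 and eth2 (it accepts the client connection on 1.1.1.1:8888 and opens its own outbound connection over eth2's route; bridging the isolated network to eth2 at the IP layer would defeat the point of the proxy), and a SYN that goes unanswered while 8888/tcp is open in the zone means either nothing is bound to that exact address and port on the proxy host, or the host drops the SYN before squid sees it. The first function parses tcpdump output and flags handshakes with no SYN-ACK; the second parses `ss -lnt` output to confirm a listener on a given address:port. The capture text is the question's own lines plus a constructed healthy handshake to port 22 for contrast; the `ss` output is constructed and deliberately shows a hypothetical squid bound to 127.0.0.1:8888 instead of 1.1.1.1:8888, one way this exact symptom arises.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for
# "SYN seen on the interface, no SYN-ACK ever sent" on a proxy host.

# Constructed sample: the question's tcpdump lines to 1.1.1.1:8888 plus a
# constructed, healthy handshake to 1.1.1.1:22 for contrast.
SAMPLE_CAPTURE='09:49:10.033951 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204336400 ecr 0,nop,wscale 7], length 0
09:49:11.034310 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204337402 ecr 0,nop,wscale 7], length 0
09:49:13.042720 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204339408 ecr 0,nop,wscale 7], length 0
09:49:17.047283 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204343416 ecr 0,nop,wscale 7], length 0
09:49:22.303238 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [R], seq 258250387, win 1400, length 0
09:49:25.060419 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [S], seq 258250387, win 29200, options [mss 1460,sackOK,TS val 3204351424 ecr 0,nop,wscale 7], length 0
09:49:30.321096 IP x.x.x.x.45977 > 1.1.1.1.8888: Flags [R], seq 258250387, win 1400, length 0
09:50:00.000001 IP x.x.x.x.50001 > 1.1.1.1.22: Flags [S], seq 1, win 29200, length 0
09:50:00.000200 IP 1.1.1.1.22 > x.x.x.x.50001: Flags [S.], seq 2, ack 2, win 28960, length 0
09:50:00.000400 IP x.x.x.x.50001 > 1.1.1.1.22: Flags [.], ack 1, win 229, length 0'

# Constructed `ss -lnt` output for a hypothetical misconfigured host:
# sshd on 0.0.0.0:22, squid bound to 127.0.0.1:8888 rather than 1.1.1.1:8888.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:8888      0.0.0.0:*'

# handshake_summary: read tcpdump -n text on stdin, one line per client->server
# pair that sent a SYN, with SYN and SYN-ACK counts and a verdict.
# A pair with NO_SYN_ACK means the host never accepted the connection.
handshake_summary() {
  awk '
    $2 == "IP" && $4 == ">" && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flags = $7; sub(/,$/, "", flags)
      if (flags == "[S]")       { key = src " -> " dst; syn[key]++ }    # client SYN
      else if (flags == "[S.]") { key = dst " -> " src; synack[key]++ } # server SYN-ACK
    }
    END {
      for (k in syn) {
        verdict = (synack[k] > 0) ? "ANSWERED" : "NO_SYN_ACK"
        printf "%s syn=%d synack=%d %s\n", k, syn[k], synack[k] + 0, verdict
      }
    }' | sort
}

# listening_on ADDR:PORT: read `ss -lnt` output on stdin; exit 0 if a LISTEN
# socket is bound to exactly that address and port, 1 otherwise.
listening_on() {
  awk -v want="$1" '
    $1 == "LISTEN" && $4 == want { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Stand-alone demo (on a real host: tcpdump -ni eth1 port 8888 | handshake_summary,
# and ss -lnt | listening_on 1.1.1.1:8888).
printf '%s\n' "$SAMPLE_CAPTURE" | handshake_summary
if printf '%s\n' "$SAMPLE_SS" | listening_on 1.1.1.1:8888; then
  echo "listener present on 1.1.1.1:8888"
else
  echo "nothing listening on 1.1.1.1:8888: check squid's http_port and reload"
fi
```

On the real proxy host the same two checks are `tcpdump -ni eth1 port 8888 | handshake_summary` and `ss -lnt | listening_on 1.1.1.1:8888`; if the listener is there and SYNs still go unanswered, look at what drops the packet on the host (firewalld zone assignment for eth1, rp_filter, the return route to x.x.x.x) rather than at forwarding.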