[Chilli] Coovachilli and Squid Transparent on the same host

Germano Paciocco germano.paciocco at gmail.com
Sun May 20 10:22:54 UTC 2012


David Bird wrote:

> A couple things to try:

> - Try either the postauthproxy or the iptables REDIRECT, both shouldn't
> be needed.

> - Try using 10.0.0.1 instead of 127.0.0.1 for the squid listen and for the
> postauthproxy.

Thank you for your interest.

Maybe I'm close to the goal: if I use postauthproxy rather than the iptables
REDIRECT rules, and set 10.0.0.1 in the config file instead of 127.0.0.1 as
you suggested, my traffic is dropped by rule #8 in the INPUT chain of the
filter table!

Chain INPUT (policy ACCEPT 77 packets, 5364 bytes)
num   pkts bytes target  prot opt in    out source    destination
1      139 19658 DROP    all  --  eth0  *   0.0.0.0/0 0.0.0.0/0
2        0     0 ACCEPT  icmp --  tun0  *   0.0.0.0/0 10.0.0.1
3        1    82 ACCEPT  udp  --  tun0  *   0.0.0.0/0 10.0.0.1        udp dpt:53
4        0     0 ACCEPT  udp  --  tun0  *   0.0.0.0/0 10.0.0.1        udp dpts:67:68
5        0     0 ACCEPT  udp  --  tun0  *   0.0.0.0/0 255.255.255.255 udp dpts:67:68
6       77  9558 ACCEPT  tcp  --  tun0  *   0.0.0.0/0 10.0.0.1        tcp dpt:4990
7       80 11894 ACCEPT  tcp  --  tun0  *   0.0.0.0/0 10.0.0.1        tcp dpt:3990
8       14   896 DROP    all  --  tun0  *   0.0.0.0/0 10.0.0.1        <<< THIS ONE DROPS SQUID!

If I add this rule
iptables -I INPUT 8 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT

everything works fine, but users will be able to surf by setting an explicit
proxy, bypassing authentication!

This is why it seems more logical to me to set postauthproxy to 127.0.0.1,
but when I do that I can't get the traffic processed by Squid in any way...

Any idea?

Kind regards.

-- 
GP
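The following script is an added illustration of the rule-ordering problem described in the message above; it is not code from the original post or from the CoovaChilli or Squid projects. It parses the INPUT chain listing exactly as posted (`iptables -L INPUT -nv --line-numbers` format), walks it first-match like the kernel does, and then emulates the `iptables -I INPUT 8 ... --dport 3128 -j ACCEPT` workaround to show two things: the packet to Squid that previously hit rule 8 (DROP) now hits the new rule 8 (ACCEPT), and because that rule carries no source or connection-state restriction, a packet from any other host on tun0 is accepted exactly the same way. The client addresses 10.0.0.23 and 10.0.0.99 are constructed for the example; the matcher only models interface, protocol, source, destination and destination port, which is all these rules use.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed sample: the INPUT chain as listed in the post above.
LISTING = """\
Chain INPUT (policy ACCEPT 77 packets, 5364 bytes)
num pkts bytes target prot opt in out source destination
1 139 19658 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT icmp -- tun0 * 0.0.0.0/0 10.0.0.1
3 1 82 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpt:53
4 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpts:67:68
5 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68
6 77 9558 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:4990
7 80 11894 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:3990
8 14 896 DROP all -- tun0 * 0.0.0.0/0 10.0.0.1
"""


@dataclass
class Rule:
    num: int
    target: str
    proto: str                    # "all", "tcp", "udp", "icmp"
    in_if: str                    # "*" or an interface name
    src: str                      # "0.0.0.0/0" (any) or an address
    dst: str
    dports: Optional[range] = None  # None = no --dport match


@dataclass
class Packet:
    in_if: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_listing(text: str) -> Tuple[str, List[Rule]]:
    """Parse `iptables -L <chain> -nv --line-numbers` output into (policy, rules)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        m = re.match(r"Chain \S+ \(policy (\w+)", line)
        if m:
            policy = m.group(1)
            continue
        f = line.split()
        if not f or not f[0].isdigit():
            continue  # column-header line
        # columns: num pkts bytes target prot opt in out source destination [matches...]
        dports = None
        m = re.search(r"dpts?:(\d+)(?::(\d+))?", line)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            dports = range(lo, hi + 1)
        rules.append(Rule(int(f[0]), f[3], f[4], f[6], f[8], f[9], dports))
    return policy, rules


def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "0.0.0.0/0" or pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.in_if == "*" or rule.in_if == pkt.in_if)
            and (rule.proto == "all" or rule.proto == pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (rule.dports is None
                 or (pkt.dport is not None and pkt.dport in rule.dports)))


def verdict(policy: str, rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """First matching rule wins, as in the kernel; otherwise the chain policy applies."""
    for r in rules:
        if matches(r, pkt):
            return r.num, r.target
    return None, policy


def insert_rule(rules: List[Rule], position: int, rule: Rule) -> List[Rule]:
    """Emulate `iptables -I <chain> <position> ...`: insert, then renumber."""
    merged = rules[:position - 1] + [rule] + rules[position - 1:]
    return [replace(r, num=i) for i, r in enumerate(merged, 1)]


def demo():
    policy, rules = parse_listing(LISTING)
    squid = Packet("tun0", "tcp", "10.0.0.23", "10.0.0.1", 3128)  # constructed client
    before = verdict(policy, rules, squid)                         # hits rule 8: DROP
    # The workaround from the post: iptables -I INPUT 8 -i tun0 -p tcp --dport 3128 -j ACCEPT
    allow = Rule(0, "ACCEPT", "tcp", "tun0", "0.0.0.0/0", "0.0.0.0/0", range(3128, 3129))
    patched = insert_rule(rules, 8, allow)
    after = verdict(policy, patched, squid)                        # new rule 8: ACCEPT
    # Same rule, a different tun0 host: nothing in the rule distinguishes it.
    other = verdict(policy, patched, Packet("tun0", "tcp", "10.0.0.99", "10.0.0.1", 3128))
    return before, after, other


if __name__ == "__main__":
    for label, result in zip(("before", "after", "other host"), demo()):
        print(f"{label:>10}: rule {result[0]} -> {result[1]}")
```

The simulator deliberately has no notion of which tun0 address has passed the captive portal, because the inserted rule has none either: that is the gap the message points out, and it is why a blanket ACCEPT on port 3128 is not a fix.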

