[Chilli] Coovachilli and Squid Transparent on the same host

Venkatesh K kaevee at gmail.com
Sun May 20 11:47:27 UTC 2012


Why don't you revisit the postauthproxy and use 127.0.0.1/3128? Make sure your
firewall rules don't block input traffic from/to lo0.

Thanks,

Venkatesh. K


On Sun, May 20, 2012 at 3:52 PM, Germano Paciocco <germano.paciocco at gmail.com> wrote:

> David Bird wrote:
>
> > A couple things to try:
>
> > - Try either the postauthproxy or the iptables REDIRECT, both shouldn't
> > be needed.
>
> > - Try using 10.0.0.1 instead of 127.0.0.1 for the squid listen and for
> > the postauthproxy.
>
> Thank you for your interest.
>
> Maybe I'm close to the goal: if I use postauthproxy rather than redirect
> iptables rules, and I set 10.0.0.1 in the config file instead of 127.0.0.1
> as you suggested, my traffic is dropped by rule #8 in the INPUT chain
> of the filter table!
>
> Chain INPUT (policy ACCEPT 77 packets, 5364 bytes)
> num pkts bytes target prot opt in out source destination
> 1 139 19658 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 2 0 0 ACCEPT icmp -- tun0 * 0.0.0.0/0 10.0.0.1
> 3 1 82 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpt:53
> 4 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpts:67:68
> 5 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68
> 6 77 9558 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:4990
> 7 80 11894 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:3990
> 8 14 896 DROP all -- tun0 * 0.0.0.0/0 10.0.0.1 <<< THIS ONE DROPS SQUID!
>
> If I add this rule
> iptables -I INPUT 8 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
>
> everything works fine, but users will be able to surf by setting an explicit
> proxy, bypassing authentication!!!!!
>
> This is the reason why I find it more logical to set postauthproxy to 127.0.0.1,
> but doing this, I can't get traffic processed by Squid in any way...
>
> Any idea?
>
> Kind regards.
>
> --
> GP
>
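
The rule ordering discussed in this thread, as an added example that is not part of the original messages: a small first-match evaluator in Python over the quoted INPUT listing, run before and after the `-I INPUT 8` rule is inserted. The function names are hypothetical, source addresses are ignored because every quoted rule uses 0.0.0.0/0, and `lo` is assumed as the loopback interface name.

```python
import ipaddress

# INPUT rules 1-8 as quoted in the message (the "<<<" annotation removed).
LISTING = """\
1 139 19658 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT icmp -- tun0 * 0.0.0.0/0 10.0.0.1
3 1 82 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpt:53
4 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpts:67:68
5 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68
6 77 9558 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:4990
7 80 11894 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:3990
8 14 896 DROP all -- tun0 * 0.0.0.0/0 10.0.0.1
"""

def parse_rules(listing):
    """Parse verbose, numbered iptables listing rows into dicts."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        lo, hi = 0, 65535                      # no dpt match: any port
        for tok in f[10:]:
            if tok.startswith(("dpt:", "dpts:")):
                ports = [int(p) for p in tok.split(":")[1:]]
                lo, hi = ports[0], ports[-1]
        rules.append({"target": f[3], "proto": f[4], "in": f[6],
                      "dst": ipaddress.ip_network(f[9]), "dports": (lo, hi)})
    return rules

def first_match(rules, iface, proto, dst, dport):
    """Return (rule number, target); (0, 'ACCEPT') means chain policy."""
    for num, r in enumerate(rules, 1):
        if (r["in"] in ("*", iface) and r["proto"] in ("all", proto)
                and ipaddress.ip_address(dst) in r["dst"]
                and r["dports"][0] <= dport <= r["dports"][1]):
            return num, r["target"]
    return 0, "ACCEPT"

def with_squid_accept(rules):
    """Model the message's rule: -I INPUT 8 -i tun0 -p tcp --dport 3128 -j ACCEPT."""
    new = {"target": "ACCEPT", "proto": "tcp", "in": "tun0",
           "dst": ipaddress.ip_network("0.0.0.0/0"), "dports": (3128, 3128)}
    return rules[:7] + [new] + rules[7:]

if __name__ == "__main__":
    rules = parse_rules(LISTING)
    for label, rs in (("as quoted", rules), ("rule added", with_squid_accept(rules))):
        print(label, "tun0 -> 10.0.0.1:3128", first_match(rs, "tun0", "tcp", "10.0.0.1", 3128))
    print("as quoted lo -> 127.0.0.1:3128", first_match(rules, "lo", "tcp", "127.0.0.1", 3128))
```

The evaluator takes no input for a client's authentication state, so the ACCEPT at position 8 applies to every connection arriving on tun0, while loopback traffic to 127.0.0.1:3128 matches none of the quoted rules and falls through to the chain policy.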