[Chilli] Coovachilli and Squid Transparent on the same host
Germano Paciocco
germano.paciocco at gmail.com
Sun May 20 16:23:40 UTC 2012
/*Venkatesh K <kaevee at gmail.com>*/ wrote:
> Why don't you revisit the postauthproxy use 127.0.0.1/3128.
when I use 127.0.0.1 as postauthproxy, i can't see log in
/var/squid/access.log
(consider that when I set postauthproxy=127.0.0.1, I modified also
squid.conf from this:
http_port 10.0.0.1:3128 transparent
to this
http_port 127.0.0.1:3128 transparent
unlike the previous case, the rule that blocks Squid's traffic is the
last one (#6) of FORWARD chain of filter table (see rules
below). So to allow the traffic I should insert this new rule:
iptables -I FORWARD 6 -i eth0 -j ACCEPT
This works, but as i said before, I can't see any log
on /var/log/squid/access.log, so I don't know if Squid is
processing the traffic (and I'm doing all this only to have
Squid logs)!
So if I use 10.0.0.1 as POSTAUTHPROXY, I get a security hole; if I use
127.0.0.1 I can't get traffic log.
In both case I have to add a rule to make all working POSTAUTHPROXY
(unlike of what David Bird wrote).
> Make sure your firewall rules don't block input traffic from/to lo0.
Why my firewall should do this?
However, to try I added the following rules
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I FORWARD -i lo -j ACCEPT
iptables -I FORWARD -o lo -j ACCEPT
but nothing changes...
I know I'm doing some mistake, but I can't understand which...
This is the firewall as coovachilli did it, with no rules added:
--->>> FILTER <<<---
Chain INPUT (policy ACCEPT 339 packets, 19593 bytes)
num pkts bytes target prot opt in out source destination
1 3 458 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT icmp -- tun0 * 0.0.0.0/0 10.0.0.1
3 2 130 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpt:53
4 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpts:67:68
5 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68
6 0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:4990
7 0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:3990
8 0 0 DROP all -- tun0 * 0.0.0.0/0 10.0.0.1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- tun0 !eth1 0.0.0.0/0 0.0.0.0/0
2 18 1088 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02
TCPMSS clamp to PMTU
3 5 260 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
4 5 200 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0
6 23 1468 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 <<< *
* THIS ONE DROPS ME IF I USE 127.0.0.1 as POSTAUTHPROXY
Chain OUTPUT (policy ACCEPT 323 packets, 78326 bytes)
num pkts bytes target prot opt in out source destination
--->>> NAT <<<---
Chain PREROUTING (policy ACCEPT 24 packets, 1776 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 6 packets, 496 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 496 bytes)
num pkts bytes target prot opt in out source destination
--->>> MANGLE <<<---
Chain PREROUTING (policy ACCEPT 377 packets, 22109 bytes)
num pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 344 packets, 20181 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 33 packets, 1928 bytes)
num pkts bytes target prot opt in out source destination
1 18 1088 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02
TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 323 packets, 78326 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 333 packets, 78786 bytes)
num pkts bytes target prot opt in out source destination
--
GP
More information about the Chilli
mailing list