[Chilli] Coovachilli and Squid Transparent on the same host
David Harrold
david at dkxl.co.uk
Mon May 21 08:29:24 UTC 2012
You can use a mangle entry to prevent unauthenticated users from having access to squid.
I use this combination of iptables rules:
#Redirect all non-local http traffic to squid
iptables -A PREROUTING -t nat -s $CLIENT_NET -p tcp --dport 80 ! -d $CLIENT_NET -j REDIRECT --to-port 3128
#Block direct external access to the internal receiving port. This has to be done in the mangle part of iptables
#before NAT happens so that intercepted traffic does not get dropped.
iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j DROP
#Only allow client access to the squid intercept port from tun0, i.e. AFTER it's been through the chilli gatekeeper
iptables -I INPUT -i tun0 -p tcp --dport 3128 -j ACCEPT
BR
-David
Maybe I'm close to the goal: if I use postauthproxy rather than redirect
iptables rules, and I set 10.0.0.1 in the config file instead of 127.0.0.1 as
you suggested, my traffic is dropped by rule #8 in the INPUT chain
of the filter table!
Chain INPUT (policy ACCEPT 77 packets, 5364 bytes)
num pkts bytes target prot opt in out source destination
1 139 19658 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT icmp -- tun0 * 0.0.0.0/0 10.0.0.1
3 1 82 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpt:53
4 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpts:67:68
5 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68
6 77 9558 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:4990
7 80 11894 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:3990
8 14 896 DROP all -- tun0 * 0.0.0.0/0 10.0.0.1 <<< THIS ONE DROPS SQUID!
If I add this rule
iptables -I INPUT 8 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
all works fine, but users will be able to surf by setting an explicit proxy,
bypassing authentication!!!!!
This is why I find it more logical to set postauthproxy to 127.0.0.1,
but when I do this, I can't get any traffic processed by Squid...
Any idea?
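To make the ordering argument in the reply above concrete, here is a small model of the netfilter hook order (mangle PREROUTING, then nat PREROUTING, then filter INPUT) run over the two candidate rule sets: the "ACCEPT for 3128 above rule 8" fix from the question, and the mangle DROP plus ACCEPT combination from the reply. This is an added example, not code from the thread or from the Coova project; the client subnet, the gateway address and the packets are constructed, and the chilli-installed INPUT rules are a simplified copy of the listing in the question.

```python
"""
Model of the netfilter hook order for packets delivered to the local host:
mangle PREROUTING -> nat PREROUTING -> filter INPUT.

Added example, not code from the chilli thread or from the Coova project.
The rule sets mirror the iptables commands quoted above; the client subnet,
addresses and packets are constructed. Conntrack is ignored, so every packet
is treated as the first packet of its flow (the only one that consults the
nat table in real netfilter), and only TCP is modelled.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

CLIENT_NET = ip_network("10.0.0.0/24")  # assumed value of $CLIENT_NET
GATEWAY = "10.0.0.1"                    # tun0 address of the chilli + squid host
SQUID_PORT = 3128                       # squid's intercept port


@dataclass(frozen=True)
class Packet:
    iface: str    # "tun0" = already passed chilli's gatekeeper, "eth0" = raw LAN side
    src: str
    dst: str
    dport: int    # TCP destination port


@dataclass(frozen=True)
class Rule:
    table: str                                 # "mangle", "nat" or "filter"
    chain: str                                 # "PREROUTING" or "INPUT"
    target: str                                # "ACCEPT", "DROP" or "REDIRECT"
    iface: Optional[str] = None                # -i
    dst: Optional[str] = None                  # -d (single address)
    dport: Optional[int] = None                # --dport
    src_net: Optional[IPv4Network] = None      # -s
    not_dst_net: Optional[IPv4Network] = None  # ! -d
    to_port: Optional[int] = None              # --to-port (REDIRECT only)

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.src_net is not None and ip_address(p.src) not in self.src_net:
            return False
        if self.not_dst_net is not None and ip_address(p.dst) in self.not_dst_net:
            return False
        return True


# Hooks a locally delivered packet crosses, in the order netfilter runs them.
HOOK_ORDER = (("mangle", "PREROUTING"), ("nat", "PREROUTING"), ("filter", "INPUT"))


def traverse(packet: Packet, rules: List[Rule]) -> Tuple[str, Packet]:
    """Walk the chains in HOOK_ORDER; return the verdict and the packet as the
    local socket would see it (i.e. after any nat rewrite)."""
    for table, chain in HOOK_ORDER:
        for r in rules:
            if (r.table, r.chain) != (table, chain) or not r.matches(packet):
                continue
            if r.target == "DROP":
                return "DROP", packet
            if r.target == "REDIRECT":
                # REDIRECT rewrites the destination to the primary address of
                # the incoming interface (GATEWAY for tun0 here) and --to-port.
                packet = replace(packet, dst=GATEWAY, dport=r.to_port)
            break  # ACCEPT and REDIRECT both finish this chain
    return "ACCEPT", packet  # chain policy ACCEPT, as in the listing above


# INPUT rules chilli installs itself (rules 1, 6, 7 and 8 of the listing above).
CHILLI_INPUT = [
    Rule("filter", "INPUT", "DROP", iface="eth0"),
    Rule("filter", "INPUT", "ACCEPT", iface="tun0", dst=GATEWAY, dport=4990),
    Rule("filter", "INPUT", "ACCEPT", iface="tun0", dst=GATEWAY, dport=3990),
    Rule("filter", "INPUT", "DROP", iface="tun0", dst=GATEWAY),  # rule 8
]

# The three rules from the reply above.
REDIRECT_HTTP = Rule("nat", "PREROUTING", "REDIRECT", src_net=CLIENT_NET,
                     not_dst_net=CLIENT_NET, dport=80, to_port=SQUID_PORT)
BLOCK_DIRECT_SQUID = Rule("mangle", "PREROUTING", "DROP", dport=SQUID_PORT)
ALLOW_SQUID_FROM_TUN0 = Rule("filter", "INPUT", "ACCEPT", iface="tun0", dport=SQUID_PORT)


def accept_only_rules() -> List[Rule]:
    """The question's fix: just an ACCEPT for 3128 inserted above rule 8."""
    return [REDIRECT_HTTP, ALLOW_SQUID_FROM_TUN0] + CHILLI_INPUT


def mangle_drop_rules() -> List[Rule]:
    """The reply's rule set: the same ACCEPT plus a mangle DROP on port 3128."""
    return [BLOCK_DIRECT_SQUID, REDIRECT_HTTP, ALLOW_SQUID_FROM_TUN0] + CHILLI_INPUT


def outcome(rules: List[Rule], packet: Packet) -> Tuple[str, int]:
    """Verdict plus the port the packet ends up on (3128 means it reached squid)."""
    verdict, seen = traverse(packet, rules)
    return verdict, seen.dport


# Constructed traffic samples.
INTERCEPTED = Packet("tun0", "10.0.0.5", "93.184.216.34", 80)     # ordinary web request
EXPLICIT_PROXY = Packet("tun0", "10.0.0.5", GATEWAY, SQUID_PORT)  # browser pointed straight at squid
SSH_TO_GATEWAY = Packet("tun0", "10.0.0.5", GATEWAY, 22)          # unrelated service on the host

if __name__ == "__main__":
    for name, rules in (("ACCEPT only", accept_only_rules()),
                        ("mangle DROP + ACCEPT", mangle_drop_rules())):
        for label, pkt in (("intercepted :80", INTERCEPTED),
                           ("explicit proxy :3128", EXPLICIT_PROXY),
                           ("ssh :22", SSH_TO_GATEWAY)):
            print(f"{name:22} {label:22} -> {outcome(rules, pkt)}")
```

With the ACCEPT-only rule set, both the intercepted request and a browser configured to use 10.0.0.1:3128 directly reach squid, which is the bypass the question worries about. With the mangle DROP in place, the direct connection is dropped before nat runs, while the intercepted request still passes the mangle hook on port 80, is rewritten to 3128 by REDIRECT, and is then accepted on tun0. Two caveats: the port-only mangle DROP also denies any legitimate explicit-proxy client anywhere on the box, and the model assumes the REDIRECT-based interception from the reply; if chilli itself rewrites the destination before the packet leaves tun0 (which is how the postauthproxy setting in the question appears to behave), the packet would already carry port 3128 at the mangle hook and the same DROP would hit it too.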