[Chilli] Transparent proxying and forwarding loop detected

reiner otto augustus_meyer at yahoo.de
Thu Jul 10 14:45:08 UTC 2014


Hi from babajaga (squid).
Three issues:
1) chilli/config: Get rid of these ones, as you want to use transparent squid (I commented them out):

#HS_POSTAUTH_PROXY=10.0.0.1
#HS_POSTAUTH_PROXYPORT=3128

2) squid.conf: http_port 3128 intercept   # changed between squid 2.7 and 3.x; looks like the old keyword is still tolerated for compatibility

3) iptables. Now the question is where/how NAT is to be done.
As I have routing, NAT, squid and chilli on the same system (WAN interface + WLAN with chilli), I do the following in
/etc/chilli/ipup.sh:
# force-add the final rule necessary to fix routing tables
iptables -I POSTROUTING -t nat -o "$HS_WANIF" -j MASQUERADE
CLIENT_NET=192.168.182.0/24
# Redirect all non-local http traffic to squid
iptables -A PREROUTING -t nat -s "$CLIENT_NET" -p tcp --dport 80 ! -d "$CLIENT_NET" -j REDIRECT --to-port 3128
# Block direct external access to the internal receiving port. This has to be done in the mangle part of iptables
# before NAT happens so that intercepted traffic does not get dropped.
iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j DROP
# Only allow client access to the squid intercept port from tun0, ie AFTER it's been through the chilli gatekeeper
iptables -I INPUT -i tun0 -p tcp --dport 3128 -j ACCEPT


BTW: Are you running a paid hotspot, or a free one?



Peter Smith <pete at linuxbox.co.uk> wrote on Thursday, 10 July 2014 at 16:16:

Hi list,

I'm running Squid 3.3 and CoovaChilli 1.3.0 on Linux as part of a
wireless hotspot solution.

The box has two network interfaces: one to the outside world, the
other a private LAN with IP 10.0.0.1. On the LAN I'm using CoovaChilli
as an active portal.

I'd like to transparently intercept and cache web traffic from wifi
clients. Coova has a configuration option for the IP and port of an
optional proxy - all web traffic from wireless clients will be routed
through this. I've set it to 10.0.0.1:3128

Here's my squid config:

acl localnet src 10.0.0.0/255.0.0.0   # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localnet
http_access deny all

http_port 10.0.0.1:3128 transparent
http_port 10.0.0.1:3127

coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

Unfortunately this throws "WARNING: Forwarding loop detected" warnings
(and in the client's browser an "Access Denied" error from Squid) and
I can't figure out why.

Running Squid in debugging mode (level 2), here's what I see when one
of the clients generates some Windows-related traffic:


2014/07/10 13:43:57.438| client_side.cc(2316) parseHttpRequest: HTTP
Client local=10.0.0.1:3128 remote=10.0.0.4:60976 FD 8 flags=33
2014/07/10 13:43:57.438| client_side.cc(2317) parseHttpRequest: HTTP
Client REQUEST:
---------
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com


----------
2014/07/10 13:43:57.449| client_side_request.cc(786)
clientAccessCheckDone: The request GET
http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched
'localnet'
2014/07/10 13:43:57.449| client_side_request.cc(760)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2014/07/10 13:43:57.449| client_side_request.cc(786)
clientAccessCheckDone: The request GET
http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched
'localnet'
2014/07/10 13:43:57.450| forward.cc(121) FwdState: Forwarding client
request local=10.0.0.1:3128 remote=10.0.0.4:60976 FD 8 flags=33,
url=http://www.msftncsi.com/ncsi.txt
2014/07/10 13:43:57.451| peer_select.cc(289) peerSelectDnsPaths: Found
sources for 'http://www.msftncsi.com/ncsi.txt'
2014/07/10 13:43:57.451| peer_select.cc(290) peerSelectDnsPaths:  
always_direct = DENIED
2014/07/10 13:43:57.451| peer_select.cc(291) peerSelectDnsPaths:  
never_direct = DENIED
2014/07/10 13:43:57.451| peer_select.cc(295) peerSelectDnsPaths:
   DIRECT = local=0.0.0.0 remote=10.0.0.1:3128 flags=1
2014/07/10 13:43:57.451| peer_select.cc(304) peerSelectDnsPaths:
timedout = 0
2014/07/10 13:43:57.454| http.cc(2204) sendRequest: HTTP Server
local=10.0.0.1:35439 remote=10.0.0.1:3128 FD 11 flags=1
2014/07/10 13:43:57.455| http.cc(2205) sendRequest: HTTP Server
REQUEST: ---------
GET /ncsi.txt HTTP/1.1
User-Agent: Microsoft NCSI
Host: www.msftncsi.com
Via: 1.1 c3me-pete (squid/3.3.8)
X-Forwarded-For: 10.0.0.4
Cache-Control: max-age=259200
Connection: keep-alive


----------
2014/07/10 13:43:57.456| client_side.cc(2316) parseHttpRequest: HTTP
Client local=10.0.0.1:3128 remote=10.0.0.1:35439 FD 13 flags=33
2014/07/10 13:43:57.456| client_side.cc(2317) parseHttpRequest: HTTP
Client REQUEST:
---------
GET /ncsi.txt HTTP/1.1
User-Agent: Microsoft NCSI
Host: www.msftncsi.com
Via: 1.1 c3me-pete (squid/3.3.8)
X-Forwarded-For: 10.0.0.4
Cache-Control: max-age=259200
Connection: keep-alive


----------
2014/07/10 13:43:57.459| client_side_request.cc(786)
clientAccessCheckDone: The request GET
http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched
'localnet'
2014/07/10 13:43:57.459| client_side_request.cc(760)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2014/07/10 13:43:57.459| client_side_request.cc(786)
clientAccessCheckDone: The request GET
http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched
'localnet'
2014/07/10 13:43:57.459| WARNING: Forwarding loop detected for:
GET /ncsi.txt HTTP/1.1
User-Agent: Microsoft NCSI
Host: www.msftncsi.com
Via: 1.1 c3me-pete (squid/3.3.8)
X-Forwarded-For: 10.0.0.4
Cache-Control: max-age=259200
Connection: keep-alive


2014/07/10 13:43:57.460| errorpage.cc(1281) BuildContent: No existing
error page language negotiated for ERR_ACCESS_DENIED. Using default
error file.
2014/07/10 13:43:57.463| client_side_reply.cc(1974)
processReplyAccessResult: The reply for GET
http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched
'localnet'
2014/07/10 13:43:57.463| client_side.cc(1377) sendStartOfMessage: HTTP
Client local=10.0.0.1:3128 remote=10.0.0.1:35439 FD 13 flags=33
2014/07/10 13:43:57.463| client_side.cc(1378) sendStartOfMessage: HTTP
Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.3.8
Mime-Version: 1.0
Date: Thu, 10 Jul 2014 12:43:57 GMT
Content-Type: text/html
Content-Length: 3279
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from c3me-pete
X-Cache-Lookup: MISS from c3me-pete:3127
Via: 1.1 c3me-pete (squid/3.3.8)
Connection: keep-alive


My firewall looks like so:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            10.0.0.1
ACCEPT     udp  --  0.0.0.0/0            10.0.0.1             udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            10.0.0.1             udp dpts:67:68
ACCEPT     udp  --  0.0.0.0/0            255.255.255.255      udp dpts:67:68
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.1             tcp dpt:3128
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.1             tcp dpt:4990
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.1             tcp dpt:3990
DROP       all  --  0.0.0.0/0            10.0.0.1

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

---


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0


In my chilli config I have:

HS_POSTAUTH_PROXY=10.0.0.1
HS_POSTAUTH_PROXYPORT=3128


Thanks,
Pete






_______________________________________________
Chilli mailing list
Chilli at coova.org
http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
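A way to read the loop out of Pete's debug log, as an added example that is not part of the original post or of Squid/CoovaChilli: a small Python checker that replays the cache.log excerpt quoted above and applies two tests. First, it flags a client request that already carries a Via entry naming this proxy (the condition behind Squid's "Forwarding loop detected"). Second, it compares the DIRECT/server-side address Squid connects to against its own http_port listeners; in the log that address is 10.0.0.1:3128, i.e. the intercepted connection's original destination was already Squid's own listener by the time it reached Squid, so Squid connects to itself. Hostnames, addresses and the http_port lines are taken from the post; the sample log text is a trimmed, constructed copy of it, and 198.51.100.10 (TEST-NET-2) is a placeholder for the origin server in the clean run.

```python
"""Replay a Squid cache.log excerpt and explain a forwarding loop.

Added example; not code from the original post, Squid or CoovaChilli.
Two checks: (1) the client request already carries a Via entry naming
this proxy, (2) the server-side address Squid connects to is one of its
own http_port listeners (how an intercepted connection bounces back).
"""
import re

# http_port lines as posted.
SQUID_CONF = """\
http_port 10.0.0.1:3128 transparent
http_port 10.0.0.1:3127
"""

# Constructed sample: trimmed from the level-2 debug log in the post.
LOOP_LOG = """\
2014/07/10 13:43:57.438| client_side.cc(2316) parseHttpRequest: HTTP Client local=10.0.0.1:3128 remote=10.0.0.4:60976 FD 8 flags=33
2014/07/10 13:43:57.438| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET /ncsi.txt HTTP/1.1
Host: www.msftncsi.com

----------
2014/07/10 13:43:57.451| peer_select.cc(295) peerSelectDnsPaths:    DIRECT = local=0.0.0.0 remote=10.0.0.1:3128 flags=1
2014/07/10 13:43:57.454| http.cc(2204) sendRequest: HTTP Server local=10.0.0.1:35439 remote=10.0.0.1:3128 FD 11 flags=1
2014/07/10 13:43:57.456| client_side.cc(2316) parseHttpRequest: HTTP Client local=10.0.0.1:3128 remote=10.0.0.1:35439 FD 13 flags=33
2014/07/10 13:43:57.456| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET /ncsi.txt HTTP/1.1
Host: www.msftncsi.com
Via: 1.1 c3me-pete (squid/3.3.8)
X-Forwarded-For: 10.0.0.4

----------
"""

# Constructed clean run; 198.51.100.10 (TEST-NET-2) stands in for the origin.
CLEAN_LOG = """\
2014/07/10 13:50:00.000| peer_select.cc(295) peerSelectDnsPaths:    DIRECT = local=0.0.0.0 remote=198.51.100.10:80 flags=1
2014/07/10 13:50:00.001| http.cc(2204) sendRequest: HTTP Server local=10.0.0.1:35440 remote=198.51.100.10:80 FD 12 flags=1
"""

ADDR = re.compile(r"local=\S+ remote=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
DASHES = re.compile(r"-{3,}")


def listeners(conf):
    """(ip, port) pairs from http_port lines; a bare port means any address (IPv4 only here)."""
    found = set()
    for m in re.finditer(r"^\s*http_port\s+(\S+)", conf, re.M):
        host, _, port = m.group(1).rpartition(":")
        found.add((host or "0.0.0.0", int(port)))
    return found


def listens_on(addr, own):
    ip, port = addr
    return (ip, port) in own or ("0.0.0.0", port) in own


def via_names(via):
    """Hop names from Via: '1.1 c3me-pete (squid/3.3.8), 1.0 up:8080' -> ['c3me-pete', 'up']."""
    names = []
    for hop in via.split(","):
        parts = hop.split()
        if len(parts) >= 2:
            names.append(parts[1].split(":")[0])
    return names


def parse_debug_log(text):
    """Yield ('server', (ip, port)) for DIRECT/server-side addresses and
    ('request', request_line, headers) for each dumped client request."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = ADDR.search(line)
        if m and ("HTTP Server" in line or "DIRECT =" in line):
            yield ("server", (m.group("ip"), int(m.group("port"))))
        elif line.rstrip().endswith("HTTP Client REQUEST:"):
            i += 1                       # Squid frames the dump with dash lines
            while i < len(lines) and not DASHES.fullmatch(lines[i]):
                i += 1
            i += 1
            request_line = lines[i] if i < len(lines) else ""
            headers = {}
            i += 1
            while i < len(lines) and not DASHES.fullmatch(lines[i]):
                name, sep, value = lines[i].partition(":")
                if sep:
                    headers[name.strip().lower()] = value.strip()
                i += 1
            yield ("request", request_line, headers)
        i += 1


def find_loops(log_text, conf_text, visible_hostname):
    own = listeners(conf_text)
    findings = []
    for ev in parse_debug_log(log_text):
        if ev[0] == "server":
            ip, port = ev[1]
            msg = f"server-side connection to own listener {ip}:{port}"
            if listens_on((ip, port), own) and msg not in findings:
                findings.append(msg)
        else:
            _, request_line, headers = ev
            via = headers.get("via", "")
            if visible_hostname in via_names(via):
                findings.append(f"{request_line!r} already carries 'Via: {via}' naming {visible_hostname}")
    return findings


if __name__ == "__main__":
    for f in find_loops(LOOP_LOG, SQUID_CONF, "c3me-pete"):
        print("LOOP:", f)
    print("clean run:", find_loops(CLEAN_LOG, SQUID_CONF, "c3me-pete"))
```

The second check is the useful one when hunting this class of bug: as long as the server-side address Squid selects is one of its own http_port sockets, no amount of ACL tuning helps, because the destination rewrite happens before Squid ever sees the packet. That is why the fix above moves the redirect into the kernel's nat table (so the original destination survives as the real origin server) instead of using chilli's HS_POSTAUTH_PROXY.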