[Chilli] Coovachilli and Squid Transparent on the same host
David Bird
david at coova.com
Sat May 19 15:09:59 UTC 2012
A couple of things to try:
- Try either the postauthproxy or the iptables REDIRECT; both shouldn't
be needed.
- Try using 10.0.0.1 instead of 127.0.0.1 for the squid listen and for
the postauthproxy.
- If using the REDIRECT method, try without the postauthproxy and without
a destination match in your iptables rule.
Cheers,
David
On Sat, 2012-05-19 at 12:33 +0200, Germano Paciocco wrote:
> I can't understand the reason why, but it is still not working for me.
> I noticed that your firewall rules are not matching in my configuration.
> On my next hop I can't see packets coming from HS network.
> I attach all my configuration files here, including the complete list
> of iptables rule: please help me I'm going crazy!
>
> [iptables rules]
>
> # iptables -L -t nat --line-numbers -n -v && iptables -L --line-numbers -n -v
>
> Chain PREROUTING (policy ACCEPT 2526 packets, 161K bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 REDIRECT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:443 redir ports 3128 <<<< NOT MATCHING
> 2 0 0 REDIRECT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:80 redir ports 3128 <<<< NOT MATCHING
>
> Chain INPUT (policy ACCEPT 61 packets, 4220 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 8 packets, 2134 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 112 packets, 9055 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 1793 packets, 94754 bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128 flags: 0x17/0x02 <<<< NOT MATCHING
> 2 1 328 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> 3 0 0 ACCEPT icmp -- tun0 * 0.0.0.0/0 10.0.0.1
> 4 48 3195 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpt:53
> 5 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpts:67:68
> 6 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68
> 7 0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:443
> 8 0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:80
> 9 80 9751 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:4990
> 10 122 15651 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:3990
> 11 2 64 DROP all -- tun0 * 0.0.0.0/0 10.0.0.1
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 DROP all -- tun0 !eth0 0.0.0.0/0 0.0.0.0/0
> 2 136 8324 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
> 3 654 137K ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
> 4 879 99006 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
> 5 0 0 DROP all -- * eth1 0.0.0.0/0 0.0.0.0/0
> 6 0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 2017 packets, 470K bytes)
> num pkts bytes target prot opt in out source destination
>
> [main.conf]
> cmdsocket /var/run/chilli.eth1.sock
> unixipc chilli.eth1.ipc
> pidfile /var/run/chilli.eth1.pid
> net 10.0.0.0/255.255.255.0
> uamlisten 10.0.0.1
> uamport 3990
> dhcpif eth1
> uamallowed "www.coova.org,10.0.0.1,www.coova.org"
> uamanydns
> statip 10.0.0.1/255.255.255.0
> domain "lan"
> dns1 "10.0.0.1"
> dns2 "192.168.196.1"
> uamhomepage http://10.0.0.1:3990/www/coova.html
> wwwdir /etc/chilli/www
> wwwbin /etc/chilli/wwwsh
> uamuiport 4990
> locationname "GePs Spot"
> radiuslocationname "GePs_Spot"
> radiuslocationid "isocc=,cc=,ac=,network=Coova,"
>
> [hs.conf]
> radiusserver1 "localhost"
> radiusserver2 "localhost"
> radiussecret "testing123"
> radiusauthport 1812
> radiusacctport 1813
> uamserver "http://10.0.0.1:4990/www/login.chi"
> radiusnasid "nas01"
> papalwaysok
> uamaliasname "chilli"
> adminupdatefile "/etc/chilli/local.conf"
> uamsecret "uamsecret"
> postauthproxy 127.0.0.1
> postauthproxyport 3128
>
> [ipup.conf]
> iptables -I INPUT -p tcp -m tcp --dport 3128 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.0.0.1 -i tun0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
> iptables -t nat -A PREROUTING -d 10.0.0.1 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>
> [squid.conf]
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> always_direct allow all
> http_port 3128 transparent
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
>
>
>
> > Those rules work fine. I set them up on multiple boxes in different locations.
> > No, I used route. I don't like bridge mode.
>
>
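An added illustration of David's third suggestion, not code from the thread or from the CoovaChilli project: the posted PREROUTING rules carry `-d 10.0.0.1`, but a client's web request is addressed to the Internet host it is browsing, not to the gateway, so a REDIRECT that matches on the gateway's own address can never fire (hence the zero packet counters marked "NOT MATCHING"). The script below prints the REDIRECT and INPUT rules without that destination match, and includes a small audit helper that reads `iptables -v -n --line-numbers` output and lists every rule whose packet counter is still zero, which is the quickest way to confirm whether a rule is actually being hit. The interface name `tun0` and Squid port `3128` are taken from the posted configuration; the constructed listing in the usage note is a sample, not real output.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes chilli's tunnel interface is
# tun0 and Squid listens on 3128 (both from the posted config).

# Print the REDIRECT rule for HTTP plus the INPUT accept for the redirected
# connections. No "-d <gateway>" match: client traffic is addressed to the
# Internet host being browsed, so a destination match on 10.0.0.1 never fires.
redirect_rules() {
  ifc="${1:-tun0}"
  port="${2:-3128}"
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$ifc" "$port"
  # -I puts this before chilli's own "DROP all -- tun0 -> 10.0.0.1" rule;
  # --syn is the same as --tcp-flags FIN,SYN,RST,ACK SYN.
  printf 'iptables -I INPUT -i %s -p tcp --dport %s --syn -j ACCEPT\n' "$ifc" "$port"
}

# Audit helper: read "iptables -L <chain> [-t nat] -v -n --line-numbers"
# output on stdin and print "num target proto in=<iface> dst=<destination>"
# for every rule whose packet counter (column 2) is zero. Header and
# "Chain ..." lines are skipped because column 1 is not a number there.
zero_hit_rules() {
  awk '$1 ~ /^[0-9]+$/ && $2 == 0 { print $1, $4, $5, "in=" $7, "dst=" $10 }'
}

# Running the file directly with arguments prints the rule set, e.g.
#   sh redirect_check.sh tun0 3128
if [ "$#" -gt 0 ]; then
  redirect_rules "$@"
fi
```

To audit a live box, source the file and pipe the counter listing through the helper: `. ./redirect_check.sh; iptables -t nat -L PREROUTING -v -n --line-numbers | zero_hit_rules`. Any rule it prints has not matched a single packet since the counters were last reset. One caveat the posted `ipup.conf` does not account for: redirecting port 443 to an `http_port 3128 transparent` listener cannot work, because Squid would receive raw TLS bytes on a plain-HTTP port; the REDIRECT approach only interposes Squid on port 80 traffic.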