[Chilli] Coovachilli and Squid Transparent on the same host

Venkatesh K kaevee at gmail.com
Sun May 20 17:11:51 UTC 2012


Let's take one step at a time.

1. Set up postauthproxy to the IP address of eth0 and port 3128
2. Make sure you have added the chilli network to the squid ACL
3. Disable the firewall to make sure the packets are not being dropped by the firewall

You can use "tcpdump -i eth0 port 3128" to check whether coova-chilli is
forwarding the packets.

Regards,

Venkatesh. K


On Sun, May 20, 2012 at 9:53 PM, Germano Paciocco <
germano.paciocco at gmail.com> wrote:

> /*Venkatesh K <kaevee at gmail.com>*/ wrote:
>
> > Why don't you revisit the postauthproxy use 127.0.0.1/3128.
>
> when I use 127.0.0.1 as postauthproxy, I can't see any log in
> /var/squid/access.log
>
> (consider that when I set postauthproxy=127.0.0.1, I modified also
> squid.conf from this:
>
> http_port 10.0.0.1:3128 transparent
>
> to this
>
> http_port 127.0.0.1:3128 transparent
>
> unlike the previous case, the rule that blocks Squid's traffic is the
> last one (#6) of FORWARD chain of filter table (see rules
> below). So to allow the traffic I should insert this new rule:
>
> iptables -I FORWARD 6 -i eth0 -j ACCEPT
>
> This works, but as I said before, I can't see any log
> on /var/log/squid/access.log, so I don't know if Squid is
> processing the traffic (and I'm doing all this only to have
> Squid logs)!
> So if I use 10.0.0.1 as POSTAUTHPROXY, I get a security hole; if I use
> 127.0.0.1 I can't get traffic log.
> In both cases I have to add a rule to make POSTAUTHPROXY work
> (unlike what David Bird wrote).
>
> > Make sure your firewall rules don't block input traffic from/to lo0.
>
> Why should my firewall do this?
> However, to try I added the following rules
>
> iptables -I INPUT -i lo -j ACCEPT
> iptables -I OUTPUT -o lo -j ACCEPT
> iptables -I FORWARD -i lo -j ACCEPT
> iptables -I FORWARD -o lo -j ACCEPT
>
> but nothing changes...
>
> I know I'm doing some mistake, but I can't understand which...
>
> This is the firewall as coovachilli did it, with no rules added:
>
> --->>> FILTER <<<---
>
> Chain INPUT (policy ACCEPT 339 packets, 19593 bytes)
> num pkts bytes target prot opt in out source destination
> 1 3 458 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 2 0 0 ACCEPT icmp -- tun0 * 0.0.0.0/0 10.0.0.1
> 3 2 130 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpt:53
> 4 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 10.0.0.1 udp dpts:67:68
> 5 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68
> 6 0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:4990
> 7 0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 10.0.0.1 tcp dpt:3990
> 8 0 0 DROP all -- tun0 * 0.0.0.0/0 10.0.0.1
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 DROP all -- tun0 !eth1 0.0.0.0/0 0.0.0.0/0
> 2 18 1088 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02
> TCPMSS clamp to PMTU
> 3 5 260 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
> 4 5 200 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
> 5 0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0
> 6 23 1468 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 <<< *
> * THIS ONE DROPS ME IF I USE 127.0.0.1 as POSTAUTHPROXY
>
> Chain OUTPUT (policy ACCEPT 323 packets, 78326 bytes)
> num pkts bytes target prot opt in out source destination
>
> --->>> NAT <<<---
>
> Chain PREROUTING (policy ACCEPT 24 packets, 1776 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 6 packets, 496 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 6 packets, 496 bytes)
> num pkts bytes target prot opt in out source destination
>
> --->>> MANGLE <<<---
>
> Chain PREROUTING (policy ACCEPT 377 packets, 22109 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 344 packets, 20181 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 33 packets, 1928 bytes)
> num pkts bytes target prot opt in out source destination
> 1 18 1088 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02
> TCPMSS clamp to PMTU
>
> Chain OUTPUT (policy ACCEPT 323 packets, 78326 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 333 packets, 78786 bytes)
> num pkts bytes target prot opt in out source destination
>
>
> --
> GP
>