[Chilli] Coovachilli and Squid Transparent on the same host

David Harrold david at dkxl.co.uk
Mon May 21 08:29:24 UTC 2012


You can use a mangle entry to prevent unauthenticated users from having access to squid.


I use this combination of iptables rules:


#Redirect all non-local http traffic to squid
iptables -A PREROUTING -t nat -s $CLIENT_NET -p tcp --dport 80 ! -d $CLIENT_NET -j REDIRECT --to-port 3128

#Block direct external access to the internal receiving port. This has to be done in the mangle part of iptables
#before NAT happens so that intercepted traffic does not get dropped.
iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j DROP

#Only allow client access to the squid intercept port from tun0, i.e. AFTER it's been through the chilli gatekeeper
iptables -I INPUT -i tun0 -p tcp --dport 3128 -j ACCEPT
Maybe I'm close to the goal:  if I use postauthproxy rather than redirect
iptables rules, and I set in the config file instead of as
you suggested, my traffic is dropped by rule #8 in the INPUT chain
in the filter table!

Chain INPUT (policy ACCEPT 77 packets, 5364 bytes)
num pkts bytes target prot opt in out source destination
1 139 19658 DROP all -- eth0 *
2 0 0 ACCEPT icmp -- tun0 *
3 1 82 ACCEPT udp -- tun0 * udp dpt:53
4 0 0 ACCEPT udp -- tun0 * udp dpts:67:68
5 0 0 ACCEPT udp -- tun0 * udp dpts:67:68
6 77 9558 ACCEPT tcp -- tun0 * tcp dpt:4990
7 80 11894 ACCEPT tcp -- tun0 * tcp dpt:3990
8 14 896 DROP all -- tun0 * <<< THIS ONE DROPS SQUID!

If I add this rule
iptables -I INPUT 8 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT

all works fine, but users will be able to surf by setting an explicit proxy,
bypassing authentication!!!!!

This is the reason why I find it more logical to set postauthproxy to,
but doing this, I can't get traffic processed by Squid in any way...

Any idea?
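The disagreement above comes down to first-match evaluation order and to which hook sees which port. The script below is an added illustration for this thread, not code from the post or from CoovaChilli/Squid: it parses an INPUT listing in the `iptables -L -n -v --line-numbers` format quoted above, walks it top-down the way netfilter does, and traces a client packet through the three hooks the reply relies on (mangle PREROUTING on the original port, nat REDIRECT of port 80 to 3128, then filter INPUT on the rewritten port). The listing is constructed to mirror the one in the post, with the source/destination columns (0.0.0.0/0) filled in because the quoted listing omits them; the interface names, ports and the position 8 for the ACCEPT rule are taken from the thread. It does not model chilli's own handling of unauthenticated clients on tun0, only the iptables hooks shown.

```python
"""Model of the netfilter path discussed in the thread: PREROUTING/mangle
(original ports) -> PREROUTING/nat REDIRECT -> INPUT/filter (rewritten port),
evaluated first-match over an `iptables -L INPUT -n -v --line-numbers` listing.
Added example for this thread; not code from the post or from CoovaChilli/Squid."""
from dataclasses import dataclass
from typing import Optional

# Constructed INPUT listing modelled on the one quoted in the post; the
# source/destination columns (0.0.0.0/0) are filled in because the quoted
# listing omits them.
INPUT_LISTING = """\
Chain INPUT (policy ACCEPT 77 packets, 5364 bytes)
num   pkts bytes target prot opt in   out source    destination
1      139 19658 DROP   all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
2        0     0 ACCEPT icmp --  tun0 *   0.0.0.0/0 0.0.0.0/0
3        1    82 ACCEPT udp  --  tun0 *   0.0.0.0/0 0.0.0.0/0 udp dpt:53
4        0     0 ACCEPT udp  --  tun0 *   0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
5        0     0 ACCEPT udp  --  tun0 *   0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
6       77  9558 ACCEPT tcp  --  tun0 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:4990
7       80 11894 ACCEPT tcp  --  tun0 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:3990
8       14   896 DROP   all  --  tun0 *   0.0.0.0/0 0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    proto: str                     # 'all', 'tcp', 'udp' or 'icmp'
    in_if: str                     # '*' or an interface name
    dport_lo: Optional[int] = None  # dpt:N or dpts:A:B, None = any port
    dport_hi: Optional[int] = None

    def matches(self, in_if: str, proto: str, dport: Optional[int]) -> bool:
        if self.in_if != "*" and self.in_if != in_if:
            return False
        if self.proto != "all" and self.proto != proto:
            return False
        if self.dport_lo is not None:
            return dport is not None and self.dport_lo <= dport <= self.dport_hi
        return True


def parse_listing(text: str):
    """Return (chain policy, [Rule]) from a -L -n -v --line-numbers listing."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    policy = lines[0].split("(policy ")[1].split()[0]
    rules = []
    for line in lines[2:]:          # skip the 'Chain' and header lines
        f = line.split()
        # columns: num pkts bytes target prot opt in out src dst [match tokens]
        rule = Rule(target=f[3], proto=f[4], in_if=f[6])
        for tok in f[10:]:
            if tok.startswith("dpt:"):
                rule.dport_lo = rule.dport_hi = int(tok[4:])
            elif tok.startswith("dpts:"):
                lo, hi = tok[5:].split(":")
                rule.dport_lo, rule.dport_hi = int(lo), int(hi)
        rules.append(rule)
    return policy, rules


def first_match(policy, rules, in_if, proto, dport):
    """Walk the chain top-down; return (1-based rule number or None, verdict)."""
    for i, r in enumerate(rules, 1):
        if r.matches(in_if, proto, dport):
            return i, r.target
    return None, policy


def client_http_path(rules, policy, in_if, dport, accept_at=None, squid_port=3128):
    """Trace one client TCP packet through the three hooks from the thread.
    mangle PREROUTING: drop if the *original* dport is squid_port (direct access);
    nat PREROUTING: REDIRECT port 80 to squid_port;
    filter INPUT: first-match over the listing, optionally with the tun0 ACCEPT
    for squid_port inserted at position accept_at (iptables -I INPUT <n>)."""
    if dport == squid_port:                      # mangle runs before NAT
        return "DROP@mangle"
    if dport == 80:                              # REDIRECT rewrites the port
        dport = squid_port
    chain = list(rules)
    if accept_at is not None:
        chain.insert(accept_at - 1, Rule("ACCEPT", "tcp", "tun0", squid_port, squid_port))
    num, verdict = first_match(policy, chain, in_if, "tcp", dport)
    return f"{verdict}@filter:{num}"


if __name__ == "__main__":
    policy, rules = parse_listing(INPUT_LISTING)
    print("intercepted port-80 request, no ACCEPT rule:", client_http_path(rules, policy, "tun0", 80))
    print("intercepted port-80 request, ACCEPT at 8   :", client_http_path(rules, policy, "tun0", 80, 8))
    print("explicit proxy to 3128, ACCEPT at 8        :", client_http_path(rules, policy, "tun0", 3128, 8))
```

Running it shows the three cases side by side: without the ACCEPT the redirected packet reaches rule 8 and is dropped (the listing's "THIS ONE DROPS SQUID"); inserting the ACCEPT at position 8 pushes the catch-all DROP to 9 and the intercepted request is accepted; and a client that configures port 3128 explicitly never reaches INPUT at all, because the mangle DROP matches the original destination port before NAT has a chance to rewrite anything. That last case is the reason the reply puts the block in mangle rather than filter.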
