[Chilli] Transparent proxying and forwarding loop detected

Peter Smith pete at linuxbox.co.uk
Thu Jul 10 15:20:03 UTC 2014


Hello again, and thanks for your help sir. I followed your advice and
it is working great now :)


> Hi from babajaga (squid).
> Three issues:
> 1) chilli/config: Get rid of these ones, as you want to use
> transparent squid (I commented them)
>
> #HS_POSTAUTH_PROXY=10.0.0.1
> #HS_POSTAUTH_PROXYPORT=3128
>
> 2) squid.conf: http_port 3128 intercept #changed between squid 2.7 and
> 3.x: looks like still tolerated for compatibility
>
> 3) iptables. Now the question is, where/how NAT is to be done.
> As I have routing, NAT, squid, chilli on same system (WAN interface +
> WLAN with chilli), I do the following
> /etc/chilli/ipup.sh:
> # force-add the final rule necessary to fix routing tables
> iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
> CLIENT_NET=192.168.182.0/24
> #Redirect all non-local http traffic to squid
> iptables -A PREROUTING -t nat -s $CLIENT_NET -p tcp --dport 80 ! -d $CLIENT_NET -j REDIRECT --to-port 3128
> #Block direct external access to the internal receiving port. This has
> #to be done in the mangle part of iptables
> #before NAT happens so that intercepted traffic does not get dropped.
> iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j DROP
> #Only allow client access to the squid intercept port from tun0, ie
> #AFTER it's been through the chilli gatekeeper
> iptables -I INPUT -i tun0 -p tcp --dport 3128  -j ACCEPT
>
>
> BTW: Are you running a paid hotspot, or free?
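
The three intercept-port rules in the quoted ipup.sh (mangle DROP, nat REDIRECT, INPUT ACCEPT on tun0) can be checked against a saved rule set. This is an added example, not part of the original thread; the function names, the eth0 WAN interface and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `iptables-save` output for the
# three intercept-port rules in the quoted ipup.sh. Values are from the post.
PORT=3128; CLIENT_NET=192.168.182.0/24; TUNIF=tun0

# Constructed sample of what `iptables-save` prints once ipup.sh has run
# (eth0 as the WAN interface is an assumption).
sample_dump() {
cat <<'EOF'
*mangle
-A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
COMMIT
*nat
-A PREROUTING -s 192.168.182.0/24 ! -d 192.168.182.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
EOF
}

# audit_intercept FILE: exit 0 if all three rules are present, else list gaps.
audit_intercept() {
    awk -v port="$PORT" -v net="$CLIENT_NET" -v tun="$TUNIF" '
    /^\*/ { table = substr($0, 2); next }      # "*nat" starts a table section
    $1 != "-A" { next }
    {
        split("", o); neg = ""                 # o[option] = value, "!" kept as prefix
        for (i = 3; i <= NF; i++) {
            if ($i == "!") { neg = "!"; continue }
            if ($i ~ /^-/) { o[$i] = neg $(i + 1); neg = "" }
        }
        where = table "/" $2
        if (where == "mangle/PREROUTING" && o["--dport"] == port && o["-j"] == "DROP") drop = 1
        if (where == "nat/PREROUTING" && o["-s"] == net && o["-d"] == "!" net &&
            o["--dport"] == "80" && o["-j"] == "REDIRECT" && o["--to-ports"] == port) redir = 1
        if (where == "filter/INPUT" && o["-i"] == tun && o["--dport"] == port && o["-j"] == "ACCEPT") accept = 1
    }
    END {
        if (!drop)   print "MISSING mangle/PREROUTING: DROP direct connections to port " port
        if (!redir)  print "MISSING nat/PREROUTING: REDIRECT of non-local port 80 to " port
        if (!accept) print "MISSING filter/INPUT: ACCEPT port " port " on " tun
        exit !(drop && redir && accept)
    }' "$1"
}

sample_dump | audit_intercept - && echo "sample dump: all three rules present"
```

On a live gateway, save the rules with `iptables-save > rules.txt` and run `audit_intercept rules.txt`; a missing mangle DROP means the squid port is reachable directly rather than only through the redirect.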



