[Chilli] Transparent proxying and forwarding loop detected

Peter Smith pete at linuxbox.co.uk
Fri Jul 11 10:51:42 UTC 2014


Well it *was* working, anyway. I decided to add dansguardian into the
equation, so now I need to redirect any port 80 traffic to 8080.
Dansguardian (listening on 8080) then proxies out through squid on
3128.

I thought it would be as simple as changing this:

iptables -A PREROUTING -t nat -s 10.0.0.0/8 -p tcp --dport 80 ! -d
10.0.0.0/8 -j REDIRECT --to-port 3128

, to redirect to 8080.

When I try this, I see hits in the dansguardian log, and in the squid
log, but then squid complains about 'forwarding loop detected' again.

This is giving me a real headache now. Any ideas please?



> Hi from babajaga (squid).
> Three issues:
> 1) chilli/config: Get rid of these ones, as you want to do use
> transparent squid (I commented them)
> #HS_POSTAUTH_PROXY=10.0.0.1
> #HS_POSTAUTH_PROXYPORT=3128
> 2)squid.conf: http_port 3128 intercept #changed between squid 2.7
and
> 3.x: looks like still tolerated for compatibility
> 3) iptables. Now the question is, where/how NAT to be done.
> As I have routing, NAT, squid, chilli on same system (WAN interface
+
> WLAN with chilli), I do the following
> /etc/chilli/ipup.sh:
> # force-add the final rule necessary to fix routing tables
> iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
> CLIENT_NET=192.168.182.0/24
> #Redirect all non-local http traffic to squid
> iptables -A PREROUTING -t nat -s $CLIENT_NET -p tcp --dport 80 ! -d
$CLIENT_NET

> -j REDIRECT --to-port 3128
> #Block direct external access to the internal receiving port. This
has
> to be don
e
> in the mangle part of iptables
> #before NAT happens so that intercepted traffic does not get
dropped.
> iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j DROP
> #Only allow client access to the squid intercept port from tun0, ie
AFTER its be

> en through the chilli gatekeeper
> iptables -I INPUT -i tun0 -p tcp --dport 3128  -j ACCEPT






More information about the Chilli mailing list