[Chilli] Transparent proxying and forwarding loop detected

reiner otto augustus_meyer at yahoo.de
Fri Jul 11 11:50:55 UTC 2014


Used DG myself, and AFAIK, DG does not work in transparent mode. Which means, your last working setup (squid only) has to be modified again for explicit proxy usage. Never did this one, so you need somebody else for further help.
However, you might "sandwich" DG, that's what I usually did: client-transparent_squid_proxy_only-DG-squid_caching.
Or, just chain DG AFTER the transparent squid, which you already have. Simplest solution. Advantage: Only NON-BLOCKED traffic is cached. So the setup would be client-squid-DG




Peter Smith <pete at linuxbox.co.uk> wrote on 12:51 Friday, 11 July 2014:


Well it *was* working, anyway. I decided to add dansguardian into the
equation, so now I need to redirect any port 80 traffic to 8080.
Dansguardian (listening on 8080) then proxies out through squid on
3128.

I thought it would be as simple as changing this:

iptables -A PREROUTING -t nat -s 10.0.0.0/8 -p tcp --dport 80 ! -d
10.0.0.0/8 -j REDIRECT --to-port 3128

to redirect to 8080.

When I try this, I see hits in the dansguardian log, and in the squid
log, but then squid complains about 'forwarding loop detected' again.

This is giving me a real headache now. Any ideas please?



> Hi from babajaga (squid).
> Three issues:
> 1) chilli/config: Get rid of these ones, as you want to use
> transparent squid (I commented them)
> #HS_POSTAUTH_PROXY=10.0.0.1
> #HS_POSTAUTH_PROXYPORT=3128
> 2) squid.conf: http_port 3128 intercept #changed between squid 2.7 and
> 3.x: looks like still tolerated for compatibility
> 3) iptables. Now the question is, where/how NAT to be done.
> As I have routing, NAT, squid, chilli on same system (WAN interface +
> WLAN with chilli), I do the following
> /etc/chilli/ipup.sh:
> # force-add the final rule necessary to fix routing tables
> iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
> CLIENT_NET=192.168.182.0/24
> #Redirect all non-local http traffic to squid
> iptables -A PREROUTING -t nat -s $CLIENT_NET -p tcp --dport 80 ! -d $CLIENT_NET -j REDIRECT --to-port 3128
> #Block direct external access to the internal receiving port. This has
> to be done in the mangle part of iptables
> #before NAT happens so that intercepted traffic does not get dropped.
> iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j DROP
> #Only allow client access to the squid intercept port from tun0, ie
> AFTER its been through the chilli gatekeeper
> iptables -I INPUT -i tun0 -p tcp --dport 3128  -j ACCEPT




_______________________________________________
Chilli mailing list
Chilli at coova.org
http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
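Added example, not code from the thread: babajaga's rule set rewritten as an idempotent script and re-pointed at the client -> DansGuardian -> squid chain Peter is trying. It assumes DansGuardian (8080) and squid (3128) run on the chilli box with DG reaching squid over loopback; HS_WANIF, CLIENT_NET and the port defaults are placeholders to be taken from the chilli config.

```shell
#!/bin/sh
# Added example (not from the thread): babajaga's rule set as an
# idempotent script, re-pointed at the client -> DansGuardian -> squid
# chain. Assumptions: DansGuardian (8080) and squid (3128) run on the
# chilli box and DG reaches squid over loopback; HS_WANIF and CLIENT_NET
# come from the chilli config (defaults below are placeholders).
HS_WANIF="${HS_WANIF:-eth0}"
CLIENT_NET="${CLIENT_NET:-10.0.0.0/8}"
PROXY_PORT="${PROXY_PORT:-8080}"   # first hop: DansGuardian
CACHE_PORT="${CACHE_PORT:-3128}"   # second hop: squid, loopback only

# One rule per line: "<table> <chain> <I|A> <rule spec>".
# mangle PREROUTING runs before nat PREROUTING, so the DROP rules never
# see redirected port-80 traffic (still dport 80 at that point) but do
# stop anyone dialling the proxy ports directly from a real interface.
render_rules() {
    cat <<EOF
nat POSTROUTING I -o $HS_WANIF -j MASQUERADE
nat PREROUTING A -s $CLIENT_NET -p tcp --dport 80 ! -d $CLIENT_NET -j REDIRECT --to-port $PROXY_PORT
mangle PREROUTING A ! -i lo -p tcp --dport $PROXY_PORT -j DROP
mangle PREROUTING A ! -i lo -p tcp --dport $CACHE_PORT -j DROP
filter INPUT I -i tun0 -p tcp --dport $PROXY_PORT -j ACCEPT
filter INPUT I -i lo -p tcp --dport $CACHE_PORT -j ACCEPT
EOF
}

# Add each rule only if iptables -C says it is missing, so re-running
# from ipup.sh does not stack duplicates. DRY_RUN=1 prints instead.
apply_rules() {
    render_rules | while read -r table chain action spec; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables -t $table -$action $chain $spec"
        elif ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            iptables -t "$table" "-$action" "$chain" $spec
        fi
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    dry)   DRY_RUN=1 apply_rules ;;
esac
```

Run with `dry` first to see the exact iptables commands before applying them from ipup.sh.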