Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-15 Thread Matus UHLAR - fantomas

On 14.09.19 23:57, sknz wrote:

> eth1 is not useless really, Coovachilli created tun0 under eth1. Yes, I've
> heard about stateful firewall, though this is not my domain of expertise.


It's very hard to guess what the problem is and what the solution should look
like when someone does this to passing network traffic. Correct solutions
may work, incorrect ones may not, when someone modifies traffic like this.


> /CoovaChilli takes control of the internal interface (eth1) using a raw
> promiscuous socket. It then uses the vtun kernel module to bring up a
> virtual interface tun0 to pass and receive packets to and from the
> eth0(WAN). In fact, the vtun kernel module is used to move IP packets from
> the kernel to user mode, in such a way that CoovaChilli can function without
> any non-standard kernel modules. CoovaChilli then provides DHCP, ARP, and
> HTTP Hijacking on the "dhcpif" interface, in our case that's eth0/


I believe you should ask in coovachilli forums/lists for proper solutions.

However, from packet capture it seems that requests are really getting to
squid (they are being responded to), so squid logs should show.

Or, it may be the coovachilli manipulating them. Try asking coovachilli.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-14 Thread sknz
So I was testing from a client device(10.1.0.2) which is connected over WiFi
to an AP and that AP is connected to eth1 physically. In case you're
wondering, eth1 is connected to the server physically. Trying to connect an
HTTP website from the above-mentioned client device...



https://paste.grasehotspot.org/view/raw/4bdf03c0

So in eth1, we received the request from the client.



https://paste.grasehotspot.org/view/raw/b5db07c0

So tun0 also received it from eth1. Now, tun0 is supposed to send it to
eth0(WAN)...



https://paste.grasehotspot.org/view/raw/0b69d9db

But we don't receive anything at all in eth0(WAN)... Now let's see what
we've got back from tun0/eth1 to client device.



https://paste.grasehotspot.org/view/raw/9ad866a5

tun0 is passing back the acknowledgment to eth1 and eth1 is also doing same
to client device... and it stops here. So no actual data!



I guess from here tun0 is supposed to send it to squid and squid is supposed
to send it to eth0(WAN). Correct me if I'm wrong. I have got a Perl script
which shows TOP like interface for real-time packets. So the moment client
device tries to connect to HTTP, port 3127 gets GREEN which means something
sent/received. But it never gets green for forward-proxy port 3128.

Perl Script Screenshot: https://ibb.co/5nc0rWb









--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
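
The per-interface comparison walked through in the message above (eth1, then tun0, then eth0), as an added example that is not part of the original thread. It assumes single-line `tcpdump -n` output rather than the `-vv` form used in the pastes, the sample lines and the 192.0.2.10 address are constructed, and it matches on port 80 rather than on the client address because an intercepting Squid opens its own connection to the origin server.

```python
import re

# Constructed sample (not from the thread's pastes): the handshake and the
# request arrive, but only ACKs with no payload come back to the client.
SAMPLE = """\
12:00:01.000100 IP 10.1.0.2.51000 > 192.0.2.10.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000300 IP 192.0.2.10.80 > 10.1.0.2.51000: Flags [S.], seq 900, ack 101, win 65160, length 0
12:00:01.000900 IP 10.1.0.2.51000 > 192.0.2.10.80: Flags [P.], seq 101:178, ack 901, win 502, length 77
12:00:01.001100 IP 192.0.2.10.80 > 10.1.0.2.51000: Flags [.], ack 178, win 509, length 0
"""
CAPTURES = {"eth1": SAMPLE, "tun0": SAMPLE, "eth0": ""}  # nothing seen on the WAN side

# Groups: source port, destination port, TCP payload length.
LINE = re.compile(r"IP \S+\.(\d+) > \S+\.(\d+): .*length (\d+)")

def summarize(text, port=80):
    """Count packets and payload bytes in each direction for one capture."""
    s = {"to_server": 0, "from_server": 0, "request_bytes": 0, "reply_bytes": 0}
    for m in map(LINE.search, text.splitlines()):
        if not m:
            continue  # skip lines that are not single-line TCP summaries
        sport, dport, length = int(m[1]), int(m[2]), int(m[3])
        if dport == port:
            s["to_server"] += 1
            s["request_bytes"] += length
        elif sport == port:
            s["from_server"] += 1
            s["reply_bytes"] += length
    return s

def diagnose(captures, path=("eth1", "tun0", "eth0")):
    """Return (first hop with no traffic towards the server, hops that saw
    replies carrying no payload), following the packet path in order."""
    stats = {hop: summarize(captures.get(hop, "")) for hop in path}
    missing = next((h for h in path if stats[h]["to_server"] == 0), None)
    ack_only = [h for h in path
                if stats[h]["from_server"] and not stats[h]["reply_bytes"]]
    return missing, ack_only

if __name__ == "__main__":
    missing, ack_only = diagnose(CAPTURES)
    print("first hop with no port-80 traffic:", missing)
    print("hops with ACK-only replies:", ", ".join(ack_only))
```
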


Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-14 Thread sknz
eth1 is not useless really, Coovachilli created tun0 under eth1. Yes, I've
heard about stateful firewall, though this is not my domain of expertise.

/CoovaChilli takes control of the internal interface (eth1) using a raw
promiscuous socket. It then uses the vtun kernel module to bring up a
virtual interface tun0 to pass and receive packets to and from the
eth0(WAN). In fact, the vtun kernel module is used to move IP packets from
the kernel to user mode, in such a way that CoovaChilli can function without
any non-standard kernel modules. CoovaChilli then provides DHCP, ARP, and
HTTP Hijacking on the "dhcpif" interface, in our case that's eth0/





Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-14 Thread Matus UHLAR - fantomas

On 14.09.19 06:01, sknz wrote:

> Sorry if I make it more puzzled.
>
> Here full packets and config :
> https://paste.grasehotspot.org/view/raw/384d2a8b
>
> Here full iptable rules : https://paste.grasehotspot.org/view/raw/eaf29a16


- do you really use IP to IP tunnelling? Does not look like it.

- from your config I can only guess that eth1 is useless because all traffic
  is dropped. Yet your tcpdump shows packets entering eth1.

- have you ever heard about stateful firewall?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-14 Thread sknz
Sorry if I make it more puzzled.

Here full packets and config :
https://paste.grasehotspot.org/view/raw/384d2a8b

Here full iptable rules : https://paste.grasehotspot.org/view/raw/eaf29a16





Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-14 Thread Amos Jeffries
On 14/09/19 7:43 pm, sknz wrote:
> Hello Amos,
> Okay, ports are fixed from here and forwarded 80 to 3127 in iptables.
> 
> http_port 3128 # for proxy client
> http_port 3127 intercept # for http intercept
> 

This does not match the config suggested.

Can you please re-post the config used with the below captures.


> 
> When a user tries to connect an HTTP site,
> 
> tcpdump -vv -ni eth1 port 80 >>>
> https://paste.grasehotspot.org/view/raw/f81a60e4
> 
> tcpdump -vv -ni tun0 port 80 >>>
> https://paste.grasehotspot.org/view/raw/bb0a4bc1
> 
> tcpdump -vv -ni eth0 port 80 >>>
> https://paste.grasehotspot.org/view/raw/563912fd
> 
> ... and the user never sees any output in the browser window. It's not
> working somewhere in between tun0 <--> eth0. eth0 is WAN here.


The thing is - Squid, four layers of NAT, one more trip through the
Chilli portal engine, and two cycles through the firewall all sit in
that problem area. That is a LOT of complexity - figuring out what is
going on is difficult enough before you go changing the settings in
unexpected ways with every post to the mailing list.

What we are doing here is working through those carefully checking what
the traffic is doing until the exact problem point is found.

So far the traces show one trip through Chilli is working okay.

Amos


Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-14 Thread sknz
Hello Amos,
Okay, ports are fixed from here and forwarded 80 to 3127 in iptables.

http_port 3128 # for proxy client
http_port 3127 intercept # for http intercept


When a user tries to connect an HTTP site,

tcpdump -vv -ni eth1 port 80 >>>
https://paste.grasehotspot.org/view/raw/f81a60e4

tcpdump -vv -ni tun0 port 80 >>>
https://paste.grasehotspot.org/view/raw/bb0a4bc1

tcpdump -vv -ni eth0 port 80 >>>
https://paste.grasehotspot.org/view/raw/563912fd

... and the user never sees any output in the browser window. It's not
working somewhere in between tun0 <--> eth0. eth0 is WAN here. When I use a
forward proxy(http_port 3127 accel allow-direct), I can see the data passing
through all three interfaces, and it works.


### For an HTTPS site - Only 1st 5 packets(though squid is not handling
https),

tcpdump -vv -ni eth1 port 443 >>>
https://paste.grasehotspot.org/view/raw/11120563

tcpdump -vv -ni tun0 port 443 >>>
https://paste.grasehotspot.org/view/raw/2d38b62b

tcpdump -vv -ni eth0 port 443 >>>
https://paste.grasehotspot.org/view/raw/1a62299b











Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-13 Thread Amos Jeffries
On 14/09/19 4:48 am, sknz wrote:
> Hello reinerotto,
>  I've been stuck here for 3 days! This is complete iptable rules after
> coova-chilli starts : https://paste.grasehotspot.org/view/raw/529efd6c
> 

Each time you have posted details about your situation the ports used
have been different from the ones the question prompting your response
were asking about and/or suggesting you try. Perhaps it is time to
start methodical debugging instead of experiments based on guesses and
partial information.

Reset your config to match this known working config:


Then start with looking at your test. What tool are you using to test,
how is it configured, and what is your exact test command to it?

What output does your test tool deliver to the Chilli box?
Is there anything coming out from Squid in response to that?

Both TCP packet details and if possible HTTP message syntax for those
last two questions. Do a tcpdump packet capture to get all that in one
place.


Amos


Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-13 Thread sknz
Hello reinerotto,
 I've been stuck here for 3 days! This is complete iptable rules after
coova-chilli starts : https://paste.grasehotspot.org/view/raw/529efd6c

Please have a look at it.





Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-13 Thread reinerotto
Looks like an issue regarding iptables. Because coova-chilli modifies the
rules, during start-up.
So I doubt, the rules in your post are incomplete, _not_ after start of
coova.
Definitely, this is not a squid issue.
BTW: I have squid intercept running on openwrt devices. For commercial
hotspots.


