I'm running an AP-Hotspot server (coovachilli, freeradius, squid, etc.) with
two NICs (eth0 and eth1). eth0 is for the WAN (internet) and eth1 is for managing
the LAN (APs). Coovachilli creates tun0 under the eth1 interface. I'm using
squid3 as an HTTP transparent proxy.

Hardware Setup Diagram <https://i.stack.imgur.com/sKF9e.png>  

*SQUID.CONF:*
http_port 3128
http_port 3127 intercept

*IPTABLES Filter & Nat Rules (similar):*
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127 #redirect http to squid intercept port
-A POSTROUTING -o eth0 -j MASQUERADE

-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3127 -j DROP #drop direct attempts to proxy intercept port
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT # opening squid port
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3127 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT

-A FORWARD -i tun0 ! -o eth0 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP

HTTPS connections from the AP side are working, since Squid doesn't intercept them, but
HTTP connections don't work. Squid 3.4.8 (Debian) starts
normally (active/running), with no error in cache.log. If I change the squid
configuration (http_port 3127 accel vhost allow-direct) to a reverse proxy, it
works. I need the transparent proxy to work. Please help me figure it out.
Thanks.

--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

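As an added example (not code from the original post, nor from Squid or CoovaChilli), here is a small Python checker that parses an iptables-save dump and verifies the properties an intercept setup like the one above is meant to have: a nat PREROUTING REDIRECT bound to one interface that excludes traffic addressed to the proxy host itself, a DROP ahead of the NAT step so clients cannot connect to the intercept port directly, and a filter INPUT ACCEPT for the intercept port so that the redirected traffic actually reaches Squid. The embedded dump is a reconstruction of the poster's rules; placing the "drop direct attempts" rule in the mangle table is an assumption (the post does not say which table it lives in), and the proxy address 10.1.0.1/32 is taken from the rules.

```python
"""Added example: audit an iptables-save dump for a Squid intercept setup.

Not code from the original post. SAMPLE_RULES reconstructs the poster's rules;
the table placement of the "drop direct attempts" rule (mangle) is assumed.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample, reconstructed from the post (table placement assumed).
SAMPLE_RULES = """\
*mangle
-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3127 -j DROP
COMMIT
*nat
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3127 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 ! -o eth0 -j DROP
COMMIT
"""

NO_VALUE = {"--clamp-mss-to-pmtu", "--syn"}   # options that take no argument
TWO_VALUES = {"--tcp-flags"}                   # options that take two arguments


@dataclass
class Rule:
    table: str
    chain: str
    target: str = ""
    opts: dict = field(default_factory=dict)   # option -> value (True for flags)
    negated: set = field(default_factory=set)  # options that were preceded by "!"
    raw: str = ""


def parse_iptables_save(text):
    """Parse the '-A' lines of an iptables-save dump into Rule objects."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):               # '*nat', '*filter', ...
            table = line[1:]
            continue
        toks = shlex.split(line, comments=True)
        if len(toks) < 2 or toks[0] != "-A":   # ':CHAIN ...', 'COMMIT', blanks
            continue
        rule = Rule(table=table, chain=toks[1], raw=line)
        i, negate = 2, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                     # negation applies to the next option
                negate, i = True, i + 1
                continue
            if tok in ("-j", "-g") and i + 1 < len(toks):
                rule.target, i = toks[i + 1], i + 2
            elif tok in NO_VALUE:
                rule.opts[tok], i = True, i + 1
            elif tok in TWO_VALUES and i + 2 < len(toks):
                rule.opts[tok], i = (toks[i + 1], toks[i + 2]), i + 3
            elif tok.startswith("-") and i + 1 < len(toks):
                rule.opts[tok], i = toks[i + 1], i + 2
            else:
                i += 1                         # stray token: ignore it
            if negate:
                rule.negated.add(tok)
                negate = False
        rules.append(rule)
    return rules


def tcp_dport(rule):
    return rule.opts.get("--dport") if rule.opts.get("-p") == "tcp" else None


def redirect_rules(rules):
    """nat PREROUTING rules that REDIRECT TCP traffic to a local port."""
    return [r for r in rules if r.table == "nat" and r.chain == "PREROUTING"
            and r.target == "REDIRECT" and r.opts.get("-p") == "tcp"]


def audit(rules, proxy_addr):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    redirects = redirect_rules(rules)
    if not redirects:
        findings.append("no nat PREROUTING REDIRECT rule: port-80 traffic never reaches Squid")
    for r in redirects:
        port = r.opts.get("--to-ports")
        if "-i" not in r.opts:
            findings.append(f"REDIRECT to {port} has no -i: traffic from every interface is intercepted")
        if not (r.opts.get("-d") == proxy_addr and "-d" in r.negated):
            findings.append(f"REDIRECT to {port} does not exclude traffic addressed to {proxy_addr} itself")
        # mangle PREROUTING runs before nat PREROUTING, so a DROP there still sees the
        # original destination port: it catches direct connections to the intercept
        # port and leaves port-80 traffic (redirected later) untouched.
        guard = [g for g in rules if g.table == "mangle" and g.chain == "PREROUTING"
                 and g.target == "DROP" and tcp_dport(g) == port]
        if not guard:
            findings.append(f"intercept port {port} is reachable directly: no mangle PREROUTING DROP for it")
        # After REDIRECT the packet arrives in filter INPUT with dport == intercept port.
        accept = [a for a in rules if a.table == "filter" and a.chain == "INPUT"
                  and a.target == "ACCEPT" and tcp_dport(a) == port]
        if not accept:
            findings.append(f"filter INPUT never ACCEPTs dport {port}: redirected traffic is dropped")
    return findings


def audit_text(text, proxy_addr="10.1.0.1/32"):
    return audit(parse_iptables_save(text), proxy_addr)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_RULES) or ["all intercept checks passed"]:
        print(finding)
```

On a live box the dump would come from `iptables-save`; the parser only looks at `-A` lines, so the `:CHAIN` policy lines and `COMMIT` markers of a real dump are skipped. The checker deliberately does not try to say why the poster's HTTP traffic fails; it only reports whether the rule set has the shape an intercept deployment needs.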