Topic: chillispot on same server as squid proxy

Hello,

Got chillispot, freeradius working on Debian etch box.
All seems to be working well.

If a user connects to the wireless, and then tries to access the internet, with http, or ssh, or whatever,
they are blocked, all good. Once they authenticate, the ports open and they can do stuff.

Except, if they connect to the wireless, do not authenticate, they still get access to the linux box.
They can ssh to it, and most importantly, they can manually enter proxy settings and get internet.

Is there anyway to block access to the server, before they authenticate to chillispot?

Thanks!

Re: chillispot on same server as squid proxy

You can add these lines to your Chillispot iptables firewall

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

3128 is your squid port
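Pulling the rules above together, as an added example that is not ChilliSpot's firewall.iptables script nor the poster's: a POSIX sh generator that reads squid's port from squid.conf and prints tun0 rules that leave unauthenticated clients only the UAM port (and the login page and DNS), drop ssh and direct proxy use from the hotspot side, and redirect port 80 into squid. The interface name tun0, the UAM port 3990, the https login page on 443 and a local resolver are assumptions.

```shell
#!/bin/sh
# Added example, not ChilliSpot's own firewall.iptables script: generate the
# tun0 INPUT and nat rules that keep unauthenticated hotspot clients away from
# local services (ssh, a directly addressed squid) while still letting the
# authenticated clients' port-80 traffic be redirected into squid.
# Assumptions: the ChilliSpot tunnel is tun0, its UAM listener is TCP 3990,
# the login page is served by this host over https (443), and this host is
# the clients' DNS resolver. Squid's port is parsed from squid.conf.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Print squid's port from the first http_port line of the given config file.
# Handles "http_port 8080 transparent" and "http_port 192.168.1.1:3128".
squid_port_from_conf() {
    awk '$1 == "http_port" { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# Print the rules, one per line, in load order. The nat table only sees the
# first packet of a connection, so dropping direct SYNs to the squid port
# there means the INPUT accept for that port is reached only by connections
# that were REDIRECTed from port 80. Refuses port 80, where that DROP would
# also kill the redirect.
tun0_rules() {
    port=$1
    if [ "$port" = "80" ]; then
        echo "squid must not listen on port 80 with this rule set" >&2
        return 1
    fi
    cat <<EOF
$IPTABLES -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 3990 --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport $port --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport $port --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $port
EOF
}

# Demo on a constructed squid.conf fragment (the 8080 case from the thread).
demo() {
    conf=$(mktemp)
    printf 'icp_port 0\nhttp_port 8080 transparent\n' > "$conf"
    port=$(squid_port_from_conf "$conf")
    rm -f "$conf"
    tun0_rules "$port"
}
demo
```

The INPUT lines must be loaded before any broader INPUT accept (such as an unrestricted port 80 or ssh rule) or the tun0 DROP never sees the traffic.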

Re: chillispot on same server as squid proxy

Thanks!

I added the PREROUTING rule and it works.
I also decided to just bind squid to the external nic, so it can't be used directly from the lan side.

Re: chillispot on same server as squid proxy

************* wrote:

You can add these lines to your Chillispot iptables firewall

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

3128 is your squid port

It's still not working. If I set up the browser on the client computer with "Manual Proxy configuration: HTTP Proxy: 192.168.1.1 Port: 80", it still bypasses the chillispot login on the client computer and gets internet. 192.168.1.1 is my server IP number. Sorry for my bad English.

Re: chillispot on same server as squid proxy

9dra wrote:
************* wrote:

You can add these lines to your Chillispot iptables firewall

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

3128 is your squid port

It's still not working. If I set up the browser on the client computer with "Manual Proxy configuration: HTTP Proxy: 192.168.1.1 Port: 80", it still bypasses the chillispot login on the client computer and gets internet. 192.168.1.1 is my server IP number. Sorry for my bad English.

What is your squid port? I will consider it.

Re: chillispot on same server as squid proxy

************* wrote:
9dra wrote:
************* wrote:

You can add these lines to your Chillispot iptables firewall

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

3128 is your squid port

It's still not working. If I set up the browser on the client computer with "Manual Proxy configuration: HTTP Proxy: 192.168.1.1 Port: 80", it still bypasses the chillispot login on the client computer and gets internet. 192.168.1.1 is my server IP number. Sorry for my bad English.

What is your squid port? I will consider it.

Thanks for your response.
This is my squid.conf

# ============================================== #
# NETWORK OPTIONS
# ============================================== #
http_port 8080 transparent
icp_port 0
# ============================================== #
# OPTIONS WHICH AFFECT THE NEIGHBOUR SELECTION ALGORITHM
# ============================================== #
dead_peer_timeout 30 seconds
mcast_icp_query_timeout 10
log_icp_queries on
connect_timeout 2 minutes
peer_connect_timeout 30 seconds
request_timeout 30 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# ============================================== #
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ============================================== #
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
# =============================================== #
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# =============================================== #
cache_dir diskd /cache1 12600 29 256 Q1=64 Q2=72
cache_dir diskd /cache2 12600 29 256 Q1=64 Q2=72
cache_dir diskd /cache3 12600 29 256 Q1=64 Q2=72
cache_dir diskd /cache4 12600 29 256 Q1=64 Q2=72
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /dev/null
mime_table /usr/local/etc/squid/mime.conf
# =============================================== #
# HTTPD-ACCELERATOR OPTIONS
# =============================================== #
log_ip_on_direct on
dns_nameservers 202.134.0.155 202.134.1.10 203.130.209.242 202.134.2.5
# =============================================== #
# MISCELLANEOUS
# =============================================== #
logfile_rotate 7
digest_generation on
digest_bits_per_entry 10
digest_rebuild_period 30 minute
digest_rewrite_period 30 minute
digest_swapout_chunk_size 6000 bytes
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch on
store_dir_select_algorithm round-robin
nonhierarchical_direct off
prefer_direct off
# =============================================== #
# ADMINISTRATIVE PARAMETERS
# =============================================== #
cache_mgr nindra.dw@gmail.com
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.omega.net
# ============================================== #
# ACCESS CONTROLS
# ============================================== #
acl all src 0/0
acl omeganet src 172.16.0.0/24
acl localhost src 127.0.0.0/8
# ============================================== #
# ACL Different access
# ============================================== #
acl SSL_ports port 443 563
acl Safe_ports port 21 80 280 448 591 777 443 563 808 70 210 4190-65535
acl CONNECT method CONNECT
acl manager proto cache_object
# ============================================== #
# Access Denied
# ============================================== #
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ============================================== #
# Internet Access
# ============================================== #
http_access allow manager !localhost
http_access allow localhost
http_access allow omeganet
http_access deny all
# =============================================== #

I am using Gentoo Linux, Squid-2.6.19-r1, freeradius-1.1.7 and chillispot-1.1.0. I have used ports 3128 and 8080 for squid.

Re: chillispot on same server as squid proxy

9dra wrote:
************* wrote:
9dra wrote:

It's still not working. If I set up the browser on the client computer with "Manual Proxy configuration: HTTP Proxy: 192.168.1.1 Port: 80", it still bypasses the chillispot login on the client computer and gets internet. 192.168.1.1 is my server IP number. Sorry for my bad English.

What is your squid port? I will consider it.

Thanks for your response.
This is my squid.conf

I am using Gentoo Linux, Squid-2.6.19-r1, freeradius-1.1.7 and chillispot-1.1.0. I have used ports 3128 and 8080 for squid.

According to your squid.conf you are using port 8080 for squid. You can change the line "http_port 8080 transparent" to "http_port 3128 transparent".

For me I set

icp_port 3130
http_port 3128 transparent

It works with the iptables rules above.

Regards

Re: chillispot on same server as squid proxy

Thank you. It works now, with the iptables rules above.