Hello Amos,

For clarification, I'm running an AP-Hotspot server (coovachilli, freeradius, squid, etc.) with two NICs (eth0 and eth1). eth0 is for WAN (internet) and eth1 is for managing the LAN (APs). Coovachilli creates tun0 under the eth1 interface. I'm using squid-3.4.8 as an HTTP transparent proxy.

# Hardware Setup Diagram
<https://i.stack.imgur.com/sKF9e.png>

# ifconfig:
eth0      Link encap:Ethernet  HWaddr d8:cb:8a:53:b5:ff
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          RX bytes:145897 (142.4 KiB)  TX bytes:86949 (84.9 KiB)

eth1      Link encap:Ethernet  HWaddr 00:e0:4c:53:44:58
          inet6 addr: fe80::2e0:4cff:fe53:4458/64 Scope:Link
          RX bytes:178346 (174.1 KiB)  TX bytes:366000 (357.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          RX bytes:15724 (15.3 KiB)  TX bytes:15724 (15.3 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00
          inet addr:10.1.0.1  P-t-P:10.1.0.1  Mask:255.255.255.0
          RX bytes:111251 (108.6 KiB)  TX bytes:347971 (339.8 KiB)

# This is my updated squid.conf as you suggested, 3129 for forward-proxy and 3130 for intercepting HTTP:
http_port 3129
http_port 3130 intercept

# Squid is listening on the expected ports; netstat -tunlp:
tcp6       0      0 :::3129                 :::*                    LISTEN      1754/(squid-1)
tcp6       0      0 :::3130                 :::*                    LISTEN      1754/(squid-1)
udp6       0      0 :::41845                :::*                                1754/(squid-1)

# Squid is not throwing any error; tail -4 /etc/squid3/cache.log:
Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 11 flags=9
Accepting NAT intercepted HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=41
ICMP socket opened.
storeLateRelease: released 0 objects

# No response if I run squidclient over SSH on the server:
squidclient -p 3129 http://www.example.com
Sending HTTP request ... done.

I've tried removing all "-i" options and updating the mangle rules as you suggested; no effect. I've opened the intercept port also. This is my original iptables with the adjusted rules:

#nat
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130   #redirect http to squid intercept port
-A POSTROUTING -o eth0 -j MASQUERADE

#mangle
-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3130 -j DROP   #drop direct attempts to proxy intercept port
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#filters
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3130 -j ACCEPT   #squid intercept
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3129 -j ACCEPT   #squid forward
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT   #chilli controller
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT   # freeradius
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT   # https
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT   #http
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT   #hotspot UAM
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 ! -o eth0 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP

So from here, all I can do is HTTPS connections; no HTTP connection is allowed from the AP side.
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
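When a ruleset like the one in this message is debugged, the usual mistake is reading the rules in the order they are listed rather than the order the kernel applies them (mangle PREROUTING, then nat PREROUTING, then the routing decision, then INPUT or FORWARD). The following Python script is an added illustration, not code from the poster or from the Squid project: it parses an excerpt of the posted rules and walks constructed sample packets through those chains, showing that client HTTP is rewritten by REDIRECT to 10.1.0.1:3130 and then accepted by the INPUT rule for 3130, while a client that connects straight to the intercept port is dropped in mangle (the protection Squid documentation recommends for intercept ports). Assumptions not in the post: the chain policies are ACCEPT, the default route leaves via eth0, the client address 10.1.0.5 and the destination 203.0.113.10 are constructed, and coovachilli's own dynamically inserted rules and connection tracking are not modelled.

```python
"""Trace a client packet through the poster's iptables ruleset in the order the
kernel applies it: mangle PREROUTING -> nat PREROUTING -> routing -> INPUT/FORWARD."""
import ipaddress
import shlex

# Excerpt of the rules from the post, in iptables-save layout (only the rules
# relevant to HTTP/HTTPS from the tun0 side are kept).
RULESET = """
*mangle
-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3130 -j DROP
*nat
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130
-A POSTROUTING -o eth0 -j MASQUERADE
*filter
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3130 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 ! -o eth0 -j DROP
"""

# Primary address per interface, taken from the ifconfig output in the post.
LOCAL_ADDRS = {"tun0": "10.1.0.1", "eth0": "192.168.0.100"}


def parse_ruleset(text):
    """Return {(table, chain): [rule, ...]}; a rule maps option -> (value, negated)."""
    rules, table = {}, None
    for line in text.strip().splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        toks, rule, neg, i = shlex.split(line), {}, False, 0
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                      # negates the next option
                neg, i = True, i + 1
                continue
            if tok == "--tcp-flags":            # takes two arguments; not modelled
                i += 3
                continue
            has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            rule[tok] = (toks[i + 1] if has_arg else True, neg)
            neg, i = False, i + (2 if has_arg else 1)
        rules.setdefault((table, rule["-A"][0]), []).append(rule)
    return rules


def matches(rule, pkt):
    """True when every match option in the rule fits the packet, honouring '!'."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-i": lambda v: pkt.get("in") == v,
        "-o": lambda v: pkt.get("out") == v,
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: int(v.split(":")[0]) <= pkt.get("dport", -1) <= int(v.split(":")[-1]),
    }
    # a check whose result equals its negation flag is a mismatch
    return all(checks[opt](val) != neg for opt, (val, neg) in rule.items() if opt in checks)


def trace(rules, pkt):
    """Return (verdict, chain, packet as seen by that chain) for one packet."""
    pkt = dict(pkt)
    for rule in rules.get(("mangle", "PREROUTING"), []):
        if rule["-j"][0] == "DROP" and matches(rule, pkt):
            return "DROP", "mangle PREROUTING", pkt
    for rule in rules.get(("nat", "PREROUTING"), []):
        if rule["-j"][0] == "REDIRECT" and matches(rule, pkt):
            # REDIRECT rewrites the destination to the primary address of the
            # incoming interface and the destination port to --to-ports
            pkt["dst"], pkt["dport"] = LOCAL_ADDRS[pkt["in"]], int(rule["--to-ports"][0])
            break
    if pkt["dst"] in LOCAL_ADDRS.values():
        chain = "INPUT"
    else:
        chain, pkt["out"] = "FORWARD", "eth0"   # assumption: default route via WAN
    for rule in rules.get(("filter", chain), []):
        if rule["-j"][0] in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule["-j"][0], "filter " + chain, pkt
    return "ACCEPT", "filter " + chain + " (chain policy, assumed ACCEPT)", pkt


# Constructed sample flows from a hotspot client (203.0.113.10 is a documentation address).
CLIENT = {"in": "tun0", "src": "10.1.0.5", "proto": "tcp"}
SAMPLES = {
    "http_to_internet": dict(CLIENT, dst="203.0.113.10", dport=80),
    "https_to_internet": dict(CLIENT, dst="203.0.113.10", dport=443),
    "direct_to_intercept_port": dict(CLIENT, dst="10.1.0.1", dport=3130),
    "direct_to_forward_port": dict(CLIENT, dst="10.1.0.1", dport=3129),
}


def verdicts():
    """Trace every sample; return {name: (verdict, chain, final dst, final dport)}."""
    rules = parse_ruleset(RULESET)
    out = {}
    for name, pkt in SAMPLES.items():
        v, where, p = trace(rules, pkt)
        out[name] = (v, where, p["dst"], p["dport"])
    return out


if __name__ == "__main__":
    for name, result in verdicts().items():
        print("%-26s -> %s in %s (dst %s:%s)" % ((name,) + result))
```

The model only covers the options the posted rules use (-s, -d, -i, -o, -p, --dport and their "!" negations); anything coovachilli adds at runtime to the same chains would sit in front of these rules and has to be inspected with iptables-save on the live host.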