Re: Squid vs. iptables redirection: exception for certain domains ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hi,

Another idea - but this gets complicated and with that, prone to faults - use a simple shell script to resolve the desired domains and keep their IPs in an ipset, then use the ipset in your firewall rules, this way you can keep your iptables rules static, your squid config static and simply add or remove IPs from the ipset.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nicolas Kovacs" <info@xxxxxxxxxxxxx>
> To: "CentOS mailing list" <centos@xxxxxxxxxx>
> Sent: Sunday, 11 March, 2018 12:18:06
> Subject: Re:  Squid vs. iptables redirection: exception for certain domains ?

> Le 11/03/2018 à 13:09, Leon Fauster a écrit :
>> It is not a good practice to place domain names into iptables rules. Define
>> a custom table, place this table into your rule list (to stick at the right
>> place) and feed that table with the resolved domain names. This can be altered
>> while running in the case of changes (check resolving results periodically).
> 
> I admit I've never worked with custom tables, so I don't know how to do
> this.
> 
> In the meantime, I found the following working solution.
> 
> # Exceptions
> EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
> for EXCEPTION in $EXCEPTIONS; do
>  $IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
> done
> 
> # Squid
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
> $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
> $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
>  --dport 80 -j REDIRECT --to-port 3128
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
> $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
> $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
>  --dport 443 -j REDIRECT --to-port 3129
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
> $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT
> 
> And my no-proxy.txt file looks like this:
> 
> # Ne pas utiliser le proxy pour les domaines suivants
> #
> # Crédit Agricole
> www.credit-agricole.fr
> # Crédit Coopératif
> www.credit-cooperatif.coop
> # Github
> github.com
> # Microlinux
> microlinux.fr
> microlinux.eu
> # Squid
> squid-cache.org
> # Thunderbird
> start.thunderbird.net
> 
> Note that I can put either domain names or IP addresses in this file.
> 
> And it's only supposed to keep a list of a handful of URLs that don't
> play well with a transparent Squid for HTTPS.
> 
> Cheers,
> 
> Niki
> 
> 
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : info@xxxxxxxxxxxxx
> Tél. : 04 66 63 10 32
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux