Re: Iptables Question

Makes sense to me.

Is the host that you are wanting to bypass your proxy on the same segment as the $LAN interface defined in your rulesets?

On Wed, Dec 10, 2008 at 1:22 PM, Joseph L. Casale <JCasale@xxxxxxxxxxxxxxxxx> wrote:
I have a squid proxy running transparently, so in my firewall script
I run the following fairly early:

iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128

This is a multihomed server so after this change the masquerading was
removed (as only web access on the lan side of this server was needed).

I now need to masq cleanly one device so that it can bypass the squid
proxy. As order is important, would it be correct to put the following
_in front_ of the PREROUTING command above:

iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -m mac --mac-source <mac addr> -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 443 -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

Where is the best place to filter for the mac in this scenario? I am hoping
anything w/o this mac will skip the whole masq setup and enter the PREROUTING
command below, resulting in the traffic being proxied through squid.

Thanks!
jlc
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



--
Thx
Joshua Gimer
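An added worked example, not from either poster: the ordering question in the thread hinges on the fact that the nat PREROUTING chain is consulted for every new connection before the FORWARD chain is ever looked at, and that rules in different chains are not ordered relative to each other. Putting the MASQUERADE and FORWARD rules "in front of" the REDIRECT therefore changes nothing; the bypass has to be a nat PREROUTING rule that matches the MAC and RETURNs before the REDIRECT rule is reached. Interface names (eth1 for $LAN, eth0 for $WAN), the MAC address and the DROP rule that keeps non-bypass hosts from being forwarded are assumptions for the example; the port list 80,443 and squid port 3128 are the thread's own.

```shell
#!/bin/sh
# Added example (not code from the thread): transparent squid with one MAC-based bypass.
# Assumed values, not from the original post: LAN=eth1, WAN=eth0, BYPASS_MAC below.
LAN=${LAN:-eth1}
WAN=${WAN:-eth0}
BYPASS_MAC=${BYPASS_MAC:-00:11:22:33:44:55}
SQUID_PORT=3128
IPT=${IPT:-iptables}

apply_rules() {
    # nat PREROUTING is evaluated before FORWARD for every new connection, so the
    # bypass must be the first rule here: RETURN leaves the chain before the
    # REDIRECT rule is reached. Order within this chain is what matters.
    $IPT -t nat -A PREROUTING -i "$LAN" -m mac --mac-source "$BYPASS_MAC" -j RETURN
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp -m multiport --dports 80,443 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # FORWARD decides what is routed at all: only the bypass host may go out the WAN.
    # The -m mac match is valid in PREROUTING, INPUT and FORWARD, not in POSTROUTING.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m mac --mac-source "$BYPASS_MAC" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Assumed: keep the earlier "no masquerading" posture for every other LAN host.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j DROP

    # MASQUERADE lives in nat POSTROUTING and only ever sees traffic FORWARD accepted,
    # so its position relative to the PREROUTING rules is irrelevant.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Print the rule set instead of applying it (useful for checking order before a reload).
show_rules() (
    IPT=echo
    apply_rules
)

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `sh script.sh apply` to load the rules, or call `show_rules` to see the order without touching the kernel. Two caveats a practitioner should keep in mind: the MAC match only works when the bypass host is on the same layer-2 segment as $LAN (the point of the question above), since a router in between would present its own source MAC; and a MAC address is trivially changed on the client, so this is an administrative convenience for one known device, not an access control you can trust against a hostile host.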
