Just to keep google fed with good information I'll summerize what worked: You were dead on with the way to redirect the ports to only transparent proxy specific ip addresses , and dead on that I should use squid to do the actual proxying instead of putting it all through iptables. The start up time for my script before (WHen it was all iptables) was areound a minute, now between restarting squid and re-applying the iptables it's less than a second! The last thing that I had to do to bring all this together to make it work (Thanks Thomas Veldhouse) was make some minor modifications to my squid configuration to get it to accept iptables based port redirection as a transparent squid proxy: httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on Thank you all you gurus of network infrastructure, it took 4 sepearate points of view, but it came together :) -David Talbot -----Original Message----- From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx]On Behalf Of Adrian Chung Sent: Tuesday, June 05, 2001 11:40 AM To: David Talbot Cc: lartc@xxxxxxxxxxxxxxx Subject: Re: [LARTC] Redirecting wayward traffic On Tue, Jun 05, 2001 at 11:20:30AM -0500, David Talbot wrote: > I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the > internet including FTP, Kazaa, etc. > All other IPS I want to only be able to use port 80 (web) through the > transparent proxy. The proxy I would configure to use the walled ACLs so all > these people have access to is amazon.com. > > Is that possible? With the transparent proxy iptables settings I've seen so > far the transparent proxy applies to everyone when it is done. How can I > make it so people on my unfettered access list don't get piped through the > proxy? You can do this by transparent proxying the entire 10.0.0.0 network, then inserting rules above this for the special cases, that just 'ACCEPTS' them: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.0.1.1 -j ACCEPT iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.1.250.1 -j ACCEPT This is assuming the proxy server is on the NAT box, if not, you'll have to adjust the first rule. This will allow traffic from 10.0.1.1 and 10.1.250.1 straight through, and transparently proxy everything else. -- Adrian Chung (adrian at enfusion-group dot com) http://www.enfusion-group.com/~adrian GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17 [rogue.enfusion-group.com] up 28 days, 23:48, 3 users _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
