On Thursday 07 November 2002 6:40 pm, Karina Gómez Salgado wrote:

> Hi, I'm using iptables to redirect requests to port 80 to port 3128 of
> Squid.
>
> But I have a problem, because some of the Squid users have trouble
> accessing certain services through the proxy; I want these users to
> bypass the proxy when they try to reach certain sites.
>
> So how can I deny the redirect?
>
> I've excluded certain users by their source address... making the
> redirection to the remaining IP addresses.
>
> But now I want to send all traffic to Squid, all but certain
> destinations...
>
> Is there a way to do that?

Yes.

Depending on how many destination addresses you do / don't want to redirect, you could use any of the following three methods (there are almost certainly others as well):

1. Add a "-d a.b.c.d" to your DNAT rule so that only packets matching the destination address get DNATted. You then need one of these rules for each destination you want the DNAT to apply to.

2. Add a "-d ! a.b.c.d" if you want to stop a single destination from being DNATted. You can only use one of these rules, otherwise two of them in combination will have the same effect as not using "-d ! a.b.c.d" at all.

3. Use your existing DNAT rule in the PREROUTING nat chain, but insert some rules before it which match a destination address using "-d a.b.c.d" and use the target "-j ACCEPT" so that these packets bypass the DNAT rule.

Basically suggestion 1 allows you to apply DNAT to as many destination addresses as you like; suggestion 2 allows you to exclude one address or address range from being DNATted; and suggestion 3 allows you to exclude as many addresses or ranges as you want.

Somewhere in this you should be able to achieve your goal.

Antony.

-- 
Software development can be quick, high-quality, or low-cost. The customer gets to pick any two out of three.
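Antony's third method, as an added example that is not part of the thread: a dry-run shell script that builds the nat PREROUTING chain with the ACCEPT exemptions ahead of the port-80 REDIRECT the question already uses, plus a first-match walk over the same list showing why stacked ACCEPT exemptions work while two negated "-d !" rules cancel each other out. The interface name, the bypass destinations and the dry-run wrapper are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Everything below is constructed for illustration.
BYPASS="192.0.2.10 198.51.100.0/24"     # constructed exempt destinations (TEST-NET space)
PROXY_PORT=3128                          # Squid port from the original question
LAN_IF=eth1                              # assumed LAN-facing interface
IPT="${IPTABLES:-echo iptables}"         # dry run by default; IPTABLES=/sbin/iptables to apply

# Method 3: exemptions first (-j ACCEPT ends nat-chain traversal for that packet),
# then the catch-all REDIRECT to the proxy port.
build_rules() {
  for dst in $BYPASS; do
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -d "$dst" -j ACCEPT
  done
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

ip2int() {  # dotted quad -> 32-bit integer
  old=$IFS; IFS=.; set -- $1; IFS=$old
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_net() {  # in_net <ip> <host-or-cidr>: succeeds when <ip> lies inside
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32          # bare host address means /32
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Walk the chain the way netfilter does: the first terminating match decides.
classify() {  # classify <ip> -> BYPASS or REDIRECT
  for dst in $BYPASS; do
    in_net "$1" "$dst" && { echo BYPASS; return; }
  done
  echo REDIRECT
}

# Why only one "-d !" rule works (method 2): with two negated rules every packet
# matches at least one of them, so neither destination is actually exempt.
two_negations() {  # two_negations <ip> <exempt1> <exempt2> -> BYPASS or REDIRECT
  if ! in_net "$1" "$2" || ! in_net "$1" "$3"; then echo REDIRECT; else echo BYPASS; fi
}

build_rules
```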