RE: Bypass transparent proxy(Squid)

On Thu, 2004-04-01 at 13:04, Jerry Robles de Medina wrote:
> Thanks Anthony,
> Have you done this already in a situation?
> I'll try it out and let the list know how it went.
> Jerry
> 
I have done this, and it works.

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
> Sent: March 31, 2004 4:23 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Bypass transparent proxy(Squid)
> 
> On Wednesday 31 March 2004 7:29 pm, Jerry Robles de Medina wrote:
> 
> > Dear all,
> > I have read somewhere along the posts that it is possible to let 2 pc's
> > (ip's) bypass a transparent proxy server(squid cache). I have tried it in
> > the rc.firewall.up file but I cannot get it working. Can someone please
> > shed some light into my problem?I know it has to do with iptables but dunno
> > where and how.
> 
> The trick is to create a user-defined chain, match the addresses you want as 
> exceptions, then do the NAT at the end of the chain (after the exceptions 
> have been returned to the main chain).
> 
> Something like:
> 
> iptables -t nat -N mychain
> iptables -A PREROUTING -t nat -p tcp --dport 80 -j mychain
> iptables -A mychain -t nat -s a.b.c.d -j RETURN
> iptables -A mychain -t nat -s w.x.y.z -j RETURN
> iptables -A mychain -t nat -j DNAT --to my.squid.proxy.server:3128
> 
> The way this works is:
> 1. Only packets addressed to port 80 get processed by the user defined chain
> 2. The first exception source address a.b.c.d immediately returns (unchanged) 
> to the main PREROUTING chain.
> 3. The second exception address w.x.y.z returns to the main PREROUTING chain.
> 4. Any other addresses get redirected.
> 
> I'm sure you can adjust this to your own requirements now you see the trick 
> involved.   The important point is to recognise that the negation operator ! 
> cannot deal with more than one exception address, so there's no point trying 
> to force it to work.
> 
> Regards,
> 
> Antony.
-- 
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
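The same exception-chain trick from Antony's reply, written up as an added example (not code from the thread) that takes any number of bypass addresses and creates the chain in the nat table so PREROUTING can jump to it. The chain name squid_bypass and the address values are constructed placeholders; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: build a nat-table exception chain in front of the Squid DNAT.
# Needs root to apply; with IPT=echo it only prints the iptables commands.
IPT="${IPT:-iptables}"

# squid_bypass_rules SQUID_ADDR:PORT EXCEPTION_IP [EXCEPTION_IP ...]
squid_bypass_rules() {
    squid="$1"; shift

    # The chain must be created in the nat table: a chain made with plain
    # "iptables -N" lands in the filter table and nat/PREROUTING cannot reach it.
    # Re-running flushes the chain instead of failing on "chain already exists".
    "$IPT" -t nat -N squid_bypass 2>/dev/null || "$IPT" -t nat -F squid_bypass

    # Only port-80 traffic enters the user-defined chain; add the jump once.
    "$IPT" -t nat -C PREROUTING -p tcp --dport 80 -j squid_bypass 2>/dev/null ||
        "$IPT" -t nat -A PREROUTING -p tcp --dport 80 -j squid_bypass

    # One RETURN per exception address. These must precede the DNAT so that
    # matching clients fall back into PREROUTING with their packets untouched.
    for ip in "$@"; do
        "$IPT" -t nat -A squid_bypass -s "$ip" -j RETURN
    done

    # Everything else that reached this point is redirected to Squid.
    "$IPT" -t nat -A squid_bypass -j DNAT --to-destination "$squid"
}
```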


