Re: Squid Redirection

Aaron Clausen wrote:
On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@xxxxxxxxxx> wrote:
I do it this way for my one internal subnet. There may be more and better
options, but this works for me.

"iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j REDIRECT --to-port 3128"

Squid must also be set up to accept transparent connections.

Thanks.  Now for another question.  I have about a dozen workstations
that I want to bypass squid (they are in the same subnet as the
workstations that I want traffic sent through squid).  Reading squid's
documentation, they recommend that this be done at the client end or
via iptables.  What's the rule to allow these hosts to bypass squid?

What I do is have a special portion of my subnet set aside for "unfiltered" access, and I just put an ACCEPT chain in for that portion before the REDIRECT for the whole subnet.
So it looks similar to this:

"iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NOSQUID_NETWORK} -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

"iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j REDIRECT --to-port 3128"


In my case the INT_NOSQUID_NETWORK is 192.168.0.32/28, which gives me 16 addresses that can bypass this, which I assign manually. I believe that you can also set up squid so that it makes these computers bypass the cache. I think it's the "always_direct [allow|deny] 'acl list'" directive. I haven't played with that too much, and I'm not entirely sure if that is working right for my WSUS server.

(Sending reply to the list this time)
-Ken Sande/KC8QNI
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
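The bypass-before-redirect ordering Ken describes, as an added example script (not code from the thread): it emits the two nat PREROUTING rules as an iptables-restore stanza and includes a helper that reports which rule a given client address would hit. The interface name, networks and port are assumed defaults and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not code from the thread): emits the nat PREROUTING rules in
# the order Ken describes (bypass ACCEPT before the subnet-wide REDIRECT) as an
# iptables-restore stanza, plus a helper that reports which rule a client hits.
# Interface, networks and port are assumed defaults; override via environment.
INT_INTERFACE="${INT_INTERFACE:-eth1}"
INT_NETWORK="${INT_NETWORK:-192.168.0.0/24}"
INT_NOSQUID_NETWORK="${INT_NOSQUID_NETWORK:-192.168.0.32/28}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Order matters: PREROUTING is walked top to bottom and ACCEPT in the nat table
# stops further nat processing, so the bypass rule must precede the REDIRECT.
# The nat table only sees a connection's first packet, so the state match is
# effectively NEW only; it is kept here to mirror the rules in the thread.
gen_nat_rules() {
  cat <<EOF
*nat
-A PREROUTING -i $INT_INTERFACE -s $INT_NOSQUID_NETWORK -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A PREROUTING -i $INT_INTERFACE -s $INT_NETWORK -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j REDIRECT --to-port $SQUID_PORT
COMMIT
EOF
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when address $1 lies inside CIDR block $2 (e.g. 192.168.0.32/28).
in_net() {
  _net="${2%/*}"; _bits="${2#*/}"
  _mask=$(( 0xFFFFFFFF ^ ((1 << (32 - _bits)) - 1) ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Which rule a client address would hit: bypass, squid, or none (not internal).
classify_host() {
  if in_net "$1" "$INT_NOSQUID_NETWORK"; then echo bypass
  elif in_net "$1" "$INT_NETWORK"; then echo squid
  else echo none; fi
}

# Apply for real with:  gen_nat_rules | iptables-restore -n   (-n keeps existing rules)
```

Running `classify_host 192.168.0.47` reports `bypass` while `192.168.0.48` reports `squid`, which is a quick way to confirm that the /28 covers exactly .32 through .47.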
