On 06.01.2010 00:24, Kenneth Sande wrote:
> Aaron Clausen wrote:
>> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@xxxxxxxxxx> wrote:
>>
>>> I do it this way for my one internal subnet. There may be more and
>>> better options, but this works for me.
>>>
>>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
>>> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
>>> REDIRECT --to-port 3128"
>>>
>>> Squid must also be set up to accept transparent connections.
>>>
>>
>> Thanks. Now for another question. I have about a dozen workstations
>> that I want to bypass squid (they are in the same subnet as the
>> workstations that I want traffic sent through squid). Reading squid's
>> documentation, they recommend that this be done at the client end or
>> via iptables. What's the rule to allow these hosts to bypass squid?
>>
>
> What I do is have a special portion of my subnet set aside for
> "unfiltered" access, and I just put an ACCEPT chain in for that portion
> before the REDIRECT for the whole subnet.
> So it looks similar to this:
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NOSQUID_NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED
> -j ACCEPT"
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
> REDIRECT --to-port 3128"
>

nat table rules 'see' only state 'NEW' packets. Better do filtering in
the filter table.

You could use the 'iprange' match if the hosts are not in a complete subnet.
If that does not match, you could use ipset and the set match.

ipset -N no_squid ipmap

...add hosts to ipset:

ipset --add no_squid ...

iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid -j REDIRECT ...
regards
Mart
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
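The two bypass options Mart names (an iprange match for a contiguous block of hosts, an ipset with a negated set match for scattered ones), written out as an added example. This is not Kenneth's or Mart's own ruleset: it assumes iptables with the iprange, set and conntrack matches, ipset 6.x syntax ("ipset create ... hash:ip"; the thread's "ipset -N ... ipmap" is the older form), and a LAN interface, subnet and host list that are constructed placeholders. Because only the first packet of a connection traverses the nat table, the redirect rule matches on --syn instead of ESTABLISHED,RELATED, which never match there; the per-host allow rule sits in the filter table, which sees every packet.

```shell
#!/bin/sh
# Added example for this thread, not the original posters' commands.
# Builds a transparent-proxy REDIRECT with a bypass list, either via
# an iprange match or via an ipset. Assumes iptables-legacy syntax with
# the iprange/set/conntrack matches and ipset 6.x ("ipset create").

INT_INTERFACE="${INT_INTERFACE:-eth1}"          # assumed LAN interface
INT_NETWORK="${INT_NETWORK:-192.168.1.0/24}"    # assumed LAN subnet
SQUID_PORT="${SQUID_PORT:-3128}"
# Constructed sample data: hosts that must bypass squid. The ipset
# variant takes any list; the iprange variant needs a contiguous range.
NO_SQUID_HOSTS="192.168.1.10 192.168.1.11 192.168.1.25"
NO_SQUID_RANGE="192.168.1.10-192.168.1.20"

# DRY_RUN=1 prints each command instead of executing it, so the
# generated ruleset can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Variant 1: bypass hosts form one contiguous range -> iprange match.
# nat PREROUTING only sees the first packet of a connection, so match on
# --syn; ESTABLISHED,RELATED would never match in this table anyway.
redirect_with_iprange() {
    run iptables -t nat -A PREROUTING -i "$INT_INTERFACE" -s "$INT_NETWORK" \
        -p tcp --dport 80 --syn \
        -m iprange ! --src-range "$NO_SQUID_RANGE" \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# Variant 2: scattered hosts -> ipset plus a negated set match.
# Membership changes then need only "ipset add/del", not a rule reload.
redirect_with_ipset() {
    run ipset create no_squid hash:ip -exist
    for h in $NO_SQUID_HOSTS; do
        run ipset add no_squid "$h" -exist
    done
    run iptables -t nat -A PREROUTING -i "$INT_INTERFACE" -s "$INT_NETWORK" \
        -p tcp --dport 80 --syn \
        -m set ! --match-set no_squid src \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# Per-host allow/deny policy belongs in the filter table, which sees
# every packet of a flow. Lets the bypass hosts reach port 80 directly
# (assumes a default DROP policy on FORWARD).
allow_direct_web_for_bypass() {
    run iptables -A FORWARD -i "$INT_INTERFACE" -p tcp --dport 80 \
        -m set --match-set no_squid src \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Print the ipset-based ruleset when invoked with DRY_RUN=1; otherwise
# the functions are meant to be called from an init/firewall script.
if [ "${DRY_RUN:-0}" = "1" ]; then
    redirect_with_ipset
    allow_direct_web_for_bypass
fi
```

Run with `DRY_RUN=1 sh rules.sh` to see the exact commands before applying them as root. Order matters in a real script: the set must exist before the iptables rule that references it, which is why `redirect_with_ipset` creates and fills it first.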