Re: Squid Redirection

On 06.01.2010 10:41, Mart Frauenlob wrote:
> On 06.01.2010 00:24, Kenneth Sande wrote:
>> Aaron Clausen wrote:
>>> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@xxxxxxxxxx> wrote:
>>>  
>>>> I do it this way for my one internal subnet. There may be more and
>>>> better
>>>> options, but this works for me.
>>>>
>>>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} \
>>>>     -p tcp --dport 80 --sport 1024:65535 \
>>>>     -m state --state NEW,ESTABLISHED,RELATED \
>>>>     -j REDIRECT --to-port 3128"
>>>>
>>>> Squid must also be set up to accept transparent connections.
>>>>     
>>>
>>> Thanks.  Now for another question.  I have about a dozen workstations
>>> that I want to bypass squid (they are in the same subnet as the
>>> workstations that I want traffic sent through squid).  Reading squid's
>>> documentation, they recommend that this be done at the client end or
>>> via iptables.  What's the rule to allow these hosts to bypass squid?
>>>
>>>   
>> What I do is have a special portion of my subnet set aside for
>> "unfiltered" access, and I just put an ACCEPT chain in for that portion
>> before the REDIRECT for the whole subnet.
>> So it looks similar to this:
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NOSQUID-NETWORK} \
>>     -p tcp --dport 80 --sport 1024:65535 \
>>     -m state --state NEW,ESTABLISHED,RELATED \
>>     -j ACCEPT"
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} \
>>     -p tcp --dport 80 --sport 1024:65535 \
>>     -m state --state NEW,ESTABLISHED,RELATED \
>>     -j REDIRECT --to-port 3128"
>>
> 
> nat table rules 'see' only state 'NEW' packets.
> Better do filtering in the filter table.
> 
> You could use the 'iprange' if the hosts are not in a complete subnet.
> If that does not match, you could use ipset and the set match.
> 
> ipset -N no_squid ipmap
> 
> ...add hosts to ipset: ipset --add no_squid ...
> 
> iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid -j
> REDIRECT ...
> 

sorry, forgot the set flag :/
iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid src
-j REDIRECT ...

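The bypass-by-ipset approach from the thread, written up as a complete script. This is an added example and not code posted by anyone on the list; it assumes the LAN interface is eth1, the LAN is 192.168.1.0/24, Squid listens on port 3128 in intercept mode, the two bypass hosts are constructed sample values, and the newer `ipset create ... hash:ip` syntax is available (the thread used the older `ipset -N ... ipmap` form).

```shell
#!/bin/sh
# Transparent Squid redirect with an ipset-based bypass list (IPv4).
# Assumptions: eth1 / 192.168.1.0/24 / Squid on 3128 in intercept mode.
# DRY_RUN=1 prints the commands instead of executing them.

INT_INTERFACE="${INT_INTERFACE:-eth1}"
INT_NETWORK="${INT_NETWORK:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
# Constructed sample: workstations that must reach the web directly.
NO_SQUID_HOSTS="${NO_SQUID_HOSTS:-192.168.1.10 192.168.1.11}"
DRY_RUN="${DRY_RUN:-0}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the set (idempotent with -exist) and load the bypass hosts.
# Hosts can be added or removed later without touching the iptables rule.
setup_bypass_set() {
    run ipset create no_squid hash:ip -exist
    for h in $NO_SQUID_HOSTS; do
        run ipset add no_squid "$h" -exist
    done
}

# Single nat rule: redirect LAN port-80 traffic to Squid unless the
# source address is in the set. The nat PREROUTING chain only sees the
# first packet of a connection, so a --state NEW,ESTABLISHED,RELATED
# match adds nothing here and is left out.
redirect_rules() {
    run iptables -t nat -A PREROUTING -i "$INT_INTERFACE" -s "$INT_NETWORK" \
        -p tcp --dport 80 -m set ! --match-set no_squid src \
        -j REDIRECT --to-port "$SQUID_PORT"
}

main() {
    setup_bypass_set
    redirect_rules
}

# Apply only when explicitly asked: ./squid-bypass.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Review the generated rules first with `DRY_RUN=1 ./squid-bypass.sh apply`, then run it without DRY_RUN as root.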