hello

lan_one|-------------|gateway|---------|lan_two
   |                    |
squidbox                |
(member of lan_one)     |
                     (world)

question 1.

At the moment traffic from BOTH lans seems to be prerouted to the squid box, but I want lan_two traffic to bypass the squidbox and go direct (for now...). I'm sure it's iptables syntax, but I can't seem to get it to work. Any advice or examples greatly appreciated.

----- snip -----

# drop lan_one - force them to use the squid box
$IPTABLES -A INPUT -i $NIC_ONE ! -s $SQUIDBOX -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -i $NIC_TWO -s $LAN_TWO -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i $NIC_ONE ! -s $SQUIDBOX -p tcp --dport 80 -j DNAT --to-destination $SQUIDBOX:3128
$IPTABLES -A POSTROUTING -t nat -o $NIC_ONE -s $LAN_ONE -d $SQUIDBOX -j SNAT --to-source $GATEWAY
$IPTABLES -A FORWARD -s $LAN_ONE -d $SQUIDBOX -i $NIC_ONE -o $NIC_ONE -p tcp --dport 3128 -j ACCEPT

# lan_one to world
$IPTABLES -A lan-world -s $SQUIDBOX -p tcp --dport 80 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 22 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 664 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 995 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 465 -j ACCEPT
# etc etc

# lan_two to world ... simple for now
$IPTABLES -A lan-fax -p tcp -j ACCEPT
$IPTABLES -A lan-fax -p udp -j ACCEPT
$IPTABLES -A lan-fax -p icmp -j ACCEPT
$IPTABLES -A lan-fax -j DROP

$IPTABLES -A FORWARD -i $NIC_ONE -o $WORLD -s $LAN_ONE -j lan-world
# the chain defined above is lan-fax (was written as fax-world)
$IPTABLES -A FORWARD -i $NIC_TWO -o $WORLD -s $LAN_TWO -j lan-fax

---------------------------------------------------------------------------------

question 2.

If both lans do use the cache (with a tighter iptables in place), is it possible to cache but not log lan_two traffic?

thanks in advance
greylake
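An added example covering both questions (this is not the poster's script; the interface names, addresses and the /var/log/squid path are assumptions chosen for illustration). The key ordering point for question 1 is that nat/PREROUTING is walked top to bottom, so an early RETURN for lan_two guarantees it is never DNATed, while the lan_one DNAT excludes the squid box itself so the proxy's own outbound requests do not loop back into it. The SNAT to the gateway address is what makes the hairpin (client and squid on the same LAN) work: without it the squid box would answer the client directly with packets the client never expected. For question 2, the Squid 2.6+ access_log directive accepts a trailing ACL list, so a negated ACL on the lan_two source range keeps those requests cached but unlogged.

```shell
#!/bin/sh
# Added example, not the original poster's script. All values below are
# assumptions; override them in the environment before applying.
LAN_ONE=${LAN_ONE:-192.168.1.0/24};  NIC_ONE=${NIC_ONE:-eth1}
LAN_TWO=${LAN_TWO:-192.168.2.0/24};  NIC_TWO=${NIC_TWO:-eth2}
WORLD=${WORLD:-eth0}
GATEWAY=${GATEWAY:-192.168.1.1}      # gateway's own address on lan_one
SQUIDBOX=${SQUIDBOX:-192.168.1.10}   # squid host, a member of lan_one
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-iptables}                 # IPT="echo iptables" prints instead of applying

# Emits (or applies, depending on $IPT) the transparent-proxy rules for
# lan_one only; lan_two web traffic goes straight out.
gen_rules() {
    # nat/PREROUTING is evaluated in order: RETURN lan_two here and no later
    # rule in this chain can redirect it.
    $IPT -t nat -A PREROUTING -i "$NIC_TWO" -s "$LAN_TWO" -p tcp --dport 80 -j RETURN
    # lan_one web traffic goes to squid, except from the squid box itself
    # (otherwise squid's own fetches are redirected back into squid).
    $IPT -t nat -A PREROUTING -i "$NIC_ONE" ! -s "$SQUIDBOX" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUIDBOX:$SQUID_PORT"
    # Squid sits on the clients' own LAN: SNAT to the gateway so replies come
    # back through the gateway and are un-DNATed, instead of going client-direct.
    $IPT -t nat -A POSTROUTING -o "$NIC_ONE" -s "$LAN_ONE" -d "$SQUIDBOX" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$GATEWAY"
    # Hairpin forward lan_one -> squid on the same interface.
    $IPT -A FORWARD -i "$NIC_ONE" -o "$NIC_ONE" -s "$LAN_ONE" -d "$SQUIDBOX" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # Return traffic for everything accepted above.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the squid box may talk to port 80 on the world from lan_one;
    # anything that slipped past the DNAT is dropped rather than let out.
    $IPT -A FORWARD -i "$NIC_ONE" -o "$WORLD" -s "$SQUIDBOX" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$NIC_ONE" -o "$WORLD" -s "$LAN_ONE" -p tcp --dport 80 -j DROP
    # lan_two goes direct.
    $IPT -A FORWARD -i "$NIC_TWO" -o "$WORLD" -s "$LAN_TWO" -p tcp --dport 80 -j ACCEPT
}

# Emits squid.conf lines that cache lan_two requests but do not log them.
# Squid 2.6+ syntax: access_log <file> [<logformat name> [acl acl ...]];
# a negated acl excludes matching requests from that log only.
gen_squid_logging_conf() {
    printf 'acl lan_two src %s\n' "$LAN_TWO"
    printf 'access_log /var/log/squid/access.log squid !lan_two\n'
}

case "${1:-}" in
    apply) gen_rules ;;                          # run as root with IPT=iptables
    squid) gen_squid_logging_conf ;;             # append output to squid.conf
    *)     ( IPT="echo iptables"; gen_rules ) ;; # default: dry run, print rules
esac
```

Run it with no arguments to see the rule set it would load, `sh script.sh apply` as root to load it, and `sh script.sh squid` for the two squid.conf lines. The redirect only catches plain HTTP on port 80; port 443 is untouched by these rules. Squid must also be told the port is intercepted (`http_port 3128 transparent` on Squid 2.6, `intercept` on 3.1 and later), and the logging ACL does not affect caching, which happens regardless of whether a request is written to access.log.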