On Mon, 15 Jun 2009 21:44:21 -0400, Jamie Orzechowski <jamie.orzechowski@xxxxxxxxx> wrote:

> I am having issues with a few sites like megavideo, hotmail, etc and
> looking to bypass them entirely via IPTables ... I have added some
> rules to IPTables but I still see the traffic hitting the caches. Any
> ideas?
>
> Strange thing is that when running an iptables --list it shows no
> rules configured at all ..

iptables -t mangle --list ;)

>
> Here is my iptables rules
>
> /usr/local/sbin/iptables -t mangle -N DIVERT
> /usr/local/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
> /usr/local/sbin/iptables -t mangle -A DIVERT -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> #Bypass These subnets
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 65.54.186.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 65.54.165.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 72.32.79.195/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 64.4.20.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 69.5.88.0/24 -j RETURN

Hmm, I'm not sure if RETURN works in a master level chain. Perhaps a custom chain with the above and below rules all in it would work?

Amos

>
> # Redirect to squid
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
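The following is an added example, not code from the thread or from the Squid project. It takes Amos's suggestion and generates the bypass and TPROXY rules inside one custom mangle-table chain (the chain name `SQUID_TPROXY` is a hypothetical choice), and it checks the bypass list before emitting anything: an entry such as `72.32.79.195/24` has host bits set, and iptables would apply the mask and treat it as the whole `72.32.79.0/24`, so the script normalizes such entries and reports them. The `is_bypassed` helper lets you confirm which destinations would skip the proxy before loading the rules. The subnet list is a constructed copy of the one in the post.

```python
"""Normalize a TPROXY bypass list and emit the rules as a dedicated mangle chain."""
import ipaddress

# Constructed copy of the bypass subnets quoted in the thread (example input).
BYPASS_CIDRS = [
    "65.54.186.0/24",
    "65.54.165.0/24",
    "72.32.79.195/24",   # host bits set: iptables masks this to 72.32.79.0/24
    "64.4.20.0/24",
    "69.5.88.0/24",
]

IPTABLES = "/usr/local/sbin/iptables"   # path used in the thread
CHAIN = "SQUID_TPROXY"                  # hypothetical custom chain name


def normalize_bypass(cidrs):
    """Return (normalized networks, [(original, normalized) for entries with host bits set]).

    strict=False makes ipaddress apply the prefix mask the same way iptables does,
    so the report shows what the kernel will actually match.
    """
    nets, fixed = [], []
    for cidr in cidrs:
        net = str(ipaddress.ip_network(cidr, strict=False))
        if net != cidr:
            fixed.append((cidr, net))
        nets.append(net)
    return nets, fixed


def is_bypassed(dst_ip, cidrs):
    """True if a port-80 packet to dst_ip would hit a RETURN rule and skip the proxy."""
    nets, _ = normalize_bypass(cidrs)
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def build_rules(cidrs, chain=CHAIN, tproxy_port=3129):
    """Build the rule list: DIVERT for existing sockets, then one custom chain that
    RETURNs for bypassed subnets and TPROXYs everything else on port 80."""
    nets, _ = normalize_bypass(cidrs)
    rules = [
        f"{IPTABLES} -t mangle -N DIVERT",
        f"{IPTABLES} -t mangle -A DIVERT -j MARK --set-mark 1",
        f"{IPTABLES} -t mangle -A DIVERT -j ACCEPT",
        f"{IPTABLES} -t mangle -N {chain}",
    ]
    # Bypass rules come first inside the custom chain so RETURN is evaluated
    # before the TPROXY rule; RETURN leaves the chain and PREROUTING continues.
    rules += [
        f"{IPTABLES} -t mangle -A {chain} -p tcp --dport 80 -d {net} -j RETURN"
        for net in nets
    ]
    rules.append(
        f"{IPTABLES} -t mangle -A {chain} -p tcp --dport 80 "
        f"-j TPROXY --tproxy-mark 0x1/0x1 --on-port {tproxy_port}"
    )
    # Built-in chain only hooks into the custom chain; same order as the post.
    rules.append(f"{IPTABLES} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT")
    rules.append(f"{IPTABLES} -t mangle -A PREROUTING -p tcp --dport 80 -j {chain}")
    return rules


def main():
    _, fixed = normalize_bypass(BYPASS_CIDRS)
    for original, net in fixed:
        print(f"# note: {original} has host bits set; iptables will match {net}")
    for rule in build_rules(BYPASS_CIDRS):
        print(rule)
    print("ip rule add fwmark 1 lookup 100")
    print("ip route add local 0.0.0.0/0 dev lo table 100")


if __name__ == "__main__":
    main()
```

Run it to print the rule set for review, then load it with your usual script; `iptables -t mangle -L SQUID_TPROXY -n -v` afterwards shows per-rule packet counters, which is the quickest way to see whether the bypassed destinations are really hitting RETURN rather than TPROXY.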