Jamie Orzechowski wrote:
I am having issues with a few sites like megavideo, hotmail, etc and looking to bypass them entirely via IPTables ... I have added some rules to IPTables but I still see the traffic hitting the caches. Any ideas? Strange thing is that when running an iptables --list it shows no rules configured at all ..
"iptables --list" only shows the INPUT, FORWARD and OUTPUT tables. You'll need to run "iptables -t mangle --list" to see the mangle table.
Here are my iptables rules:

/usr/local/sbin/iptables -t mangle -N DIVERT
/usr/local/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/usr/local/sbin/iptables -t mangle -A DIVERT -j ACCEPT
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

# Bypass these subnets
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 65.54.186.0/24 -j RETURN
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 65.54.165.0/24 -j RETURN
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 72.32.79.195/24 -j RETURN
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 64.4.20.0/24 -j RETURN
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 69.5.88.0/24 -j RETURN

# Redirect to squid
/usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
You might need to add "/usr/local/sbin/iptables -t mangle -F" to the top of those rules to flush the mangle table before adding any other rules.
Chris
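As an added illustration (not code from the thread or from the Squid project), here is one way to load the same mangle rule set so that the flush Chris mentions happens implicitly: iptables-restore replaces the whole table atomically and flushes it unless --noflush is given, so stale rules from an earlier run cannot linger in front of the new ones. The script also checks, before anything is applied, that every bypass RETURN rule sits above the TPROXY rule, since PREROUTING is matched top-down and a RETURN placed below TPROXY never fires. The subnets, the DIVERT chain, mark 1 and port 3129 come from the thread; the --apply flag, the function names and the use of "iptables-restore --test" as a syntax check are this example's own choices. The 72.32.79.195/24 entry is kept as Jamie wrote it; iptables applies the /24 mask, so it matches 72.32.79.0/24.

```shell
#!/bin/sh
# Added example: build the Squid TPROXY mangle table as an iptables-restore
# file, verify rule ordering, and only then load it. Values marked "from the
# thread" are taken from Jamie's rule list; everything else is illustrative.

SQUID_TPROXY_PORT=3129                                     # from the thread
BYPASS_NETS="65.54.186.0/24 65.54.165.0/24 72.32.79.195/24 64.4.20.0/24 69.5.88.0/24"

# Print the mangle table in iptables-restore format. All five built-in chains
# are declared so the flush-and-replace leaves the table in a known state.
mangle_rules() {
    printf '%s\n' '*mangle'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':DIVERT - [0:0]'
    # Packets that already belong to a local socket get the mark and are accepted.
    printf '%s\n' '-A DIVERT -j MARK --set-mark 1'
    printf '%s\n' '-A DIVERT -j ACCEPT'
    printf '%s\n' '-A PREROUTING -p tcp -m socket -j DIVERT'
    # Bypass rules must precede the TPROXY rule: PREROUTING is matched top-down.
    for net in $BYPASS_NETS; do
        printf -- '-A PREROUTING -p tcp --dport 80 -d %s -j RETURN\n' "$net"
    done
    printf -- '-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port %s\n' \
        "$SQUID_TPROXY_PORT"
    printf '%s\n' 'COMMIT'
}

# Return 0 if the last RETURN rule appears above the TPROXY rule, 1 otherwise.
rule_order_ok() {
    last_return=$(mangle_rules | grep -n -- '-j RETURN' | tail -n 1 | cut -d: -f1)
    tproxy_line=$(mangle_rules | grep -n -- '-j TPROXY' | cut -d: -f1)
    [ -n "$tproxy_line" ] && [ "${last_return:-0}" -lt "$tproxy_line" ]
}

# Number of bypass subnets the generated table contains (useful as a sanity check).
bypass_count() {
    mangle_rules | grep -c -- '-j RETURN'
}

# Parse-check with iptables-restore --test, then load the table and add the
# policy route that delivers marked packets locally (from the thread).
apply_rules() {
    rule_order_ok || { echo "refusing to apply: a RETURN rule is below TPROXY" >&2; return 1; }
    mangle_rules | iptables-restore --test || return 1
    mangle_rules | iptables-restore || return 1
    ip rule add fwmark 1 lookup 100 2>/dev/null
    ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
    # "iptables -L" shows only the filter table; inspect mangle explicitly.
    iptables -t mangle -L PREROUTING -n --line-numbers
}

# Only touch the kernel when explicitly asked; otherwise just print the table.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
elif [ "${1:-}" = "--print" ]; then
    mangle_rules
fi
```

Run it with --print to review the generated table, and with --apply (as root, with the TPROXY target and socket match available) to load it; the ordering check runs first in both the --apply path and on its own, so a misplaced bypass rule is caught before any traffic is redirected.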