Squid on Fedora Need to bypass some clients through squid
Hello all members.
Good day. I have a question regarding Squid. I have configured a squid proxy server on Fedora to restrict Internet access on some staff computers. To do so I placed some ACLs in squid.conf and stopped iptables to stop clients bypassing the proxy. It worked fine for that scenario, but now I need to exempt some clients from the proxy server, meaning allow them direct access to the router. Please help.
Hi,
You can use the always_direct option in squid.conf:
Code:
acl foo src x.x.x.x y.y.y.y
always_direct allow foo
Thank you for the quick response.
But it is not working. I allowed the IP address 192.168.0.10 as you suggested, but it is still being restricted by squid. Please help.
If you want to bypass the squid server, so you can connect directly to the net, you should use an iptables rule like this:
Code:
iptables -t nat -I PREROUTING -i eth0 -p tcp -s 192.168.0.10 --dport 80 -j ACCEPT
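A fuller version of that approach, as an added example that is not from this thread: a small shell script that emits an iptables-restore ruleset in which the listed hosts get the ACCEPT rule above (placed ahead of the redirect) and are forwarded straight out, while every other LAN host is refused direct forwarding and so can only reach the web through squid. It assumes eth0 is the LAN side, eth2 the Internet side and squid listens on 3128 (all three are assumptions); the REDIRECT line is only useful if squid's http_port is configured in intercept mode, and with explicitly configured proxy clients it is the FORWARD rules alone that stop the bypass.

```shell
#!/bin/sh
# Added example, not from this thread: print an iptables-restore ruleset that
# exempts the given client IPs from squid and forces everyone else through it.
# Assumed layout: LAN on eth0, Internet on eth2, squid listening on port 3128
# (all three are assumptions; adjust to the real interfaces).
# Usage: sh make-rules.sh 192.168.0.10 192.168.0.20 | iptables-restore
# The box also needs net.ipv4.ip_forward=1 for the exempt hosts to route out.
LAN_IF=eth0
WAN_IF=eth2
SQUID_PORT=3128

build_ruleset() {
    # $@ = IPs of the clients allowed to go straight to the router
    echo '*nat'
    for ip in "$@"; do
        # same ACCEPT rule as in the reply above; it must come before the
        # REDIRECT so the exempt host's port-80 traffic is left alone
        echo "-A PREROUTING -i $LAN_IF -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # everyone else: port 80 is pushed into squid (needs http_port ... intercept)
    echo "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    # default-deny forwarding: a client that drops its proxy setting gets nothing
    echo ':FORWARD DROP [0:0]'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -j ACCEPT"
    done
    # explicit REJECT so non-exempt clients get an ICMP error instead of a timeout
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited"
    echo 'COMMIT'
}

if [ "$#" -gt 0 ]; then
    build_ruleset "$@"
fi
```

Connections to squid's own port arrive on the INPUT chain, which this ruleset leaves untouched, so explicitly configured proxy clients keep working.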
Okay, this will allow traffic from 192.168.0.10 to bypass. How would I restrict the traffic of all other nodes?
Please note that the iptables service is stopped right now on my squid box. If I start it, every user is allowed to bypass the squid rules.
So I really don't get your setup. How do you block users from going out to the net with iptables stopped? And they can bypass squid when iptables is running?
Let me explain the scenario.
I am using a proxy setting on the client computers. By going through that proxy the users are forced to use the squid server as the gateway for web traffic. ACLs are implemented in the squid.conf file and the users are restricted by these ACLs. The iptables service is not running; only squid is forwarding/blocking all client access.
Following are the iptables rules which permit all users to bypass squid when the iptables service is started.
Code:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Is there any other option? Can anyone help in this scenario?