LinuxQuestions.org

Squid on Fedora Need to bypass some clients through squid (https://www.linuxquestions.org/questions/linux-newbie-8/squid-on-fedora-need-to-bypass-some-clients-through-squid-4175505908/)

Saaj 05-23-2014 02:24 PM

Squid on Fedora Need to bypass some clients through squid
 
Hello all members.
Good day.
I have a question regarding Squid. I have configured a Squid proxy server on Fedora to restrict Internet access on some staff computers. To do so I placed some ACLs in squid.conf and stopped iptables to stop clients from bypassing the proxy. It worked fine for that scenario, but now I need to exempt some clients from the proxy server, meaning to allow them direct access to the router.
Please help.

bathory 05-23-2014 04:40 PM

Hi,

You can use the always_direct option in squid.conf:
Code:

acl foo src x.x.x.x y.y.y.y
always_direct allow foo

Regards

Saaj 05-24-2014 03:48 AM

Thank you for the quick response.

But it is not working. I allowed the IP address 192.168.0.10 as you suggested, but it is still being restricted by Squid.

Please help.

bathory 05-24-2014 08:23 AM

If you want to bypass the Squid server, so you can connect directly to the net, you should use an iptables rule like this:
Code:

iptables -t nat -I PREROUTING -i eth0 -p tcp -s 192.168.0.10 --dport 80 -j ACCEPT

Saaj 05-28-2014 01:21 AM

Okay, this will allow traffic from 192.168.0.10 to bypass. How would I restrict the traffic of all other nodes?

Saaj 05-28-2014 01:22 AM

Please note that the iptables service is stopped right now on my Squid server. If I start it, every user is allowed to bypass the Squid rules.

bathory 05-28-2014 03:07 AM

Quote:

Originally Posted by Saaj (Post 5177921)
Please note that the iptables service is stopped right now on my Squid server. If I start it, every user is allowed to bypass the Squid rules.

Huh, it's supposed to work the other way around. You use iptables to forward port 80 traffic to Squid.
So I really don't get your setup. How do you block users from going out to the net with iptables stopped? And they can bypass Squid when iptables is running?

Saaj 05-28-2014 03:19 AM

Let me explain the scenario.

I am using a proxy setting on the client computers. By going through that proxy the users are forced to use the Squid server as the gateway for the web.
ACLs are implemented in the squid.conf file and the users are restricted by these ACLs.

The iptables service is not running; only Squid is forwarding/blocking all client access.

Saaj 05-28-2014 03:23 AM

Following are the iptables rules which permit all users to bypass Squid when the iptables service is started.

# iptables-save format. The "*nat" header and the ":INPUT" policy line were
# missing from the pasted snippet and are restored here so the file loads
# with iptables-restore; everything else is as posted.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT for anything leaving on any of the three interfaces.
# Note: no REDIRECT rule exists here, so nothing is sent to Squid by the firewall.
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reject all traffic to the box itself and all traffic routed through it.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

bathory 05-28-2014 06:16 AM

Quote:

Originally Posted by Saaj (Post 5177954)
Let me explain the scenario.

I am using a proxy setting on the client computers. By going through that proxy the users are forced to use the Squid server as the gateway for the web.
ACLs are implemented in the squid.conf file and the users are restricted by these ACLs.

The iptables service is not running; only Squid is forwarding/blocking all client access.

You may need to set up Squid as a transparent proxy, using iptables to forward requests for port 80; then you can allow the specific IP to bypass Squid and go directly out to the net.
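
The two suggestions in this thread (the always_direct ACL earlier and the transparent-proxy setup in the post above) fit together into one ruleset. The script below is an added example, not code from the thread or from the Squid project: it generates an iptables-restore file that redirects LAN port-80 traffic into a Squid intercept port, lets listed hosts go straight out ahead of the REDIRECT, and rejects everything else in FORWARD so a non-exempt client cannot reach the router by simply clearing its proxy setting; it also prints the matching squid.conf fragment. The interface names eth0/eth1, the 192.168.0.0/24 network, ports 3128/3129, the SSH rule and the blocklist path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (1) an iptables-restore ruleset
# that forces LAN port-80 traffic into a local Squid intercept port while letting
# listed exempt hosts go straight out, and (2) the matching squid.conf fragment.
# Interface names, addresses, ports and the blocklist path are assumptions.
LAN_IF=${LAN_IF:-eth0}                   # interface facing the staff LAN
WAN_IF=${WAN_IF:-eth1}                   # interface facing the router / Internet
LAN_NET=${LAN_NET:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}           # explicit proxy port the clients are configured with
INTERCEPT_PORT=${INTERCEPT_PORT:-3129}   # separate listener for redirected traffic

# build_rules <exempt ip>... : print an iptables-restore file on stdout.
build_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Exempt hosts are matched first, so the REDIRECT below never sees them.
    for ip in "$@"; do
        printf '%s\n' "-A PREROUTING -i $LAN_IF -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    printf '%s\n' "-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT"
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE" 'COMMIT'

    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"     # admin SSH from the LAN (assumed)
    printf '%s\n' "-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT"
    printf '%s\n' "-A INPUT -i $LAN_IF -p tcp --dport $INTERCEPT_PORT -j ACCEPT"
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -j ACCEPT"
    done
    # Everything else that tries to cross the box is refused, on every port, so a
    # non-exempt client can only reach the Internet through Squid (whose own
    # outbound connections traverse OUTPUT, not FORWARD).
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# build_squid_conf <exempt ip>... : print the matching squid.conf fragment.
build_squid_conf() {
    [ $# -gt 0 ] || return 1
    cat <<EOF
http_port $SQUID_PORT
http_port $INTERCEPT_PORT intercept
acl lan src $LAN_NET
acl exempt src $*
acl blocked dstdomain "/etc/squid/blocked.txt"
# Exempt hosts are allowed before the restrictive rules, which never apply to them.
http_access allow exempt
http_access deny blocked
http_access allow lan
http_access deny all
# always_direct only matters when a cache_peer is configured: it makes Squid fetch
# directly instead of via the parent. It does not let a client skip Squid.
always_direct allow exempt
EOF
}

# exempt_precedes_redirect <exempt ip>... : succeed only if the first host's ACCEPT
# sits before the REDIRECT in the nat table. Rule order is the whole mechanism;
# an ACCEPT appended after the REDIRECT is never reached.
exempt_precedes_redirect() {
    build_rules "$@" | awk -v ip="$1" '
        /^-A PREROUTING/ && index($0, "-s " ip " ") && /-j ACCEPT$/ { acc = NR }
        /^-A PREROUTING/ && /-j REDIRECT/ { red = NR }
        END { exit !(acc && red && acc < red) }'
}

# apply_rules <exempt ip>... : load the ruleset atomically (root required). On
# Fedora, persist it afterwards with: iptables-save > /etc/sysconfig/iptables
apply_rules() {
    build_rules "$@" | iptables-restore
}

# Show the rules and config for the host named in the thread, without applying them.
build_rules 192.168.0.10
build_squid_conf 192.168.0.10
```

Three things to keep in mind when using this in the explicit-proxy deployment described earlier. The exempt client still has to have its browser proxy setting removed, otherwise it keeps talking to port 3128 and is subject to the http_access rules; the FORWARD rules are what stop the other clients from doing the same in reverse. Port 443 is not intercepted here, so non-exempt clients reach HTTPS sites only through the explicit proxy (CONNECT on 3128) and are rejected if they try to go direct. The intercept listener is on its own port rather than on 3128, which is what Squid's documentation for the intercept option advises; the intercept keyword replaced transparent in Squid 3.1.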

Saaj 05-28-2014 07:04 AM

Is there any other option? Can anyone help in this scenario?
