Squid on Fedora Need to bypass some clients through squid

Saaj · 05-23-2014, 02:24 PM

Hello All members.
Good day
I have a question regarding Squid. I have configured squid proxy server on Fedora to restrict Internet Access on some staff computers. to do so I placed some ACLs in squid.conf and stopped iptables to stop clients to bypass proxy. It worked fine for the scenario but now I need to exempt some clients from the proxy server means to allow them direct access to the router.
Please help.

bathory · 05-23-2014, 04:40 PM

Hi,

You can use the always_direct option in squid.conf:

Code:

acl foo src x.x.x.x y.y.y.y
always_direct allow foo

Regards

Saaj · 05-24-2014, 03:48 AM

Thank you for the quick response.

But it is not working I allowed an IP address 192.168.0.10 as you suggested but is still been restricted by the squid.

Please help.

bathory · 05-24-2014, 08:23 AM

If you want to bypass the squid server, so you can connect directly to the net, you should use an iptables rule like this:

Code:

iptables -t nat -I PREROUTING -i eth0 -p tcp -s 192.168.0.10 --dport 80 -j ACCEPT

Saaj · 05-28-2014, 01:21 AM

Okay, this will allow traffic from 192.168.0.10 to bypass. How would I restrict traffic of all other nodes?

Saaj · 05-28-2014, 01:22 AM

Please note that iptables service is stopped right now on my squid. If I start it every user is allowed to bypass squid rules.

bathory · 05-28-2014, 03:07 AM

Quote:

Originally Posted by Saaj

Please note that iptables service is stopped right now on my squid. If I start it every user is allowed to bypass squid rules.

Huh, it's supposed to work the other way around. You use iptables forward port 80 traffic to squid.
So I really don't get your setup. How do you block users to go out to the net with iptables stopped? And they can bypass squid when iptables is running?

Saaj · 05-28-2014, 03:19 AM

Let me explain you the scenario.

I am using proxy on client computers. by going through that proxy the users are forced to use squid server as gateway for web.
ACLs are implemented in squid.conf file and the users are restricted by these ACLs.

IPtables service is not running only squid is forwarding/blocking all clients access.

Saaj · 05-28-2014, 03:23 AM

Following are the iptables rules which are permitting all users to bypass squid when IPtables service is started.

:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

bathory · 05-28-2014, 06:16 AM

Quote:

Originally Posted by Saaj

Let me explain you the scenario.

I am using proxy on client computers. by going through that proxy the users are forced to use squid server as gateway for web.
ACLs are implemented in squid.conf file and the users are restricted by these ACLs.

IPtables service is not running only squid is forwarding/blocking all clients access.

You may need to setup squid as a transparent proxy, using iptables to forward requests for port80 and thus you can allow the specific IP to bypass squid and go directly out to the net

Saaj · 05-28-2014, 07:04 AM

Is there any other option. Can anyone help in this scenario?