Shifting to a site that does not pass by the squid authenticated
Hello everyone.
First of all, I should say that my English is not the best, so please excuse any mistakes.
I am facing the following situation:
I'm building an authenticated squid server on a firewall server; the structure would be: INTERNET <---> (eth0) FIREWALL / SQUID with authentication (eth1) <---> internal network.
- eth0 is the card that connects to the modem; it has a static IP (192.168.1.2), and the real Internet IP is dynamic.
- eth1 (192.168.2.0/24) provides the internal network with IPs through a DHCP server.
I need, through iptables, to divert a particular site so that it does not pass through squid, because it uses port 80 but not for HTTP, and when it passes through squid the site's application does not work; also, using a rule in squid to direct it does not work either.
Searching on the net, I saw that if you use "iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE", my users will access the site normally, but if I shut off the proxy configuration in the browser, the users can navigate normally too. How can I avoid this and release only the specific site I want, which makes use of the IPs 200.201.166.200, 200.201.174.207 ...?
I'm going really crazy over this problem, as I do not have much knowledge of iptables, which makes my situation even worse.
If anyone has any ideas, I am grateful.
Regards.
Welcome to LQ!
You could do something like this:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.2.0/24 -d 200.201.166.200 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.2.0/24 -d 200.201.174.207 --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This makes sure packets are only forwarded if the destination IP is one of the two.
Last edited by win32sux; 07-21-2009 at 04:03 PM.
Reason: Realized it wasn't transparent mode.
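To see why these rules close the "turn off the proxy in the browser" hole, here is a small first-match model of the FORWARD chain from the reply above. It is an added example, not code from the thread or from netfilter: it models only the fields the posted rules test (protocol, interfaces, addresses, destination port, conntrack state), and the LAN client 192.168.2.10 and the outside address 198.51.100.7 are constructed sample values.

```python
import ipaddress

# The FORWARD chain from the reply, in order. A rule only tests the fields it
# names; anything it does not name matches any packet (as with iptables).
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"proto": "tcp", "in": "eth1", "out": "eth0", "src": "192.168.2.0/24",
     "dst": "200.201.166.200", "dport": 80, "state": {"NEW"}, "target": "ACCEPT"},
    {"proto": "tcp", "in": "eth1", "out": "eth0", "src": "192.168.2.0/24",
     "dst": "200.201.174.207", "dport": 80, "state": {"NEW"}, "target": "ACCEPT"},
]


def _matches(rule, pkt):
    """True when every match field present in the rule agrees with the packet."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    for key in ("in", "out"):
        if key in rule and pkt[key] != rule[key]:
            return False
    for key in ("src", "dst"):  # -s / -d accept a host or a CIDR prefix
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    return True


def forward_verdict(pkt, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """First matching rule decides; the chain policy applies when none matches."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["target"]
    return policy


def client_flow(dst, dport, proto="tcp", state="NEW"):
    """A connection attempt from a LAN host (constructed: 192.168.2.10) going out eth0."""
    return {"proto": proto, "in": "eth1", "out": "eth0", "src": "192.168.2.10",
            "dst": dst, "dport": dport, "state": state}


if __name__ == "__main__":
    print("app site, port 80:   ", forward_verdict(client_flow("200.201.166.200", 80)))  # ACCEPT
    print("proxy bypass, other: ", forward_verdict(client_flow("198.51.100.7", 80)))     # DROP
    print("app site, port 443:  ", forward_verdict(client_flow("200.201.166.200", 443))) # DROP
```

Squid's own outbound connections originate on the firewall host itself, so they traverse OUTPUT rather than FORWARD and are unaffected by the DROP policy; only routed client traffic is limited to the two application addresses.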