Shifting to a site that does not pass by the squid authenticated

gariani · 07-21-2009, 02:35 PM

Hello everyone.
First of all, I would say that my English is not the best, so excuse anything.

I am facing the following situation:

I'm building a server squid authenticated with a server firewall, the structure would be the INTERNET <---> (eth0) FIREWALL / SQUID Authenticate (eth1 )<---> internal network.

- Eth0 is the card that connects to the modem, but it has static ip (192.168.1.2) and the internet real ip is dynamic.
- Eth1 (192.168.2.0/24) is to provide the internal network ips through DHCP server.

Need, through iptables divert a particular site so that it does not pass by the squid, because it uses port 80 but not for http, and when he passes through the squid, the application site does not work, and also making use of that rule the squid, to direct it, it also does not work.

Searching on the net, I saw that if you use "iptables-t nat-A POSTROUTING-s 192.168.2.0/24-j MASQUERADE", my users will access the site normally, but if I shot the configuration of proxy in the browser, the users can navigate normally, how can I avoid this and release only the specific site I want, where he makes use of ips 200201166200, 200201174207 ...

I'm seeing really crazy over this problem, as I do not have much knowledge of iptables, that makes my situation even more.

If anyone has any ideas, I am grateful.

Att.

win32sux · 07-21-2009, 02:46 PM

Quote:

Originally Posted by gariani

Hello everyone.
First of all, I would say that my English is not the best, so excuse anything.

I am facing the following situation:

I'm building a server squid authenticated with a server firewall, the structure would be the INTERNET <---> (eth0) FIREWALL / SQUID Authenticate (eth1 )<---> internal network.

- Eth0 is the card that connects to the modem, but it has static ip (192.168.1.2) and the internet real ip is dynamic.
- Eth1 (192.168.2.0/24) is to provide the internal network ips through DHCP server.

Need, through iptables divert a particular site so that it does not pass by the squid, because it uses port 80 but not for http, and when he passes through the squid, the application site does not work, and also making use of that rule the squid, to direct it, it also does not work.

Searching on the net, I saw that if you use "iptables-t nat-A POSTROUTING-s 192.168.2.0/24-j MASQUERADE", my users will access the site normally, but if I shot the configuration of proxy in the browser, the users can navigate normally, how can I avoid this and release only the specific site I want, where he makes use of ips 200201166200, 200201174207 ...

I'm seeing really crazy over this problem, as I do not have much knowledge of iptables, that makes my situation even more.

If anyone has any ideas, I am grateful.

Att.

Welcome to LQ!

You could do something like this:

Code:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.2.0/24 -d 200.201.166.200 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.2.0/24 -d 200.201.174.207 --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This makes sure packets are only forwarded if the destination IP is one of the two.