LinuxQuestions.org


jcopley 11-20-2005 06:58 AM

Using iptables to bypass squid proxy for a specific domain
 
We're running SmartFilter (an Internet content filter) on RedHat Linux Enterprise and squid. Traffic is directed to our proxy from our member schools through a variety of means (router policy based rules, Windows profiles, firewall appliance proxy configurations).

There are a few destination sites that do not work well when traffic goes through our proxy so we would like to bypass squid totally for specific domains (IPs).

The iptables line redirecting traffic to squid is:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

After MUCH research, we have tried placing the line below just ahead of it in iptables.

-A PREROUTING -p tcp -m tcp -d a.b.c.d -j ACCEPT

(where a.b.c.d is the destination domain we would like to bypass squid for.)

After editing iptables and restarting that service, web traffic to the a.b.c.d domain still shows up in /usr/local/squid/var/logs/access.log so traffic to a.b.c.d is still going through squid.

Ideas?
Thanks in advance!

fouldsy 11-20-2005 08:41 AM

Never tried it via iptables rules, but can you not simply create an acl within squid telling it to never cache certain domains? That's how I get around sites not working properly through the proxy - this way Squid simply forwards the requests directly to the net and back to the appropriate client.

Capt_Caveman 11-20-2005 09:34 AM

@jcopley:
Could you post your full ruleset for us? Make sure to remove any public IPs. Also if you do iptables -vnL do you see the rule you've added in the right place?

GSMD 07-18-2007 12:50 PM

That's the way I've done squid bypassing for a local net:
Code:

-A PREROUTING -i eth0 -d 192.168.0.0/16 -j ACCEPT
-A PREROUTING -i eth0 -d 10.0.0.0/8    -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

with eth0 being a local net (172.20.1.0/24) and the other private subnets mentioned being outside.
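The two rulesets in this thread (the original poster's ACCEPT-before-REDIRECT attempt and GSMD's working version) both rely on the same fact: in the nat table's PREROUTING chain, ACCEPT is a terminating target, so a packet that hits an ACCEPT line leaves the chain and never reaches the REDIRECT line. The script below is an added example, not code posted in the thread. It generates the nat rules in iptables-restore format with the per-destination exceptions first, and then walks a rule list with first-match semantics to show what verdict a given destination gets, in the correct order and in the reversed order. The destination addresses 203.0.113.10, 203.0.113.20 and 198.51.100.5 are constructed stand-ins for the poster's a.b.c.d; eth0 as the school-facing interface is an assumption; 3128 is Squid's port from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): nat PREROUTING rules that send port-80
# traffic to Squid, with per-destination ACCEPT exceptions placed BEFORE the
# REDIRECT rule, plus a small first-match walker that shows why order matters.
# The bypass addresses are constructed documentation addresses, not real sites.

BYPASS_DSTS="203.0.113.10 203.0.113.20"   # constructed stand-ins for a.b.c.d
LAN_IF="eth0"                             # assumption: interface facing the schools
SQUID_PORT="3128"                         # Squid port from the thread

# Emit the nat-table rules in iptables-restore format. Every ACCEPT exception
# comes first: ACCEPT terminates the chain for a matching packet, so it is
# never redirected. Keep the exception list as tight as possible, because
# these destinations also skip the content filter sitting behind Squid.
nat_rules() {
    echo '*nat'
    for dst in $BYPASS_DSTS; do
        echo "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $dst -j ACCEPT"
    done
    echo "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    echo 'COMMIT'
}

# The same rules with the REDIRECT line first: the shape that leaves bypassed
# sites in Squid's access.log, because REDIRECT already consumed the packet.
nat_rules_wrong_order() {
    echo '*nat'
    echo "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    for dst in $BYPASS_DSTS; do
        echo "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $dst -j ACCEPT"
    done
    echo 'COMMIT'
}

# First-match walk over "-A PREROUTING ..." lines read from stdin for a given
# destination IP ($1). Only -d and -j are inspected; a rule without -d is a
# catch-all. Prints the target of the first matching rule, or NOMATCH.
nat_verdict() {
    dst="$1"
    while read -r line; do
        case "$line" in
            -A\ PREROUTING*) ;;
            *) continue ;;
        esac
        rule_dst=$(printf '%s\n' "$line" | sed -n 's/.*-d \([^ ]*\).*/\1/p')
        target=$(printf '%s\n' "$line" | sed -n 's/.*-j \([^ ]*\).*/\1/p')
        if [ -z "$rule_dst" ] || [ "$rule_dst" = "$dst" ]; then
            echo "$target"
            return 0
        fi
    done
    echo "NOMATCH"
}

# Demonstration: a bypassed destination and an ordinary one, in both orderings.
for ip in 203.0.113.10 198.51.100.5; do
    printf '%-14s correct order -> %-8s  wrong order -> %s\n' "$ip" \
        "$(nat_rules | nat_verdict "$ip")" \
        "$(nat_rules_wrong_order | nat_verdict "$ip")"
done
```

On a real box, `iptables -t nat -vnL PREROUTING --line-numbers` shows the live order together with per-rule packet counters, which is the quickest way to confirm that the ACCEPT line sits above the REDIRECT line and is actually being hit. Two caveats follow from the rules themselves: the exception must live in the nat table (a `-d a.b.c.d -j ACCEPT` placed in the filter table does nothing to stop the redirect), and an ACCEPT in nat only skips redirection, so the bypassed traffic is no longer seen by Squid or the filter behind it.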
