LinuxQuestions.org
Old 05-23-2014, 03:24 PM   #1
Saaj
LQ Newbie
 
Registered: May 2014
Location: Pakistan
Distribution: Fedora
Posts: 8

Rep: Reputation: Disabled
Squid on Fedora Need to bypass some clients through squid


Hello All members.
Good day
I have a question regarding Squid. I have configured a squid proxy server on Fedora to restrict Internet access on some staff computers. To do so, I placed some ACLs in squid.conf and stopped iptables to stop clients from bypassing the proxy. It worked fine for the scenario, but now I need to exempt some clients from the proxy server, meaning to allow them direct access to the router.
Please help.
 
Old 05-23-2014, 05:40 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,886

Rep: Reputation: 1608
Hi,

You can use the always_direct option in squid.conf:
Code:
acl foo src x.x.x.x y.y.y.y
always_direct allow foo
Regards
 
Old 05-24-2014, 04:48 AM   #3
Saaj
LQ Newbie
 
Registered: May 2014
Location: Pakistan
Distribution: Fedora
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thank you for the quick response.

But it is not working. I allowed an IP address, 192.168.0.10, as you suggested, but it is still being restricted by squid.

Please help.
 
Old 05-24-2014, 09:23 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,886

Rep: Reputation: 1608
If you want to bypass the squid server, so you can connect directly to the net, you should use an iptables rule like this:
Code:
iptables -t nat -I PREROUTING -i eth0 -p tcp -s 192.168.0.10 --dport 80 -j ACCEPT
 
Old 05-28-2014, 02:21 AM   #5
Saaj
LQ Newbie
 
Registered: May 2014
Location: Pakistan
Distribution: Fedora
Posts: 8

Original Poster
Rep: Reputation: Disabled
Okay, this will allow traffic from 192.168.0.10 to bypass. How would I restrict traffic of all other nodes?
 
Old 05-28-2014, 02:22 AM   #6
Saaj
LQ Newbie
 
Registered: May 2014
Location: Pakistan
Distribution: Fedora
Posts: 8

Original Poster
Rep: Reputation: Disabled
Please note that iptables service is stopped right now on my squid. If I start it every user is allowed to bypass squid rules.
 
Old 05-28-2014, 04:07 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,886

Rep: Reputation: 1608
Quote:
Originally Posted by Saaj
Please note that iptables service is stopped right now on my squid. If I start it every user is allowed to bypass squid rules.
Huh, it's supposed to work the other way around. You use iptables to forward port 80 traffic to squid.
So I really don't get your setup. How do you block users from going out to the net with iptables stopped? And they can bypass squid when iptables is running?
 
Old 05-28-2014, 04:19 AM   #8
Saaj
LQ Newbie
 
Registered: May 2014
Location: Pakistan
Distribution: Fedora
Posts: 8

Original Poster
Rep: Reputation: Disabled
Let me explain the scenario to you.

I am using a proxy on client computers. By going through that proxy, the users are forced to use the squid server as gateway for web.
ACLs are implemented in the squid.conf file and the users are restricted by these ACLs.

The iptables service is not running; only squid is forwarding/blocking all clients' access.
 
Old 05-28-2014, 04:23 AM   #9
Saaj
LQ Newbie
 
Registered: May 2014
Location: Pakistan
Distribution: Fedora
Posts: 8

Original Poster
Rep: Reputation: Disabled
Following are the iptables rules which are permitting all users to bypass squid when IPtables service is started.

:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
Old 05-28-2014, 07:16 AM   #10
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,886

Rep: Reputation: 1608
Quote:
Originally Posted by Saaj
Let me explain the scenario to you.

I am using a proxy on client computers. By going through that proxy, the users are forced to use the squid server as gateway for web.
ACLs are implemented in the squid.conf file and the users are restricted by these ACLs.

The iptables service is not running; only squid is forwarding/blocking all clients' access.
You may need to set up squid as a transparent proxy, using iptables to forward requests for port 80, and thus you can allow the specific IP to bypass squid and go directly out to the net.
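
The setup suggested in this post, written out as an added example (not code from the thread): a shell function that prints an iptables-restore ruleset which redirects LAN port-80 traffic to Squid, exempts listed clients ahead of the redirect, and drops forwarding for everyone else. The interface names, the 3129 intercept port and the function names are assumptions, and IP forwarding is assumed to be enabled on the gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset for a
# gateway running Squid in intercept mode, with per-client exemptions.
# Assumed names: eth0 = LAN side, eth1 = router side, and Squid configured with
# "http_port 3129 intercept" (interfaces and port are placeholders).
LAN_IF=eth0
WAN_IF=eth1
SQUID_PORT=3129

# Accept only dotted-quad IPv4 so nothing unexpected lands in the ruleset.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# gen_rules IP...  -> ruleset on stdout; non-zero status on a bad address.
gen_rules() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # Exemptions come first: ACCEPT ends nat traversal before the REDIRECT.
    for ip in "$@"; do
        echo "-A PREROUTING -i $LAN_IF -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # Everyone else's port-80 traffic is handed to Squid, where its ACLs apply.
    echo "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'   # INPUT hardening is out of scope here
    echo ':FORWARD DROP [0:0]'   # default: no routed path around the proxy
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Only exempt clients may be routed straight out to the router.
    for ip in "$@"; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -j ACCEPT"
    done
    echo 'COMMIT'
}

# Dry run on the gateway: gen_rules 192.168.0.10 | iptables-restore --test
```

Port 443 is not intercepted, so non-exempt clients get no HTTPS through this ruleset, and they need a DNS resolver they can reach without forwarding (for example on the gateway itself).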
 
Old 05-28-2014, 08:04 AM   #11
Saaj
LQ Newbie
 
Registered: May 2014
Location: Pakistan
Distribution: Fedora
Posts: 8

Original Poster
Rep: Reputation: Disabled
Is there any other option? Can anyone help in this scenario?
 
  

