Using iptables to bypass squid proxy for a specific domain
We're running SmartFilter (an Internet content filter) on RedHat Linux Enterprise and squid. Traffic is directed to our proxy from our member schools through a variety of means (router policy based rules, Windows profiles, firewall appliance proxy configurations).
There are a few destination sites that do not work well when traffic goes through our proxy, so we would like to bypass squid totally for specific domains (IPs). The iptables line redirecting traffic to squid is:
Code:
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
After MUCH research, we have tried placing the line below just ahead of it in iptables:
Code:
-A PREROUTING -p tcp -m tcp -d a.b.c.d -j ACCEPT
(where a.b.c.d is the destination domain we would like to bypass squid for.) After editing iptables and restarting that service, web traffic to the a.b.c.d domain still shows up in /usr/local/squid/var/logs/access.log, so traffic to a.b.c.d is still going through squid. Ideas? Thanks in advance!
Never tried it via iptables rules, but can you not simply create an acl within squid telling it to never cache certain domains? That's how I get around sites not working properly through the proxy - this way Squid simply forwards the requests directly to the net and back to the appropriate client.
@jcopley:
Could you post your full ruleset for us? Make sure to remove any public IPs. Also, if you do iptables -vnL, do you see the rule you've added in the right place?
That's the way I've done squid bypassing for a local net:
Code:
-A PREROUTING -i eth0 -d 192.168.0.0/16 -j ACCEPT
Our system is in gateway mode with 2 NICs; here is my bypass of Squid & Dansguardian.
Code:
iptables -t nat -I PREROUTING -d apple.com -p tcp --dport 80 -j ACCEPT
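Added example, not code from any of the posts above: a small shell script that builds the nat-table PREROUTING rules with every bypass ACCEPT placed ahead of the REDIRECT to squid, and checks that ordering before anything is loaded. The squid port (3128), the LAN interface (eth0) and the two bypass destinations are assumed or constructed values; replace them with your own.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the nat-table PREROUTING
# rules in iptables-restore format with every bypass ACCEPT placed before the
# REDIRECT to squid, and checks that ordering before anything is loaded.
# Hypothetical values: squid on port 3128, LAN-facing interface eth0,
# and two constructed bypass destinations (one address and one CIDR range).

SQUID_PORT=3128
LAN_IF=eth0
# Constructed sample destinations. Use the address ranges a site actually
# serves from: iptables resolves a hostname once, when the rule is loaded.
BYPASS="198.51.100.10 203.0.113.0/24"

# Print a complete *nat block suitable for iptables-restore (or for pasting
# into the nat section of /etc/sysconfig/iptables on Red Hat).
gen_nat_rules() {
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    for dst in $BYPASS; do
        # Bypass rules must be in the nat table and precede the REDIRECT;
        # otherwise the packet has already been redirected to squid.
        printf '%s\n' "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $dst -j ACCEPT"
    done
    printf '%s\n' "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    printf '%s\n' 'COMMIT'
}

# Exit 0 only if every '-j ACCEPT' rule in the given text comes before the
# first '-j REDIRECT' rule; this is the ordering mistake the thread is about.
check_order() {
    rules="$1"
    redirect_line=$(printf '%s\n' "$rules" | grep -n -- '-j REDIRECT' | head -n 1 | cut -d: -f1)
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    [ -n "$redirect_line" ] || return 1
    [ -n "$last_accept" ] || return 1
    [ "$last_accept" -lt "$redirect_line" ]
}

# Number of bypass (ACCEPT) rules in the generated text.
count_bypass() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

RULES=$(gen_nat_rules)
printf '%s\n' "$RULES"
if check_order "$RULES"; then
    echo "OK: bypass rules precede the REDIRECT"
else
    echo "WRONG ORDER: the REDIRECT would catch the bypass traffic first" >&2
fi
# As root, load with (this replaces the whole nat table):
#   printf '%s\n' "$RULES" | iptables-restore
# then confirm position and hit counters with:
#   iptables -t nat -vnL PREROUTING --line-numbers
```

Two points the replies touch on but do not spell out: the bypass rule has to live in the nat table (`-t nat` on the command line, or the `*nat` section of /etc/sysconfig/iptables on Red Hat), because that is the table the REDIRECT sits in, and a hostname given to `-d` is resolved only once, when the rule is loaded, so a site served from many addresses needs its address ranges listed explicitly. After loading, the packet counters from `iptables -t nat -vnL PREROUTING --line-numbers` show whether the ACCEPT rules are actually matching before the REDIRECT.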