From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: RE: Bypass transparent proxy(Squid)
Date: Thu, 01 Apr 2004 13:16:02 +0200
Message-ID: <1080818161.1288.25.camel@raylinux.internal>
In-Reply-To: <040EAEDD7A465C4AA0350CB69A326D550C3943@backup2.GODO-2000>

On Thu, 2004-04-01 at 13:04, Jerry Robles de Medina wrote:
> Thanks Anthony,
> Have you done this already in a situation?
> I'll try it out and let the list know how it went.
> Jerry
> 
I have done this, and it works.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
> Sent: March 31, 2004 4:23 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Bypass transparent proxy(Squid)
> 
> On Wednesday 31 March 2004 7:29 pm, Jerry Robles de Medina wrote:
> 
> > Dear all,
> > I have read somewhere along the posts that it is possible to let 2 pc's
> > (ip's) bypass a transparent proxy server(squid cache). I have tried it in
> > the rc.firewall.up file but I cannot get it working. Can someone please
> > shed some light into my problem? I know it has to do with iptables but dunno
> > where and how.
> 
> The trick is to create a user-defined chain, match the addresses you want as 
> exceptions, then do the NAT at the end of the chain (after the exceptions 
> have been returned to the main chain).
> 
> Something like:
> 
> iptables -t nat -N mychain
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j mychain
> iptables -t nat -A mychain -s a.b.c.d -j RETURN
> iptables -t nat -A mychain -s w.x.y.z -j RETURN
> iptables -t nat -A mychain -p tcp -j DNAT --to my.squid.proxy.server:3128
> 
> The way this works is:
> 1. Only packets addressed to port 80 get processed by the user defined chain
> 2. The first exception source address a.b.c.d immediately returns (unchanged) 
> to the main PREROUTING chain.
> 3. The second exception address w.x.y.z returns to the main PREROUTING chain.
> 4. Any other addresses get redirected.
> 
> I'm sure you can adjust this to your own requirements now you see the trick 
> involved.   The important point is to recognise that the negation operator ! 
> cannot deal with more than one exception address, so there's no point trying 
> to force it to work.
> 
> Regards,
> 
> Antony.
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
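The chain-with-exceptions trick Antony describes, written up as an added example script (this is not code from the thread and not anything Ray or Antony posted). It generates the rules for any number of exception hosts rather than two, creates the chain in the nat table so PREROUTING can jump to it, and is safe to re-run because it flushes an existing chain and only hooks it into PREROUTING once. The addresses, port, and chain name are placeholders to replace; the script also assumes an iptables new enough to have the -C (check) option, which is more recent than this 2004 thread. One line the thread does not mention but a practitioner will want: the proxy host's own address gets a RETURN too, otherwise Squid's outbound HTTP would be DNATed back to itself if it passes through this box.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds (and optionally
# applies) a nat-table bypass chain in the style Antony describes, for any
# number of exception hosts. All addresses, the port and the chain name are
# assumptions for illustration; substitute your own.

PROXY_IP="10.0.0.2"                  # assumed address of the Squid box
PROXY_PORT="3128"
CHAIN="proxy_bypass"                 # assumed chain name (Antony used "mychain")
EXCEPTIONS="10.0.0.50 10.0.0.51"     # assumed hosts that must not be proxied

# build_rules PROXY PORT CHAIN EXCEPTION...
# Prints one iptables command per line. Printing rather than executing lets
# you review the rule set first (and lets this run without root).
build_rules() {
    proxy="$1" port="$2" chain="$3"
    shift 3
    # Create the chain in the nat table. A bare "-N" would create it in the
    # filter table, where "PREROUTING -t nat" could never jump to it. If it
    # already exists, flush it so re-running does not append duplicates.
    printf 'iptables -t nat -N %s 2>/dev/null || iptables -t nat -F %s\n' "$chain" "$chain"
    # The proxy's own outbound HTTP must not be DNATed back to itself.
    printf 'iptables -t nat -A %s -s %s -j RETURN\n' "$chain" "$proxy"
    # One RETURN per exception; each leaves the packet untouched and hands
    # it back to PREROUTING before the DNAT rule is reached.
    for ip in "$@"; do
        printf 'iptables -t nat -A %s -s %s -j RETURN\n' "$chain" "$ip"
    done
    # Everything still in the chain gets redirected. "-p tcp" is required
    # on this rule: DNAT refuses a port specification without a protocol.
    printf 'iptables -t nat -A %s -p tcp -j DNAT --to-destination %s:%s\n' "$chain" "$proxy" "$port"
    # Hook the chain into PREROUTING only if it is not already hooked
    # (-C checks for an identical rule; it exists in iptables 1.4.11+).
    printf 'iptables -t nat -C PREROUTING -p tcp --dport 80 -j %s 2>/dev/null || iptables -t nat -A PREROUTING -p tcp --dport 80 -j %s\n' "$chain" "$chain"
}

# count_returns PROXY PORT CHAIN EXCEPTION...
# Number of "-s ... -j RETURN" rules emitted: proxy + one per exception.
count_returns() {
    build_rules "$@" | grep -c -- "-A $3 -s .* -j RETURN"
}

# Usage: ./bypass.sh        -> print the rules for review
#        ./bypass.sh apply  -> run them (as root)
if [ "${1:-}" = "apply" ]; then
    build_rules "$PROXY_IP" "$PROXY_PORT" "$CHAIN" $EXCEPTIONS | sh -e
else
    build_rules "$PROXY_IP" "$PROXY_PORT" "$CHAIN" $EXCEPTIONS
fi
```

Run it without arguments first and read the output: the RETURN lines must all come before the single DNAT line, because a RETURN hands the packet back to PREROUTING unchanged and nothing later in the chain runs for it. Once the list looks right, run it with "apply" as root.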
