* Bypass transparent proxy(Squid)
From: Jerry Robles de Medina @ 2004-03-31 18:29 UTC (permalink / raw)
To: netfilter
Dear all,
I have read somewhere along the posts that it is possible to let 2 pc's (ip's) bypass a transparent proxy server(squid cache).
I have tried it in the rc.firewall.up file but I cannot get it working.
Can someone please shed some light into my problem? I know it has to do with iptables but dunno where and how.
Regards,
Jerry
* Re: Bypass transparent proxy(Squid)
From: David Cannings @ 2004-03-31 18:40 UTC (permalink / raw)
To: netfilter
On Wednesday 31 March 2004 19:29, Jerry Robles de Medina wrote:
> I have read somewhere along the posts that it is possible to let 2 pc's
> (ip's) bypass a transparent proxy server(squid cache). I have tried it
> in the rc.firewall.up file but I cannot get it working.
Please explain what you have tried, including the output of your chains
from:
iptables -L -nvx; iptables -L -t nat -nvx
David
* RE: Bypass transparent proxy(Squid)
From: Jerry Robles de Medina @ 2004-03-31 18:52 UTC (permalink / raw)
To: David Cannings, netfilter
I am using smoothwall 2.0 and in its admin page you can set the proxy to be transparent.
And in the rc.firewall.up file I put in
/sbin/iptables -t nat -I squid -p tcp -s ! 192.168.0.45 --dport 80 -j REDIRECT --to-ports 800
But I have no idea if this is good or bad.
Jerry
* Re: Bypass transparent proxy(Squid)
From: Antony Stone @ 2004-03-31 19:22 UTC (permalink / raw)
To: netfilter
On Wednesday 31 March 2004 7:29 pm, Jerry Robles de Medina wrote:
> Dear all,
> I have read somewhere along the posts that it is possible to let 2 pc's
> (ip's) bypass a transparent proxy server(squid cache). I have tried it in
> the rc.firewall.up file but I cannot get it working. Can someone please
> shed some light into my problem? I know it has to do with iptables but dunno
> where and how.
The trick is to create a user-defined chain, match the addresses you want as
exceptions, then do the NAT at the end of the chain (after the exceptions
have been returned to the main chain).
Something like:
iptables -t nat -N mychain
iptables -A PREROUTING -t nat -p tcp --dport 80 -j mychain
iptables -A mychain -t nat -s a.b.c.d -j RETURN
iptables -A mychain -t nat -s w.x.y.z -j RETURN
iptables -A mychain -t nat -p tcp -j DNAT --to my.squid.proxy.server:3128
The way this works is:
1. Only packets addressed to port 80 get processed by the user defined chain
2. The first exception source address a.b.c.d immediately returns (unchanged)
to the main PREROUTING chain.
3. The second exception address w.x.y.z returns to the main PREROUTING chain.
4. Any other addresses get redirected.
I'm sure you can adjust this to your own requirements now you see the trick
involved. The important point is to recognise that the negation operator !
cannot deal with more than one exception address, so there's no point trying
to force it to work.
Regards,
Antony.
--
The words "e pluribus unum" on the Great Seal of the United States are from a
poem by Virgil entitled "Moretum", which is about cheese and garlic salad
dressing.
Please reply to the list;
please don't CC me.
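The exception-chain layout Antony describes, generalised to any number of bypass hosts, as an added example that is not part of the thread. Chain name, proxy address and host addresses are placeholders supplied by the caller; the generator only prints the commands, and the order check is a constructed helper for reviewing a rule listing before or after it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): generalises Antony's exception-chain layout
# to any number of bypass hosts. Chain name, proxy address and host addresses are
# placeholders passed in by the caller; nothing is applied unless piped to sh.

# Print the nat-table commands, one per line, so they can be reviewed first.
# Usage: proxy_bypass_rules CHAIN PROXY_ADDR:PORT EXCEPTION_IP [EXCEPTION_IP...]
proxy_bypass_rules() {
    chain=$1; proxy=$2; shift 2
    # -N without -t nat would create the chain in the filter table, and the
    # later -t nat appends would then fail; -F makes re-runs start clean.
    printf 'iptables -t nat -N %s 2>/dev/null\n' "$chain"
    printf 'iptables -t nat -F %s\n' "$chain"
    # Divert port-80 traffic into the chain once (-C avoids a duplicate jump).
    printf 'iptables -t nat -C PREROUTING -p tcp --dport 80 -j %s 2>/dev/null || ' "$chain"
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j %s\n' "$chain"
    # One RETURN per exception host: its packets leave the chain untouched.
    for host in "$@"; do
        printf 'iptables -t nat -A %s -s %s -j RETURN\n' "$chain" "$host"
    done
    # Everyone else goes to Squid. DNAT needs -p tcp when a port is given,
    # and this rule must stay last or the exceptions above never fire.
    printf 'iptables -t nat -A %s -p tcp -j DNAT --to-destination %s\n' "$chain" "$proxy"
}

# Check a rule listing: every RETURN must come before the DNAT, otherwise the
# exceptions are dead rules. Exit status 0 means the order is right.
bypass_order_ok() {
    printf '%s\n' "$1" | awk '
        /-j DNAT/   { seen_dnat = 1 }
        /-j RETURN/ { if (seen_dnat) bad = 1 }
        END { exit bad }'
}

# Count the exception rules in a listing (handy on "iptables -t nat -S CHAIN" output).
bypass_exception_count() {
    printf '%s\n' "$1" | grep -c -- '-j RETURN'
}

# Review the generated rules for two constructed sample hosts; pipe to sh to apply.
proxy_bypass_rules proxy_bypass 192.0.2.10:3128 192.168.0.45 192.168.0.46
```

After applying, `iptables -t nat -S proxy_bypass` fed to bypass_order_ok confirms the DNAT rule is still last.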
* RE: Bypass transparent proxy(Squid)
From: Jerry Robles de Medina @ 2004-04-01 11:04 UTC (permalink / raw)
To: netfilter
Thanks Antony,
Have you done this already in a situation?
I'll try it out and let the list know how it went.
Jerry
* RE: Bypass transparent proxy(Squid)
From: Ray Leach @ 2004-04-01 11:16 UTC (permalink / raw)
To: Netfilter Mailing List
On Thu, 2004-04-01 at 13:04, Jerry Robles de Medina wrote:
> Thanks Antony,
> Have you done this already in a situation?
> I'll try it out and let the list know how it went.
> Jerry
>
I have done this, and it works.
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: Bypass transparent proxy(Squid)
From: Antony Stone @ 2004-04-01 12:12 UTC (permalink / raw)
To: netfilter
On Thursday 01 April 2004 12:04 pm, Jerry Robles de Medina wrote:
> Thanks Antony,
> Have you done this already in a situation?
The exception rule trick? Yes - several times.
With Squid specifically? No, but it shouldn't make any difference.
> I'll try it out and let the list know how it went.
Glad to see it did.
Regards,
Antony.
--
If at first you don't succeed, destroy all the evidence that you tried.
Please reply to the list;
please don't CC me.