* Allow traffic through a server using iptables.
@ 2006-04-21 12:31 Tony
From: Tony @ 2006-04-21 12:31 UTC (permalink / raw)
  To: netfilter

I need some advice on allowing traffic to just pass through a server.
The traffic is all web traffic from users connected to our network.

What we have is a Cisco 7204 terminating DSL connections and we force all
web traffic to our squid proxy server.
The proxy server has the following iptables entries to forward port 80 to
the squid port 3128.

/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables -A PREROUTING -t nat -p tcp -s 192.168.1.0/20 --dport 80 -j DNAT --to <IP ETH0:1>:3128


Requests from the Cisco come in on eth0 and we have another IP address on
eth1 that Squid listens on.
This all works fine and users can browse the web.
However, because of a couple of problems with some web sites (some that use
NTLM authentication, which squid can't handle, so the site fails, and some
gaming sites), some users need to bypass the proxy.
Now I could do this via the Cisco by adding an entry for each IP address
that needs to be forwarded to squid and not adding one for those that don't.
However, that would be a lot of config to put on the router and will create a
lot of load, as each packet will have to be inspected to see if it matches an
IP address in the access-list, whereas at the moment it doesn't care what the
source IP address is and just forwards all web traffic to the squid server.

The best way to do this is on the squid server using iptables, but my
knowledge of iptables is limited and I can't find out how to do this.
How do I tell iptables that an IP address should just be passed through the
server and not sent to squid?
Currently, if I take an IP address out of the ip rule for forwarding to squid,
the web requests from that IP address just fail, since the server doesn't run
web and doesn't know that it should just be forwarded out into the Internet.

Thanks
Tony







* Re: Allow traffic through a server using iptables.
@ 2006-04-23 12:17 ` Martijn Lievaart
From: Martijn Lievaart @ 2006-04-23 12:17 UTC (permalink / raw)
  To: Tony; +Cc: netfilter

Tony wrote:

>The best way to do this is on the squid server using iptables, but my
>knowledge of iptables is limited and I can't find out how to do this.
>How do I tell iptables that an IP address should just be passed through the
>server and not sent to squid?
>Currently, if I take an IP address out of the ip rule for forwarding to squid,
>the web requests from that IP address just fail, since the server doesn't run
>web and doesn't know that it should just be forwarded out into the Internet.

Maybe something like:

# the SQUID chain has to exist in the nat table before a rule can jump to it
/sbin/iptables -t nat -N SQUID
/sbin/iptables -A PREROUTING -t nat -p tcp -s 192.168.1.0/20 --dport 80 -j SQUID
# RETURN sends the packet back to PREROUTING without the DNAT, so it is routed normally
/sbin/iptables -t nat -A SQUID -d <some ip> -j RETURN
/sbin/iptables -t nat -A SQUID -d <some ip> -j RETURN
/sbin/iptables -t nat -A SQUID -d <some ip> -j RETURN
# everything still in the chain goes to squid; this catch-all must be last
/sbin/iptables -t nat -A SQUID -j DNAT --to <IP ETH0:1>:3128


does what you want?

M4
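As an added example (not from Tony's or Martijn's mail), the following POSIX shell script builds the bypass chain the reply describes: it creates the chain in the nat table before anything jumps to it, puts RETURN entries in front of the DNAT for both client source addresses and destination sites, hooks the chain into PREROUTING only once, and checks that IP forwarding is on so bypassed packets actually leave the box through Tony's existing MASQUERADE rule. The proxy address 192.0.2.10:3128 and the bypass addresses are constructed placeholders; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: transparent-proxy redirect with a bypass
# chain. Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-/sbin/iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/20}"          # client range from Tony's rule
SQUID_ADDR="${SQUID_ADDR:-192.0.2.10:3128}"   # constructed; use <IP ETH0:1>:3128
CHAIN="SQUID"
BYPASS_SRC="${BYPASS_SRC:-192.168.1.50 192.168.2.7}"   # constructed client IPs
BYPASS_DST="${BYPASS_DST:-198.51.100.20}"             # constructed site IP

# A -j SQUID target is rejected unless the chain exists in the nat table.
setup_chain() {
    $IPT -t nat -N "$CHAIN" 2>/dev/null || $IPT -t nat -F "$CHAIN"
}

# RETURN leaves the chain before the DNAT, so these packets are routed normally.
bypass_rules() {
    for s in $BYPASS_SRC; do $IPT -t nat -A "$CHAIN" -s "$s" -j RETURN; done
    for d in $BYPASS_DST; do $IPT -t nat -A "$CHAIN" -d "$d" -j RETURN; done
}

# Catch-all: everything still in the chain goes to squid. Must come last.
redirect_rule() {
    $IPT -t nat -A "$CHAIN" -j DNAT --to-destination "$SQUID_ADDR"
}

# Hook the chain into PREROUTING once; -C tests whether the rule is present.
hook_chain() {
    $IPT -t nat -C PREROUTING -p tcp -s "$LAN_NET" --dport 80 -j "$CHAIN" 2>/dev/null ||
    $IPT -t nat -A PREROUTING -p tcp -s "$LAN_NET" --dport 80 -j "$CHAIN"
}

# Bypassed packets are not for this host; they only leave if forwarding is on.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

apply_all() {
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0; bypassed clients will stall" >&2
    setup_chain && bypass_rules && redirect_rule && hook_chain
}

case "${1:-}" in apply) apply_all ;; esac
```

Run it as `sh bypass.sh apply` on the proxy host; with `IPT=echo sh bypass.sh apply` it only prints the rules it would add.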


