From: Kenneth Sande <sandekt@wow-ia.net>
To: netfilter@vger.kernel.org
Subject: Re: Squid Redirection
Date: Tue, 05 Jan 2010 18:24:27 -0500
Message-ID: <4B43CA2B.40309@wow-ia.net>
In-Reply-To: <8ec0428d1001051445j60c7a32q25d34e8b0db7560a@mail.gmail.com>
Aaron Clausen wrote:
> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
>
>> I do it this way for my one internal subnet. There may be more and better
>> options, but this works for me.
>>
>> iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} \
>>     -p tcp --dport 80 --sport 1024:65535 \
>>     -m state --state NEW,ESTABLISHED,RELATED \
>>     -j REDIRECT --to-port 3128
>>
>> Squid must also be set up to accept transparent connections.
>>
>
> Thanks. Now for another question. I have about a dozen workstations
> that I want to bypass squid (they are in the same subnet as the
> workstations that I want traffic sent through squid). Reading squid's
> documentation, they recommend that this be done at the client end or
> via iptables. What's the rule to allow these hosts to bypass squid?
>
>
What I do is have a special portion of my subnet set aside for
"unfiltered" access, and I just put an ACCEPT chain in for that portion
before the REDIRECT for the whole subnet.
So it looks similar to this:
iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NOSQUID_NETWORK} \
    -p tcp --dport 80 --sport 1024:65535 \
    -m state --state NEW,ESTABLISHED,RELATED \
    -j ACCEPT
iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} \
    -p tcp --dport 80 --sport 1024:65535 \
    -m state --state NEW,ESTABLISHED,RELATED \
    -j REDIRECT --to-port 3128
In my case the INT_NOSQUID_NETWORK is 192.168.0.32/28, which gives me 16
addresses that can bypass this--which I assign manually.
I believe that you can also set up squid so that it makes these
computers bypass the cache. I think it's the "always_direct [allow|deny]
'acl list'" directive. I haven't played with that too much, and not
entirely sure if that is working right for my WSUS server.
(Sending reply to the list this time)
-Ken Sande/KC8QNI
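The two-rule arrangement from this reply, written up as an added example (not Ken's own script): a POSIX sh fragment that emits or applies the bypass ACCEPT and the REDIRECT in the required order, plus a check that reads an `iptables -t nat -S PREROUTING` listing and confirms the bypass rule really sits before the redirect. The interface name `eth1`, the address ranges, the `DRY_RUN` switch and the function names are assumptions for the example.

```sh
#!/bin/sh
# Added example: transparent-Squid REDIRECT with a bypass range, as in the thread.
# Interface and ranges are assumed defaults; override them in the environment.
# DRY_RUN=1 prints the iptables commands instead of executing them.
INT_INTERFACE="${INT_INTERFACE:-eth1}"
INT_NETWORK="${INT_NETWORK:-192.168.0.0/24}"
INT_NOSQUID_NETWORK="${INT_NOSQUID_NETWORK:-192.168.0.32/28}"   # hosts that skip Squid
SQUID_PORT="${SQUID_PORT:-3128}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Order matters: the ACCEPT for the bypass range must be appended before the
# REDIRECT for the whole subnet, otherwise every client is redirected. The nat
# table only sees the first packet of a connection, so no state match is needed.
squid_redirect_rules() {
    run iptables -t nat -A PREROUTING -i "$INT_INTERFACE" -s "$INT_NOSQUID_NETWORK" \
        -p tcp --dport 80 -j ACCEPT
    run iptables -t nat -A PREROUTING -i "$INT_INTERFACE" -s "$INT_NETWORK" \
        -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
}

# Check: read an `iptables -t nat -S PREROUTING` listing on stdin and succeed
# only if the ACCEPT for the bypass range ($1) precedes the REDIRECT to port $2.
bypass_precedes_redirect() {
    awk -v net="$1" -v port="$2" '
        $0 ~ ("-s " net " ") && / -j ACCEPT/ && !acc { acc = NR }
        / -j REDIRECT / && $0 ~ ("--to-ports? " port) && !red { red = NR }
        END { exit !(acc && red && acc < red) }'
}

# Apply only when explicitly asked for (needs root):  APPLY=1 sh this_script.sh
if [ "${APPLY:-0}" = 1 ]; then
    squid_redirect_rules
    iptables -t nat -S PREROUTING | bypass_precedes_redirect "$INT_NOSQUID_NETWORK" "$SQUID_PORT" \
        || echo "warning: bypass rule does not precede the REDIRECT" >&2
fi
```

Run it with `DRY_RUN=1` first to see the exact commands; the ordering check is what catches a bypass rule that was appended after an existing REDIRECT.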