* How to NOT redirect..
From: Karina Gómez Salgado @ 2002-11-07 18:40 UTC (permalink / raw)
To: netfilter
Hi, I'm using iptables to redirect requests to port 80 to port 3128 of
Squid.
But I have a problem: some of the Squid users have trouble
accessing certain services through the proxy, and I want these users to
bypass the proxy when they try to reach certain sites.
So how can I deny the redirect?
I've excluded certain users by their source address, applying the
redirection to the remaining IP addresses.
But now I want to send all traffic to Squid, all but certain
destinations...
Is there a way to do that?
I appreciate any help,
Thanks,
Karina
From: Antony Stone @ 2002-11-07 21:56 UTC (permalink / raw)
To: netfilter
On Thursday 07 November 2002 6:40 pm, Karina Gómez Salgado wrote:
> Hi, I'm using iptables to redirect requests to port 80 to port 3128 of
> Squid.
>
> But I have a problem: some of the Squid users have trouble
> accessing certain services through the proxy, and I want these users to
> bypass the proxy when they try to reach certain sites.
>
> So how can I deny the redirect?
>
> I've excluded certain users by their source address, applying the
> redirection to the remaining IP addresses.
>
> But now I want to send all traffic to Squid, all but certain
> destinations...
>
> Is there a way to do that?
Yes. Depending on how many destination addresses you do / don't want to
redirect, you could use any of the following three methods (there are almost
certainly others as well):
1. Add a "-d a.b.c.d" to your DNAT rule so that only packets matching the
destination address get DNATted. You then need one of these rules for each
destination you want the DNAT to apply to.
2. Add a "-d ! a.b.c.d" if you want to stop a single destination from being
DNATted. You can only use one of these rules, otherwise two of them in
combination will have the same effect as not using "-d ! a.b.c.d" at all.
3. Use your existing DNAT rule in the PREROUTING nat chain, but insert some
rules before it which match a destination address using "-d a.b.c.d" and use
the target "-j ACCEPT" so that these packets bypass the DNAT rule.
Basically suggestion 1 allows you to apply DNAT to as many destination
addresses as you like; suggestion 2 allows you to exclude one address or
address range from being DNATted; and suggestion 3 allows you to exclude as
many addresses or ranges as you want.
Somewhere in this you should be able to achieve your goal.
Antony.
--
Software development can be quick, high-quality, or low-cost.
The customer gets to pick any two out of three.
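Antony's third method as a script, added here as an example and not code from the thread. It assumes a LAN interface of eth0, Squid listening on 3128, a REDIRECT catch-all (Karina's actual rule is not shown in the thread) and a constructed bypass list of documentation addresses; bypass_order_ok is a hypothetical helper that reads an `iptables -t nat -S PREROUTING` dump and confirms the ordering the method depends on.

```shell
#!/bin/sh
# Added example, not from the thread: Antony's method 3 as a script.
# ACCEPT rules for the listed destinations go into nat/PREROUTING ahead of
# the catch-all, so those packets leave the chain before the proxy rule is
# reached. Assumptions (not stated in the thread): LAN interface eth0, Squid
# on port 3128, a REDIRECT catch-all, and a constructed bypass list.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print instead of apply
LAN_IF="${LAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
BYPASS_DESTS="192.0.2.10 198.51.100.0/24"   # constructed documentation ranges

# Emit one ACCEPT per bypass destination, then the single catch-all REDIRECT.
# Order matters: a packet is handled by the first matching rule in the chain.
transparent_proxy_rules() {
    for dst in "$@"; do
        "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
            -d "$dst" -j ACCEPT
    done
    "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Hypothetical check: read a dump of nat/PREROUTING (as printed by
# "iptables -t nat -S PREROUTING") from stdin. Returns 0 if every port-80
# ACCEPT precedes the REDIRECT, 1 if a bypass rule sits after it and would
# therefore never be reached.
bypass_order_ok() {
    awk '
        /-j REDIRECT/ { seen_redirect = 1 }
        /--dport 80/ && /-j ACCEPT/ && seen_redirect { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Only touch the live firewall when invoked as "apply"; running or sourcing
# the file without arguments just defines the functions.
if [ "${1-}" = "apply" ]; then
    # shellcheck disable=SC2086  # word splitting of the list is intended
    transparent_proxy_rules $BYPASS_DESTS
fi
```

`IPTABLES=echo sh bypass.sh apply` prints the rules without installing them; `sh bypass.sh apply` as root installs them, and `iptables -t nat -S PREROUTING | sh -c '. ./bypass.sh; bypass_order_ok'` confirms nothing was appended after the catch-all. The `-i` match keeps the rules to traffic arriving on the LAN side. Two further caveats: on iptables releases newer than this thread the negation in method 2 is written `! -d a.b.c.d` rather than `-d ! a.b.c.d`, and, as Antony notes, two such negated rules in one chain cancel each other out because every destination matches at least one of them, which is why the ACCEPT-first layout is the one that scales to many exclusions.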
From: Anders Fugmann @ 2002-11-07 22:59 UTC (permalink / raw)
To: Karina Gómez Salgado; +Cc: netfilter
Karina Gómez Salgado wrote:
> Hi, I'm using iptables to redirect requests to port 80 to port 3128 of
> Squid.
>
> But I have a problem: some of the Squid users have trouble
> accessing certain services through the proxy, and I want these users to
> bypass the proxy when they try to reach certain sites.
>
I had a similar problem where clients could access sites directly, but
not when the transparent Squid was set up. The problem was that the server
had ECN enabled. Some brain-dead routers/firewalls filter out all
packets with the ECN bit set. Disabling ECN on the firewall solved the
problems.
Try to look at the value of /proc/sys/net/ipv4/tcp_ecn. If the value is
'1', then do an 'echo 0 > /proc/sys/net/ipv4/tcp_ecn' on the machine
running the squid and see if the problem persists.
This might be an easier way to solve the problem rather than adding
specific rules to let machines bypass the proxy.
Regards
Anders Fugmann
--
Author of FIAIF
FIAIF is an intelligent firewall
http://fiaif.fugmann.dhs.org
From: Karina @ 2002-11-08 1:19 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
Thanks a lot...
Now my problem is solved, and it was so easy!!
Regards,
Karina
Antony Stone wrote:
> On Thursday 07 November 2002 6:40 pm, Karina Gómez Salgado wrote:
>
> > Hi, I'm using iptables to redirect requests to port 80 to port 3128 of
> > Squid.
> >
> > But I have a problem: some of the Squid users have trouble
> > accessing certain services through the proxy, and I want these users to
> > bypass the proxy when they try to reach certain sites.
> >
> > So how can I deny the redirect?
> >
> > I've excluded certain users by their source address, applying the
> > redirection to the remaining IP addresses.
> >
> > But now I want to send all traffic to Squid, all but certain
> > destinations...
> >
> > Is there a way to do that?
>
> Yes. Depending on how many destination addresses you do / don't want to
> redirect, you could use any of the following three methods (there are almost
> certainly others as well):
>
> 1. Add a "-d a.b.c.d" to your DNAT rule so that only packets matching the
> destination address get DNATted. You then need one of these rules for each
> destination you want the DNAT to apply to.
>
> 2. Add a "-d ! a.b.c.d" if you want to stop a single destination from being
> DNATted. You can only use one of these rules, otherwise two of them in
> combination will have the same effect as not using "-d ! a.b.c.d" at all.
>
> 3. Use your existing DNAT rule in the PREROUTING nat chain, but insert some
> rules before it which match a destination address using "-d a.b.c.d" and use
> the target "-j ACCEPT" so that these packets bypass the DNAT rule.
>
> Basically suggestion 1 allows you to apply DNAT to as many destination
> addresses as you like; suggestion 2 allows you to exclude one address or
> address range from being DNATted; and suggestion 3 allows you to exclude as
> many addresses or ranges as you want.
>
> Somewhere in this you should be able to achieve your goal.
>
> Antony.
>
> --
>
> Software development can be quick, high-quality, or low-cost.
>
> The customer gets to pick any two out of three.
--
LSCI Karina Gómez Salgado
mailto:kgs@acabtu.com.mx
Systems Administrator & Web Projects Manager
BTU Comunicación, S.A. de C.V.