* Transparent proxy to remote squid box
From: ro0ot @ 2005-05-12 16:08 UTC
To: Netfilter list
Hi,
I have working "transparent proxy to remote squid box" rules, as below:
$IPTABLES -t nat -A PREROUTING -i eth1 -s ! 10.59.2.4 -p tcp --dport 80 -j DNAT --to 10.59.2.4:3128
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.59.2.0/24 -d 10.59.2.4 -j SNAT --to 10.59.2.1
$IPTABLES -t filter -A FORWARD -s 10.59.2.0/24 -d 10.59.2.4 -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT
How can I not route the following network "1.1.1.0/24" to the remote
squid box using IPTABLES?
Regards,
ro0ot
* Re: Transparent proxy to remote squid box
From: Georgi Alexandrov @ 2005-05-12 16:49 UTC
To: netfilter
ro0ot wrote:
> Hi,
>
> I have working "transparent proxy to remote squid box" rules, as below:
>
> $IPTABLES -t nat -A PREROUTING -i eth1 -s ! 10.59.2.4 -p tcp --dport 80 -j DNAT --to 10.59.2.4:3128
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.59.2.0/24 -d 10.59.2.4 -j SNAT --to 10.59.2.1
> $IPTABLES -t filter -A FORWARD -s 10.59.2.0/24 -d 10.59.2.4 -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT
>
> How can I not route the following network "1.1.1.0/24" to the remote
> squid box using IPTABLES?
>
> Regards,
> ro0ot
>
>
Hello,
You can put 1 rule above the DNAT like this:
$IPTABLES -t nat -A PREROUTING -i eth1 -s 1.1.1.0/24 -p tcp --dport 80 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth1 -s ! 10.59.2.4 -p tcp --dport 80 -j DNAT --to 10.59.2.4:3128
The first rule matches the requests coming from 1.1.1.0/24 to tcp port
80 and accepts them, e.g. the packets won't hit the next rule.
P.S.
you probably meant 10.1.1.0/24 ?
regards,
Georgi Alexandrov
* Re: Transparent proxy to remote squid box
From: Georgi Alexandrov @ 2005-05-12 17:00 UTC
To: netfilter
Georgi Alexandrov wrote:
> ro0ot wrote:
>
>> Hi,
>>
>> I have working "transparent proxy to remote squid box" rules, as below:
>>
>> $IPTABLES -t nat -A PREROUTING -i eth1 -s ! 10.59.2.4 -p tcp --dport 80 -j DNAT --to 10.59.2.4:3128
>> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.59.2.0/24 -d 10.59.2.4 -j SNAT --to 10.59.2.1
>> $IPTABLES -t filter -A FORWARD -s 10.59.2.0/24 -d 10.59.2.4 -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT
>>
>> How can I not route the following network "1.1.1.0/24" to the remote
>> squid box using IPTABLES?
>>
>> Regards,
>> ro0ot
>>
>>
> Hello,
>
> You can put 1 rule above the DNAT like this:
>
> $IPTABLES -t nat -A PREROUTING -i eth1 -s 1.1.1.0/24 -p tcp --dport 80 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i eth1 -s ! 10.59.2.4 -p tcp --dport 80 -j DNAT --to 10.59.2.4:3128
>
> The first rule matches the requests coming from 1.1.1.0/24 to tcp port
> 80 and accepts them, e.g. the packets won't hit the next rule.
>
> P.S.
> you probably meant 10.1.1.0/24 ?
>
> regards,
> Georgi Alexandrov
>
>
For the sake of completeness - you can also use the RETURN target in the
first rule, that will cause packets not to travel this chain anymore and
hit the chain's default policy. In most cases it's "ACCEPT" so the
RETURN target will do, if the chain's policy is DROP you should use the
ACCEPT target in the first rule.
regards,
Georgi Alexandrov
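The following script is an added example, not code posted in the thread. It applies the rule set discussed above with the bypass rule placed ahead of the DNAT rule (first match wins in PREROUTING, so hosts in the bypass network never reach the redirect), lets you switch the bypass target between ACCEPT and RETURN as Georgi's follow-up describes, and adds a check that reads the live nat PREROUTING chain and confirms the order survived later edits. The bypass network 10.1.1.0/24 is a placeholder taken from Georgi's guess; the interface, router and squid addresses are the ones from ro0ot's post; the `! -s` spelling is the current iptables syntax for the older `-s !` form.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): transparent-proxy rules with a
# source-network bypass, plus a post-deployment order check.
# Every value below is either from the thread or a placeholder to adjust.

IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.59.2.0/24}"
ROUTER_IP="${ROUTER_IP:-10.59.2.1}"
SQUID_IP="${SQUID_IP:-10.59.2.4}"
SQUID_PORT="${SQUID_PORT:-3128}"
BYPASS_NET="${BYPASS_NET:-10.1.1.0/24}"     # placeholder (Georgi's guess)
# ACCEPT always works. RETURN only bypasses if the nat PREROUTING policy is ACCEPT,
# which is the default; with a DROP policy RETURN would drop the client's traffic.
BYPASS_TARGET="${BYPASS_TARGET:-ACCEPT}"

# run: execute the command, or just print it when DRY_RUN=1 (review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

proxy_rules() {
    # 1. Bypass rule first. Order is the whole point: once a packet matches here
    #    it never reaches the DNAT rule below.
    run "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -s "$BYPASS_NET" \
        -p tcp --dport 80 -j "$BYPASS_TARGET"
    # 2. Redirect everyone else's port-80 traffic to squid, except squid itself
    #    (otherwise squid's own outbound fetches would loop back into it).
    run "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    # 3. Clients and squid sit on the same segment, so SNAT to the router makes
    #    squid's replies come back through the router to be un-DNATed. Side
    #    effect to remember when reading squid logs: every client appears as
    #    ROUTER_IP, so per-client attribution has to come from the router, not squid.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_IP" \
        -j SNAT --to-source "$ROUTER_IP"
    # 4. Permit the redirected flow through FORWARD (same interface in and out).
    run "$IPTABLES" -t filter -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" \
        -d "$SQUID_IP" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# bypass_precedes_dnat: reads "iptables -t nat -S PREROUTING" output on stdin and
# succeeds only if a bypass rule (ACCEPT or RETURN) for BYPASS_NET appears before
# the first DNAT rule. Catches the classic mistake of appending the bypass later.
bypass_precedes_dnat() {
    awk -v net="$BYPASS_NET" '
        index($0, "-s " net) && (/-j ACCEPT/ || /-j RETURN/) && !seen_dnat { ok = 1 }
        /-j DNAT/ { seen_dnat = 1 }
        END { exit ok ? 0 : 1 }'
}

# Usage (as root, after sourcing this file):
#   DRY_RUN=1 proxy_rules                       # print the commands only
#   proxy_rules                                 # apply them
#   "$IPTABLES" -t nat -S PREROUTING | bypass_precedes_dnat && echo "bypass order OK"
```

Run it with DRY_RUN=1 first and read the four printed commands; the bypass line must be the first PREROUTING entry. After applying, pipe the live chain listing through bypass_precedes_dnat from any cron or config-management check so that a later `-A PREROUTING` bypass rule appended below the DNAT (which silently does nothing) gets noticed.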