Re: [squid-users] Bypassing squid for certain sites

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Jun 2009 16:03:13 +1200

On Mon, 15 Jun 2009 21:44:21 -0400, Jamie Orzechowski
<jamie.orzechowski_at_gmail.com> wrote:
> I am having issues with a few sites like megavideo, hotmail, etc and
> looking to bypass them entirely via IPTables ... I have added some
> rules to IPTables but I still see the traffic hitting the caches. Any
> ideas?
>
> Strange thing is that when running an iptables --list it shows no
> rules configured at all ..

iptables -t mangle --list

;)

>
> Here is my iptables rules
>
> /usr/local/sbin/iptables -t mangle -N DIVERT
> /usr/local/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
> /usr/local/sbin/iptables -t mangle -A DIVERT -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> #Bypass These subnets
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport
> 80 -d 65.54.186.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport
> 80 -d 65.54.165.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport
> 80 -d 72.32.79.195/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport
> 80 -d 64.4.20.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport
> 80 -d 69.5.88.0/24 -j RETURN

Hmm, I'm not sure if RETURN works in a master level chain.

Perhaps a custom chain with the above and below rules all in it would
work?

Amos

>
> # Redirect to squid
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j
> TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
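The custom-chain layout suggested in the reply, written out as an added example (this is not code from the thread or from the Squid project). It is a POSIX sh script that emits an iptables-restore(8) fragment for the mangle table rather than calling iptables directly, so it can be inspected before loading. The chain name SQUID_TPROXY is an assumption; the bypass subnets, mark value and port 3129 are the ones posted above. Inside a user-defined chain, RETURN hands the packet back to PREROUTING at the rule after the jump, so a bypassed destination never reaches the TPROXY rule at the end of the chain.

```shell
#!/bin/sh
# Added example: build the mangle-table rules for Squid TPROXY with the
# bypass list and the redirect kept together in one custom chain.
# SQUID_TPROXY is an assumed chain name; the other values come from the thread.

# Constructed bypass list (the five /24s posted in the thread; 72.32.79.195/24
# is written as its network address, which is what iptables stores anyway).
BYPASS_NETS="65.54.186.0/24 65.54.165.0/24 72.32.79.0/24 64.4.20.0/24 69.5.88.0/24"
TPROXY_PORT=3129
MARK=1
CHAIN=SQUID_TPROXY

# Print an iptables-restore fragment for the mangle table.
squid_tproxy_rules() {
  printf '%s\n' '*mangle'
  printf ':%s - [0:0]\n' DIVERT "$CHAIN"
  # Packets that already belong to a local (intercepted) socket get the mark
  # and are accepted first, so established flows keep going to Squid.
  printf '%s\n' "-A DIVERT -j MARK --set-mark $MARK"
  printf '%s\n' '-A DIVERT -j ACCEPT'
  printf '%s\n' '-A PREROUTING -p tcp -m socket -j DIVERT'
  # Everything else on port 80 goes through the custom chain.
  printf '%s\n' "-A PREROUTING -p tcp --dport 80 -j $CHAIN"
  # RETURN inside a user-defined chain resumes PREROUTING after the jump,
  # so these destinations never reach the TPROXY rule below.
  for net in $BYPASS_NETS; do
    printf '%s\n' "-A $CHAIN -d $net -j RETURN"
  done
  printf '%s\n' "-A $CHAIN -p tcp --dport 80 -j TPROXY --tproxy-mark 0x$MARK/0x$MARK --on-port $TPROXY_PORT"
  printf '%s\n' 'COMMIT'
}

# Number of bypass (RETURN) rules in the generated fragment, for a sanity
# check against the length of BYPASS_NETS before loading.
bypass_rule_count() {
  squid_tproxy_rules | grep -c -- '-j RETURN'
}

# Usage (as root):
#   squid_tproxy_rules | iptables-restore -n      # -n (--noflush) keeps other rules
#   iptables -t mangle -L SQUID_TPROXY -n -v      # mangle table, not the default filter table
# The "ip rule add fwmark 1 lookup 100" / "ip route add local 0.0.0.0/0 dev lo
# table 100" steps from the thread are still needed for the marked packets.
```

Listing the mangle table explicitly (`-t mangle`) is what shows these rules; plain `iptables --list` only shows the filter table, which is why it appeared empty. The RETURN rules carry no `--dport 80` match because the jump into the chain already restricted it to port 80.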
Received on Tue Jun 16 2009 - 04:03:17 MDT