Re: [squid-users] Bypassing squid for certain sites

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 16 Jun 2009 10:22:32 -0800

Jamie Orzechowski wrote:
> I am having issues with a few sites like megavideo, hotmail, etc and
> looking to bypass them entirely via IPTables ... I have added some
> rules to IPTables but I still see the traffic hitting the caches. Any
> ideas?
>
> Strange thing is that when running an iptables --list it shows no
> rules configured at all ..
>

"iptables --list" only shows the INPUT, FORWARD and OUTPUT tables.
You'll need to run "iptables -t mangle --list" to see the mangle table.

> Here is my iptables rules
>
> /usr/local/sbin/iptables -t mangle -N DIVERT
> /usr/local/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
> /usr/local/sbin/iptables -t mangle -A DIVERT -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> #Bypass These subnets
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 65.54.186.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 65.54.165.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 72.32.79.195/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 64.4.20.0/24 -j RETURN
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -d 69.5.88.0/24 -j RETURN
>
> # Redirect to squid
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>

You might need to add "/usr/local/sbin/iptables -t mangle -F" to the top
of those rules to flush the mangle table before adding any other rules.

Chris
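An added check, not from the thread: if the rule script is re-run without the flush Chris suggests, the TPROXY rule from the earlier run sits above the newly appended RETURN rules and shadows them, which is exactly what "traffic still hitting the cache" looks like. The script below parses the `-S` listing of the mangle PREROUTING chain (the sample output here is constructed to mimic a double run; the hypothetical `bypass_failures` helper is mine) and reports which bypass subnets would still be handed to TPROXY. It assumes the probe is a new connection, so the `-m socket` DIVERT rule does not match it.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -t mangle -S PREROUTING`, as it would look after
# the thread's rule script was run twice without `iptables -t mangle -F` first.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -d 65.54.186.0/24 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -d 64.4.20.0/24 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
"""


def parse_rules(text):
    """Turn `-A` lines of an iptables -S listing into dicts (policy lines are skipped)."""
    rules = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts or parts[0] != "-A":
            continue
        dst = None
        if "-d" in parts:
            dst = ipaddress.ip_network(parts[parts.index("-d") + 1], strict=False)
        rules.append({"dst": dst, "target": parts[parts.index("-j") + 1],
                      "socket_match": "socket" in parts})
    return rules


def first_match(rules, dest_ip):
    """Index and target of the first rule a new port-80 flow to dest_ip would hit."""
    ip = ipaddress.ip_address(dest_ip)
    for i, r in enumerate(rules):
        if r["socket_match"]:  # -m socket only matches flows with an existing local socket
            continue
        if r["dst"] is None or ip in r["dst"]:
            return i, r["target"]
    return None, "ACCEPT"  # fell off the chain, so the chain policy applies


def bypass_failures(rules, bypass_cidrs):
    """Bypass subnets whose RETURN rule is shadowed by an earlier catch-all rule."""
    failures = []
    for cidr in bypass_cidrs:
        probe = next(ipaddress.ip_network(cidr).hosts())  # first usable host as a probe
        if first_match(rules, str(probe))[1] != "RETURN":
            failures.append(cidr)
    return failures


if __name__ == "__main__":
    print(bypass_failures(parse_rules(SAMPLE_RULES), ["65.54.186.0/24", "64.4.20.0/24"]))
```

On a live box, feed it the real listing with `iptables -t mangle -S PREROUTING` and an empty result means every bypass subnet is reached before the TPROXY rule.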
Received on Tue Jun 16 2009 - 18:22:53 MDT