Re: [squid-users] Bypassing certain IP/Subnet via IPTables

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 23 Jul 2009 12:37:00 +1200

On Wed, 22 Jul 2009 10:57:11 -0400, Jamie Orzechowski
<jamie.orzechowski_at_gmail.com> wrote:
> Here is my problem. All port 80 traffic is being intercepted by the
> iptables configuration and redirecting to squid.
>
> Some of my users have static IP addresses and host their own
> webservers. When the Squid box is up and running none of their sites
> are accessible. If I shut down the squid box everything begins to
> work again .. so it looks like it's my iptables causing the issues
>
> I tried creating a rule to bypass interception for my local subnets
> but it does not seems to work. Can someone please have a look and let
> me know what might be wrong?
>
> Here are the rules.
>
> /usr/local/sbin/iptables -t mangle -N DIVERT
> /usr/local/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
> /usr/local/sbin/iptables -t mangle -A DIVERT -j ACCEPT
>
> # Local Subnets
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
> --dport 80 -d 66.78.96.0/255.255.255.0 -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
> --dport 80 -d 66.78.97.0/255.255.255.0 -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
> --dport 80 -d 66.78.98.0/255.255.255.0 -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
> --dport 80 -d 66.78.99.0/255.255.255.0 -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
> --dport 80 -d 66.78.100.0/255.255.255.0 -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
> --dport 80 -d 66.78.101.0/255.255.255.0 -j ACCEPT
>
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j
> DIVERT
> /usr/local/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j
> TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 --on-ip 66.78.102.2

Is eth1 actually the external interface where traffic from the Internet is
coming from?

Do you have normal packet forwarding enabled on the squid box, to route the
bypassed packets?

Perhaps you should also add -i eth0 to the TPROXY catch rule to only catch
the internal traffic going out.

Amos
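As an added example (not from the thread or from Squid), the following Python models the mangle PREROUTING chain posted above as an ordered rule list, so you can see which target a given packet reaches and why the interface match on the bypass rules matters. It follows Amos's interface naming (eth0 internal, eth1 external), represents the -m socket match as a flag on the packet, and is a simplified evaluator, not an iptables parser.

```python
# Toy model of the posted mangle PREROUTING chain (added example, not
# from the original thread). eth0 = internal LAN, eth1 = external link,
# as assumed in Amos's suggestion.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    iface: str                 # interface the packet arrived on (-i)
    dst: str                   # destination IP (-d)
    dport: int                 # destination TCP port (--dport)
    has_socket: bool = False   # whether "-m socket" would match


@dataclass
class Rule:
    target: str
    iface: str = None
    dst: str = None
    dport: int = None
    socket: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold, as in a single iptables rule."""
        if self.iface and pkt.iface != self.iface:
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport and pkt.dport != self.dport:
            return False
        if self.socket and not pkt.has_socket:
            return False
        return True


# The six /24s bypassed in the posted rules.
LOCAL_SUBNETS = ["66.78.%d.0/24" % n for n in range(96, 102)]


def build_chain(tproxy_iface: str = None) -> list:
    """Posted chain; tproxy_iface="eth0" adds Amos's suggested -i restriction."""
    chain = [Rule("ACCEPT", iface="eth1", dst=net, dport=80) for net in LOCAL_SUBNETS]
    chain.append(Rule("DIVERT", socket=True))
    chain.append(Rule("TPROXY", iface=tproxy_iface, dport=80))
    return chain


def evaluate(chain: list, pkt: Packet) -> str:
    """First matching rule wins; no match means the chain's default policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "POLICY"
```

The interesting case is a port-80 packet to a bypassed subnet arriving on any interface other than eth1: the bypass rules do not match it and the TPROXY rule catches it.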
Received on Thu Jul 23 2009 - 00:37:04 MDT
