Tuesday, September 1, 2015

Bypass Transparent Squid With IPTables



Similar questions have been asked before, but the answers received were not satisfying or didn't apply to my situation.




I have a transparent squid proxy that filters all the http and, for some machines only, https traffic of my network. I achieved this with the following iptables rules:

# every http request arriving on eth0 goes to squid's port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# https is intercepted (port 3127) only for these three client machines
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.100 -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.101 -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.102 -m tcp --dport 443 -j REDIRECT --to-ports 3127


I would like however to bypass squid for certain domains:
when a client makes a request to mydomain.com it should directly go to the network's gateway.




I tried inserting the following rules BEFORE the others mentioned above.

# $IP_OF_MYDOMAIN.COM and $IP_OF_ROUTER are placeholders for the resolved addresses
iptables -t nat -A PREROUTING -i eth0 -d $IP_OF_MYDOMAIN.COM -j DNAT --to-destination $IP_OF_ROUTER
iptables -t nat -A PREROUTING -i eth0 -s $IP_OF_ROUTER -j RETURN


This setup however is not working. What am I missing? Is there a better way of doing this?



Edit

The order of the rules is the following:

iptables -t nat -A PREROUTING -i eth0 -d $IP_OF_MYDOMAIN.COM -j DNAT --to-destination $IP_OF_ROUTER
iptables -t nat -A PREROUTING -i eth0 -s $IP_OF_ROUTER -j RETURN
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.100 -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.101 -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.102 -m tcp --dport 443 -j REDIRECT --to-ports 3127


Answer



If I understand correctly, you want to exempt traffic to a certain IP address from forcible redirection. If so, you're going about it the wrong way.



Replace the first two lines in the iptables config above with



iptables -t nat -A PREROUTING -d a.b.c.d -j ACCEPT


where a.b.c.d is the IP address to be exempted from compulsory redirection. Note that like your current pair of rules, this rule will need to come before the compulsory redirection code.
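An added example, not part of the question or the answer: a small Python model of first-match evaluation in the nat PREROUTING chain, with constructed addresses 203.0.113.10 standing in for mydomain.com and 192.168.1.1 for the router. It shows why the two approaches differ: the DNAT rule re-addresses the exempted connection to the router itself, while the ACCEPT rule leaves the packet untouched and stops the REDIRECT rules below it from firing.

```python
# Added model of iptables nat/PREROUTING first-match semantics; addresses below are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

MYDOMAIN = "203.0.113.10"   # constructed stand-in for $IP_OF_MYDOMAIN.COM
ROUTER = "192.168.1.1"      # constructed stand-in for $IP_OF_ROUTER
PROXY = "local-squid"       # REDIRECT delivers the connection to a listener on the proxy box

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, RETURN, DNAT or REDIRECT
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d
    dport: Optional[int] = None   # --dport
    arg: object = None            # --to-destination / --to-ports

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got
                   for want, got in ((self.src, p.src), (self.dst, p.dst), (self.dport, p.dport)))

def prerouting(rules, p: Packet) -> Tuple[str, int]:
    """Walk the chain top-down; the first matching terminating target decides
    where the connection is delivered (destination address, port)."""
    for r in rules:
        if not r.matches(p):
            continue
        if r.target in ("ACCEPT", "RETURN"):   # RETURN in a built-in chain hits the ACCEPT policy
            return (p.dst, p.dport)            # packet untouched, rest of the chain skipped
        if r.target == "DNAT":
            return (r.arg, p.dport)            # destination address rewritten
        if r.target == "REDIRECT":
            return (PROXY, r.arg)              # handed to the local squid listener
    return (p.dst, p.dport)

REDIRECTS = [Rule("REDIRECT", dport=80, arg=3128)] + [
    Rule("REDIRECT", src=f"192.168.1.{h}", dport=443, arg=3127) for h in (100, 101, 102)]
ASKER_RULES = [Rule("DNAT", dst=MYDOMAIN, arg=ROUTER), Rule("RETURN", src=ROUTER)] + REDIRECTS
ANSWER_RULES = [Rule("ACCEPT", dst=MYDOMAIN)] + REDIRECTS

if __name__ == "__main__":
    exempt = Packet("192.168.1.100", MYDOMAIN, 443)
    print("asker :", prerouting(ASKER_RULES, exempt))   # ('192.168.1.1', 443): addressed to the router itself
    print("answer:", prerouting(ANSWER_RULES, exempt))  # ('203.0.113.10', 443): untouched
```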

