By passing squid for few hosts using iptables
You are not going to be able to achieve this unless you are using a transparent proxy, which you are not. With an explicitly configured proxy, iptables would only be able to see the conversation between the client host and the squid proxy. That would make traffic manipulation impossible because iptables would have no idea what website/IP address you are trying to get to.
You can do it fairly easily the other way around with a transparent proxy, however. That is to say, have iptables redirect all www traffic to the proxy unless it meets certain criteria.
If using your proxy in transparent mode is an option for you then you can achieve your goal if you follow the guide below, but modify the prerouting stage in iptables to have exceptions just above the proxy redirect. Like so:
# Exceptions first: RETURN leaves the nat PREROUTING chain without redirecting,
# so the bypass host is routed out normally. Rules are matched top to bottom.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s $PROXY_BYPASS_HOST -j RETURN
# REDIRECT always sends the packet to the local machine (where squid runs), so it
# takes only a port, not host:port.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
SQUID/iptables transparent proxy howto
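The rule order described in this answer matters: the RETURN exceptions have to sit above the catch-all REDIRECT, or they never match. The following script is an added example, not code from the answer or from the linked howto. It generates the nat-table rules for a transparent Squid gateway with a list of bypass hosts, checks that the ordering is correct before anything is applied, and adds the MASQUERADE rule the bypassed hosts still need to reach the WAN. The interface names, port, `build_rules`/`check_order` helper names and the 192.168.1.x addresses are assumptions chosen for illustration; it assumes squid runs on the same box that routes for the clients and listens with `http_port 3128 intercept` (Squid 3.1 and later).

```shell
#!/bin/sh
# Added example (not from the original answer or the linked howto).
# Emits the nat-table rules for a transparent Squid gateway where a few
# client hosts skip the proxy entirely. Assumptions: Squid runs on this same
# box with "http_port 3128 intercept", and the clients use this box as their
# default gateway. LAN_IF / WAN_IF / SQUID_PORT are placeholders.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the iptables commands in the order they must be appended:
#  1. one RETURN per bypass host (leaves nat PREROUTING without redirecting),
#  2. the catch-all REDIRECT to the local squid port,
#  3. MASQUERADE on the WAN side so bypassed hosts are still NATed out.
build_rules() {
    bypass_hosts="$1"   # space-separated IPv4 addresses (constructed sample below)
    for h in $bypass_hosts; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -s %s -j RETURN\n' "$LAN_IF" "$h"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$LAN_IF" "$SQUID_PORT"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# Read a rule list on stdin and exit non-zero if any RETURN appears after the
# REDIRECT: such an exception is dead because chains are matched top to bottom.
check_order() {
    awk '/-j REDIRECT/ {seen=1} /-j RETURN/ && seen {bad=1} END {exit bad+0}'
}

# Build, verify, then either print (DRY_RUN=1) or feed the commands to sh (root).
apply_rules() {
    rules="$(build_rules "$1")"
    printf '%s\n' "$rules" | check_order || { echo "rule order error" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh
    fi
}

# Dry run with constructed sample addresses; nothing is changed on the system.
DRY_RUN=1
apply_rules "192.168.1.10 192.168.1.11"
```

Note that, exactly like the two rules in the answer, this only intercepts TCP port 80. HTTPS from the non-bypassed hosts is not sent through squid by these rules and simply leaves via the WAN interface, so if the point of the proxy is content filtering, port 443 from those hosts should be handled separately (for example dropped or restricted in the filter table) rather than assumed to be filtered.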
tollboy
Updated on September 18, 2022
Comments
-
tollboy over 1 year
We have a squid proxy setup which listens on the default port (3128) on eth0 (192.x.x.x).
It has another interface, eth1 (10.x.x.x), used to connect to the external world. It is doing good-quality content filtering using squidguard.
But now we want some of the hosts in the network to bypass squid, providing full access to a few people.
I am thinking of something using iptables: any packet from those specific hosts (for which the proxy is to be bypassed) hitting eth0 on port 3128 of the proxy should be redirected to eth1 and should be able to access anything.
Will this work? If yes, then please help me with the rules.
I know this can be done in a good manner using squidguard, but I want to do it with iptables only.
-
Khaled over 12 years
You did not tell us whether you are using transparent proxying or have configured all browsers to use squid as a proxy.
-
tollboy over 12 years
It's not a transparent proxy. Need to configure the proxy in browsers or globally on the system.
-
tollboy over 12 years
HTTP chat? Could you please explain this? I don't know anything about it. :(
-
migabi over 12 years
HTTP chat = HTTP protocol
-
ghm1014 over 12 years
That's right, if the proxy is not transparent it won't work. Iptables won't be able to manage the proxy headers.
-
tollboy over 12 years
Any other way then? I don't want to touch the squidguard configuration, and can't make it transparent.
-
tollboy over 12 years
Please don't laugh if I am asking a totally insane thing. You said: "With an explicitly configured proxy iptables would only be able to see the conversation between the client host and the squid proxy." That's what: iptables just has to see that the packet is coming from a specific client machine, and then it has to redirect it to the other interface. Can't it be done?
-
paulos over 12 years
When the client has the proxy configured, it sends the request to the proxy and the proxy then fetches the requested resource on its behalf. That is to say, the packet leaving the client has a source IP of the client and a destination IP of the proxy. If you redirected these requests past the proxy engine, or out of another interface, the destination of the packet would still be the proxy server. You could not have iptables rewrite the destination field because it has no visibility of what the requested resource was. Hope that makes sense!
-
tollboy over 12 years
So you mean to say: if I have configured a global system proxy on the client system (for everything), then every communication from the client will be kind of wrapped up with a proxy header which will contain the address of the proxy as the destination. All the rest of the information (actual destination, protocol, etc.) is in that wrapper. Am I right?