[CentOS] Iptables Question

Joshua Gimer jgimer at gmail.com
Wed Dec 10 21:22:36 UTC 2008


Makes sense to me.

Is the host that you are wanting to bypass your proxy on the same segment as
the $LAN interface defined in your rulesets?

On Wed, Dec 10, 2008 at 1:22 PM, Joseph L. Casale <JCasale at activenetwerx.com> wrote:

> I have a squid proxy running transparently, so in my firewall script
> I run the following fairly early:
>
> iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128
>
> This is a multihomed server so after this change the masquerading was
> removed (as only web access on the lan side of this server was needed).
>
> I now need to masq cleanly one device so that it can bypass the squid
> proxy. As order is important, would it be correct to put the following
> _in front_ of the PREROUTING command above:
>
> iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
> iptables -A FORWARD -i $LAN -o $WAN -m mac --mac-source <mac addr> -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 443 -j ACCEPT
> iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Where is the best place to filter for the mac in this scenario? I am hoping
> anything w/o this mac will skip the whole masq setup and enter the
> PREROUTING command below, resulting in the traffic being proxied through squid.
>
> Thanks!
> jlc
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Thx
Joshua Gimer
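As an added illustration of the ordering question in the quoted post (this is example code, not from either poster): the POSTROUTING and FORWARD rules live in different chains from the PREROUTING REDIRECT, so their position in the script relative to it does not matter. What does matter is that a per-MAC bypass rule sits in nat/PREROUTING *before* the REDIRECT, because the first terminating target in a chain wins. The interface names, the MAC address and the IPT dry-run variable are placeholders I chose; by default the script only echoes the iptables commands so it can be read and checked without root or a live kernel.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run firewall fragment showing
# where a per-MAC bypass of a transparent squid REDIRECT belongs.
# IPT defaults to "echo iptables" so nothing is applied; run as
#   IPT=iptables LAN=eth1 WAN=eth0 BYPASS_MAC=... sh script.sh
# as root to load the rules for real. All values below are placeholders.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-eth1}"
WAN="${WAN:-eth0}"
BYPASS_MAC="${BYPASS_MAC:-00:11:22:33:44:55}"   # constructed placeholder MAC

nat_rules() {
    # nat/PREROUTING is walked top to bottom. The bypass must be inserted
    # BEFORE the REDIRECT, otherwise the REDIRECT consumes the packet first.
    # RETURN from a built-in chain falls through to the nat policy (ACCEPT),
    # so the packet leaves PREROUTING untouched and continues to FORWARD.
    $IPT -t nat -A PREROUTING -i "$LAN" -m mac --mac-source "$BYPASS_MAC" -j RETURN
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp -m multiport --dports 80,443 \
        -j REDIRECT --to-port 3128
    # MASQUERADE is in nat/POSTROUTING, a separate chain, so its order relative
    # to the PREROUTING rules is irrelevant. REDIRECTed packets are delivered
    # to the local squid (INPUT path) and never reach POSTROUTING/FORWARD.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

filter_rules() {
    # filter/FORWARD only sees traffic that was not REDIRECTed. Allow it only
    # for the bypass host and drop the rest, so no other LAN host can route
    # around the proxy if the REDIRECT rule is ever missing or misordered.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m mac --mac-source "$BYPASS_MAC" \
        -p tcp -m multiport --dports 80,443 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j DROP
}

# Self-check usable without a kernel: exit 0 only when the emitted nat rules
# place the MAC bypass ahead of the REDIRECT in PREROUTING.
bypass_precedes_redirect() {
    nat_rules | awk '
        /PREROUTING/ && /--mac-source/ && !b { b = NR }
        /REDIRECT/ && !r { r = NR }
        END { exit !(b && r && b < r) }'
}

nat_rules
filter_rules
```

The FORWARD rule in the quoted post only opens port 443 for the bypass host; the example opens 80 and 443 so that everything the REDIRECT would otherwise have caught is handled consistently for that one MAC, and it closes FORWARD for every other LAN host.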