I have a squid proxy running transparently, so in my firewall script I run the following fairly early:
iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128
This is a multihomed server so after this change the masquerading was removed (as only web access on the lan side of this server was needed).
I now need to masq cleanly one device so that it can bypass the squid proxy. As order is important, would it be correct to put the following _in front_ of the PREROUTING command above:
iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -m mac --mac-source <mac addr> -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 443 -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
Where is the best place to filter for the mac in this scenario? I am hoping anything w/o this mac will skip the whole masq setup and enter the PREROUTING command below, resulting in the traffic being proxied through squid.
Thanks! jlc
Makes sense to me.
Is the host that you are wanting to bypass your proxy on the same segment as the $LAN interface defined in your rulesets?
On Wed, Dec 10, 2008 at 1:22 PM, Joseph L. Casale <JCasale@activenetwerx.com> wrote:
> I have a squid proxy running transparently, so in my firewall script I run the following fairly early:
> iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128
> This is a multihomed server so after this change the masquerading was removed (as only web access on the lan side of this server was needed).
> I now need to masq cleanly one device so that it can bypass the squid proxy. As order is important, would it be correct to put the following _in front_ of the PREROUTING command above:
> iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
> iptables -A FORWARD -i $LAN -o $WAN -m mac --mac-source <mac addr> -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 443 -j ACCEPT
> iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
> Where is the best place to filter for the mac in this scenario? I am hoping anything w/o this mac will skip the whole masq setup and enter the PREROUTING command below, resulting in the traffic being proxied through squid.
> Thanks! jlc
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
> Makes sense to me.
Yea, I just don't know, technically speaking, where the -m mac should appear: in the POSTROUTING line, or the first FORWARD line. Ultimately I would only want masq'ing to be done for this one device on port 443.
> Is the host that you are wanting to bypass your proxy on the same segment as the $LAN interface defined in your rulesets?
It is, how come? I could filter by IP instead of MAC, but this is easier and, although a non-issue really, more secure.
Thanks! jlc
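As an added example (not from the thread or its participants), one way to lay out the bypass so the MAC check sits where iptables can actually evaluate it: -m mac is only valid in PREROUTING, INPUT and FORWARD, never in POSTROUTING, so the exemption goes in nat PREROUTING ahead of the REDIRECT and the MAC filter in FORWARD; $LAN, $WAN and the MAC are placeholder values, and IPT=echo previews the rules instead of loading them.

```shell
#!/bin/sh
# Placeholders (not from the thread): adjust to your interfaces and device.
IPT="${IPT:-iptables}"
LAN="${LAN:-eth1}"
WAN="${WAN:-eth0}"
BYPASS_MAC="${BYPASS_MAC:-00:11:22:33:44:55}"   # constructed placeholder MAC

proxy_rules() {
    # nat PREROUTING: -A appends and the first matching rule wins, so the
    # exemption must be added BEFORE the REDIRECT. RETURN ends traversal of
    # this chain with no DNAT (chain policy ACCEPT), so only non-matching
    # packets reach the REDIRECT to squid. Port 80 from the device still
    # goes through squid; only 443 is exempted, as the thread asked for.
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 443 \
        -m mac --mac-source "$BYPASS_MAC" -j RETURN
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp -m multiport --dports 80,443 \
        -j REDIRECT --to-port 3128

    # nat POSTROUTING: the source MAC is not available at this hook, so
    # MASQUERADE matches on the outgoing interface only and simply NATs
    # whatever the FORWARD chain below has allowed through.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # filter FORWARD: this is where the MAC limits who gets forwarded.
    # The MAC match only works while the device is on the same L2 segment
    # as $LAN (behind another router the source MAC would be that router's),
    # and a MAC is easily changed, so treat it as identification, not auth.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m mac --mac-source "$BYPASS_MAC" \
        -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Anything else that escaped the REDIRECT is not forwarded.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j DROP
}

# Run as "IPT=echo sh bypass.sh" to print the rules; otherwise source this
# file from the firewall script and call proxy_rules where the rules belong.
if [ "$IPT" = "echo" ]; then
    proxy_rules
fi
```

Note that ordering only matters between rules in the same chain; the POSTROUTING and FORWARD rules can be added before or after the PREROUTING rules without changing the result.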