Makes sense to me. Is the host that you want to bypass your proxy on the same segment as the $LAN interface defined in your rulesets?

On Wed, Dec 10, 2008 at 1:22 PM, Joseph L. Casale <JCasale at activenetwerx.com> wrote:
> I have a squid proxy running transparently, so in my firewall script
> I run the following fairly early:
>
> iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128
>
> This is a multihomed server, so after this change the masquerading was
> removed (as only web access on the LAN side of this server was needed).
>
> I now need to masq cleanly one device so that it can bypass the squid
> proxy. As order is important, would it be correct to put the following
> _in front_ of the PREROUTING command above:
>
> iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
> iptables -A FORWARD -i $LAN -o $WAN -m mac --mac-source <mac addr> -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 443 -j ACCEPT
> iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Where is the best place to filter for the MAC in this scenario? I am hoping
> anything w/o this MAC will skip the whole masq setup and enter the PREROUTING
> command below, resulting in the traffic being proxied through squid.
>
> Thanks!
> jlc
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
Thx Joshua Gimer
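An added example, not from either poster, showing how the bypass-by-MAC rules have to be laid out. Rule order in iptables only matters within a single chain: a packet from the LAN hits nat PREROUTING (where the REDIRECT lives) before routing and long before FORWARD or nat POSTROUTING, so where the MASQUERADE line sits in the script makes no difference. The exemption for the one host therefore has to be a rule in nat PREROUTING placed before the REDIRECT; the mac match is usable there (and in FORWARD and INPUT) but not in POSTROUTING, so the MASQUERADE rule stays unconditional and the FORWARD filter is what restricts who may leave via $WAN. Interface names, the placeholder MAC, the port list (this exempts both 80 and 443, a generalisation of the 443-only rule in the quoted post), and the IPT variable that defaults to printing the commands instead of loading them are all assumptions of this example:

```shell
#!/bin/sh
# Added example (not code from the list thread). Prints the rule set by default
# (IPT="echo iptables"); run with IPT=iptables as root to actually load it.
# Interface names and the MAC below are placeholders, not values from the post.

LAN="${LAN:-eth1}"
WAN="${WAN:-eth0}"
BYPASS_MAC="${BYPASS_MAC:-00:11:22:33:44:55}"   # placeholder, assumed
PROXY_PORTS="${PROXY_PORTS:-80,443}"             # ports squid intercepts
SQUID_PORT="${SQUID_PORT:-3128}"
IPT="${IPT:-echo iptables}"

build_rules() {
    # nat PREROUTING: the exemption MUST come before the REDIRECT in this chain.
    # ACCEPT in the nat table means "apply no NAT here"; the packet then goes on
    # to routing, FORWARD and POSTROUTING like any other.
    $IPT -t nat -A PREROUTING -i "$LAN" -m mac --mac-source "$BYPASS_MAC" \
        -p tcp -m multiport --dports "$PROXY_PORTS" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$LAN" \
        -p tcp -m multiport --dports "$PROXY_PORTS" -j REDIRECT --to-port "$SQUID_PORT"

    # nat POSTROUTING: -m mac is not available after routing, so masquerade
    # everything that is forwarded out $WAN and rely on FORWARD to limit who
    # gets forwarded at all.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # filter FORWARD: only the bypass host may open connections to the WAN;
    # replies come back via conntrack; everything else is dropped by policy.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m mac --mac-source "$BYPASS_MAC" \
        -p tcp -m multiport --dports "$PROXY_PORTS" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Sanity check on the generated rule set: the MAC exemption must be emitted
# before the REDIRECT within nat PREROUTING. Exit status 0 means the order is right.
check_order() {
    build_rules | awk '
        /-t nat -A PREROUTING/ && /--mac-source/ { exempt = NR }
        /-t nat -A PREROUTING/ && /REDIRECT/     { redirect = NR }
        END { exit !(exempt && redirect && exempt < redirect) }'
}

count_masq() {
    build_rules | grep -c -- '-j MASQUERADE'
}

build_rules
```

After loading for real, confirm the layout with `iptables -t nat -nvL PREROUTING --line-numbers`: the exemption should be rule 1 and its packet counter should climb when the bypass host browses, while the REDIRECT counter climbs for everyone else. Two caveats worth keeping in mind: a source MAC is trivially forged, so this identifies a host only against well-behaved neighbours on the LAN, not against an attacker on the same segment; and the mac match only sees the MAC of the last L2 hop, so a host behind another router on a different segment cannot be matched this way at all (which is why the question about the segment matters).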