[CentOS] Squid vs. iptables redirection: exception for certain domains ?

Nicolas Kovacs info at microlinux.fr
Sun Mar 11 12:18:06 UTC 2018


On 11/03/2018 at 13:09, Leon Fauster wrote:
> It is not a good practice to place domain names into iptables rules. Define 
> a custom table, place this table into your rule list (to stick at the right 
> place) and feed that table with the resolved domain names. This can be altered 
> while running in the case of changes (check resolving results periodically).

I admit I've never worked with custom tables, so I don't know how to do
this.

In the meantime, I found the following working solution.

# Exceptions: one domain name or IP address per line in no-proxy.txt;
# lines starting with "#" and whitespace-only lines are skipped.
# $IPT, $IFACE_LAN and $SERVER_IP are assumed to be set earlier in the
# firewall script.
EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
for EXCEPTION in $EXCEPTIONS; do
  # ACCEPT in nat/PREROUTING ends NAT processing for the packet, so these
  # destinations never reach the REDIRECT rules below. iptables resolves a
  # domain name once, at load time, and adds one rule per address returned.
  $IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
done

# Squid: accept the three Squid listener ports from the LAN, then redirect
# plain HTTP (80) to the intercept port 3128 and HTTPS (443) to the
# ssl-bump port 3129, except for traffic addressed to this server itself.
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 443 -j REDIRECT --to-port 3129
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT

And my no-proxy.txt file looks like this:

# Do not use the proxy for the following domains
#
# Crédit Agricole
www.credit-agricole.fr
# Crédit Coopératif
www.credit-cooperatif.coop
# Github
github.com
# Microlinux
microlinux.fr
microlinux.eu
# Squid
squid-cache.org
# Thunderbird
start.thunderbird.net

Note that I can put either domain names or IP addresses in this file.

And it's only supposed to keep a list of a handful of URLs that don't
play well with a transparent Squid for HTTPS.

Cheers,

Niki


-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
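Leon's suggestion in the quoted reply (a set that the rule chain references, fed with resolved addresses and refreshed periodically) maps directly onto ipset. The script below is an added example written for this thread, not code posted by Niki or Leon. It reads the same no-proxy.txt format as above, but instead of one iptables rule per address it loads all addresses into one ipset, builds the new content in a scratch set and swaps it in atomically, so the PREROUTING chain keeps a single stable rule and a cron job can track DNS changes. The variable and function names (IPT, IPSET, IFACE_LAN, SET_NAME, EXCEPTIONS_FILE, refresh_set and so on) are this example's own assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread. Feeds an ipset from a
# no-proxy.txt file (names and IPv4 addresses/CIDRs, "#" comments, blank
# lines) so that a single nat/PREROUTING rule can bypass Squid for them.
# All names below are this example's own assumptions.
IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
IFACE_LAN=${IFACE_LAN:-eth1}
SET_NAME=${SET_NAME:-noproxy}
EXCEPTIONS_FILE=${EXCEPTIONS_FILE:-/usr/local/sbin/no-proxy.txt}

# Print the usable entries of the exceptions file, one per line: full-line
# and trailing "#" comments are dropped, surrounding whitespace is stripped,
# and empty or whitespace-only lines disappear.
parse_exceptions() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# True when the entry is already an IPv4 address, optionally with /prefix.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Resolve one entry to IPv4 addresses, one per line. Literal addresses pass
# through unchanged; names are resolved with the system resolver at refresh
# time (getent ahostsv4 repeats each address per socket type, hence sort -u).
resolve_entry() {
  if is_ipv4 "$1"; then
    printf '%s\n' "$1"
  else
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
  fi
}

# Emit an "ipset restore" script that (re)creates the scratch set
# ${SET_NAME}_new and fills it with every address the file resolves to.
# hash:net accepts plain addresses (as /32) as well as CIDR prefixes.
build_ipset_restore() {
  file=$1
  echo "create ${SET_NAME}_new hash:net family inet"
  echo "flush ${SET_NAME}_new"
  parse_exceptions "$file" | while read -r entry; do
    resolve_entry "$entry" | while read -r ip; do
      echo "add ${SET_NAME}_new $ip"
    done
  done
}

# Load the scratch set, then swap it with the live set. "ipset swap" is
# atomic, so packets never match against a half-filled or empty set.
# -exist tolerates duplicate addresses (two names sharing one IP) and an
# already existing live set.
refresh_set() {
  build_ipset_restore "$EXCEPTIONS_FILE" | $IPSET -exist restore
  $IPSET -exist create "$SET_NAME" hash:net family inet
  $IPSET swap "${SET_NAME}_new" "$SET_NAME"
  $IPSET destroy "${SET_NAME}_new"
}

# The one stable rule: insert it before the REDIRECT rules, once. ACCEPT in
# nat/PREROUTING ends NAT processing for matching packets, exactly like the
# per-address ACCEPT rules in the original script.
install_rule() {
  $IPSET -exist create "$SET_NAME" hash:net family inet
  $IPT -A PREROUTING -t nat -i "$IFACE_LAN" -m set --match-set "$SET_NAME" dst -j ACCEPT
}

# Usage: sh noproxy-set.sh install   (once, from the firewall script)
#        sh noproxy-set.sh refresh   (from cron, e.g. every few minutes)
case "${1:-}" in
  install) install_rule ;;
  refresh) refresh_set ;;
esac
```

Two caveats apply to both this approach and the per-rule one: the set only ever contains the addresses the server's own resolver returned at refresh time, so a CDN-fronted site whose clients receive different addresses can still land in Squid, and the bypassed destinations are not inspected by the proxy at all, so the file should stay as short as the original post intends. Running the refresh from cron also removes the boot-time dependency on DNS that `-d name` rules have.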
