
I'm using a router with Tomato USB to forward port 80 requests to an Ubuntu Server with Squid 3 in transparent mode. Someone on the Tomato forum adapted these instructions for Tomato:

#!/bin/sh
INTERNAL_NETWORK="192.168.1.0/24"
ROUTER_IP="192.168.1.1"
PROXY_SERVER="192.168.1.3"
PROXY_PORT="3128"

/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
/usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
/usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT

Forwarding works as it should; the requests are processed by Squid. The instructions show the rule to bypass certain machines on the network. My problem is that I need to bypass some sites that have problems with proxies, not a specific machine. I tried adding this:

/usr/sbin/iptables -t nat -A PREROUTING -d caixa.gov.br -j ACCEPT

This rule doesn't work. I don't want caixa.gov.br (and a few others) to be forwarded to the proxy at all. But Tomato is still forwarding all sites.

Is it possible to add a rule for each site I don't want to forward?

kircheis
  • What is the difference between "some site" and "a specific machine"? – Hauke Laging Apr 28 '13 at 09:01
  • Thanks for answering. I need all users on my local network to always use the transparent proxy, but have sites like caixa.gov.br bypass the proxy. As I mentioned, the linked instructions show how to make a specific IP on my network not use the proxy at all (by using `iptables -t nat -I PREROUTING -i br0 -s [IPADDRESS] -j ACCEPT`), but I need all of them to skip just a few sites instead of not using the proxy. – kircheis Apr 28 '13 at 14:29
  • Have you tried the code from my answer or have you just looked at it? – Hauke Laging Apr 28 '13 at 14:41
  • Yes, but caixa.gov.br is still giving me problems. I cleaned the browser cache to be sure, and it takes a long time to load. After loading, it shows in the Squid log. If I turn off the proxy forwarding it works without problem. I probably couldn't follow your instructions correctly, because it should not show in the log anymore, right? – kircheis Apr 28 '13 at 14:59
  • I edited my answer so that you can easily run the script now. Do that and if accesses to caixa.gov.br still get forwarded to the proxy then post the output of `iptables -t nat -L -nv`. – Hauke Laging Apr 28 '13 at 15:36

2 Answers


iptables -A ... puts the rule at the end of a chain. Thus yours never matches (or at least with no effect) because the second rule (-s ! $PROXY_SERVER) already got those packets / connections.

Instead of iptables -A PREROUTING you need iptables -I PREROUTING 2. Or you create chains to make the structure easier to understand:

#!/bin/bash
INTERNAL_NETWORK="192.168.1.0/24"
ROUTER_IP="192.168.1.1"
PROXY_SERVER="192.168.1.3"
PROXY_PORT="3128"


# -t nat is needed here: without it the check looks at the filter table, the
# else branch runs on every call and the chain is never flushed, so the
# exception rules pile up. >/dev/null 2>&1 also works in busybox sh.
if iptables -t nat -L prerouting_exceptions -n >/dev/null 2>&1; then
  iptables -t nat -F prerouting_exceptions
else
  iptables -t nat -N prerouting_exceptions
fi
# this prevents the same rule being inserted with each script call
if ! iptables -L FORWARD -n | grep -q proxy; then
  iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 \
    -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT -m comment --comment proxy
fi
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -j prerouting_exceptions
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp \
  --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT

iptables -t nat -A prerouting_exceptions -i br0 -s $INTERNAL_NETWORK \
  -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
iptables -t nat -A prerouting_exceptions -d caixa.gov.br -j ACCEPT
Hauke Laging
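An added example (my code, not the answer's or the asker's) that puts the two points of the answer into runnable form: the exception chain is filled from a list of addresses, and the PREROUTING order is checked so that the jump to the exceptions comes before the DNAT. It also covers the caveat behind `-d caixa.gov.br`: iptables resolves a hostname once, at insert time, and adds one rule per address it got back, so a site that later answers from a different address quietly goes through the proxy again. The chain name, the variable names and the sample addresses are assumptions; `IPT="echo iptables"` gives a dry run.

```sh
#!/bin/sh
# Added example, not the code of the question or the answer. Assumed names:
# PROXY_SERVER, PROXY_PORT, EXC_CHAIN and the sample addresses below.
PROXY_SERVER="${PROXY_SERVER:-192.168.1.3}"
PROXY_PORT="${PROXY_PORT:-3128}"
EXC_CHAIN="${EXC_CHAIN:-prerouting_exceptions}"
# Dry run: IPT="echo iptables" prints the commands instead of applying them.
IPT="${IPT:-iptables}"

# Print every IPv4 address NAME resolves to right now, one per line.
# 'host' is from the BIND tools (nslookup is the busybox alternative). A name
# rule such as '-d caixa.gov.br' is resolved only when it is inserted, so
# re-running this is what picks up a changed or additional address.
resolve_v4() {
  host "$1" 2>/dev/null | awk '/ has address / { print $NF }'
}

# Read addresses on stdin and add one ACCEPT per address to the exception
# chain, scoped to the same traffic the DNAT catches (LAN side, TCP/80).
add_exceptions() {
  while read -r addr; do
    [ -n "$addr" ] || continue
    $IPT -t nat -A "$EXC_CHAIN" -i br0 -p tcp --dport 80 -d "$addr" -j ACCEPT
  done
}

# Read 'iptables -t nat -S PREROUTING' output on stdin. Exit 0 only if the
# jump to the exception chain appears before the DNAT to the proxy: nat rules
# are tried top to bottom, so an ACCEPT placed after the DNAT never fires.
check_order() {
  awk -v chain="$EXC_CHAIN" '
    /-j DNAT/ && !jump                 { dnat_first = 1 }
    index($0, "-j " chain) > 0         { jump = 1 }
    END { exit (dnat_first || !jump) }
  '
}

# Typical use on the router (not run here):
#   for h in caixa.gov.br www.caixa.gov.br www1.caixa.gov.br; do
#     resolve_v4 "$h"
#   done | add_exceptions
#   iptables -t nat -S PREROUTING | check_order || echo "exception jump is after the DNAT"
```

Because the exception chain is flushed and rebuilt by the answer's script, the resolve-then-add loop can simply be run again (from cron, for example) whenever a bypassed site is still turning up in the Squid log.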

I tried your answer. I added www1.caixa.gov.br in addition to caixa.gov.br because it was also showing in the Squid log.

Squid log:

1367165802.899 151455 192.168.1.1 TCP_MISS/503 4261 GET http://www.caixa.gov.br/ - DIRECT/www.caixa.gov.br text/html

Result of iptables -t nat -L -nv on Tomato USB:

Chain PREROUTING (policy ACCEPT 117 packets, 10457 bytes)
 pkts bytes target     prot opt in     out     source               destination
  155 12613 prerouting_exceptions  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   660 DNAT       tcp  --  br0    *      !192.168.1.103         0.0.0.0/0           tcp dpt:80 to:192.168.1.103:3128

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  169 12403 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
   12   660 SNAT       all  --  *      br0     192.168.1.0/24        192.168.1.0/24       to:192.168.1.1

Chain OUTPUT (policy ACCEPT 73 packets, 5279 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain WANPREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9740 to:192.168.1.117:9740
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5740 to:192.168.1.101:5740
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:34184 to:192.168.1.117:34184
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:14983 to:192.168.1.117:14983
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:54184 to:192.168.1.101:54184
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:51413 to:192.168.1.103:51413
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:42020 to:192.168.1.100:42020

Chain prerouting_exceptions (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  br0    *       192.168.1.0/24        192.168.1.0/24       tcp dpt:80
   14   800 ACCEPT     all  --  *      *       0.0.0.0/0            200.201.166.106
   12   696 ACCEPT     all  --  *      *       0.0.0.0/0            200.201.166.240

IP address of caixa.gov.br:

#host caixa.gov.br
caixa.gov.br has address 200.201.166.106
caixa.gov.br mail is handled by 0 bootes1.caixa.gov.br.
caixa.gov.br mail is handled by 0 bootes.caixa.gov.br.
kircheis
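An added example (my code, not from either post) of the check a practitioner would run on the listing above: the counters show the two address rules in prerouting_exceptions did match (14 and 12 packets), while the Squid log line is for www.caixa.gov.br, a name that does not appear in the list of added exceptions. The script parses `iptables -t nat -L -nv` output and reports every hostname/address pair whose address has no rule in the exception chain, which is exactly the traffic that is still being DNATed to the proxy. The chain name and the hostname/address pairs are assumptions; the sample listing is the PREROUTING and prerouting_exceptions chains copied from the output above.

```sh
#!/bin/sh
# Added example, not code from the posts: parse 'iptables -t nat -L -nv' and
# compare the exception chain's destinations with what the bypass hostnames
# resolve to now. EXC_CHAIN and the hostname/address pairs are assumptions.
EXC_CHAIN="${EXC_CHAIN:-prerouting_exceptions}"

# Two chains copied from the listing in the post above (other chains omitted).
SAMPLE_LISTING=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 117 packets, 10457 bytes)
 pkts bytes target     prot opt in     out     source               destination
  155 12613 prerouting_exceptions  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   660 DNAT       tcp  --  br0    *      !192.168.1.103         0.0.0.0/0           tcp dpt:80 to:192.168.1.103:3128

Chain prerouting_exceptions (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  br0    *       192.168.1.0/24        192.168.1.0/24       tcp dpt:80
   14   800 ACCEPT     all  --  *      *       0.0.0.0/0            200.201.166.106
   12   696 ACCEPT     all  --  *      *       0.0.0.0/0            200.201.166.240
EOF
)

# Print "pkts destination" for each rule of chain $1, reading -L -nv output on
# stdin. Column order of -L -nv: pkts bytes target prot opt in out source destination.
chain_rules() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; next }
    cur == chain && $1 ~ /^[0-9]+$/ { print $1, $9 }
  '
}

# Read "hostname address" pairs on stdin and print those whose address has no
# rule in the exception chain of the listing passed as $1. Returns 1 if any
# pair is missing: that traffic is still being DNATed to the proxy.
missing_exceptions() {
  listing="$1"
  missing=0
  while read -r name addr; do
    [ -n "$addr" ] || continue
    if ! printf '%s\n' "$listing" | chain_rules "$EXC_CHAIN" |
         awk -v a="$addr" '$2 == a { found = 1 } END { exit !found }'; then
      printf '%s %s\n' "$name" "$addr"
      missing=1
    fi
  done
  return $missing
}

# Typical use on the router (not run here): resolve each bypass name with
# 'host' and feed the pairs in. Names the router cannot resolve produce no
# pair, so they should be checked separately.
#   iptables -t nat -L -nv > /tmp/nat.txt
#   for h in caixa.gov.br www.caixa.gov.br www1.caixa.gov.br; do
#     host "$h" | awk -v h="$h" '/ has address / { print h, $NF }'
#   done | missing_exceptions "$(cat /tmp/nat.txt)"
```

The comparison is by exact address, so a site answering from an address that was not resolved when the rules were inserted is reported even though the chain still has hits for the old one.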