1

Similar questions have been asked before but the answers received were not satisfying or didn't apply to my situation.

I have a transparent squid proxy that filters all the http and , for some machines only, https traffic of my network.I achieved this with the following iptables rules:

  iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.100 -m tcp --dport 443 -j REDIRECT --to-ports 3127
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.101 -m tcp --dport 443 -j REDIRECT --to-ports 3127
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.102 -m tcp --dport 443 -j REDIRECT --to-ports 3127

I would like however to bypass squid for certain domains: when a client makes a request to mydomain.com it should directly go to the network's gateway.

I tried inserting the following rules BEFORE the others, mentioned above.

iptables -t nat -A PREROUTING -i eth0 -d $IP_OF_MYDOMAIN.COM -j DNAT --to-destination $IP_OF_ROUTER
iptables -t nat -A PREROUTING -i eth0 -s $IP_OF_ROUTER -j RETURN

This setup however is not working. What am I missing? Is there a better way of doing this?

edit

The order of the rules is the following:

        iptables -t nat -A PREROUTING -i eth0 -d $IP_OF_MYDOMAIN.COM -j DNAT --to-destination $IP_OF_ROUTER
        iptables -t nat -A PREROUTING -i eth0 -s $IP_OF_ROUTER -j RETURN
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
        iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.100 -m tcp --dport 443 -j REDIRECT --to-ports 3127
        iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.101 -m tcp --dport 443 -j REDIRECT --to-ports 3127
        iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.102 -m tcp --dport 443 -j REDIRECT --to-ports 3127
Aaron Ullal
  • 163
  • 1
  • 2
  • 10

1 Answers1

2

If I understand correctly, you want to exempt traffic to a certain IP address from forcible redirection. Is so, you're going about it the wrong way.

Replace the first two lines in the iptables config above with

iptables -t nat -A PREROUTING -d a.b.c.d -j ACCEPT

where a.b.c.d is the ip address to be exempted from compulsory redirection. Note that like your current pair of rules, this rule will need to come before the compulsory redirection code.

MadHatter
  • 79,770
  • 20
  • 184
  • 232