Bypass Transparent Squid With IPTables

Similar questions have been asked before but the answers received were not satisfying or didn't apply to my situation.

I have a transparent squid proxy that filters all the HTTP traffic of my network and, for some machines only, the HTTPS traffic. I achieved this with the following iptables rules:

    # force all HTTP from the LAN interface through squid
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    # force HTTPS through squid only for these clients
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.100 -m tcp --dport 443 -j REDIRECT --to-ports 3127
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.101 -m tcp --dport 443 -j REDIRECT --to-ports 3127
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.102 -m tcp --dport 443 -j REDIRECT --to-ports 3127

I would like, however, to bypass squid for certain domains: when a client makes a request to mydomain.com it should go directly to the network's gateway.

I tried inserting the following rules BEFORE the others mentioned above.

    iptables -t nat -A PREROUTING -i eth0 -d $IP_OF_MYDOMAIN.COM -j DNAT --to-destination $IP_OF_ROUTER
    iptables -t nat -A PREROUTING -i eth0 -s $IP_OF_ROUTER -j RETURN

This setup however is not working. What am I missing? Is there a better way of doing this?

Edit:

The order of the rules is the following:

    iptables -t nat -A PREROUTING -i eth0 -d $IP_OF_MYDOMAIN.COM -j DNAT --to-destination $IP_OF_ROUTER
    iptables -t nat -A PREROUTING -i eth0 -s $IP_OF_ROUTER -j RETURN
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.100 -m tcp --dport 443 -j REDIRECT --to-ports 3127
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.101 -m tcp --dport 443 -j REDIRECT --to-ports 3127
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.102 -m tcp --dport 443 -j REDIRECT --to-ports 3127

Solution 1:

If I understand correctly, you want to exempt traffic to a certain IP address from forcible redirection. If so, you're going about it the wrong way.

Replace the first two lines in the iptables config above with

    iptables -t nat -A PREROUTING -d a.b.c.d -j ACCEPT

where a.b.c.d is the IP address to be exempted from compulsory redirection. Note that, like your current pair of rules, this rule will need to come before the compulsory redirection code.
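As an added illustration (not code from the question or the answer above), the following POSIX shell script generates the nat PREROUTING rule set in the order the answer calls for: the `-j ACCEPT` exemptions first, then the forced HTTP and HTTPS redirects. It also includes a check that rejects a rule list in which a REDIRECT precedes an ACCEPT, which is exactly the shadowing that makes an exemption silently ineffective. The interface `eth0`, the proxy ports 3128/3127 and the client addresses come from the question; the exempt destinations 203.0.113.10/11 are constructed placeholder values, and `resolve_ips`, `build_rules`, `rule_position` and `check_order` are names chosen here. The script only prints commands; it never calls iptables itself.

```shell
#!/bin/sh
# Added example: emit squid-bypass rules for nat PREROUTING in a safe order.
# eth0 and the ports 3128/3127 are taken from the question; everything else
# (function names, 203.0.113.x addresses) is assumed for the illustration.

IFACE="eth0"
HTTP_PROXY_PORT=3128
HTTPS_PROXY_PORT=3127

# resolve_ips NAME: current IPv4 addresses of NAME, one per line (needs getent).
# DNS answers change over time, so a deployment has to re-run this and
# refresh the exemption rules; a stale address means the bypass stops working.
resolve_ips() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# build_rules EXEMPT_IPS HTTPS_CLIENTS
#   $1: space-separated destination IPs that must NOT be redirected to squid
#   $2: space-separated client IPs whose HTTPS is also intercepted
# Prints one iptables command per line, in the order they must be appended.
build_rules() {
    exempt_ips=$1
    https_clients=$2
    # 1. Exemptions first. nat PREROUTING is walked top-down and the first
    #    matching terminating target wins, so ACCEPT here ends traversal
    #    before the REDIRECT rules below are consulted.
    for ip in $exempt_ips; do
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -j ACCEPT\n' "$IFACE" "$ip"
    done
    # 2. Forced HTTP redirection for every host behind the LAN interface.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$IFACE" "$HTTP_PROXY_PORT"
    # 3. Forced HTTPS redirection only for the listed clients.
    for c in $https_clients; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -s %s --dport 443 -j REDIRECT --to-ports %s\n' \
            "$IFACE" "$c" "$HTTPS_PROXY_PORT"
    done
}

# rule_position RULES PATTERN: 1-based line number of the first rule matching PATTERN.
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# check_order RULES: succeeds only if the last ACCEPT comes before the first
# REDIRECT, i.e. no exemption is shadowed by an earlier redirect rule.
check_order() {
    rules=$1
    first_redirect=$(rule_position "$rules" 'REDIRECT')
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    [ -n "$first_redirect" ] && [ -n "$last_accept" ] && [ "$last_accept" -lt "$first_redirect" ]
}

# Dry-run demo: print the rule set for two exempt destinations and two HTTPS clients.
if [ "${PRINT_RULES:-0}" = 1 ]; then
    demo=$(build_rules "203.0.113.10 203.0.113.11" "192.168.1.100 192.168.1.101")
    check_order "$demo" && printf '%s\n' "$demo"
fi
```

Run it with `PRINT_RULES=1 sh bypass-rules.sh` to see the ordered commands; pipe them through `sh` only after reviewing them. In practice the exempt list would be fed from `resolve_ips mydomain.com` so that every A record the name currently resolves to is exempted, not just one.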