Re: [squid-users] Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Fri, 15 Dec 2006 00:10:13 +0100

On Thu 2006-12-14 at 18:52 -0200, Bernardo Vieira wrote:

> direct access to the domain .caixa.gov.br (200.201.160/20). All requests
> will go on port 80, tcp on the remote end but the protocol isn't http.
> To achieve this I tried adding the following rules to iptables:
>
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 \
>    -p tcp --sport 1024:65535 --dport 80 -j ACCEPT

Almost correct. The only thing is that it needs to be in the nat table,
before the PREROUTING REDIRECT rule, not filter FORWARD.

The packet flow in netfilter looks something like the following graph
(best viewed with a monospace fontface such as courier):

  [network] -> PREROUTING -> [routing] -> FORWARD -> POSTROUTING -> [network]
                                | ^
                                v |
                              INPUT --> [tcp/ip] --> OUTPUT
                                           ^
                                           |
                                           v
                                        [squid]

Regards
Henrik
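The ordering Henrik describes, as an added example that is not part of the original thread: a small POSIX shell script that emits an iptables-restore fragment for the nat table with the bypass ACCEPT placed before the REDIRECT to squid, plus a check that can be run over `iptables-save -t nat` output to confirm the order on a live box. The LAN range and destination block come from Bernardo's message; the squid intercept port 3128 and the use of iptables-restore are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). Builds a nat-table fragment in
# which the bypass ACCEPT is evaluated before the REDIRECT that sends port 80 to squid.
LAN=192.168.1.0/24           # client network from the original message
BYPASS=200.201.160.0/20      # .caixa.gov.br block from the original message
SQUID_PORT=3128              # assumed squid http_port used for interception

# Print an iptables-restore fragment for the nat table. A packet that matches
# the first rule leaves the PREROUTING chain with ACCEPT, so it never reaches
# the REDIRECT and is routed/forwarded to the real destination instead.
nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# bypass first: non-HTTP service on tcp/80 must not be intercepted
-A PREROUTING -s $LAN -d $BYPASS -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
# everything else on tcp/80 from the LAN goes to squid
-A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
EOF
}

# Read a nat ruleset on stdin (nat_rules output or \`iptables-save -t nat\`) and
# succeed only if a PREROUTING ACCEPT rule appears before the PREROUTING REDIRECT.
order_ok() {
  awk '
    /^-A PREROUTING/ && /-j ACCEPT/   && !acc { acc = NR }
    /^-A PREROUTING/ && /-j REDIRECT/ && !red { red = NR }
    END { exit !(acc && red && acc < red) }
  '
}

# Usage: sh bypass.sh > nat.rules, then review and load with iptables-restore.
if nat_rules | order_ok; then
  nat_rules
else
  echo "bypass rule would be shadowed by the REDIRECT" >&2
  exit 1
fi
```

On a running gateway the same ordering can be checked with `iptables -t nat -L PREROUTING -n --line-numbers`, and an existing REDIRECT can be preceded by the bypass with `iptables -t nat -I PREROUTING 1 ...`. Note that `iptables-restore` replaces the whole nat table unless `--noflush` is given, and that the bypassed packets still traverse filter FORWARD, so a FORWARD rule like the one in the original message remains necessary if that chain's policy is DROP.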

Received on Thu Dec 14 2006 - 16:10:19 MST

This archive was generated by hypermail pre-2.1.9 : Mon Jan 01 2007 - 12:00:01 MST