[tproxy] bypassing squid via iptables

hugo at gigared.com hugo at gigared.com
Thu Oct 21 02:48:39 CEST 2010


Hi all!
I'm using tproxy on Fedora 12 (kernel 2.6.31-6) with Squid 3.1.8
in a WCCP configuration using a Cisco 3560.

Everything works really fine, except for
some newly appeared web sites (or something like that)
that abuse HTTP 1.1 and cause many customer requests
to fail.

In short: can I really bypass Squid and send
these requests directly to the Internet?
I believe that this is possible by changing
the pre-/post-routing rules of iptables
and giving the IP of the websites.

Thank you in advance.

My sh script with the actual iptables config:

#!/bin/sh
# squid server IP (defined here, but not referenced by the rules below)
SQUID_SERVER="192.168.250.9"
# Interface connected to LAN
LAN_IN="eth5"
# Interface connected to Internet
INTERNET="eth7"
# DO NOT MODIFY BELOW

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Policy routing for TPROXY: packets carrying fwmark 1 are looked up in
# table 100, where every destination is a "local" route, so the kernel
# delivers them to this host's sockets even though the destination IP
# is not ours. The del/replace forms make the script safe to re-run.
ip rule del fwmark 1 lookup 100 2>/dev/null
ip rule add fwmark 1 lookup 100
ip route replace local 0.0.0.0/0 dev lo table 100

# Setting default filter policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

###############################################
#
# TPROXY 4 Rules - router
#
##############################################

# Setup a chain DIVERT to mark packets
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

###############################################
#
#  TPROXY 4 Rules - bridge
#
##############################################

# Use DIVERT to prevent existing connections going through TPROXY twice:
# "-m socket" matches packets that already belong to a socket Squid owns,
# so they only get the mark and are delivered via table 100.
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

# Mark all other (new) packets and use TPROXY to pass into Squid
# (the rule was wrapped over two lines in the mail; it is one command):
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# WCCP: accept the GRE tunnel traffic coming from the Cisco 3560
iptables -A INPUT -i gre0 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

# Bridge: take port-80 frames out of the bridge and route them instead.
# "redirect" rewrites the destination MAC to the bridge's own, and in the
# broute table DROP means "route this frame" (ACCEPT would keep bridging),
# so these frames reach the mangle PREROUTING rules above.
# Client->server arrives on $LAN_IN, server->client on $INTERNET.
ebtables -t broute -A BROUTING -i $LAN_IN -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INTERNET -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# Keep iptables/ip6tables/arptables out of the frames that stay bridged
# (bridge-nf-call-* and related sysctls all set to 0)
cd /proc/sys/net/bridge/ || exit 1
for i in *
do
  echo 0 > $i
done
unset i

ip route flush cache


-------------------------
    www.gigared.com
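One way to do what the question asks, as an added example that is not part of the original post or of the tproxy project: exempt a list of destination IPs or prefixes from interception by inserting rules ahead of the TPROXY rule, in both the router/WCCP path (mangle PREROUTING) and the bridge path (ebtables broute). It assumes the interface names and chain layout of the script above are already loaded, and the addresses in BYPASS_IPS are constructed RFC 5737 documentation addresses, not real sites. By default it only prints the commands; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): exempt destination IPs/prefixes
# from TPROXY interception so requests to them go straight to the Internet.
# Assumptions: interfaces and chains as in the script above; BYPASS_IPS is a
# constructed list of RFC 5737 documentation addresses.
LAN_IN="${LAN_IN:-eth5}"
INTERNET="${INTERNET:-eth7}"
IPTABLES="${IPTABLES:-iptables}"
EBTABLES="${EBTABLES:-ebtables}"
BYPASS_IPS="${BYPASS_IPS:-198.51.100.10 203.0.113.0/24}"
# DRY_RUN=1 (default) prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the three rules that take one destination out of interception.
bypass_dst() {
    dst="$1"
    # Router/WCCP path (this also covers packets decapsulated from gre0):
    # position 2 lands after "-m socket -j DIVERT" but before the TPROXY
    # rule, so connections Squid already owns keep flowing, while NEW
    # connections to $dst are ACCEPTed, i.e. the mangle chain ends and the
    # packet is routed/forwarded normally instead of being handed to Squid.
    run "$IPTABLES" -t mangle -I PREROUTING 2 -p tcp --dport 80 -d "$dst" -j ACCEPT
    # Bridge path: in the broute table ACCEPT means "keep bridging"; only the
    # "redirect --redirect-target DROP" rules push port-80 frames up to the
    # IP layer.  Inserting at the top keeps frames to/from $dst bridged, so
    # they never reach the mangle chain at all (both directions).
    run "$EBTABLES" -t broute -I BROUTING -i "$LAN_IN" -p ipv4 --ip-proto tcp --ip-dport 80 --ip-dst "$dst" -j ACCEPT
    run "$EBTABLES" -t broute -I BROUTING -i "$INTERNET" -p ipv4 --ip-proto tcp --ip-sport 80 --ip-src "$dst" -j ACCEPT
}

# Apply the whole list; each entry gets its three rules.
apply_bypass() {
    for dst in $BYPASS_IPS; do
        bypass_dst "$dst"
    done
}

apply_bypass
```

After applying, check the order with `iptables -t mangle -L PREROUTING -n --line-numbers` (the ACCEPT rules must sit between the DIVERT rule and the TPROXY rule) and `ebtables -t broute -L` (the ACCEPT rules must precede the redirect rules). Two caveats: on the bridge path there is no socket match, so a connection to a newly bypassed address that is already going through Squid is cut when the ebtables rule goes in; and on the WCCP path the ACCEPTed packet still carries the client's source address and is forwarded by this host, so ip_forward and the box's own route to the Internet have to work for it. If the sites involved change IPs often (CDNs), a destination list is fragile; excluding them at the switch with a WCCP redirect-list ACL avoids sending them to the proxy host at all.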
