Makes sense to me.
Is the host that you are wanting to bypass your proxy on the same segment as
the $LAN interface defined in your rulesets?
On Wed, Dec 10, 2008 at 1:22 PM, Joseph L. Casale <JCasale at
activenetwerx.com> wrote:
> I have a squid proxy running transparently, so in my firewall script
> I run the following fairly early:
>
> iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443
> -j REDIRECT --to-port 3128
>
> This is a multihomed server so after this change the masquerading was
> removed (as only web access on the lan side of this server was needed).
>
> I now need to masq cleanly one device so that it can bypass the squid
> proxy. As order is important, would it be correct to put the following
> _in front_ of the PREROUTING command above:
>
> iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
> iptables -A FORWARD -i $LAN -o $WAN -m mac --mac-source <mac addr> -m
state
> --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 443 -j ACCEPT
> iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j
> ACCEPT
>
> Where is the best place to filter for the mac in this scenario? I am hoping
> anything w/o this mac will skip the whole masq setup and enter the
> PREROUTING
> command below, resulting in the traffic being proxied through squid.
>
> Thanks!
> jlc
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
--
Thx
Joshua Gimer
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20081210/c69aa48e/attachment-0003.html>