Nicolas Kovacs
2018-Mar-11 10:01 UTC
[CentOS] Squid vs. iptables redirection: exception for certain domains ?
Hi, I'm currently facing a quite tricky problem. Here goes. I have setup Squid as a transparent HTTP+HTTPS proxy in my local network. All web traffic gets handed over to Squid by an iptables script on the server. Here's the relevant section in /etc/squid/squid.conf: --8<------------------------------------------------------------- # Ports du proxy http_port 3130 http_port 3128 intercept https_port 3129 intercept ssl-bump \ cert=/etc/squid/ssl_cert/amandine.sandbox.lan.pem \ generate-host-certificates=on dynamic_cert_mem_cache_size=4MB --8<------------------------------------------------------------- And here's the corresponding section of my firewall script: --8<------------------------------------------------------------- # Commandes IPT=/usr/sbin/iptables SYS=/usr/sbin/sysctl SERVICE=/usr/sbin/service # Internet IFACE_INET=enp2s0 # R?seau local IFACE_LAN=virbr0 IFACE_LAN_IP=192.168.2.0/24 # Serveur SERVER_IP=192.168.2.1 ... # Squid $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \ --dport 80 -j REDIRECT --to-port 3128 $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \ --dport 443 -j REDIRECT --to-port 3129 $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT --8<------------------------------------------------------------- This setup works nicely for the vast majority of web sites. BUT: a handful of sites has some trouble with my local certificate. For example, I can't sync my local Github repo anymore. Or my local OwnCloud client spews back a warning message on every startup. I asked on the Squid mailing list if there was a possibility to create an exception for a list of domains, so that these can simply bypass the proxy. The problem is, according to one of the developers, I have to tackle that problem earlier in the process, e. g. in the firewall setup. So here's what I want to do, in plain words: 1. Redirect all HTTP traffic (port 80) to port 3128. So far so good. 2. Redirect all HTTPS traffic (port 443) to port 3129. Equally OK. AND... 3. DO NOT REDIRECT traffic that goes to certain domains, like: github.com credit-cooperatif.coop cloud.microlinux.fr squid-cache.org etc. Ideally, these domains should be read from a simple text file. Any idea how I could do that? I don't even know if this is theoretically possible. Cheers, Niki -- Microlinux - Solutions informatiques durables 7, place de l'?glise - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info at microlinux.fr T?l. : 04 66 63 10 32
Nicolas Kovacs
2018-Mar-11 10:53 UTC
[CentOS] Squid vs. iptables redirection: exception for certain domains ?
Le 11/03/2018 ? 11:01, Nicolas Kovacs a ?crit?:> So here's what I want to do, in plain words: > > 1. Redirect all HTTP traffic (port 80) to port 3128. So far so good. > > 2. Redirect all HTTPS traffic (port 443) to port 3129. Equally OK. > > AND... > > 3. DO NOT REDIRECT traffic that goes to certain domains, like: > > github.com > credit-cooperatif.coop > cloud.microlinux.fr > squid-cache.org > etc.I've experimented some more, and I have a partial success. Here, I'm redirecting all HTTPS traffic *except* the one that goes to my bank: iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129 This works because my bank is hosted on a single IP. As soon as I replace that with a domain that's hosted on multiple IP's, I get this: iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com --dport 443 -j REDIRECT --to-port 3129 # firewall.sh iptables v1.4.21: ! not allowed with multiple source or destination IP addresses So my question is: how can I write an iptables rule (or series of rules) that redirect all traffic to my proxy, *except* the one going to <list_of_domains> ? Cheers, Niki -- Microlinux - Solutions informatiques durables 7, place de l'?glise - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info at microlinux.fr T?l. : 04 66 63 10 32
Leon Fauster
2018-Mar-11 12:09 UTC
[CentOS] Squid vs. iptables redirection: exception for certain domains ?
Am 11.03.2018 um 11:53 schrieb Nicolas Kovacs <info at microlinux.fr>:> > I've experimented some more, and I have a partial success. Here, I'm > redirecting all HTTPS traffic *except* the one that goes to my bank: > > iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d > www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129 > > This works because my bank is hosted on a single IP. As soon as I > replace that with a domain that's hosted on multiple IP's, I get this: > > iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com > --dport 443 -j REDIRECT --to-port 3129May I ask, after all it doesn't work with google.com, right?> # firewall.sh > iptables v1.4.21: ! not allowed with multiple source or destination IP > addresses > > So my question is: how can I write an iptables rule (or series of rules) > that redirect all traffic to my proxy, *except* the one going to > <list_of_domains> ?It is not a good practice to place domain names into iptables rules. Define a custom table, place this table into your rule list (to stick at the right place) and feed that table with the resolved domain names. This can be altered while running in the case of changes (check resolving results periodically). -- LF
Reasonably Related Threads
- Squid vs. iptables redirection: exception for certain domains ?
- Squid vs. iptables redirection: exception for certain domains ?
- Squid vs. iptables redirection: exception for certain domains ?
- Masquerading (packet forwarding) on CentOS 7
- Vsftpd vs. iptables firewall script