I have the typical transparent proxy redirect in rules:

REDIRECT loc 3128 tcp www - !200.36.106.0/24

How do I add another network to the exceptions in the original destination? I tried comma-separating them (!200.36.106.0/24,200.36.174.0/24), but that doesn't seem to work; shorewall seems to attempt to give the whole thing as a single network to iptables. Maybe I'm missing something obvious, but I have checked the docs, etc...

-- 
Joakim Ziegler <joakim@abargon.com>
Abargon
On 28 May 2003 13:00:46 -0500, Joakim Ziegler <joakim@abargon.com> wrote:

> I have the typical transparent proxy redirect in rules:
>
> REDIRECT loc 3128 tcp www - !200.36.106.0/24
>
> How do I add another network to the exceptions in the original
> destination?

You don't.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On 29 May 2003 09:09:42 -0500, Joakim Ziegler <joakim@abargon.com> wrote:

> On Wed, 2003-05-28 at 22:11, Tom Eastep wrote:
>> On 28 May 2003 13:00:46 -0500, Joakim Ziegler <joakim@abargon.com>
>> wrote:
>
>>> I have the typical transparent proxy redirect in rules:
>
>>> REDIRECT loc 3128 tcp www - !200.36.106.0/24
>
>>> How do I add another network to the exceptions in the original
>>> destination?
>
>> You don't.
>
> Um, ok, is there any other good way to achieve what I want to do?
> Basically, we have some colocated servers in two different places, that
> people need to bypass the transparent proxy when they see. I'm not sure
> if this is a horribly unusual need or what, but I'd appreciate any
> pointers to how I could do it.

Try this: Leave your DNAT rule the way it is then in /etc/shorewall/start:

run_iptables -t nat -I loc_dnat -p tcp --dport www -d <other network> -j RETURN
...

-Tom

PS: I apologize for replying off-list earlier.
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On 29 May 2003 09:53:35 -0500, Joakim Ziegler <joakim@abargon.com> wrote:

> On Thu, 2003-05-29 at 09:32, Tom Eastep wrote:
>> On 29 May 2003 09:09:42 -0500, Joakim Ziegler <joakim@abargon.com>
>> wrote:
>
>>> Um, ok, is there any other good way to achieve what I want to do?
>>> Basically, we have some colocated servers in two different places,
>>> that people need to bypass the transparent proxy when they see. I'm not
>>> sure if this is a horribly unusual need or what, but I'd appreciate any
>>> pointers to how I could do it.
>
>> Try this: Leave your DNAT rule the way it is then in
>> /etc/shorewall/start:
>
>> run_iptables -t nat -I loc_dnat -p tcp --dport www -d <other network> -j
>> RETURN
>> ...
>
> This worked, thanks a lot.
>
> You might want to add this to the FAQ, I guess. Well, unless I'm the
> only person who ever asked for this. :)

I've updated the Shorewall Squid documentation to mention this technique.

> Shorewall is a wonderful project, by the way, thanks a lot. Both because
> of the program itself, but maybe just as much because of the extremely
> nice documentation.

Thanks!

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net