[squid-users] bypass squid for second address range

From: greylake <[email protected]>
Date: Mon, 24 Jan 2005 17:44:26 +1300

hello

lan_one|-------------|gateway|---------|lan_two
           |             |
        squidbox         |
    (member of lan_one)  |
                         |
                      (world)

question 1.

At the moment traffic from BOTH LANs seems to be prerouted to the squid
box, but I want lan_two traffic to bypass the squidbox and go direct (for
now...).

I'm sure it's iptables syntax, but I can't seem to get it to work.
Any advice or examples greatly appreciated.

-----s--------n------------i--------------------p--------------------

# drop lan_one - force them to use the squid box
$IPTABLES -A INPUT -i $NIC_ONE -s ! $SQUIDBOX -p tcp --dport 80 -j DROP

$IPTABLES -A INPUT -i $NIC_TWO -s $LAN_TWO -d 0/0 -p tcp --dport 80 -j ACCEPT

# redirect lan_one port 80 to the cache; the SNAT hairpins the flow through
# the gateway address because client and squidbox sit on the same LAN
$IPTABLES -A PREROUTING -t nat -i $NIC_ONE -s ! $SQUIDBOX -p tcp --dport 80 -j DNAT --to-destination $SQUIDBOX:3128
$IPTABLES -A POSTROUTING -t nat -o $NIC_ONE -s $LAN_ONE -d $SQUIDBOX -j SNAT --to-source $GATEWAY
$IPTABLES -A FORWARD -s $LAN_ONE -d $SQUIDBOX -i $NIC_ONE -o $NIC_ONE -p tcp --dport 3128 -j ACCEPT

# lan_one to world

$IPTABLES -A lan-world -s $SQUIDBOX -p tcp --dport 80 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 22 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 664 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 995 -j ACCEPT
$IPTABLES -A lan-world -p tcp --dport 465 -j ACCEPT
 etc etc

# lan_two to world ... simple for now

$IPTABLES -A lan-fax -p tcp -j ACCEPT
$IPTABLES -A lan-fax -p udp -j ACCEPT
$IPTABLES -A lan-fax -p icmp -j ACCEPT
$IPTABLES -A lan-fax -j DROP

$IPTABLES -A FORWARD -i $NIC_ONE -o $WORLD -s $LAN_ONE -j lan-world
# the chain populated above is lan-fax; jumping to the undefined name
# fax-world makes iptables reject this rule, leaving lan_two with no FORWARD policy
$IPTABLES -A FORWARD -i $NIC_TWO -o $WORLD -s $LAN_TWO -j lan-fax

---------------------------------------------------------------------------------

question 2.

If both LANs do use the cache (with a tighter iptables in place), is it
possible to cache but not log lan_two traffic?

thanks in advance

greylake
Received on Sun Jan 23 2005 - 21:44:31 MST
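A worked rule set for question 1, added here as an example and not part of greylake's post or the squid project: lan_two (and the proxy's own outbound fetches) are exempted from the redirect with RETURN rules placed before the DNAT, so only lan_one clients are sent to the cache. Interface names, address ranges, the proxy address and the 3128 port are assumptions; $IPTABLES defaults to "echo iptables" so the script prints the rules for review instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the original post. All addresses and interface
# names below are assumed values for illustration.
set -eu

IPTABLES=${IPTABLES:-"echo iptables"}   # set IPTABLES=iptables to load for real
NIC_ONE=${NIC_ONE:-eth1}                # lan_one side of the gateway
NIC_TWO=${NIC_TWO:-eth2}                # lan_two side of the gateway
WORLD=${WORLD:-eth0}                    # upstream interface
LAN_ONE=${LAN_ONE:-192.168.1.0/24}
LAN_TWO=${LAN_TWO:-192.168.2.0/24}
SQUIDBOX=${SQUIDBOX:-192.168.1.10}      # cache, a member of lan_one
GATEWAY=${GATEWAY:-192.168.1.1}         # gateway address on lan_one
SQUIDPORT=3128

# nat table: exemptions must come before the DNAT, since PREROUTING is
# evaluated top-down and the first terminating target wins.
nat_rules() {
    # The proxy's own fetches must not be bounced back into the proxy.
    $IPTABLES -t nat -A PREROUTING -i "$NIC_ONE" -s "$SQUIDBOX" \
        -p tcp --dport 80 -j RETURN
    # lan_two bypasses the cache. Match on interface AND source range so a
    # mis-set interface variable cannot silently pull it into the redirect.
    $IPTABLES -t nat -A PREROUTING -i "$NIC_TWO" -s "$LAN_TWO" \
        -p tcp --dport 80 -j RETURN
    # Everything else on port 80 from lan_one goes to the proxy.
    $IPTABLES -t nat -A PREROUTING -i "$NIC_ONE" -s "$LAN_ONE" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUIDBOX:$SQUIDPORT"
    # Hairpin: client and proxy share lan_one, so without this SNAT the
    # proxy would answer the client directly and the client's TCP state
    # (which expects replies from the original web server) breaks.
    $IPTABLES -t nat -A POSTROUTING -o "$NIC_ONE" -s "$LAN_ONE" -d "$SQUIDBOX" \
        -p tcp --dport "$SQUIDPORT" -j SNAT --to-source "$GATEWAY"
}

# filter table: redirected traffic traverses FORWARD (not INPUT), because
# after DNAT its destination is the squidbox, not the gateway itself.
filter_rules() {
    $IPTABLES -A FORWARD -i "$NIC_ONE" -o "$NIC_ONE" -s "$LAN_ONE" -d "$SQUIDBOX" \
        -p tcp --dport "$SQUIDPORT" -j ACCEPT
    # Belt and braces: a lan_one host that escapes the DNAT still may not
    # reach the web directly; only the proxy may. Older iptables wrote the
    # negation as "-s ! addr"; current releases use "! -s addr".
    $IPTABLES -A FORWARD -i "$NIC_ONE" -o "$WORLD" ! -s "$SQUIDBOX" \
        -p tcp --dport 80 -j DROP
    # lan_two goes direct.
    $IPTABLES -A FORWARD -i "$NIC_TWO" -o "$WORLD" -s "$LAN_TWO" \
        -p tcp --dport 80 -j ACCEPT
}

all_rules() { nat_rules; filter_rules; }

# Count emitted rules matching a pattern (useful for reviewing the dry run).
count_matching() { all_rules | grep -c -- "$1"; }

# Line number of the first rule matching a pattern, to check ordering.
first_line_matching() { all_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

all_rules
```

Run with IPTABLES=iptables on the gateway to load the rules, then check `iptables -t nat -L PREROUTING -v -n` while a lan_two host browses: the packet counters on the lan_two RETURN line should climb while the DNAT line's stay flat.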