ipfilter and transparent proxy through squid

Jim Klimov

2011-05-11 10:36:05 UTC

rdr igb0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080
how can I decide to "transparent proxy" just specific clients?
also, I may want to NOT "transparent proxy" when going to specific
destinations (such as
internal web servers).
thanx for any help.
Gabriele.

Well, on a different occasion we have a NAT ruleset with
many exceptions, which may serve as a syntax exapmle:

# Local IPs go unchanged
map elxl1 from 192.168.129.0/24 to 192.168.186.0/24 -> 0.0.0.0/0
map elxl1 from 192.168.129.0/24 to 192.168.187.0/24 -> 0.0.0.0/0
map elxl1 from 192.168.129.0/24 to 192.168.188.0/24 -> 0.0.0.0/0

map elxl1 from 192.168.119.0/24 to 192.168.186.0/24 -> 0.0.0.0/0
map elxl1 from 192.168.119.0/24 to 192.168.187.0/24 -> 0.0.0.0/0
map elxl1 from 192.168.119.0/24 to 192.168.188.0/24 -> 0.0.0.0/0

# NAT for a specific subnet going to default route
map elxl1 from 192.168.129.224/28 ! to 192.168.186.0/22 -> 93.175.31.10/32

I think when you use the rules like the last one,
only the first line for a given source IP/net
actually matters. If you have other exclusions
this way, they may get "shadowed" by the first.

And you can't use pools (as of IPF4 at least)
in NAT configs, so the setup file gets very big.
--
+============================================================+
| |
| Êëèìîâ Åâãåíèé, Jim Klimov |
| òåõíè÷åñêèé äèðåêòîð CTO |
| ÇÀÎ "ÖÎÑ è ÂÒ" JSC COS&HT |
| |
| +7-903-7705859 (cellular) mailto:***@cos.ru |
| CC:***@cos.ru,***@mail.ru |
+============================================================+
| () ascii ribbon campaign - against html mail |
| /\ - against microsoft attachments |
+============================================================+