Re: [SQU] Layer 4 switching and IPChains

From: Joe Cooper <joe@dont-contact.us>
Date: Wed, 23 Aug 2000 03:18:54 -0500

Hi Ken,

Quite simple...Assuming your squid box is doing the port redirect
internally, and is acting as a gateway, and ip_forward is turned on, you
can simply put an ACCEPT rule before the REDIRECT rule in your ipchains
list. If the squid box is not doing the 80 -> 3128 REDIRECT then there
is no easy way I know of to do this, aside from doing it in the L4
switch (why can't you do it there anyway, they're built for just such
things?).

A sanitized example to bypass the cache for 172.16.1.1:

ipchains -I input 1 -s 0/0 -d 172.16.1.1 80 -p tcp -j ACCEPT
ipchains -A input -s 192.168.1.0/24 -d 0/0 80 -p tcp -j REDIRECT 3128

Seems to work in the cases I've seen.

Ken Kirchner wrote:
>
> Hey all,
>
> We are using a layer 4 switch to pump all port 80 TCP/IP traffic to two
> squid servers. This is all warm and fuzzy and working wonderfully.
>
> The problem we are having is that we are transparently proxying our
> customers and this "breaks" a few of their applications. Since there is
> no "forward" acl operator in squid (only "allow" or "deny"), I am looking
> for ways to selectively eliminate an IP or group of IPs from squid's
> proxying. I've just finished reading over squid's documentation and I can't
> find anything that will work with transparent proxying (The switch only
> has 1 ACL if you can believe it).
>
> What I'm now looking into is a way to add rules to ipchains on the squid
> boxes. These rules would forward packets from the selected IPs straight
> to our border router for direct processing and bypass squid altogether.
>
> Am I mad? Am I insane? Is anyone else doing something like this? Will
> it even work??
>
> The lists will hopefully be very short (and static of course).

                                  --
                     Joe Cooper <joe@swelltech.com>
                 Affordable Web Caching Proxy Appliances
                        http://www.swelltech.com
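As an added example (not part of Joe's post, and not Swell Technology code): a small POSIX shell script that generates the ipchains rule set Joe describes for a short static bypass list, covering both Ken's case (customer source IPs, matched with -s) and Joe's example (a destination host, matched with -d). It assumes the squid box is the gateway with ip_forward on, that squid listens on 3128, and that the REDIRECT lives in the input chain exactly as in Joe's mail; the subnet, port and bypass addresses are constructed sample values. The rules are printed for review and only applied when APPLY=1 is set. Because ipchains stops at the first matching rule, the script appends the catch-all REDIRECT and then inserts every exception at position 1, so the ACCEPTs always end up above the REDIRECT no matter what else is already in the chain.

```shell
#!/bin/sh
# Added example: build the ipchains bypass rules from a static list.
# Assumptions (not from the original post): squid on port 3128, customer
# subnet 192.168.1.0/24, REDIRECT in the "input" chain, box is the gateway.

LAN="192.168.1.0/24"     # assumed customer subnet
SQUID_PORT=3128          # assumed squid http_port

# Constructed sample lists; in practice keep these in a small static file.
BYPASS_SRC="192.168.1.50 192.168.1.77"   # clients whose apps break behind squid
BYPASS_DST="172.16.1.1"                  # Joe's example destination host

# valid_addr ADDR: crude sanity check (dotted quad with optional /prefix) so a
# typo in the list cannot produce a rule that silently matches nothing.
valid_addr() {
    case "$1" in
        ""|*[!0-9./]*|*..*|.*|*.|/*|*/|*/*/*) return 1 ;;
    esac
    return 0
}

# run_rule ARGS...: print the full ipchains command; execute it only when
# APPLY=1, so the generated rules can be reviewed first.
run_rule() {
    echo "ipchains $*"
    [ "${APPLY:-0}" = "1" ] && ipchains "$@"
    return 0
}

# emit_rules LAN SRC_LIST DST_LIST
# Append the catch-all REDIRECT, then insert each exception at position 1 so
# it sits above the REDIRECT: ipchains is first-match, so order is everything.
emit_rules() {
    lan=$1; srcs=$2; dsts=$3
    run_rule -A input -s "$lan" -d 0/0 80 -p tcp -j REDIRECT "$SQUID_PORT"
    for ip in $srcs; do
        valid_addr "$ip" || { echo "bad source address: $ip" >&2; return 1; }
        run_rule -I input 1 -s "$ip" -d 0/0 80 -p tcp -j ACCEPT
    done
    for ip in $dsts; do
        valid_addr "$ip" || { echo "bad destination address: $ip" >&2; return 1; }
        run_rule -I input 1 -s 0/0 -d "$ip" 80 -p tcp -j ACCEPT
    done
}

# forwarding_on: the bypass only helps if the kernel actually forwards the
# packets it is no longer redirecting (Joe's ip_forward precondition).
forwarding_on() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Stand-alone run: print the rules; warn if forwarding is off.
if [ "${0##*/}" != "sh" ] && [ "${RUN_MAIN:-1}" = "1" ]; then
    emit_rules "$LAN" "$BYPASS_SRC" "$BYPASS_DST" || exit 1
    forwarding_on || echo "warning: ip_forward is not 1; bypassed clients will be dropped" >&2
fi
```

Run it once without APPLY to eyeball the output, then APPLY=1 ./bypass.sh to load the rules; afterwards `ipchains -L input -n` should show the ACCEPT lines above the REDIRECT.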

Received on Wed Aug 23 2000 - 02:16:27 MDT