Re: [CentOS] Squid vs. iptables redirection: exception for certain domains ?
On 12/03/2018 at 10:37, Nux! wrote:
> Another idea - but this gets complicated and with that, prone to
> faults - use a simple shell script to resolve the desired domains and
> keep their IPs in an ipset, then use the ipset in your firewall
> rules, this way you can keep your iptables rules static, your squid
> config static and simply add or remove IPs from the ipset.

Following a suggestion from Yuri Voinov on the Squid mailing list, I've found a better solution that works perfectly. I've added it to my blog here:

https://blog.microlinux.fr/squid-exceptions/#squid

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Squid vs. iptables redirection: exception for certain domains ?
Hi,

Another idea - but this gets complicated and with that, prone to faults - use a simple shell script to resolve the desired domains and keep their IPs in an ipset, then use the ipset in your firewall rules; this way you can keep your iptables rules static, your squid config static and simply add or remove IPs from the ipset.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Nicolas Kovacs"
> To: "CentOS mailing list"
> Sent: Sunday, 11 March, 2018 12:18:06
> Subject: Re: [CentOS] Squid vs. iptables redirection: exception for certain domains ?

> On 11/03/2018 at 13:09, Leon Fauster wrote:
>> It is not a good practice to place domain names into iptables rules. Define
>> a custom table, place this table into your rule list (to stick at the right
>> place) and feed that table with the resolved domain names. This can be
>> altered while running in the case of changes (check resolving results
>> periodically).
>
> I admit I've never worked with custom tables, so I don't know how to do
> this.
>
> In the meantime, I found the following working solution.
>
> # Exceptions
> EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
> for EXCEPTION in $EXCEPTIONS; do
>   $IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
> done
>
> # Squid
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
> $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
> $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
>   --dport 80 -j REDIRECT --to-port 3128
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
> $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
> $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
>   --dport 443 -j REDIRECT --to-port 3129
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
> $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT
>
> And my no-proxy.txt file looks like this:
>
> # Do not use the proxy for the following domains
> #
> # Crédit Agricole
> www.credit-agricole.fr
> # Crédit Coopératif
> www.credit-cooperatif.coop
> # Github
> github.com
> # Microlinux
> microlinux.fr
> microlinux.eu
> # Squid
> squid-cache.org
> # Thunderbird
> start.thunderbird.net
>
> Note that I can put either domain names or IP addresses in this file.
>
> And it's only supposed to keep a list of a handful of URLs that don't
> play well with a transparent Squid for HTTPS.
>
> Cheers,
>
> Niki
>
> --
> Microlinux - Sustainable IT solutions
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : i...@microlinux.fr
> Tel. : 04 66 63 10 32
Re: [CentOS] Squid vs. iptables redirection: exception for certain domains ?
On Sun, March 11, 2018 7:09 am, Leon Fauster wrote:
> On 11.03.2018 at 11:53, Nicolas Kovacs wrote:
>>
>> I've experimented some more, and I have a partial success. Here, I'm
>> redirecting all HTTPS traffic *except* the one that goes to my bank:
>>
>> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d \
>>   www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
>>
>> This works because my bank is hosted on a single IP. As soon as I
>> replace that with a domain that's hosted on multiple IP's, I get this:
>>
>> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com \
>>   --dport 443 -j REDIRECT --to-port 3129
>
> May I ask, after all it doesn't work with google.com, right?
>

I would also like to add: it is a bad practice IMHO to give preference to some particular search engine, unless it is a single-user personal machine. Many people prefer different search engines (duckduckgo.com just to mention one), some specifically avoid google.

Valeri

>> # firewall.sh
>> iptables v1.4.21: ! not allowed with multiple source or destination IP
>> addresses
>>
>> So my question is: how can I write an iptables rule (or series of rules)
>> that redirect all traffic to my proxy, *except* the one going to
>> ?
>
> It is not a good practice to place domain names into iptables rules. Define
> a custom table, place this table into your rule list (to stick at the right
> place) and feed that table with the resolved domain names. This can be
> altered while running in the case of changes (check resolving results
> periodically).
>
> --
> LF

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Squid vs. iptables redirection: exception for certain domains ?
On 11/03/2018 at 13:09, Leon Fauster wrote:
> It is not a good practice to place domain names into iptables rules. Define
> a custom table, place this table into your rule list (to stick at the right
> place) and feed that table with the resolved domain names. This can be
> altered while running in the case of changes (check resolving results
> periodically).

I admit I've never worked with custom tables, so I don't know how to do this.

In the meantime, I found the following working solution.

  # Exceptions
  EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
  for EXCEPTION in $EXCEPTIONS; do
    $IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
  done

  # Squid
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
  $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
  $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
    --dport 80 -j REDIRECT --to-port 3128
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
  $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
  $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
    --dport 443 -j REDIRECT --to-port 3129
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
  $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT

And my no-proxy.txt file looks like this:

  # Do not use the proxy for the following domains
  #
  # Crédit Agricole
  www.credit-agricole.fr
  # Crédit Coopératif
  www.credit-cooperatif.coop
  # Github
  github.com
  # Microlinux
  microlinux.fr
  microlinux.eu
  # Squid
  squid-cache.org
  # Thunderbird
  start.thunderbird.net

Note that I can put either domain names or IP addresses in this file.

And it's only supposed to keep a list of a handful of URLs that don't play well with a transparent Squid for HTTPS.

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32
Re: [CentOS] Squid vs. iptables redirection: exception for certain domains ?
On 11.03.2018 at 11:53, Nicolas Kovacs wrote:
>
> I've experimented some more, and I have a partial success. Here, I'm
> redirecting all HTTPS traffic *except* the one that goes to my bank:
>
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d \
>   www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
>
> This works because my bank is hosted on a single IP. As soon as I
> replace that with a domain that's hosted on multiple IP's, I get this:
>
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com \
>   --dport 443 -j REDIRECT --to-port 3129

May I ask, after all it doesn't work with google.com, right?

> # firewall.sh
> iptables v1.4.21: ! not allowed with multiple source or destination IP
> addresses
>
> So my question is: how can I write an iptables rule (or series of rules)
> that redirect all traffic to my proxy, *except* the one going to
> ?

It is not a good practice to place domain names into iptables rules. Define a custom table, place this table into your rule list (to stick at the right place) and feed that table with the resolved domain names. This can be altered while running in the case of changes (check resolving results periodically).

--
LF
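The "custom table" Leon describes here and the ipset Nux! suggests in his reply above are the same idea; as an added example (not code from the thread or from Microlinux), this script turns a no-proxy.txt-style list like Niki's into an `ipset restore` stream that is swapped in atomically, so the iptables rules reference one static set name. The set name "noproxy" and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn a no-proxy.txt-style list into an
# ipset so the iptables rules stay static. The set name "noproxy" and the
# helper names are assumptions; the list format is the one posted above.
SET_NAME="noproxy"

# Print the entries of the list file, dropping comment and blank lines and
# anything after the first whitespace (so trailing comments are ignored).
parse_exceptions() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# True if the argument is a dotted-quad IPv4 literal (allowed in the list).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Resolve one entry to IPv4 addresses, one per line; literals pass through.
# This is the gateway's view of DNS, not the client's, so refresh from cron.
resolve_v4() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        getent ahostsv4 "$1" | awk '{print $1}' | sort -u
    fi
}

# Emit an `ipset restore` script that fills a fresh set and swaps it in, so
# the firewall never sees a half-populated set. $2 lets a test substitute a
# resolver that does not touch the network. -exist makes duplicates harmless.
build_ipset_commands() {
    resolver="${2:-resolve_v4}"
    echo "create ${SET_NAME}-new hash:ip -exist"
    for entry in $(parse_exceptions "$1"); do
        for ip in $("$resolver" "$entry"); do
            echo "add ${SET_NAME}-new $ip -exist"
        done
    done
    echo "swap ${SET_NAME}-new ${SET_NAME}"
    echo "destroy ${SET_NAME}-new"
}

# One-time setup in firewall.sh (variable names as in the thread), placed
# before the REDIRECT rules:
#   ipset create noproxy hash:ip -exist
#   $IPT -t nat -A PREROUTING -i $IFACE_LAN -m set --match-set noproxy dst -j ACCEPT
# Periodic refresh: sh noproxy-ipset.sh /usr/local/sbin/no-proxy.txt | ipset restore
if [ $# -gt 0 ]; then
    build_ipset_commands "$1"
fi
```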
Re: [CentOS] Squid vs. iptables redirection: exception for certain domains ?
On 11/03/2018 at 11:01, Nicolas Kovacs wrote:
> So here's what I want to do, in plain words:
>
> 1. Redirect all HTTP traffic (port 80) to port 3128. So far so good.
>
> 2. Redirect all HTTPS traffic (port 443) to port 3129. Equally OK.
>
> AND...
>
> 3. DO NOT REDIRECT traffic that goes to certain domains, like:
>
> github.com
> credit-cooperatif.coop
> cloud.microlinux.fr
> squid-cache.org
> etc.

I've experimented some more, and I have a partial success. Here, I'm redirecting all HTTPS traffic *except* the one that goes to my bank:

  iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d \
    www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129

This works because my bank is hosted on a single IP. As soon as I replace that with a domain that's hosted on multiple IP's, I get this:

  iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com \
    --dport 443 -j REDIRECT --to-port 3129

  # firewall.sh
  iptables v1.4.21: ! not allowed with multiple source or destination IP addresses

So my question is: how can I write an iptables rule (or series of rules) that redirect all traffic to my proxy, *except* the one going to ?

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32