On 11/03/18 23:54, Nicolas Kovacs wrote:
> Le 11/03/2018 à 11:17, Amos Jeffries a écrit :
>> The process is not getting anywhere close to caching being relevant. The
>> error you mentioned earlier is in the TLS handshake part of the process.
> I've experimented some more, and I have a partial success. Here, I'm
> redirecting all HTTPS traffic *except* the one that goes to my bank:
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d
> www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
> This works because my bank is hosted on a single IP. As soon as I
> replace that with a domain that's hosted on multiple IP's, I get this:
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com
> --dport 443 -j REDIRECT --to-port 3129
> # firewall.sh
> iptables v1.4.21: ! not allowed with multiple source or destination IP
> addresses
> So my question is: how can I write an iptables rule (or series of rules)
> that redirect all traffic to my proxy, *except* the one going to
> <list_of_domains> ?

The whois system can provide info on the IP ranges owned by the
companies like Google which own their own ranges.

The alternative for ssl-bump is the splice action. For that you only
need to know the server names each company uses.

squid-users mailing list

Reply via email to