Iptables – By passing squid for few hosts using iptables


We have a squid proxy setup which listens on the default port (3128) on eth0 (192.x.x.x).

It has another interface, eth1 (10.x.x.x), used to connect to the external world. It is doing good quality content filtering using squidguard.

But now we want some of the hosts in the network to bypass the squid, providing full access to a few people.

I am thinking of something using iptables:
Any packet from those specific hosts (for which the proxy is to be bypassed) hitting eth0 on port 3128 of the proxy should be redirected to eth1 and should be able to access anything.

Will this work? If yes, then please help me with the rules.

I know this can be done in a good manner using squidguard, but I want to do it with iptables only.

Best Answer

You are not going to be able to achieve this unless you are using a transparent proxy - which you are not. With an explicitly configured proxy iptables would only be able to see the conversation between the client host and the squid proxy. That would make traffic manipulation impossible because iptables would have no idea what website/IP address you are trying to get to.

You can do it fairly easily the other way around with a transparent proxy however. That is to say have iptables redirect all www traffic to the proxy unless it meets certain criteria.

If using your proxy in transparent mode is an option for you then you can achieve your goal if you follow the guide below, but modify the prerouting stage in iptables to have exceptions just above the proxy redirect. Like so:

# Exceptions first: traffic from the bypass host leaves PREROUTING before the redirect rule is reached
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s $PROXY_BYPASS_HOST -j RETURN
# REDIRECT only accepts a local port (--to-ports), since squid runs on this same box
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT

SQUID/iptables transparent proxy howto
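A small generator for the rule set the answer sketches, as an added example that is not part of the original answer or of any squid/iptables howto. It assumes the proxy runs on the same host as iptables, and the variable names IFACE, SQUID_PORT and BYPASS (a constructed sample list of hosts) are assumptions; the point it makes is that every RETURN exception must be appended before the single REDIRECT rule, and that the bypass list is validated before any rule is applied.

```shell
#!/bin/sh
# Added example: emit nat PREROUTING rules for a transparent squid with
# a bypass list. Names below are assumptions, not from the original page.
IFACE="${IFACE:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
# Constructed sample bypass list: hosts that may reach port 80 directly.
BYPASS="${BYPASS:-192.168.1.10 192.168.1.11}"

# Accept only a dotted-quad IPv4 address, optionally with a /prefix.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the rules in the order they must be appended: one RETURN per
# bypass host first, then the catch-all REDIRECT to the local squid port.
# Fails (and prints nothing further) on a malformed bypass entry.
transparent_proxy_rules() {
    for host in $BYPASS; do
        valid_ipv4 "$host" || { echo "bad bypass address: $host" >&2; return 1; }
        echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -s $host -j RETURN"
    done
    echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Generate the whole set first, then run it, so a bad entry never leaves a
# half-applied table. DRY_RUN=1 (the default) only prints the commands.
apply_rules() {
    rules=$(transparent_proxy_rules) || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}
```

Check the result with `iptables -t nat -L PREROUTING -n --line-numbers`: the RETURN lines must carry lower numbers than the REDIRECT line, otherwise the exceptions are never hit.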