Iptables Exclusion

Currently running Redhat 9.0 with IPTABLES.
All outgoing port 80 traffic is being re-directed to 3218 (squid cache) with the following command
-A PREROUTING -i ! eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3218
I wish to add an exclusion so that if the traffic is coming from a specific internal address then it is not re-directed through the squid.

Any ideas ?
michael334Asked:

kidomanCommented:
Hi,

very simple.... modify your rule set to this:

iptables -t nat -A PREROUTING -p tcp -i ! eth0 --dport 80 -s ! (your internal address) -j REDIRECT --to-ports 3128

By doing this we would exclude packets coming from the particular node from being redirected. They would head straight for port 80.

Hope this helps,

Karan

michael334Author Commented:
Is it possible to allow multiple hosts? At this stage I only have one, however in the future I can see the need to add more ..
kidomanCommented:
Hi,

I think I can help here....

Suppose you want to exclude (say 10 IPs) with no similarity; then you could do something like:

iptables -t nat -N excluded_ips

# ACCEPT in the nat table ends NAT processing for the packet, so these hosts go straight out on port 80
iptables -t nat -A excluded_ips -s (first IP address) -j ACCEPT
iptables -t nat -A excluded_ips -s (second IP address) -j ACCEPT
.... so on
iptables -t nat -A excluded_ips -s (last IP address) -j ACCEPT

# the exclusion chain must come before the REDIRECT rule; rules are matched in order
iptables -t nat -A PREROUTING -p tcp -i ! eth0 --dport 80 -j excluded_ips
iptables -t nat -A PREROUTING -p tcp -i ! eth0 --dport 80 -j REDIRECT --to-ports 3128

This scriptlet should replace your current setup. See if it helps. Do post back.

Karan
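Added example (not from the thread): a small POSIX sh script that generates the nat-table rule set for the exclusion-chain approach from a list of hosts, so the list can be maintained in one place and the generated rules reviewed before applying. The interface name, Squid port and excluded addresses are constructed sample values.

```shell
# Constructed sample values: LAN clients arrive on every interface except eth0,
# Squid listens on 3128 (the thread's setup), three hosts bypass the proxy.
EXCLUDED_IPS="192.168.1.10 192.168.1.20 192.168.1.30"
WAN_IF="eth0"
SQUID_PORT="3128"

# Print the rules rather than applying them; pipe the output into sh to apply.
# Uses the old "-i ! eth0" negation syntax from the thread; newer iptables
# releases write it as "! -i eth0".
gen_rules() {
  chain="excluded_ips"
  echo "iptables -t nat -N $chain"
  for ip in $EXCLUDED_IPS; do
    # ACCEPT in the nat table means "stop NAT processing for this packet",
    # so the host goes straight out on port 80. DROP here would discard the
    # connection's first packet instead of exempting it from the redirect.
    echo "iptables -t nat -A $chain -s $ip -j ACCEPT"
  done
  # The exclusion jump must precede the REDIRECT; rules are matched in order.
  echo "iptables -t nat -A PREROUTING -i ! $WAN_IF -p tcp --dport 80 -j $chain"
  echo "iptables -t nat -A PREROUTING -i ! $WAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Sanity check on the generated set: every excluded host has an ACCEPT rule
# and the REDIRECT is the final rule. Returns 0 on success, 1 on failure.
check_rules() {
  rules=$(gen_rules)
  for ip in $EXCLUDED_IPS; do
    echo "$rules" | grep -q -- "-s $ip -j ACCEPT" || return 1
  done
  echo "$rules" | tail -n 1 | grep -q -- "-j REDIRECT --to-ports $SQUID_PORT" || return 1
  return 0
}
```

Run `gen_rules` to inspect the rules and `gen_rules | sh` (as root) to load them once `check_rules` passes.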
michael334Author Commented:
Thanks for the info. That works a treat.

Michael334