Hi Nicolas,

On Sunday 11 March 2018 05:35 PM, Nicolas Kovacs wrote:
> On 11/03/2018 at 12:31, Amos Jeffries wrote:
> OK, I got something that's starting to work.
> 
> # Exceptions: skip comment lines and blank lines in the list
> EXCEPTIONS=$(grep -Ev '(^#)|(^\s*$)' /usr/local/sbin/no-proxy.txt)
> for EXCEPTION in $EXCEPTIONS; do
>    $IPT -A PREROUTING -t nat -i "$IFACE_LAN" -d "$EXCEPTION" -j ACCEPT
> done

The problem with this approach might be that domains are looked up for their IPs at the time of rule creation and not at the time of request. Since destinations like github.com, google.com, Facebook, etc. use many large pools of IPs, your rule might not match later in the day or after a few days.

Better to use "ipset" along with dnsmasq and refer to that ipset in the iptables rule to match dst.

1. ipset create _ipsetname_ bitmap:ip

2. Configure dnsmasq to populate _ipsetname_ by adding the following lines for each domain to dnsmasq.conf:

ipset=/google.com/_ipsetname_
ipset=/github.com/_ipsetname_
...
...

3. Use dnsmasq as resolver-cache on your proxy machine and ensure that squid uses your dnsmasq for DNS queries.

4. Add intercept iptables rules to not NAT the traffic to destination ipset:

iptables -A PREROUTING -t nat -i $IFACE_LAN -m set --match-set _ipsetname_ dst -j ACCEPT

Dnsmasq will keep populating the ipset as and when a resolution request is received for the matched domains. An ipset can hold 65534 entries.

I use this approach extensively to allow Anti-Virus and Windows updates to the machines which otherwise are not allowed to access the Internet directly without configuring an explicit proxy or through proxy.pac/wpad.

Regards,
Nishant
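The four steps above, as an added shell example that is not from the thread: it turns a no-proxy.txt list in the format of the quoted script into the dnsmasq ipset= lines and the ipset/iptables commands, and only prints the commands, so it can be checked without root. Assumed names: set "noproxy", LAN interface eth1 unless $IFACE_LAN is set; it creates a hash:ip set rather than bitmap:ip, because bitmap:ip requires a fixed "range" covering at most a /16 while CDN addresses are spread across the whole IPv4 space.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the dnsmasq directives and the
# ipset/iptables commands for the bypass scheme described above. Hypothetical
# names: set "noproxy", LAN interface from $IFACE_LAN (default eth1).

SET_NAME="noproxy"

# Drop comment lines and blank/whitespace-only lines, then trailing whitespace
# (including a CR from a Windows-edited file). Reads files given as args, or stdin.
filter_domains() {
    grep -Ev '^[[:space:]]*(#|$)' "$@" | sed 's/[[:space:]]*$//'
}

# One "ipset=/domain/set" line per domain. dnsmasq (built with ipset support)
# adds every A record it resolves for the domain and its subdomains to the set,
# so the set tracks the DNS answers the clients actually received.
dnsmasq_ipset_lines() {
    filter_domains "$@" | sed "s|.*|ipset=/&/$SET_NAME|"
}

# The set must exist before any rule references it; the nat rule ACCEPTs
# (i.e. skips the interception REDIRECT for) packets whose destination is
# currently in the set.
firewall_commands() {
    iface="$1"
    printf 'ipset -exist create %s hash:ip maxelem 65536\n' "$SET_NAME"
    printf 'iptables -t nat -A PREROUTING -i %s -m set --match-set %s dst -j ACCEPT\n' \
        "$iface" "$SET_NAME"
}

# Constructed sample list (same format as the quoted no-proxy.txt).
SAMPLE_LIST='# hosts that must bypass the proxy
google.com

github.com
'
printf '%s' "$SAMPLE_LIST" | dnsmasq_ipset_lines
firewall_commands "${IFACE_LAN:-eth1}"
# Squid must then resolve through the same dnsmasq, e.g. "dns_nameservers 127.0.0.1"
# in squid.conf, or the set is filled from answers the proxy never used.
```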
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users