Squid+iptables: how do I allow HTTPS to pass through, bypassing Squid?

David 'the bald ginger' · Apr 8, 2010 · Viewed 32k times

Basically started with Squid and iptables today (Google is your friend). This stuff is going to be the death of me.

I have Squid3 set up on an Ubuntu 9.04 server as a transparent proxy. It works sweetly when I use the proxy box as my default gateway etc. The iptables rules for this setup were part of the tutorial. :P

Unfortunately I cannot access HTTPS sites (such as Gmail, or basically anything on port 443). This is because Squid doesn't like what it cannot cache, which in this case is the HTTPS traffic.

I would like to add an iptables rule so that I can basically access HTTPS sites and use Skype, i.e. allow these types of traffic to pass through without going through the Squid proxy (bypassing it, so to speak).

Would anyone perhaps know how to do this or have a link to any sources that would assist me in figuring it out?

Thank you.

Answer

David 'the bald ginger' · Apr 9, 2010

After actually considering chewing through my own wrists and dreaming of IPs all night long + brute-force googling/trying ANYTHING I could get my digital fingers on, I managed to put something together that actually works. I don't know the technical reasons why, so if you can provide set explanations please do so! :D

PS: everything in the explanation is done via the command line.

PS: this is not a final solution, but it's a working one in answer to my own question.

Here it is:

Step 1: Had to enable IP forwarding on the box:

vim /etc/sysctl.conf

# find and uncomment the following

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1

Step 2: Add loopback rule (this is more for when all ports are covered; apparently many apps need it?):

iptables -I INPUT -i lo -j ACCEPT

Step 3: Add rules for bypassing port 443 (eth1 is the internet interface and x.x.x.x/eth0 is the LAN interface):

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x

Step 4: Then finally the rules making Squid transparent (x.x.x.x is the IP of the LAN interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
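A way to check that a ruleset actually does what the answer sets out to do, added here as an example and not part of the original answer: it audits `iptables-save` output (a constructed sample with eth0/eth1 and an assumed LAN address of 192.168.1.1 standing in for x.x.x.x) and confirms that only port 80 from the LAN is redirected to Squid's port 3128 while port 443 is forwarded and NATed past it.

```shell
#!/bin/sh
# Added example, not from the original post: audit an `iptables-save` dump to
# confirm that LAN port 80 goes to Squid and port 443 is forwarded around it.
# Interface names, proxy port and the LAN address are assumptions.
LAN_IF=eth0
WAN_IF=eth1
PROXY_PORT=3128

# Constructed sample in iptables-save format, mirroring the answer's rules
# with 192.168.1.1 standing in for x.x.x.x.
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.1
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# has_rule RULES PATTERN: true if any line of RULES matches the extended regex.
has_rule() {
    printf '%s\n' "$1" | grep -qE -- "$2"
}

# check_bypass RULES: returns 0 when only port 80 from the LAN is intercepted
# and port 443 has a path past the proxy; prints the first problem otherwise.
check_bypass() {
    if has_rule "$1" "^-A PREROUTING -i $LAN_IF .*--dport 443 .*-j (DNAT|REDIRECT)"; then
        echo "FAIL: port 443 from $LAN_IF is being sent to the proxy"; return 1
    fi
    if ! has_rule "$1" "^-A PREROUTING -i $LAN_IF .*--dport 80 .*$PROXY_PORT"; then
        echo "FAIL: port 80 from $LAN_IF is not redirected to port $PROXY_PORT"; return 1
    fi
    if ! has_rule "$1" "^-A FORWARD -i $LAN_IF .*--dport 443 .*-j ACCEPT"; then
        echo "FAIL: no FORWARD rule accepting port 443 from $LAN_IF"; return 1
    fi
    if ! has_rule "$1" "^-A POSTROUTING -o $WAN_IF .*-j (SNAT|MASQUERADE)"; then
        echo "FAIL: no SNAT/MASQUERADE on $WAN_IF, replies cannot return"; return 1
    fi
    echo "OK: port 80 intercepted, port 443 bypasses Squid"
}

# Audit the sample; on a live box use: check_bypass "$(iptables-save)"
check_bypass "$SAMPLE_RULES"
```

The check only reads the dump, so it can be run against a saved ruleset before loading it with iptables-restore.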