I've re-edited the original question, because I have changed the setup since the original answer, which was for a NAT-based setup. NAT is no longer being used and has been replaced with TPROXY for IPv6 compatibility.
I'm running squid in a small network. I've set up a couple of squid listening ports for different scenarios.
Excerpt of squid.conf
- http_port 3128 - This will be pushed to Windows clients via domain policy, with the HTTP proxy set via WPAD.
- http_port 3129 tproxy - This is for clients that have their traffic on port 80 intercepted.
For the TPROXY setup I'm using the following iptables/ip6tables rules on my DD-WRT router with iproute2 to mark and redirect traffic to the proxy. The problem is that in this setup all traffic is tagged, including IPv4 and IPv6 traffic that is going to the Squid proxy via the port 3128 setup.
I need a way to exclude this traffic because it is adding overhead and breaking connectivity (particularly IPv6) on LAN clients that have the proxy applied directly.
I'm aware I could add specific clients to the PREROUTING table with an ACCEPT rule, but doing this for both IPv4 and IPv6 will become hard to manage quickly. I need to find a generic way to exclude all LAN clients that go through the Squid proxy on port 3128 at router level, but I don't know the best way to do it.
Current DD-WRT Squid policy routing:
```sh
# Squid transparent proxy
PROXY_IPV4=192.168.x.x
PROXY_IPV6=2001:470:xxxx:xx::x
CLIENTIFACE=br0
FWMARK=3
iptables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV4 -p tcp --dport 80 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
iptables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
iptables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
ip rule add fwmark $FWMARK table 2
ip -6 rule add fwmark $FWMARK table 2
ip route add default via $PROXY_IPV4 table 2
ip -6 route add default via $PROXY_IPV6 table 2
# End Squid intercept proxy config
```
Add an iptables rule to ACCEPT traffic on port 80 from the squid server. After that rule you can have the DNAT rules. As soon as a rule matches, the chain isn't followed any more, so the ACCEPT will short-circuit the DNAT for traffic from squid.

EDIT: The DNAT rule already excludes the $PROXY_IP, so adding an extra rule shouldn't be necessary. I personally prefer to add an explicit rule to ACCEPT traffic from the proxy so that any further rules won't affect that traffic.

For those clients that obey the proxy rules to use the proxy explicitly on port 3128, that traffic won't go via the router, as the clients can access the proxy directly; at least I'm hoping that the proxy and the clients are in the same subnet? If for some reason the proxy and the clients are on different subnets but on the same physical LAN network, then the router should send ICMP redirects to the client when traffic destined for the proxy from a client arrives at the router.
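The ordering point in the answer (an explicit ACCEPT for traffic sourced from the proxy placed before the MARK, so first-match-wins stops the proxy's own port-80 requests from being marked and looped back) as an added example, not part of the question or answer. It folds the questioner's IPv4 and IPv6 rule sets into one function so both families stay in step; the function name, the RUN dry-run prefix and the documentation-range addresses are constructed assumptions.

```sh
#!/bin/sh
# Added example: emit the TPROXY mark rules for one address family.
# RUN defaults to "echo" (dry run, prints the rules); set RUN="" to apply.
CLIENTIFACE="${CLIENTIFACE:-br0}"
FWMARK="${FWMARK:-3}"
RUN="${RUN-echo}"

# squid_intercept_rules <iptables|ip6tables> <proxy address> <ip|ip -6>
squid_intercept_rules() {
    ipt="$1"; proxy="$2"; iproute="$3"
    # 1. The proxy's own outbound port-80 traffic must never be marked, or it
    #    would be routed straight back to the proxy. First match wins in a
    #    chain, so this ACCEPT has to come before the MARK rule.
    $RUN $ipt -t mangle -A PREROUTING -i "$CLIENTIFACE" -s "$proxy" \
        -p tcp --dport 80 -j ACCEPT
    # 2. Everything else arriving on the LAN interface for port 80 is marked.
    #    Explicit-proxy traffic to port 3128 never matches --dport 80, so it
    #    needs no exclusion here.
    $RUN $ipt -t mangle -A PREROUTING -i "$CLIENTIFACE" \
        -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    $RUN $ipt -t mangle -A PREROUTING -m mark --mark "$FWMARK" -j ACCEPT
    # 3. Allow the hairpin forward and send marked packets to the proxy.
    $RUN $ipt -t filter -A FORWARD -i "$CLIENTIFACE" -o "$CLIENTIFACE" \
        -p tcp --dport 80 -j ACCEPT
    $RUN $iproute rule add fwmark "$FWMARK" table 2
    $RUN $iproute route add default via "$proxy" table 2
}

# Constructed sample addresses from the documentation ranges (not real hosts).
squid_intercept_rules iptables 192.0.2.10 "ip"
squid_intercept_rules ip6tables 2001:db8::10 "ip -6"
```

Run it once as-is to review the rule order, then with RUN="" on the router to apply it.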