
I've got a set of iptables rules that look like this:

-A PREROUTING  --jump intercept-nat
-A intercept-nat --jump DNAT -s 10.10.1.0/24 ! -d 10.10.1.1/32 -p tcp -m tcp --dport 80 --to-destination 10.10.1.1:3126 -m comment --comment "intercept-nat"
-A intercept-nat --jump DNAT -s 10.10.1.0/24 ! -d 10.10.1.1/32 -p tcp -m tcp --dport 443 --to-destination 10.10.1.1:3127 -m comment --comment "intercept-nat"
-A intercept-nat --jump DNAT -s 10.1.2.0/24 ! -d 10.10.1.1/32 -p tcp -m tcp --dport 80 --to-destination 10.10.1.1:3126 -m comment --comment "intercept-nat"
-A intercept-nat --jump DNAT -s 10.1.2.0/24 ! -d 10.10.1.1/32 -p tcp -m tcp --dport 443 --to-destination 10.10.1.1:3127 -m comment --comment "intercept-nat"

It's designed to send 80 and 443 traffic to Squid, an HTTP cache proxy. I'd like to put some lines in the iptables rules that would NOT direct 443 traffic to specific IP addresses to 10.10.1.1:3127 (Squid).

Use case: I have a websocket server that the clients behind the proxy need to connect to, but Squid doesn't support websockets. So I want that traffic to bypass Squid.

3 Answers

I'd do the following:

-A PREROUTING -s 10.10.1.0/24 ! -d 10.10.1.1/32 --jump intercept-nat
-A PREROUTING -s 10.1.2.0/24 ! -d 10.10.1.1/32 --jump intercept-nat
-A intercept-nat -d target-ip -p tcp -m tcp --dport 443 -j RETURN
-A intercept-nat --jump DNAT -p tcp -m tcp --dport 80 --to-destination 10.10.1.1:3126 -m comment --comment "intercept-nat"
-A intercept-nat --jump DNAT -p tcp -m tcp --dport 443 --to-destination 10.10.1.1:3127 -m comment --comment "intercept-nat"

Every time a packet destination matches target-ip it will skip the rest of the intercept-nat rules. I also changed your rules a little bit to make them more readable and easy to change ;-).

Mauricio López

The simplest way to bypass NAT is to ACCEPT the packet, which ends traversal of the table (at PREROUTING) as well as of the chain (intercept-nat). RETURN will leave the chain (intercept-nat) and continue through the table (PREROUTING).

iptables -t nat -A PREROUTING <some criterion> -j ACCEPT

or

iptables -t nat -A intercept-nat <some criterion> -j ACCEPT

Even though I wrote -A, you have to place this line before the NAT action, or insert it in first position.

setenforce 1

Given that you want to exclude certain traffic from being NATed to your proxy, a rule for that should be placed before the others. And I wouldn't include it in your user-defined chain intercept-nat since that chain is logically intended to do NAT, not to not do it.

Simply:

iptables -t nat -A PREROUTING -d w.x.y.z -p tcp --dport 443 -j ACCEPT

where w.x.y.z is the websocket server address.

Besides, I would modify your current rules (although I am guessing some things here):

  • I think you don't need to specify the source IP addresses in the match section, since you probably just want to redirect all traffic from your internal LAN(s). I'll assume eth0 is the external LAN and eth1 and eth2 the internal ones.
  • You probably don't need to specify destination IP address either, saving some CPU cycles. I assume web traffic is not directed to the proxy machine, unless you have a web server running on it.
  • If the proxy is running on the same machine as the firewall, you can also avoid specifying the destination IP in the DNAT target by using REDIRECT instead.

Eliminating specification of IP addresses improves maintenance, allows reuse and keeps things simpler. All together would be:

-A PREROUTING -d w.x.y.z/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING ! -i eth0 -j intercept-nat
-A intercept-nat -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126 -m comment --comment "intercept-nat"
-A intercept-nat -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127 -m comment --comment "intercept-nat"

Julio Diez
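The three answers rely on the same netfilter traversal rules: the first matching rule wins, DNAT/REDIRECT/ACCEPT end the packet's walk through the nat table, RETURN only leaves the user-defined chain, and a bypass appended after the DNAT rule is never reached. The following is an added example, not code from the question or any of the answers: a small Python model of nat/PREROUTING traversal that encodes Mauricio's RETURN layout, Julio's ACCEPT + REDIRECT layout, and the mis-ordered variant setenforce warns about, then computes where a packet ends up. It is a simulation, not iptables; `ROUTER_IP`, `WS_IP`, the interface names and the client addresses are assumptions (`WS_IP` stands for the page's `target-ip` / `w.x.y.z`), and only `-s`, `-d`, `-p`, `--dport` and `-i` matches are modelled.

```python
"""Toy model of netfilter nat/PREROUTING traversal (not iptables).

First matching rule wins; DNAT, REDIRECT and ACCEPT end the walk through
the table; RETURN leaves a user-defined chain and the caller keeps walking.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROUTER_IP = "10.10.1.1"    # assumption: firewall/proxy box; address REDIRECT maps to
WS_IP = "203.0.113.10"     # constructed websocket server address (target-ip / w.x.y.z)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "eth1"    # interface the packet arrived on (eth1/eth2 internal, eth0 external)


@dataclass(frozen=True)
class Rule:
    target: str                    # DNAT, REDIRECT, ACCEPT, RETURN or a user chain name
    src: Optional[str] = None      # -s CIDR
    dst: Optional[str] = None      # -d CIDR
    not_dst: bool = False          # ! -d
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    iface: Optional[str] = None    # -i
    not_iface: bool = False        # ! -i
    to: Optional[str] = None       # --to-destination host:port, or --to-ports port for REDIRECT

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and (ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)) == self.not_dst:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.iface and (p.iface == self.iface) == self.not_iface:
            return False
        return True


TERMINATING = {"DNAT", "REDIRECT", "ACCEPT"}


def walk(chains: dict, chain: str, p: Packet):
    """Walk one chain; return (target, to) for a terminating rule, None otherwise."""
    for r in chains[chain]:
        if not r.matches(p):
            continue
        if r.target == "RETURN":
            return None                          # leave this chain; the caller continues
        if r.target in TERMINATING:
            return r.target, r.to
        verdict = walk(chains, r.target, p)      # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def final_destination(chains: dict, p: Packet) -> str:
    """Destination host:port after nat/PREROUTING (table policy ACCEPT if nothing matched)."""
    verdict = walk(chains, "PREROUTING", p)
    if verdict is None or verdict[0] == "ACCEPT":
        return f"{p.dst}:{p.dport}"
    target, to = verdict
    return to if target == "DNAT" else f"{ROUTER_IP}:{to}"   # REDIRECT -> local address


def ruleset_return(ws_ip: str) -> dict:
    """Mauricio's layout: source filtering in PREROUTING, RETURN for the websocket host."""
    return {
        "PREROUTING": [Rule("intercept-nat", src=net, dst=f"{ROUTER_IP}/32", not_dst=True)
                       for net in ("10.10.1.0/24", "10.1.2.0/24")],
        "intercept-nat": [
            Rule("RETURN", dst=f"{ws_ip}/32", proto="tcp", dport=443),
            Rule("DNAT", proto="tcp", dport=80, to=f"{ROUTER_IP}:3126"),
            Rule("DNAT", proto="tcp", dport=443, to=f"{ROUTER_IP}:3127"),
        ],
    }


def ruleset_accept_redirect(ws_ip: str) -> dict:
    """Julio's layout: ACCEPT in PREROUTING ahead of the jump, REDIRECT instead of DNAT."""
    return {
        "PREROUTING": [
            Rule("ACCEPT", dst=f"{ws_ip}/32", proto="tcp", dport=443),
            Rule("intercept-nat", iface="eth0", not_iface=True),
        ],
        "intercept-nat": [
            Rule("REDIRECT", proto="tcp", dport=80, to="3126"),
            Rule("REDIRECT", proto="tcp", dport=443, to="3127"),
        ],
    }


def ruleset_bypass_appended(ws_ip: str) -> dict:
    """The mistake setenforce warns about: the bypass is -A'd after the DNAT rules."""
    rs = ruleset_return(ws_ip)
    rs["intercept-nat"] = rs["intercept-nat"][1:] + rs["intercept-nat"][:1]
    return rs


if __name__ == "__main__":
    ws, web = Packet("10.10.1.50", WS_IP, 443), Packet("10.10.1.50", "198.51.100.7", 443)
    for name, rs in (("RETURN", ruleset_return(WS_IP)),
                     ("ACCEPT+REDIRECT", ruleset_accept_redirect(WS_IP)),
                     ("bypass appended last", ruleset_bypass_appended(WS_IP))):
        print(f"{name:22} websocket -> {final_destination(rs, ws):20} https -> {final_destination(rs, web)}")
```

The first two rulesets leave the websocket connection untouched and still send ordinary HTTPS to 10.10.1.1:3127; the third shows why ordering matters: once the DNAT rule has matched, the RETURN after it is never evaluated, so the bypass must be inserted before the DNAT rules (or before the jump in PREROUTING). On a real box you would confirm the same thing with `iptables -t nat -L intercept-nat -n -v --line-numbers` and watch which rule's counters increase.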