Squid+iptables: how do I allow https to pass through, bypassing Squid?


Question


Basically started with Squid and iptables today (google is your friend). This stuff is going to be the death of me.


I have Squid3 set up on an Ubuntu 9.04 server as a Transparent Proxy. It works sweetly when I use the proxy box as my default gateway etc. The iptables rules for this setup were part of the tutorial. :P


I can unfortunately not access https sites (such as Gmail or anything on port 443 basically). This is because Squid doesn't like what it cannot cache, which in this case is the https traffic.


I would like to add an iptables rule so that I can basically access https sites and use Skype. Basically allow these types of traffic to pass through without going through the Squid proxy? (bypassing it, so to speak)


Would anyone perhaps know how to do this or have a link to any sources that would assist me in figuring it out?

Thanks.

Answer


After actually considering chewing through my own wrists and dreaming of IPs all night long + brute-force googling/trying ANYTHING I could get my digital fingers on, I managed to put something together that actually works. I don't know the technical reasons why, so if you can provide set explanations please do so! :D


PS: everything in the explanation is done via command line


PS: this is not a final solution, but it's a working one, in answer to my own question.

Here it is:

Step 1: IP forwarding has to be enabled on the box:

vim /etc/sysctl.conf

Find and uncomment the following:

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1

Step 2: Add the loopback rule (this is more applicable when all ports are covered, which apparently many apps need?):

iptables -I INPUT -i lo -j ACCEPT

Step 3: Add the rules that bypass port 443 (eth1 is the internet interface, x.x.x.x / eth0 is the LAN interface):

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # let packets of already-established connections through

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT   # forward https from the LAN without touching Squid

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x   # rewrite the source to the internet-side address on the way out

Step 4: Then finally the rules that make Squid transparent (x.x.x.x is the IP of the LAN interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128   # port 80 from the LAN goes to Squid

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128   # port 80 arriving on eth1 is also sent to Squid
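The same rule set as a parameterised, dry-run-by-default script. This is an added example, not code from the original question or answer, and nothing in it is Squid's or iptables' own API beyond the standard targets used above. The interface names, the LAN subnet 192.168.1.0/24 and the Squid port are assumed defaults and can be overridden through environment variables. Two differences from the answer are deliberate: REDIRECT is used instead of DNAT to x.x.x.x:3128 (it targets the incoming interface's own address, so the LAN IP does not have to be hard-coded), and the answer's second PREROUTING rule on eth1 is left out, because it would also hand port-80 traffic arriving on the internet-facing interface to Squid; only LAN clients are redirected here.

```shell
#!/bin/sh
# Added example (not from the original post): the answer's rule set as a
# parameterised script that only prints the rules unless APPLY=1 is set.
# The values below are assumed defaults; override them via the environment.
LAN_IF="${LAN_IF:-eth0}"                 # interface the clients sit behind
WAN_IF="${WAN_IF:-eth1}"                 # interface facing the internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # client subnet (constructed value)
SQUID_PORT="${SQUID_PORT:-3128}"         # port Squid's transparent http_port listens on

# Emit the rules, one per line, without running anything.
# Only port-80 traffic arriving from the LAN is sent to Squid; everything
# else from the LAN (443, Skype's ports, ...) is forwarded and NATed as-is,
# which is what "bypassing the proxy" means at the packet-filter level.
squid_rules() {
    cat <<EOF
iptables -I INPUT -i lo -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}
# Notes on the lines above:
# - the explicit 443 ACCEPT mirrors the answer's step 3; the following
#   catch-all FORWARD rule is what also lets Skype's other ports through.
# - MASQUERADE is the dynamic-address equivalent of the answer's
#   "SNAT --to-source x.x.x.x"; use SNAT if the WAN address is static.
# - there is intentionally no rule for port 80 arriving on $WAN_IF.

# Dry run unless APPLY=1 is set; applying needs root.
apply_rules() {
    if [ "${APPLY:-0}" != "1" ]; then
        echo "dry run: set APPLY=1 and run as root to apply these rules" >&2
        squid_rules
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; return 1; }
    # Step 1 of the answer; make it persistent in /etc/sysctl.conf as well.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    # Run the rules in order and stop at the first one that fails.
    squid_rules | sh -e
}

apply_rules
```

Run it once without `APPLY` to review the exact rules it would add for your interfaces, then with `APPLY=1` as root. The `-s $LAN_NET` match on the PREROUTING rule is the part worth keeping even if you adapt the rest: it ties the redirect to your own clients rather than to whatever reaches the interface.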
