Firewall Wizards mailing list archives

Excluding certain NAT in linux iptables?


From: Greg Spath <gkspath () armstrong com>
Date: Fri, 1 Jul 2005 11:44:06 -0400

Hi all,

My first post to the list, let me know if not on topic or if I should go
elsewhere.

Background:
We deploy a linux-based appliance to form branch office IPSec tunnels. 
I've recently added a squid proxy to the mix, and want to use it
transparently using iptables REDIRECT.

This is all well and good, but there are certain Internal web server
auth methods (I'm sure you can guess which company) which this will
break (unless I spend far too much time building that configuration
into these squid caches).

So, for this pilot rollout, I want to redirect only stuff destined to
the Internet to the squid cache, and leave stuff that goes through the
tunnels alone.

Here is the line to direct everything (eth1 is my private interface on
the gateway):

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

To exclude rfc1918, I did this:
/sbin/iptables -t nat -A PREROUTING -d 192.168.0.0/16 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 172.16.0.0/12 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 10.0.0.0/8 -j ACCEPT 
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Should it be "FORWARD" instead of "ACCEPT?"  Is there a better way to do
this?  I was unable to find any examples of this situation in any groups
or iptables documentation.

ACCEPT does work, btw.  I just want to verify that I'm not doing
something stupid.

Thanks in advance for taking the time to read through this.

-- Greg


-- 
Greg Spath <gkspath () armstrong com>                        
Infrastructure Security Analyst    
Armstrong World Industries, Inc.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
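The rule set Greg describes, rebuilt as an added worked example (my code, not anything from the post): it emits the nat PREROUTING rules in iptables-restore form and includes a small first-match simulator so the effect of the ACCEPT exclusions can be seen without a root shell. The interface eth1, the squid port 3128 and the three RFC1918 blocks are the ones in the post; scoping the exclusion rules with -i/-p/--dport, the --to-ports spelling and the sample destination addresses are my own choices. Two facts the example relies on: in the nat table, ACCEPT simply ends the walk of the current chain (the packet continues unmodified), and FORWARD is a chain of the filter table, not a target one can jump to from nat PREROUTING.

```python
"""Added example (not from the original post): build the nat PREROUTING rules for
a transparent squid REDIRECT that skips RFC1918 destinations, and simulate how
iptables walks that chain so the effect of the ACCEPT exclusions is visible.
Interface, port and networks below are the ones named in the post."""
import ipaddress

LAN_IF = "eth1"          # private interface from the post
SQUID_PORT = 3128        # squid's intercept port from the post
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def nat_prerouting_rules(lan_if=LAN_IF, squid_port=SQUID_PORT, exclude=RFC1918):
    """Rules in iptables-restore syntax, exclusions first.

    ACCEPT in the nat table is not a filtering decision: it only stops the walk
    of this chain, so a matching packet is never seen by the REDIRECT rule below
    and continues unmodified to routing (and on into the IPSec tunnel).
    Scoping the exclusions with -i/-p/--dport (my choice, not in the post) keeps
    them from short-circuiting any other nat PREROUTING rule, e.g. a DNAT, that a
    packet to those networks might otherwise have hit.
    """
    rules = [
        f"-A PREROUTING -i {lan_if} -p tcp --dport 80 -d {net} -j ACCEPT"
        for net in exclude
    ]
    rules.append(
        f"-A PREROUTING -i {lan_if} -p tcp --dport 80 "
        f"-j REDIRECT --to-ports {squid_port}"
    )
    return rules


def iptables_restore_text(rules):
    """Wrap the rules so they can be fed to `iptables-restore -n`."""
    return "\n".join(["*nat", *rules, "COMMIT", ""])


def _parse(rule):
    """Pull the matches and the target out of one rule string."""
    tok = rule.split()
    spec = {}
    for i, t in enumerate(tok):
        if t in ("-i", "-p", "-d", "--dport", "-j"):
            spec[t] = tok[i + 1]
    return spec


def first_match(rules, in_if, proto, dport, dst):
    """Walk the chain top to bottom as the kernel does and return the first
    terminating target, or None when the chain's default policy applies.
    Only the matches used in nat_prerouting_rules() are modelled."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        spec = _parse(rule)
        if "-i" in spec and spec["-i"] != in_if:
            continue
        if "-p" in spec and spec["-p"] != proto:
            continue
        if "--dport" in spec and int(spec["--dport"]) != dport:
            continue
        if "-d" in spec and dst_ip not in ipaddress.ip_network(spec["-d"]):
            continue
        return spec["-j"]
    return None


def redirected_to_squid(dst, in_if=LAN_IF, proto="tcp", dport=80):
    """True if a packet with these properties would be handed to squid."""
    return first_match(nat_prerouting_rules(), in_if, proto, dport, dst) == "REDIRECT"


if __name__ == "__main__":
    print(iptables_restore_text(nat_prerouting_rules()))
    # Constructed sample destinations: three intranet hosts, one Internet host.
    for dst in ("10.20.30.40", "172.31.0.9", "192.168.5.5", "203.0.113.7"):
        print(f"{dst:>15} -> {'squid' if redirected_to_squid(dst) else 'untouched'}")
```

Running the script prints the iptables-restore stanza followed by one line per sample destination; the three RFC1918 hosts come out "untouched" and the Internet host "squid". Loading the stanza for real would be `iptables-restore -n < file`, with the usual caveat that squid must be configured for interception on port 3128 for the redirected connections to be served.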

