Transparent Proxy Selective Bypass


Is it possible to selectively bypass a Squid transparent interception proxy? If so, how?


Yes, it is possible to bypass a Squid running as an interception proxy, but it is not Squid itself that does it: the bypass is a task for the underlying interception technology.

Once Squid has been handed a request, it cannot step out of the way; it has to either service the request or fail it.

This also determines what kind of selection is possible: since the decision is made before Squid ever sees the request, it is generally restricted to network-level checks, typically the destination IP address and TCP port.


When running on a Linux host, interception will typically be handled via an iptables REDIRECT or DNAT rule, as detailed in ConfigExamples/Intercept/LinuxRedirect or ConfigExamples/Intercept/LinuxDnat.

To add an exception allowing direct access to a given destination, the iptables configuration example on those pages should be changed like this:

# Create the chain that will hold the bypass exceptions.
iptables -t nat -N BYPASS
# Never intercept traffic originating from Squid itself (SQUIDIP is the proxy's own address).
iptables -t nat -A PREROUTING -s SQUIDIP -p tcp --dport 80 -j ACCEPT
# Consult the BYPASS chain first; anything it does not ACCEPT falls through to the REDIRECT below.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j BYPASS
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE

# One ACCEPT per destination to exempt; BYPASSIP stands for the destination host or network
# (the original page left this value blank, so it is shown here as a placeholder).
iptables -t nat -A BYPASS -d BYPASSIP -j ACCEPT

The BYPASS chain is the one that performs the interception bypass: a packet ACCEPTed there leaves the nat table untouched and goes straight to its destination, while a packet matching none of its rules returns to PREROUTING and is redirected to Squid. You can grow the chain as much as you wish by appending one line like the example for every destination host (or network) you do NOT want to intercept.
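As an added example (not code from the Squid wiki), the following POSIX sh helper builds the ruleset above with a BYPASS chain for a list of destinations, validating each entry and printing the commands instead of applying them when DRY_RUN is set; the function names, the DRY_RUN switch and the sample addresses are assumptions of this example, not the page's.

```shell
#!/bin/sh
# Assumed helper (not from the Squid wiki): builds the interception ruleset
# from the page with one BYPASS exception per destination.

# Print an iptables command when DRY_RUN is set (review before applying),
# otherwise execute it.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with an optional /prefix, so a typo
# cannot silently widen the bypass to an unintended range.
valid_dest() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Usage: build_intercept_rules SQUIDIP DEST [DEST...]
# SQUIDIP is the proxy's own address; each DEST is a host or network to
# exempt from interception. Returns 1 without emitting anything if any
# destination is malformed.
build_intercept_rules() {
    squid_ip=$1
    shift
    for d in "$@"; do
        valid_dest "$d" || { echo "invalid bypass destination: $d" >&2; return 1; }
    done
    ipt -t nat -N BYPASS
    ipt -t nat -A PREROUTING -s "$squid_ip" -p tcp --dport 80 -j ACCEPT
    ipt -t nat -A PREROUTING -p tcp --dport 80 -j BYPASS
    ipt -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
    ipt -t nat -A POSTROUTING -j MASQUERADE
    # Exceptions are appended after the chain is wired in; a packet that
    # matches none of them returns to PREROUTING and hits the REDIRECT.
    for d in "$@"; do
        ipt -t nat -A BYPASS -d "$d" -j ACCEPT
    done
}

# Example (sample addresses constructed from documentation ranges):
#   DRY_RUN=1 build_intercept_rules 192.0.2.10 198.51.100.7 203.0.113.0/24
```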

For details on setting iptables up and the meaning of the various flags and options, please see the iptables documentation.

Problems with the solution

As a side effect, all sites served from the same IP address as the bypassed destination will be directly accessible as well, because the rule matches the address rather than the hostname. At this time, this is an unavoidable side effect of using general-purpose technologies; workarounds such as the one shown at LinuxQuestions are not reliable and should not be deployed.

KnowledgeBase/TransparentProxySelectiveBypass (last edited 2011-05-12 13:04:35 by AmosJeffries)