Score:0

IPtables rules to bypass squid proxy


I think I just need a sanity check on some iptables rules. (Spoiler alert: it's not good.)

The basic issue: we have a Squid proxy server that is interfering with various internet resources. I am remote and want to update the iptables rules on the proxy server so that traffic never actually reaches the proxy service. This is a temporary fix while I work on migrating the network to actual network hardware.

So the goal is to route all traffic that is not SSH from the local network (enp5s0, 10.90.30.1/16) to the "Router" (192.168.165.1/24) via the interface (enp4s0, 192.168.165.1/24):

# Exempt SSH and HTTP aimed at the proxy itself from the DNAT below
# (ACCEPT in nat PREROUTING ends NAT processing for that packet; INPUT is not a valid target here)
iptables -t nat -A PREROUTING -p tcp --dport 22 -d 10.90.30.1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.90.30.1 -j ACCEPT
# Rewrite everything else arriving from the LAN to the router's address, and the reverse direction back
iptables -t nat -A PREROUTING -i enp5s0 -d 10.90.30.1 -j DNAT --to 192.168.165.1
iptables -t nat -A PREROUTING -i enp4s0 -d 192.168.165.151 -j DNAT --to 10.90.30.1
# Allow SSH to the proxy box itself, and SSH from the LAN through the FORWARD chain
iptables -A INPUT -p tcp --dport 22 -d 10.90.30.1 -j ACCEPT
iptables -A FORWARD -i enp5s0 -p tcp --dport 22 -d 10.90.30.1 -j ACCEPT
# Source-NAT whatever leaves on either interface
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE

I appreciate all the help I can get. I like to think I understand iptables well enough to set up basic firewalls, but advanced routing is something I have never had to do.

How much NAT is too much NAT? This much NAT.

vidarlo
How do you expect your router to know what to do with the packets it receives if you rewrite the destination?
Score:0

You can probably mark packets with iptables and then have a specific routing table for those marked packets. Just an example of how this works:

# IPv4 address of proxy
PROXYIP4=192.168.1.45

# IPv6 address of proxy
PROXYIP6=fd48:2b50:6a95:a6db::73:7175:6964

# interface facing clients & clients to be squidified
CLIENTIFACE=br-lan
CLIENTIP=smart-tv.lan

# arbitrary mark used to route packets by the firewall. May be anything from 1 to 64.
FWMARK=8

# chain (should be OUTPUT on client and PREROUTING on router)
CHAIN=PREROUTING

# routing table id
TABLEID=252


# permit Squid box out to the Internet
#iptables -t mangle -A $CHAIN -p tcp --dport 80 -s $PROXYIP4 -j ACCEPT
#ip6tables -t mangle -A $CHAIN -p tcp --dport 80 -s $PROXYIP6 -j ACCEPT

# mark everything else on ports 80 and 443 to be routed to the Squid box
iptables -t mangle -A $CHAIN -p tcp -s $CLIENTIP -m multiport --dports 80,443 -j MARK --set-mark $FWMARK
ip6tables -t mangle -A $CHAIN -p tcp -s $CLIENTIP -m multiport --dports 80,443 -j MARK --set-mark $FWMARK

# NP: Ensure that traffic from inside the network is allowed to loop back inside again (same ports as marked above).
iptables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp -m multiport --dports 80,443 -j ACCEPT
ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp -m multiport --dports 80,443 -j ACCEPT

ip rule add fwmark $FWMARK table $TABLEID
ip route add default via $PROXYIP4 table $TABLEID
ip -6 rule add fwmark $FWMARK table $TABLEID
ip -6 route add default via $PROXYIP6 table $TABLEID

It's not applicable for you without modifications, because it actually does the opposite: it redirects traffic TO the Squid proxy. (I likely got it from some tutorial, too.) My point is to demonstrate that you can apply a different routing table for marked packets, and I think this is what you also need to do.

Score:0

So the reason a transparent proxy works is that the upper-layer protocols contain information on where to connect. In HTTP it's the Host header; in TLS it's the SNI header.

But when you redirect packets on a layer 3 basis, which is where routers operate, the router that receives the rewritten packet has no idea what to do with it. The destination is listed as the IP of the router, which probably isn't listening on the destination port. If it happens to be listening, it'll pass the packet on to whatever software is listening, and not forward it.

So probably what you're trying to achieve won't work, because the router will have no idea what to do with the traffic.
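To make the point of this answer concrete: the only place the original destination survives after a DNAT is in the application payload, which is exactly what an intercepting proxy parses and a layer 3 router never looks at. The following is an added example, not code from the question or either answer, and not Squid's own code: it pulls the Host header out of a plain HTTP request and the server_name (SNI) extension out of a TLS ClientHello. The ClientHello builder and the sample request are constructed here purely so the example runs offline; the helper names are my own.

```python
"""Recover the upper-layer destination an intercepting proxy relies on.

Added example (not from the original thread). Parses two things a transparent
proxy reads to learn where the client really wanted to go after the IP
destination has been rewritten: the HTTP Host header and the TLS SNI extension.
"""
from typing import Optional, Tuple

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request, or None if absent."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None.

    Walks the record header, the handshake header, then the fixed ClientHello
    fields (version, random, session id, cipher suites, compression methods)
    to reach the extensions block and looks for extension type 0 (server_name).
    """
    try:
        if record[0] != 0x16:                     # 0x16 = handshake record
            return None
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                         # 0x01 = ClientHello
            return None
        pos = 4                                   # handshake type + 3-byte length
        pos += 2 + 32                             # client_version + random
        pos += 1 + hs[pos]                        # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hs[pos]                        # compression_methods
        if pos + 2 > len(hs):
            return None                           # no extensions block at all
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            body = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            lpos = 2                              # skip server_name_list length
            while lpos + 3 <= len(body):
                ntype = body[lpos]
                nlen = int.from_bytes(body[lpos + 1:lpos + 3], "big")
                name = body[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == 0:                    # 0 = host_name
                    return name.decode("ascii", "replace")
    except IndexError:
        return None                               # truncated / malformed input
    return None


def upper_layer_destination(payload: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Classify a first client payload and return (protocol, destination name).

    This is the information Squid has and a plain router does not; (None, None)
    means nothing in the payload says where the connection was meant to go.
    """
    if payload[:1] == b"\x16":
        return ("tls", tls_sni(payload))
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return ("http", http_host(payload))
    return (None, None)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (sample input for this example)."""
    if server_name is None:
        exts = b"\x00\x00"                        # empty extensions block
    else:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        sni_list = len(entry).to_bytes(2, "big") + entry
        ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
        exts = len(ext).to_bytes(2, "big") + ext
    body = (b"\x03\x03" + bytes(32)               # version + all-zero random (constructed)
            + b"\x00"                             # session_id length 0
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    print(upper_layer_destination(b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"))
    print(upper_layer_destination(build_client_hello("example.com")))
    print(upper_layer_destination(build_client_hello(None)))
```

Run it and the HTTP request yields the Host, the ClientHello yields the SNI, and a ClientHello without SNI yields nothing, which is the case where even an intercepting proxy is stuck. A router that receives the DNATed packet from the question has none of this parsing, so the original destination is simply gone.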
