Squid
dm86, 2013-12-18 17:33:22

How to give computers with specific IP addresses direct access to the Internet, bypassing the Squid proxy server?

There is a server running CentOS Linux with two network interface cards: one (eth0) faces the ISP, the other (eth1) faces the local network. A Squid proxy server is installed, and all computers on the network go through it. I have already asked a question about not being able to get the Onwebinar web conferencing service working; it uses p2p Flash technology and cannot communicate with the other participants because of our proxy server. I don't know what to do about it.
If this service cannot be made to work through the proxy server, then can some computers on the local network with certain IP addresses (or a separate subnet) somehow be made to bypass the Squid proxy? This can probably be done through iptables, but I do not know the correct commands and the order to run them in.
Currently the nat table in iptables redirects ports to the proxy server's port 3128.


6 answer(s)
oia, 2013-12-18
@oia

Port forwarding will help, you just need to understand which ports to open
Open UDP ports in the range 1024-65535.
magicpast.net/software/index.php?page=probros-port...

maxaon, 2013-12-18
@maxaon

You can set up a TURN server behind a nat. www.adobe.com/devnet/flashplayer/articles/rtmfp_ci...
Tester cc.rtmfp.net
Check your flash player version.
Or forward ports to some ip
iptables -t nat -I PREROUTING -p tcp --dport 1024:65535 -j DNAT --to-destination 192.168.1.100

maxaon, 2013-12-19
@maxaon

I think I understand what you need to do. The first option, and the simplest, is to give the computers public ("white") IP addresses.
The second option, which will definitely work, is to make a hole and use full cone nat instead of normal NAT.

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o <your outgoing interface> -j MASQUERADE

As I understand it, RTMFP works through UDP hole punching.
Additional material
habrahabr.ru/post/150298
help.adobe.com/en_US/adobemediaserver/configadmin/...
en.wikipedia.org/wiki/UDP_hole_punching
habrahabr.ru/post/155803

dm86, 2013-12-19
@dm86

This is a screenshot from the network computer from which I want to go to the webinar
yadi.sk/d/v4nZ1aXBEZFp2
And this is from the server itself, everything is fine there
yadi.sk/d/uDneOt5sEZFqm

dm86, 2013-12-19
@dm86

Here is iptables:
*nat
:PREROUTING ACCEPT [1:386067]
:POSTROUTING ACCEPT [1:194678]
:OUTPUT ACCEPT [1:194678]
-A PREROUTING -i 192.168.1.195 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 280 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 488 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 777 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Oct 19 01:13:14 2013
# Generated by iptables-save v1.4.7 on Sat Oct 19 01:13:14 2013
*mangle
:PREROUTING ACCEPT [371263:162270149]
:INPUT ACCEPT [1024:161464707]
:FORWARD ACCEPT [1024:794498]
:OUTPUT ACCEPT [3974:196075533]
:POSTROUTING ACCEPT [403223:197038940]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
*filter
:FORWARD ACCEPT [1024:65535]
:INPUT ACCEPT [1024:65535]
:OUTPUT ACCEPT [1024:65535]
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024:65535 -j ACCEPT
-A FORWARD -m state --state NEW -i eth1 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.195/24 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.1.195/24 -i eth0 -j ACCEPT
COMMIT
# Completed on Sat Oct 19 01:13:14 2013
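The bypass the question asks for, applied to the nat table dm86 posted above, as an added example that is not part of the question or of any answer: a POSIX shell script that emits an iptables-restore-style *nat section in which the exempt hosts are matched before the REDIRECT rules. In the nat PREROUTING chain an ACCEPT verdict means "no destination NAT for this packet", so a packet from an exempt host skips the REDIRECT to Squid and is routed directly; POSTROUTING is a separate chain, so the host is still MASQUERADEd on the way out. The interface names, the 192.168.1.0/24 subnet, port 3128 and the list of redirected ports come from the posted ruleset, and 192.168.1.195 is used as the bypass host because it appears there; the variable names and the two helper functions are my own. A host that bypasses Squid also loses Squid's logging and filtering, which is why the exemption is written per source address rather than for the whole LAN interface.

```shell
#!/bin/sh
# Added example (not from the thread): generate the *nat table for iptables-restore so that
# selected LAN hosts skip the transparent Squid REDIRECT while everything else still goes
# through the proxy. Interfaces, subnet and ports are taken from the poster's ruleset;
# the variable and function names are assumptions of this example.

LAN_IF="${LAN_IF:-eth1}"                            # interface facing the local network
WAN_IF="${WAN_IF:-eth0}"                            # interface facing the ISP
LAN_NET="${LAN_NET:-192.168.1.0/24}"                # local subnet that is masqueraded
SQUID_PORT="${SQUID_PORT:-3128}"                    # Squid's intercept port
PROXY_PORTS="${PROXY_PORTS:-80 8080 280 488 777}"   # ports the thread redirects to Squid

# gen_nat_rules HOST_OR_SUBNET...
# Prints a complete *nat section. Bypass rules come first: an ACCEPT in nat PREROUTING
# stops traversal of that chain, so the packet never reaches the REDIRECT rules below.
# POSTROUTING is evaluated separately, so bypassed hosts are still MASQUERADEd.
gen_nat_rules() {
  printf '%s\n' '*nat'
  printf '%s\n' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  for src in "$@"; do
    # -s selects the source address; -i only ever matches an interface name.
    printf '%s\n' "-A PREROUTING -i $LAN_IF -s $src -j ACCEPT"
  done
  for port in $PROXY_PORTS; do
    printf '%s\n' "-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport $port -j REDIRECT --to-ports $SQUID_PORT"
  done
  printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
  printf '%s\n' 'COMMIT'
}

# verify_bypass_first HOST   (ruleset on stdin)
# Exits 0 only if an ACCEPT for HOST appears before the first REDIRECT. Rule order is what
# makes the bypass work, so this is the check to run before loading the table.
verify_bypass_first() {
  awk -v host="$1" '
    /-j REDIRECT/ { seen_redirect = 1 }
    /-j ACCEPT/ && index($0, "-s " host " ") > 0 && !seen_redirect { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Stand-alone use: print the table for one bypass host and check its ordering.
if [ "${1:-}" = "--demo" ]; then
  gen_nat_rules 192.168.1.195
  if gen_nat_rules 192.168.1.195 | verify_bypass_first 192.168.1.195; then
    echo "ok: bypass for 192.168.1.195 precedes the REDIRECT rules"
  fi
fi
```

Run it with `--demo` to review the generated table; once it looks right, the same output can be piped into `iptables-restore`, which replaces only the tables named in its input (here *nat) and leaves the filter and mangle tables as they are. The posted filter table already accepts forwarding from 192.168.1.0/24, so no extra FORWARD rule is needed for the bypassed host.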

D1abloRUS, 2013-12-19
@D1abloRUS

Why exactly MASQUERADE and not SNAT?
You have strange iptables rules in general
