My IPTABLEs and Slow internet connection
Dear Sir,
I have one machine which works as: 1. local Apache server, 2. router (Squid proxy), 3. firewall. I have two LAN cards. Below is the iptables file I am pasting, which I don't fully understand, but my connection is working fine, although the Internet is slow. I need help in analysing this file. Can someone look into this matter?

IPTABLES
---------------
# squid server IP
SQUID_SERVER="124.??.???.??"   # >> THIS IS THE REAL IP (redacted)
# Interface connected to Internet
INTERNET="em1"
# Interface connected to LAN
LAN="p2p1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
# All input Drop
# Output allowed
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_PORT

# To block all service requests on port 80
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j DROP

# Log and Drop Packets IP spoofing on public interface
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j LOG --log-prefix "IP_SPOOF A: "
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j DROP

# Drop Private Network Address On Public Interface
iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP

# Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# open access to Samba file server for lan users only ##
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

# Force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Force Fragments packets check
iptables -A INPUT -f -j DROP

# XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

# Log and Drop Spoofing Source Addresses (public interface)
iptables -A INPUT -i $INTERNET -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i $INTERNET -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i $INTERNET -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i $INTERNET -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
iptables -A INPUT -i $INTERNET -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i $INTERNET -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP MULTICAST "
iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i $INTERNET -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i $INTERNET -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i $INTERNET -s 168.254.0.0/16 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i $INTERNET -s 248.0.0.0/5 -j LOG --log-prefix "IP DROP "

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

If you want the Squid file, I have also attached it along with this post. Can someone look and tell me where I am making a mistake? |
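The point a reviewer would want checked in the script above is rule order: the INPUT chain accepts `NEW,ESTABLISHED,RELATED` on the Internet interface before any of the port-80 DROPs, anti-spoofing LOG lines or the final DROP policy get a chance to run. The following is an added example for this thread, not code from the original post: a first-match simulation of that INPUT chain over a few constructed packets, run once against the posted rules (`POSTED`, with `$INTERNET`/`$LAN` expanded to em1/p2p1 and commented-out lines omitted) and once against the same chain with the Internet-side rule narrowed to `ESTABLISHED,RELATED` (`HARDENED`). The addresses 198.51.100.10 (standing in for the redacted server IP) and 203.0.113.7 are documentation-range placeholders; the packet model covers only the match options the script uses, and INPUT is evaluated after nat PREROUTING, so intercepted HTTP from the LAN shows up here on the Squid port.

```python
"""First-match simulation of the INPUT chain from the posted iptables script.

Added example for this thread, not code from the original post. It models
only the match options the posted rules use (-i, -s, -d, -p, --dport,
--state, --syn, -f, --tcp-flags) and reports which rule decides each of a
few constructed packets, for the posted chain and for a hardened variant.
"""
import ipaddress
import shlex

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG falls through to the next rule

# Constructed: INPUT rules from the posted script, original order,
# $INTERNET=em1 and $LAN=p2p1 substituted, commented-out rules omitted.
POSTED = """
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i p2p1 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
-A INPUT -i em1 -p tcp --dport 80 -j DROP
-A INPUT -i em1 -s 192.168.0.0/24 -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
-A INPUT -i em1 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -j LOG
-A INPUT -j DROP
"""
# Same chain with the one change a reviewer would ask for: unsolicited (NEW)
# traffic from the Internet is no longer accepted wholesale.
HARDENED = POSTED.replace("--state NEW,ESTABLISHED,RELATED", "--state ESTABLISHED,RELATED")


def parse_rule(line):
    """Parse one `-A INPUT ...` rule into (conditions, target)."""
    toks, cond, target, i = shlex.split(line), {}, None, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-m", "--log-prefix"):
            i += 2                                   # chain name, match module, log text
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        elif t == "-f":
            cond["fragment"], i = True, i + 1
        elif t == "--syn":
            cond["syn"], i = True, i + 1
        elif t == "!" and toks[i + 1] == "--syn":    # the only negation the script uses
            cond["syn"], i = False, i + 2
        elif t == "--tcp-flags":
            cond["flags"], i = (toks[i + 1], toks[i + 2]), i + 3
        else:
            key = {"-i": "iface", "-s": "src", "-d": "dst", "-p": "proto",
                   "--dport": "dport", "--state": "state"}[t]
            val = toks[i + 1]
            if key in ("src", "dst"):
                val = ipaddress.ip_network(val, strict=False)
            elif key == "state":
                val = frozenset(val.split(","))
            elif key == "dport":
                val = int(val)
            cond[key], i = val, i + 2
    return cond, target


def parse_chain(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def flagset(name):
    return ALL_FLAGS if name == "ALL" else frozenset() if name == "NONE" else frozenset(name.split(","))


def matches(cond, pkt):
    """True when every condition of the rule holds for the packet."""
    for key, want in cond.items():
        if key in ("src", "dst"):
            ok = pkt[key] in want
        elif key == "state":
            ok = pkt["state"] in want
        elif key == "syn":                           # --syn: SYN set, ACK/RST/FIN clear
            syn_only = ("SYN" in pkt["flags"]) and not (pkt["flags"] & {"ACK", "RST", "FIN"})
            ok = syn_only == want
        elif key == "flags":
            mask, comp = (flagset(x) for x in want)
            ok = (pkt["flags"] & mask) == comp
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True


def verdict(chain, pkt, policy="DROP"):
    """(index, target) of the rule that decides the packet; (None, policy) if none does."""
    for idx, (cond, target) in enumerate(chain):
        if matches(cond, pkt) and target in TERMINATING:
            return idx, target
    return None, policy


def packet(iface, src, dport, state="NEW", flags=("SYN",), fragment=False):
    # Constructed packet; 198.51.100.10 stands in for the redacted server address.
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address("198.51.100.10"), "proto": "tcp",
            "dport": dport, "state": state, "flags": frozenset(flags), "fragment": fragment}


PROBES = {
    "ssh_from_internet": packet("em1", "203.0.113.7", 22),          # unsolicited SYN to sshd
    "spoofed_rfc1918": packet("em1", "10.1.2.3", 22),               # source the script meant to log
    "null_scan": packet("em1", "203.0.113.7", 22, state="INVALID", flags=()),  # no flags: INVALID
    "lan_http": packet("p2p1", "192.168.0.151", 3128),              # LAN HTTP after nat DNAT to Squid
}


def report(text):
    """Deciding rule per probe, e.g. {'ssh_from_internet': (1, 'ACCEPT'), ...}."""
    chain = parse_chain(text)
    return {name: verdict(chain, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, report(text))
```

With the posted chain, both the SSH connection and the spoofed-source packet are accepted by rule 1, so the spoofing LOG lines and the closing DROP only ever see INVALID-state packets (the NULL scan is the one probe that reaches a later rule); with the narrowed rule 1, unsolicited Internet traffic falls through to the final DROP while LAN traffic is unaffected. None of this explains slowness, which is Chris's point below; it is the security defect the script carries.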
There is nothing there that would cause anything to be "slow". Note you've not described what is slow about it in any way at all. Squid is certainly a much more likely candidate for "slow", but without even telling us what you're using Squid for, I don't see how we are supposed to assist you. Is this just web pages? What about non-web traffic, like SSH? What network latency do you see when pinging google.com, for example? We need more.
|
We use Squid as our Internet gateway router.
So our internal team browses the Internet through that machine; we control or block traffic from that machine to unauthorised sites. I am pasting the Squid file data below.

SQUID
-----
#
# Recommended minimum configuration:
#
acl localnet src 127.0.0.1/32 ::1
acl to_localnet dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

cache_mem 1024 MB

acl special src 192.168.0.151
acl goodurl url_regex -i "/etc/squid/goodurl"
acl badurl url_regex -i "/etc/squid/badurl"
acl extndeny url_regex -i "/etc/squid/extndeny"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow special
#http_access allow localnet goodurl
#http_access deny localnet badurl
#http_access deny localnet extndeny

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all

# Squid normally listens to port 3128
http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 1000 16 256
cache_dir ufs /home/squid_cache_dir 10000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Absolute path to squid access log.
access_log /var/log/squid/access.log squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320 |
So what if you bypass Squid? Is it faster then?
|
I have not tried bypassing.
Rather, I don't know how to bypass it (meaning how to do this with other services like iptables). I have pasted both files here. Everyone in the office cannot open google.com or its subsidiary sites, because we have blocked lots of other Google services, so will this affect it? Even if we open www.google.com just as a search engine, it opens very, very slowly. So I need to know why it takes so much time to open the site. |
Also I am getting this error in my /var/log/squid/cache.log:

2012/04/19 14:29:58 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:29:58 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:29:59 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:30:00 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:30:08 kid1| ERROR: No forward-proxy ports configured.

Why so? Can you please help by looking at the iptables and Squid file contents pasted earlier in this thread? I will appreciate it if this can also be resolved along with the speed issue. Thanks buddy, |
You don't know how to bypass your own proxy? That you run?
Hmm, OK. Well, the best way I'd suggest, from my limited knowledge of your environment, is probably to use PuTTY on Windows to SSH into the proxy server and use it as a SOCKS5 proxy. http://vectrosecurity.com/content/view/67/26/ There are many simpler ways, but without telling you to start turning services on and off, it's not going to happen. Using SOCKS you should be able to get a full browsing experience from the perspective of the server machine, without Squid in the way. |
As for that error, it's because you have "transparent" mode in use there. Personally I would suggest you do NOT use transparent proxying; just make the browser explicitly define the proxy. It's much clearer to troubleshoot and better in many ways, despite the natural inclination to want less manual configuration (which can be dealt with by proxy.pac files etc. if so desired).
|
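The mechanism behind the error Chris points at: from Squid 3.2 on (the `kid1|` prefix in the log is a 3.2 feature), Squid logs "ERROR: No forward-proxy ports configured." when every listener carries an interception mode (`intercept`, its older spelling `transparent`, `tproxy`) or `accel`, because such listeners only accept redirected traffic and Squid has no port left for ordinary forward-proxy requests, including its own internal ones. The fix is to keep the intercept port for the iptables REDIRECT/DNAT target and add a second plain `http_port`. The following is an added example for this thread, not part of the original post or of Squid: a small consistency check that reads a squid.conf fragment and the nat rules, lists forward-proxy and intercept ports, and flags a nat target that is not an intercept listener. `POSTED_CONF`, `FIXED_CONF` and `NAT_RULES` are constructed from the configs pasted above (variables expanded, 198.51.100.10 standing in for the redacted server address); the script's 443 REDIRECT is left out, since a plain `http_port` cannot terminate TLS and would need an `https_port` with SSL bumping.

```python
"""Consistency check between squid.conf listeners and the nat rules feeding them.

Added example for this thread, not code from the original post or from Squid.
A listener with an interception mode (intercept/transparent/tproxy) or accel
only serves redirected traffic; Squid 3.2+ insists on at least one listener
without such a flag and otherwise logs
"ERROR: No forward-proxy ports configured."
"""
import re
import shlex

INTERCEPT_MODES = {"intercept", "transparent", "tproxy", "accel"}

# Constructed: the single listener from the posted squid.conf ...
POSTED_CONF = """
# Squid normally listens to port 3128
http_port 3128 transparent
"""
# ... and a corrected pair: intercept port for the nat rules, plain port for
# forward-proxy requests (the number 3129 is an arbitrary choice).
FIXED_CONF = """
http_port 3128 intercept   # target of the iptables REDIRECT/DNAT rules only
http_port 3129             # forward-proxy listener; Squid also uses it internally
"""
# Constructed: the port-80 nat rules from the posted script, variables expanded.
NAT_RULES = """
iptables -t nat -A PREROUTING -i p2p1 -p tcp --dport 80 -j DNAT --to 198.51.100.10:3128
iptables -t nat -A PREROUTING -i em1 -p tcp --dport 80 -j REDIRECT --to-port 3128
"""


def listeners(conf):
    """Yield (directive, port, option keywords) for every http_port/https_port line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        toks = shlex.split(line)
        if toks[0] in ("http_port", "https_port"):
            port = toks[1].rsplit(":", 1)[-1]        # accept "3128" or "192.0.2.1:3128"
            opts = {t.split("=", 1)[0] for t in toks[2:]}   # "intercept", "name=..." -> keyword
            yield toks[0], port, opts


def forward_proxy_ports(conf):
    """Ports that take ordinary forward-proxy requests (no interception/accel flag)."""
    return [port for _, port, opts in listeners(conf) if not opts & INTERCEPT_MODES]


def intercept_ports(conf):
    """Ports that may only receive traffic redirected by the nat table."""
    return [port for _, port, opts in listeners(conf) if opts & INTERCEPT_MODES]


def redirect_targets(rules):
    """Destination ports of REDIRECT --to-port(s) and DNAT --to[-destination] ip:port."""
    return re.findall(r"--to(?:-ports?|-destination)?\s+(?:\S+:)?(\d+)", rules)


def diagnose(conf, rules):
    """Problems a reviewer would flag; an empty list when config and nat rules agree."""
    problems = []
    if not forward_proxy_ports(conf):
        problems.append("no forward-proxy http_port: Squid will log "
                        "'ERROR: No forward-proxy ports configured.'")
    for port in redirect_targets(rules):
        if port not in intercept_ports(conf):
            problems.append(f"nat sends intercepted traffic to port {port}, "
                            "which is not an intercept listener")
    return problems


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, diagnose(conf, NAT_RULES) or "ok")
```

The forward-proxy port does not need to be reachable from the LAN clients for the error to go away, but if it is, it is also the port a proxy.pac or manual browser setting would point at, which is the explicit-proxy route suggested in the reply above.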
I know how to use PuTTY from a Windows machine, and I do use that.
But what I understand by the word "bypass" is to stop using Squid and use something else. Now, for transparent mode, I have to use that; otherwise I have to set up the port in every browser and computer and on different OSes, and I don't want to do that. I just want to solve this error. Please let me know what other info you need so I can provide it, but please help. Thanks, |
But what you understand? Where's the "but"? That's exactly what I'm saying you should do. Have you done it?
As above, transparent proxies are easy, but they are also rubbish, and you can use proxy.pac / wpad.dat mechanisms to configure clients with minimal ongoing effort. |
Sorry Chris,
no offense, but I don't understand the meaning of the last reply from your side. I had done this in the past with Fedora 8, 12 and 16 and it was working fine, but somehow I had to format the machine, and now I am not getting speed due to the updated version of Squid. All the rest of the settings are the same as they should be, because I have stored the settings files (whatever files were required). I don't know how to explain this to you. |