My IPTABLEs and Slow internet connection
 

Dear Sir,

I have 1 machine which works as Local
1. Apache Server
2. Router (squid proxy)
3. Firewall

I have 2 Lan Cards

Below is Iptables Files I am pasting which i dont fully understand but my connection is worknig fine but Internet is slow.

I need help in analysing this file.

Can someone look into this matter.

IPTABLES
---------------

# squid server IP
SQUID_SERVER="124.??.???.??" >> THIS IS REAL IP
# Interface connected to Internet
INTERNET="em1"
# Interface connected to LAN
LAN="p2p1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy #All input Drop #Output allowed
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_PORT

#To block all service requests on port 80
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j DROP

# Log and Drop Packets IP spoofing on public interface
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j LOG --log-prefix "IP_SPOOF A: "
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j DROP

#Drop Private Network Address On Public Interface
iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP

#Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# open access to Samba file server for lan users only ##
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

#Force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#Force Fragments packets check
iptables -A INPUT -f -j DROP

#XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

#Log and Drop Spoofing Source Addresses
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP MULTICAST "
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 168.254.0.0/16 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 248.0.0.0/5 -j LOG --log-prefix "IP DROP "

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


if you want squid file i have also attached this file along with this post.

Can someone see and tell me where i am making mistake?

there is nothing there that would cause anything to be "slow". Note you've not described what is slow abuot it in any way at all. Squid is certainly a much more likely candidate for "slow" but without even telling us what you're using squid for, I don't see how we are supposed to assist you. Is this just webpages? what about non web traffic, like ssh? What network latency do you see when pinging google.com for example? We need more.

We use Squid for Internet Gateway Router.

So our internal team browse internet through that machine.

we control or block the traffic from that machine for unauthorised sites.

i am pasting squid file data below.

SQUID
-----
#
# Recommended minimum configuration:
#

acl localnet src 127.0.0.1/32 ::1
acl to_localnet dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

cache_mem 1024 MB

acl special src 192.168.0.151
acl goodurl url_regex -i "/etc/squid/goodurl"
acl badurl url_regex -i "/etc/squid/badurl"
acl extndeny url_regex -i "/etc/squid/extndeny"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

http_access allow special
#http_access allow localnet goodurl
#http_access deny localnet badurl
#http_access deny localnet extndeny

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all

# Squid normally listens to port 3128
http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 1000 16 256
cache_dir ufs /home/squid_cache_dir 10000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Absolute path to squid access log.
access_log /var/log/squid/access.log squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

so what if you bypass squid? Is it faster then?

I have not tried bypassing.

Rather i dont know how to bypass (means how to do this with other services like Iptables).

I have pasted both the files here.

everyone in office cannot open google.com or subsidiary sites because we have block lots of other google services so.

so will this affect.

evenif as a www.google.com as search engines we open it opens very very slow.

so i need to know why it takes too much time to open the site.

Also I am getting this error at my /var/log/squid/cache.log


2012/04/19 14:29:58 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:29:58 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:29:59 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:30:00 kid1| ERROR: No forward-proxy ports configured.
2012/04/19 14:30:08 kid1| ERROR: No forward-proxy ports configured.

why so?

Can you please help by looking at IPTABLES and SQUID file content pasted earlier to this email.

I will appreciate if this can also be resolved with speed.

Thanks buddy,

you don't know how to bypass your own proxy? that you run?

Hmm, OK well the best way I'd suggest from my limited knowledge of your environment is probably to use puTTY on Windows to ssh into the proxy server and use it as a SOCKS5 proxy. http://vectrosecurity.com/content/view/67/26/ there are many simpler ways, but without telling you to start turning services on and off it's not going to happen. Using socks you should be able to get a full browsing experience, from the perspective of the server machine without squid in the way.

as for that error, it's because you have "transparent" mode in use there. Personally I would suggest you do NOT use transparent proxying, just make browser explicitly define the proxy. it's much clearer to troubleshoot and better in many ways, despite the natural inclination to want less manual configuration (which can be dealt with by proxy.pac files etc. if so desired)

I know how to use putty from window machine and i do use that.

but what i understand by word bypass means stop using squid and use somethign else.

Now for transparent mode i have to use that otherwise i have to setup port into every browser and computer and different OS so that i dont want to do it.

I just want to solve this error.

Please let me know what other info do yuo need so i can provide you but please help.

thanks,

but what you understand? Where's the but? That's exactly what i'm saying you should do. Have you done it?

As above, transparent proxies are easy, but they are also rubbish. and you can use proxy.pac / wpad.dat mechanisms to configure clients with minimal ongoing effort.

Sorry Chris

no offense but i dont understand the meaning of last reply from your side.

I had done this in past with Fedora 8, 12, 16 and was working fine but somehow i had to format the machine and i am now not getting speed due to updated version of squid.

rest all the setting are same as it should. because i have stored the file of settings (whatever was required file).

i dont know how to explain yuo this.