squid proxy giving trouble
Hello,
I have a firewall (FC 8) running with iptables and squid as a transparent proxy. It was working perfectly; for the last two months I am getting some problems: each day I have to restart squid at least 8 to 10 times, because pages don't display and downloads stop in between. I took out the port forwarding from iptables for squid and everything works perfectly. I also cleared the cache from /var/log/squid/, still no change in the performance. Please, could someone help me? Running squid version squid-2.6.STABLE19-1.fc8, running iptables iptables-1.3.8-6.fc8. Thanks
logs logs please!!
I am a little new to Linux; can you tell me which logs you want?
Thanks
What is the problem right now? (squid slow? or getting errors? or squid not working at all?)
$ locate cache.log
If locate doesn't work, make sure you run "updatedb" as root (it will take several minutes the first time). You should also make sure it is run nightly as a root cron job to keep it up-to-date.
This is the cache.log file:
2009/05/13 16:00:58| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/13 16:00:58| Process ID 4069
2009/05/13 16:00:58| With 1024 file descriptors available
2009/05/13 16:00:58| Using epoll for the IO loop
2009/05/13 16:00:58| DNS Socket created at 0.0.0.0, port 54086, FD 6
2009/05/13 16:00:58| Adding nameserver 192.168.251.1 from /etc/resolv.conf
2009/05/13 16:00:58| User-Agent logging is disabled.
2009/05/13 16:00:58| Referer logging is disabled.
2009/05/13 16:00:58| Unlinkd pipe opened on FD 11
2009/05/13 16:00:58| Swap maxSize 102400 KB, estimated 7876 objects
2009/05/13 16:00:58| Target number of buckets: 393
2009/05/13 16:00:58| Using 8192 Store buckets
2009/05/13 16:00:58| Max Mem size: 8192 KB
2009/05/13 16:00:58| Max Swap size: 102400 KB
2009/05/13 16:00:58| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/05/13 16:00:58| Rebuilding storage in /var/spool/squid (CLEAN)
2009/05/13 16:00:58| Using Least Load store dir selection
2009/05/13 16:00:58| Set Current Directory to /var/spool/squid
2009/05/13 16:00:58| Loaded Icons.
2009/05/13 16:00:59| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/05/13 16:00:59| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/05/13 16:00:59| WCCP Disabled.
2009/05/13 16:00:59| Ready to serve requests.
2009/05/13 16:00:59| Store rebuilding is 57.6% complete
2009/05/13 16:00:59| Done reading /var/spool/squid swaplog (7108 entries)
2009/05/13 16:00:59| Finished rebuilding storage from disk.
2009/05/13 16:00:59| 7108 Entries scanned
2009/05/13 16:00:59| 0 Invalid entries.
2009/05/13 16:00:59| 0 With invalid flags.
2009/05/13 16:00:59| 7108 Objects loaded.
2009/05/13 16:00:59| 0 Objects expired.
2009/05/13 16:00:59| 0 Objects cancelled.
2009/05/13 16:00:59| 0 Duplicate URLs purged.
2009/05/13 16:00:59| 0 Swapfile clashes avoided.
2009/05/13 16:00:59| Took 0.4 seconds (17743.8 objects/sec).
2009/05/13 16:00:59| Beginning Validation Procedure
2009/05/13 16:00:59| Completed Validation Procedure
2009/05/13 16:00:59| Validated 7108 Entries
2009/05/13 16:00:59| store_swap_size = 92144k
2009/05/13 16:00:59| storeLateRelease: released 0 objects
2009/05/13 16:02:11| Preparing for shutdown after 196 requests
2009/05/13 16:02:11| Waiting 30 seconds for active connections to finish
2009/05/13 16:02:11| FD 13 Closing HTTP connection
2009/05/13 16:02:42| Shutting down...
2009/05/13 16:02:42| FD 14 Closing ICP connection
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.71 connection due to lifetime timeout
2009/05/13 16:02:42| http://mlb.mlb.com/images/2009/05/13/X7FqP8mZ.jpg
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.57 connection due to lifetime timeout
2009/05/13 16:02:42| http://0.channel21.facebook.com/x/25.../p_728840895=0
2009/05/13 16:02:42| WARNING: Closing client 192.168.30.15 connection due to lifetime timeout
2009/05/13 16:02:42| http://y.tagstat.com/dyn/css/_/tOAxajRlb.css
2009/05/13 16:02:42| WARNING: Closing client 192.168.30.15 connection due to lifetime timeout
2009/05/13 16:02:42| http://y.tagstat.com/dyn/css/o/xyMP4a_rh.css
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.162 connection due to lifetime timeout
2009/05/13 16:02:42| http://217.12.8.115/uk.f279.mail.yah...KpnaJOhWdbMA--
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.109 connection due to lifetime timeout
2009/05/13 16:02:42| http://0.channel05.facebook.com/x/20...p_1403156972=0
2009/05/13 16:02:42| Closing unlinkd pipe on FD 11
2009/05/13 16:02:42| storeDirWriteCleanLogs: Starting...
2009/05/13 16:02:42| Finished. Wrote 7131 entries.
2009/05/13 16:02:42| Took 0.0 seconds (2708317.5 entries/sec).
CPU Usage: 0.459 seconds = 0.167 user + 0.292 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 5
Memory usage for squid via mallinfo():
    total space in arena: 4772 KB
    Ordinary blocks: 4684 KB 125 blks
    Small blocks: 0 KB 5 blks
    Holding blocks: 244 KB 1 blks
    Free Small blocks: 0 KB
    Free Ordinary blocks: 87 KB
    Total in use: 4928 KB 98%
    Total free: 87 KB 2%
2009/05/13 16:02:42| Squid Cache (Version 2.6.STABLE19): Exiting normally.
2009/05/13 16:02:43| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/13 16:02:43| Process ID 4275
2009/05/13 16:02:43| With 1024 file descriptors available
2009/05/13 16:02:43| Using epoll for the IO loop
2009/05/13 16:02:43| DNS Socket created at 0.0.0.0, port 38219, FD 6
2009/05/13 16:02:43| Adding nameserver 192.168.251.1 from /etc/resolv.conf
2009/05/13 16:02:43| User-Agent logging is disabled.
2009/05/13 16:02:43| Referer logging is disabled.
2009/05/13 16:02:43| Unlinkd pipe opened on FD 11
2009/05/13 16:02:43| Swap maxSize 102400 KB, estimated 7876 objects
2009/05/13 16:02:43| Target number of buckets: 393
2009/05/13 16:02:43| Using 8192 Store buckets
2009/05/13 16:02:43| Max Mem size: 8192 KB
2009/05/13 16:02:43| Max Swap size: 102400 KB
2009/05/13 16:02:43| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/05/13 16:02:43| Rebuilding storage in /var/spool/squid (CLEAN)
2009/05/13 16:02:43| Using Least Load store dir selection
2009/05/13 16:02:43| Set Current Directory to /var/spool/squid
2009/05/13 16:02:43| Loaded Icons.
2009/05/13 16:02:43| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/05/13 16:02:43| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/05/13 16:02:43| WCCP Disabled.
2009/05/13 16:02:43| Ready to serve requests.
2009/05/13 16:02:43| Store rebuilding is 57.4% complete
2009/05/13 16:02:43| Done reading /var/spool/squid swaplog (7131 entries)
2009/05/13 16:02:43| Finished rebuilding storage from disk.
2009/05/13 16:02:43| 7131 Entries scanned
2009/05/13 16:02:43| 0 Invalid entries.
2009/05/13 16:02:43| 0 With invalid flags.
2009/05/13 16:02:43| 7131 Objects loaded.
2009/05/13 16:02:43| 0 Objects expired.
2009/05/13 16:02:43| 0 Objects cancelled.
2009/05/13 16:02:43| 0 Duplicate URLs purged.
2009/05/13 16:02:43| 0 Swapfile clashes avoided.
2009/05/13 16:02:43| Took 0.3 seconds (21271.3 objects/sec).
2009/05/13 16:02:43| Beginning Validation Procedure
2009/05/13 16:02:43| Completed Validation Procedure
2009/05/13 16:02:43| Validated 7131 Entries
2009/05/13 16:02:43| store_swap_size = 92152k
2009/05/13 16:02:44| storeLateRelease: released 0 objects
2009/05/13 16:06:57| httpReadReply: Excess data from "GET http://webcs.msg.yahoo.com/crossdomain.xml"
2009/05/13 16:07:48| httpReadReply: Excess data from "GET http://webcs.msg.yahoo.com/crossdomain.xml"
2009/05/13 20:58:18| parseHttpRequest: Unsupported method '^C^A÷ð+ '
2009/05/13 20:58:18| clientReadRequest: FD 32 (192.0.0.86:2789) Invalid Request
2009/05/13 21:08:54| parseHttpRequest: Unsupported method '^C^B^A¤6
2009/05/13 21:08:54| clientReadRequest: FD 68 (192.0.0.86:3171) Invalid Request
2009/05/14 08:03:21| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:21| clientReadRequest: FD 72 (192.102.72.152:1025) Invalid Request
2009/05/14 08:03:51| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:51| clientReadRequest: FD 27 (192.102.72.152:1035) Invalid Request
2009/05/14 08:04:22| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:04:22| clientReadRequest: FD 228 (192.102.72.152:1037) Invalid Request
2009/05/14 08:04:52| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:04:52| clientReadRequest: FD 46 (192.102.72.152:1047) Invalid Request
2009/05/14 08:05:22| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:05:22| clientReadRequest: FD 44 (192.102.72.152:1053) Invalid Request
2009/05/14 08:05:52| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:05:52| clientReadRequest: FD 77 (192.102.72.152:1067) Invalid Request
2009/05/14 08:06:22| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:06:22| clientReadRequest: FD 30 (192.102.72.152:1080) Invalid Request
2009/05/14 08:06:52| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:06:52| clientReadRequest: FD 153 (192.102.72.152:1086) Invalid Request
2009/05/14 08:08:16| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:08:16| clientReadRequest: FD 30 (192.102.72.152:1030) Invalid Request
2009/05/14 08:08:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:08:47| clientReadRequest: FD 198 (192.102.72.152:1043) Invalid Request
2009/05/14 08:09:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:09:17| clientReadRequest: FD 121 (192.102.72.152:1047) Invalid Request
2009/05/14 08:09:40| parseHttpRequest: Requestheader contains NULL characters
2009/05/14 08:09:40| parseHttpRequest: Unsupported method '^C'
2009/05/14 08:09:40| clientReadRequest: FD 232 (192.102.72.155:49339) Invalid Request
2009/05/14 08:09:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:09:47| clientReadRequest: FD 33 (192.102.72.152:1073) Invalid Request
2009/05/14 08:10:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:10:17| clientReadRequest: FD 57 (192.102.72.152:1084) Invalid Request
2009/05/14 08:10:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:10:47| clientReadRequest: FD 76 (192.102.72.152:1111) Invalid Request
2009/05/14 08:11:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:11:17| clientReadRequest: FD 35 (192.102.72.152:1116) Invalid Request
2009/05/14 08:11:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:11:47| clientReadRequest: FD 159 (192.102.72.152:1136) Invalid Request
2009/05/14 08:12:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:12:17| clientReadRequest: FD 26 (192.102.72.152:1162) Invalid Request
2009/05/14 08:12:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 13:29:49| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/14 13:29:49| Process ID 7526
2009/05/14 13:29:49| With 1024 file descriptors available
2009/05/14 13:29:49| Using epoll for the IO loop
2009/05/14 13:29:49| DNS Socket created at 0.0.0.0, port 60807, FD 6
2009/05/14 13:29:49| Adding nameserver 192.168.251.1 from /etc/resolv.conf
2009/05/14 13:29:49| User-Agent logging is disabled.
2009/05/14 13:29:49| Referer logging is disabled.
2009/05/14 13:29:49| Unlinkd pipe opened on FD 11
2009/05/14 13:29:49| Swap maxSize 102400 KB, estimated 7876 objects
2009/05/14 13:29:49| Target number of buckets: 393
2009/05/14 13:29:49| Using 8192 Store buckets
2009/05/14 13:29:49| Max Mem size: 8192 KB
2009/05/14 13:29:49| Max Swap size: 102400 KB
2009/05/14 13:29:49| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/05/14 13:29:49| Rebuilding storage in /var/spool/squid (CLEAN)
2009/05/14 13:29:49| Using Least Load store dir selection
2009/05/14 13:29:49| Set Current Directory to /var/spool/squid
2009/05/14 13:29:49| Loaded Icons.
2009/05/14 13:29:50| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/05/14 13:29:50| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/05/14 13:29:50| WCCP Disabled.
2009/05/14 13:29:50| Ready to serve requests.
2009/05/14 13:29:50| Done reading /var/spool/squid swaplog (3323 entries)
2009/05/14 13:29:50| Finished rebuilding storage from disk.
2009/05/14 13:29:50| 3323 Entries scanned
2009/05/14 13:29:50| 0 Invalid entries.
2009/05/14 13:29:50| 0 With invalid flags.
2009/05/14 13:29:50| 3323 Objects loaded.
2009/05/14 13:29:50| 0 Objects expired.
2009/05/14 13:29:50| 0 Objects cancelled.
2009/05/14 13:29:50| 0 Duplicate URLs purged.
2009/05/14 13:29:50| 0 Swapfile clashes avoided.
2009/05/14 13:29:50| Took 0.3 seconds (10859.9 objects/sec).
2009/05/14 13:29:50| Beginning Validation Procedure
2009/05/14 13:29:50| Completed Validation Procedure
2009/05/14 13:29:50| Validated 3323 Entries
2009/05/14 13:29:50| store_swap_size = 92148k
2009/05/14 13:29:50| storeLateRelease: released 0 objects
2009/05/14 13:30:04| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 13:30:04| clientReadRequest: FD 155 (192.102.72.152:3795) Invalid Request
2009/05/14 13:30:34| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 13:30:34| clientReadRequest: FD 294 (192.102.72.152:3802) Invalid Request
2009/05/14 13:30:39| parseHttpRequest: Requestheader contains NULL characters
2009/05/14 13:30:39| parseHttpRequest: Unsupported method '^C'
2009/05/14 13:30:39| clientReadRequest: FD 282 (192.168.30.14:1156) Invalid Request
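Reading a cache.log like the one above by hand is slow, so here is an added example (editor's code, not from anyone in the thread) that parses the kinds of Squid 2.x cache.log lines shown: it counts start-ups and the shutdown-time "lifetime timeout" closes, records the file-descriptor limit, and groups the "Invalid Request" entries by client IP and by the rejected "method" string. The sample log is constructed and abridged from the entries posted. The protocol labels are assumptions: 'NICK' is an IRC command, and control characters such as '^C^A' (bytes 0x03 0x01, the TLS 1.0 version field) look like an SSL/TLS handshake, which is what you would expect to see when a transparent REDIRECT of TCP/80 hands Squid connections that were never HTTP.

```python
"""Triage a Squid 2.x cache.log: restarts, fd limit, and non-HTTP clients.

Added example; not code from the thread. The sample log is constructed and
abridged from the kinds of lines posted above.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2009/05/13 16:00:58| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/13 16:00:58| With 1024 file descriptors available
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.71 connection due to lifetime timeout
2009/05/13 16:02:42| http://mlb.mlb.com/images/2009/05/13/X7FqP8mZ.jpg
2009/05/13 16:02:43| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/13 16:02:43| With 1024 file descriptors available
2009/05/13 20:58:18| parseHttpRequest: Unsupported method '^C^A'
2009/05/13 20:58:18| clientReadRequest: FD 32 (192.0.0.86:2789) Invalid Request
2009/05/14 08:03:21| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:21| clientReadRequest: FD 72 (192.102.72.152:1025) Invalid Request
2009/05/14 08:03:51| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:51| clientReadRequest: FD 27 (192.102.72.152:1035) Invalid Request
2009/05/14 08:09:40| parseHttpRequest: Requestheader contains NULL characters
2009/05/14 08:09:40| parseHttpRequest: Unsupported method '^C'
2009/05/14 08:09:40| clientReadRequest: FD 232 (192.102.72.155:49339) Invalid Request
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (.*)$")
FD_RE = re.compile(r"With (\d+) file descriptors available")
# The closing quote is sometimes missing in the garbled binary cases, so
# capture up to the first quote (or end of line) only.
METHOD_RE = re.compile(r"Unsupported method '([^']*)")
INVALID_RE = re.compile(r"clientReadRequest: FD \d+ \(([\d.]+):\d+\) Invalid Request")


def parse_cache_log(text):
    """Summarise start-ups, the fd limit, shutdown-time client closes and
    Invalid Request entries keyed by client IP and rejected 'method'."""
    summary = {
        "restarts": 0,
        "fd_limit": None,
        "lifetime_timeouts": 0,
        "invalid_by_client": defaultdict(Counter),
    }
    # The 'Unsupported method' line always precedes its 'Invalid Request' line.
    pending_method = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # mallinfo() dump and other lines without a timestamp
        msg = m.group(2)
        fd = FD_RE.search(msg)
        meth = METHOD_RE.search(msg)
        inv = INVALID_RE.search(msg)
        if msg.startswith("Starting Squid Cache"):
            summary["restarts"] += 1
        elif fd:
            summary["fd_limit"] = int(fd.group(1))
        elif "due to lifetime timeout" in msg:
            summary["lifetime_timeouts"] += 1
        elif meth:
            pending_method = meth.group(1)
        elif inv:
            summary["invalid_by_client"][inv.group(1)][pending_method or "?"] += 1
            pending_method = None
    return summary


def classify_clients(summary):
    """Guess what each rejected client was really speaking on TCP/80.
    Assumption: 'NICK'/'JOIN'/'PRIVMSG' are IRC commands; a 'method' made of
    control characters such as '^C^A' (0x03 0x01, the TLS 1.0 version bytes)
    is an SSL/TLS handshake aimed at port 80."""
    labels = {}
    for client, methods in summary["invalid_by_client"].items():
        method = methods.most_common(1)[0][0]
        if method in ("NICK", "JOIN", "PRIVMSG"):
            labels[client] = "IRC"
        elif method.startswith("^"):
            labels[client] = "binary (likely TLS)"
        else:
            labels[client] = "unknown: %r" % method
    return labels


if __name__ == "__main__":
    s = parse_cache_log(SAMPLE_LOG)
    print("restarts=%d fd_limit=%s lifetime_timeouts=%d"
          % (s["restarts"], s["fd_limit"], s["lifetime_timeouts"]))
    for client, label in classify_clients(s).items():
        print(client, dict(s["invalid_by_client"][client]), "->", label)
```

Run it against the real file with `parse_cache_log(open("/var/log/squid/cache.log").read())`. A client that is rejected every 30 seconds with the same non-HTTP command, as 192.102.72.152 is in the posted log, is worth looking at on the host itself rather than in squid.conf; the Invalid Request lines are Squid refusing the connection, not Squid failing.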
Can you give slightly more detail: are you dialling your DSL modem (if you are using one) or is it "permanently on"? Is there any error message while connecting to the Net? Also, does Squid run for some time and then become slow, or is it slow whenever a user requests sites?
Also, can you cross-check the IP of your DNS server? rajesh.bahl
I have an ADSL connection that's always on. It never slows down; it just stops like that and I won't be able to access any sites, and then I have to restart the squid service.
post your squid.conf configuration... please only the principal lines... to help you
When every other PC stops, are you able to open any site from the PC that is running squid ?
Please post your configuration file /etc/squid/squid.conf. rajesh.bahl
There are a number of issues I would like to address here:
1. It looks like you have a misconfig in your squid.conf; post it as suggested.
2. It looks like you are running into problems with file descriptors (see link below).
3. You seem to be running out of memory; consider upgrading memory (or the allocation within squid.conf).
4. Consider upgrading your squid to the latest squid-3.0.STABLE15.
You seem to have immersed your head into squid without understanding it first. Read this thoroughly: http://blog.nazmi.web.id/2007/06/20/...riptor-limits/
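A quick way to check point 2 on the running process, as an added example (editor's code, not from the thread): read the soft "Max open files" limit from /proc/<pid>/limits and compare it with the number of entries in /proc/<pid>/fd. The limits text in the block is a constructed sample; check_pid() does the live read on Linux. The "With 1024 file descriptors available" line in cache.log is what Squid 2.6 reports at start-up, so this shows whether the process is actually near that ceiling while the symptom is happening.

```python
"""File-descriptor headroom check for a running process (added example)."""
import os
import re

# Constructed sample of /proc/<pid>/limits as printed by a 2.6-era kernel.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 1024                 files
Max processes             4096                 4096                 processes
"""

LIMIT_RE = re.compile(r"^Max open files\s+(\S+)\s+(\S+)\s+files", re.M)


def _to_int(value):
    """'unlimited' has no numeric limit; everything else is an integer."""
    return None if value == "unlimited" else int(value)


def parse_open_files_limit(limits_text):
    """Return (soft, hard) from /proc/<pid>/limits text."""
    m = LIMIT_RE.search(limits_text)
    if not m:
        raise ValueError("no 'Max open files' line found")
    return _to_int(m.group(1)), _to_int(m.group(2))


def fd_headroom(limits_text, open_fds, warn_pct=80):
    """Describe how close a process is to its soft fd limit.
    warn is set once usage reaches warn_pct of the soft limit."""
    soft, hard = parse_open_files_limit(limits_text)
    if soft is None:
        return {"soft": None, "hard": hard, "open": open_fds, "pct": 0.0, "warn": False}
    pct = 100.0 * open_fds / soft
    return {"soft": soft, "hard": hard, "open": open_fds,
            "pct": round(pct, 1), "warn": pct >= warn_pct}


def check_pid(pid):
    """Live check against /proc (Linux only): read limits and count open fds.
    Needs to run as root or as the user owning the process."""
    with open("/proc/%d/limits" % pid) as fh:
        limits_text = fh.read()
    open_fds = len(os.listdir("/proc/%d/fd" % pid))
    return fd_headroom(limits_text, open_fds)


if __name__ == "__main__":
    import sys
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(check_pid(target))
```

Run it as `python fdcheck.py $(pidof squid)` a few times while users report the stall; a number that climbs towards the soft limit and stays there points at descriptor exhaustion, while a low, steady number rules it out. `squidclient mgr:info` reports the same figures from Squid's side ("Number of file desc currently in use" and "Available number of file descriptors").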
this is my squid.conf
acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
acl filetypes urlpath_regex -i "/etc/squid/denied_filetypes.acl"
acl bad url_regex "/etc/squid/bad.acl"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl ibin src 192.0.0.32
acl bez src 192.0.0.86
acl ndra src 192.0.0.121
acl ndra2 src 192.0.0.123
acl ved src 192.0.0.118
acl ward src 192.0.0.33
acl ight src 192.0.0.99
acl ton src 192.0.0.20
acl shaw src 10.0.0.9
http_access allow ibin
http_access allow ndra
http_access allow ndra2
http_access allow bez
http_access allow ved
http_access allow ward
http_access allow ight
http_access allow ton
http_access allow shaw
http_access deny denied_domains
http_access deny filetypes
http_access deny bad
http_access allow all
http_access deny all
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
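Squid walks http_access top to bottom and the first line whose ACL matches decides; if nothing matches, the result is the opposite of the last line. The following is an added example (editor's code, not from the thread) that simulates that on the http_access lines posted above, with the three file-backed ACL lists replaced by constructed inline entries so it runs offline, and the manager/port/CONNECT lines left out to keep the model small. It shows two things the ordering implies: a host listed in the per-host allow lines is let through before the denied_domains/filetypes/bad lines are ever consulted, and `http_access deny all` sitting behind `http_access allow all` can never match.

```python
"""Simulate Squid's first-match http_access evaluation (added example)."""
import ipaddress
import re

# ACL definitions transcribed from the squid.conf posted above. The three
# file-backed lists are replaced by constructed inline entries (assumed
# contents, not the real files); one ACL per http_access line, which is how
# every line in the posted file is written.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "ibin": ("src", ["192.0.0.32"]),
    "bez": ("src", ["192.0.0.86"]),
    "denied_domains": ("dstdomain", [".blocked.example"]),        # constructed
    "filetypes": ("urlpath_regex", [r"\.exe$", r"\.torrent$"]),   # constructed, -i
    "bad": ("url_regex", [r"casino"]),                             # constructed
}

# http_access lines in the order they appear in the posted file.
HTTP_ACCESS = [
    ("allow", "ibin"),
    ("allow", "bez"),
    ("deny", "denied_domains"),
    ("deny", "filetypes"),
    ("deny", "bad"),
    ("allow", "all"),
    ("deny", "all"),
]


def acl_matches(name, req, acls=ACLS):
    """req = {"src": client IP, "host": destination host, "path": URL path}."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        # ".example.com" matches example.com and every subdomain;
        # "example.com" without the leading dot matches only that host.
        host = req["host"].lower()
        for v in values:
            v = v.lower()
            if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                return True
            if not v.startswith(".") and host == v:
                return True
        return False
    if kind == "urlpath_regex":
        return any(re.search(v, req["path"], re.I) for v in values)
    if kind == "url_regex":
        url = "http://" + req["host"] + req["path"]
        return any(re.search(v, url) for v in values)
    raise ValueError("unsupported ACL type %r" % kind)


def evaluate(req, rules=HTTP_ACCESS, acls=ACLS):
    """Return (decision, rule_index). index is None when no line matched and
    the implicit default (opposite of the last line's action) applied."""
    for i, (action, acl) in enumerate(rules):
        if acl_matches(acl, req, acls):
            return action, i
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def dead_rules(rules=HTTP_ACCESS, acls=ACLS):
    """Indices of lines that can never be reached because an earlier line
    uses a catch-all src ACL such as 0.0.0.0/0."""
    for i, (_, acl) in enumerate(rules):
        kind, values = acls[acl]
        if kind == "src" and any(ipaddress.ip_network(v).prefixlen == 0 for v in values):
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    for req in (
        {"src": "192.0.0.32", "host": "www.blocked.example", "path": "/"},
        {"src": "192.168.30.15", "host": "www.blocked.example", "path": "/"},
        {"src": "192.168.30.15", "host": "dl.example.net", "path": "/setup.EXE"},
        {"src": "192.168.30.15", "host": "www.example.net", "path": "/index.html"},
    ):
        print(req["src"], req["host"] + req["path"], "->", evaluate(req))
    print("unreachable http_access lines:", dead_rules())
```

The first request shows the point: 192.0.0.32 reaches a domain on the denied list because `http_access allow ibin` is hit first. If the intent is to exempt those hosts from filtering, the order is right; if the intent was only to grant them access, the deny lines need to come before the per-host allows.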
first, you have a
Quote:
these lines
Quote:
http_access deny all
second: post your iptables script to help you... PS: sorry for my poor English...
#!/bin/sh
#
# Local Settings
#
SYSCTL="/sbin/sysctl -w"
IPT="/usr/local/sbin/iptables"
IPTS="/usr/local/sbin/iptables-save"
IPTR="/usr/local/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="192.168.251.3"

# Local Interface Information
LOCAL_IFACE="eth2"
LOCAL_IP="192.168.252.1"
LOCAL_NET="192.168.252.0/24"
LOCAL_BCAST="192.168.252.255"

# Static IP - Terminal Server Interface
TS_IFACE="eth0"
TS_IP="xxx.xxx.xxx.xxx"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi

###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."

###############################################################################
#
# Kernel Parameter Configuration
#
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="0"
fi

if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="0"
fi

###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi

###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################

# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

###############################################################################
#
# Populate User Chains
#

# bad_packets chain
#
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "IPT - Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
#     --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "IPT - New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# Ping from outside: enable or disable
# icmp_packets chain
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "IPT - ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j DROP
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
#    http://www.iana.org/assignments/port-numbers

# udp_inbound chain
#
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
#
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# sshd
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# CUSTOM
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.0.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.40.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.30.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.102.72.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.0.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.99.0.1 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.99.0.3 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.99.0.5 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.8.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.60.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.61.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.62.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.63.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.89.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.10.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.8.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.252.0/24 -d $LOCAL_IP -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs.  The multicast packets have the destination address
# 224.0.0.1.  You can accept them.  If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them  The firewall will drop them here by default to avoid
# cluttering the log.  The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default.  To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'.  Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# RULE TO BLOCK P2P FILE SHARING
#$IPT -A INPUT -p udp -i $LOCAL_IFACE -j QUEUE

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPT -A INPUT -p ALL -i $TS_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -p TCP -i $TS_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $TS_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $TS_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
#$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - INPUT packet died: "

###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."

# Used if forwarding for a private network
#$IPT -A FORWARD -p udp --source-port ! 53 -j DROP

# Port Forward SSH Connections

# Port forward httpd

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# RULE TO BLOCK P2P FILE SHARING
#$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j QUEUE

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPT -A FORWARD -i $TS_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - FORWARD packet died: "

###############################################################################
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $TS_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - OUTPUT packet died: "

###############################################################################
#
# nat table
#
###############################################################################
# The nat table is where network address translation occurs if there
# is a private network.  If the gateway is connected to the Internet
# with a static IP, snat is used.  If the gateway has a dynamic address,
# masquerade must be used instead.  There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
echo "Load rules for nat table ..."

###############################################################################
#
# PREROUTING chain
#
# Transparent proxy: every TCP/80 connection from the LAN side is handed
# to squid on 3128, whatever protocol the client is actually speaking.
$IPT -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128

#
# POSTROUTING chain
#
$IPT -t nat -A POSTROUTING -o $INET_IFACE \
    -j SNAT --to-source $INET_ADDRESS
$IPT -t nat -A POSTROUTING -o $TS_IFACE \
    -j SNAT --to-source $TS_IP

###############################################################################
#
# mangle table
#
###############################################################################
# The mangle table is used to alter packets.  It can alter or mangle them in
# several ways.  For the purposes of this generator, we only use its ability
# to alter the TTL in packets.  However, it can be used to set netfilter
# mark values on specific packets.  Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance.  The TOS target can be used to set the Type of Service field in
# the IP header.  Note that the TTL target might not be included in the
# distribution on your system.  If it is not and you require it, you will
# have to add it.  That may require that you build from source.
echo "Load rules for mangle table ..."
$IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
$IPT -t mangle -A PREROUTING -j CONNMARK --save-mark
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto shoutcast -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto ares -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto imesh -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto napster -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto audiogalaxy -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto shoutcast -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto http-rtsp -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto flash -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto httpaudio -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto httpvideo -j DROP
If I understood your problem correctly:
Case 1: your squid runs OK for some time, then dies, meaning you are having to reboot the box frequently. Is that right? If so, then your configs work (although they may NOT be best practice), but first I wanted to address the dying issue. It certainly cannot be iptables (mainly resources).
Case 2: BUT if it's not working at all, then we start troubleshooting the networking, then go to configuration (iptables, squid.conf).
Case 3: If it's working and not dying, BUT only performs poorly, e.g. being slow, then we can narrow it down to networking and resources (iptables, memory, file descriptors).
So could you clarify your problem, please?