LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 05-14-2009, 10:06 AM   #1
jibskg
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Rep: Reputation: 0
squid proxy giving trouble


Hello,

I have a firewall (FC 8) running with iptables and Squid as a transparent proxy. It was working perfectly; the last two months I am getting some problems: each day I have to restart Squid at least 8 to 10 times, because pages don't display and downloads stop in between. I took the port forwarding for Squid out of iptables and everything works perfectly. I also cleared the cache from /var/log/squid/, still no change in the performance. Please, could someone help me?

Running Squid version squid-2.6.STABLE19-1.fc8
Running iptables iptables-1.3.8-6.fc8

thanks
 
Old 05-14-2009, 10:51 AM   #2
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
Logs, logs please!!
 
Old 05-14-2009, 10:54 AM   #3
jibskg
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
Rep: Reputation: 0
I am a little new to Linux; can you tell me which logs you want?

thanks
 
Old 05-14-2009, 11:10 AM   #4
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
What is the problem right now? (squid slow? or getting errors? or squid not working at all?)
$ locate cache.log
 
Old 05-14-2009, 11:24 AM   #5
w7hd
Member
 
Registered: Aug 2004
Location: Tucson, AZ
Distribution: Ubuntu 9.04 & 10.10, RHEL 4 & 5
Posts: 48
Blog Entries: 3

Rep: Reputation: 16
If locate doesn't work, make sure you run "updatedb" as root (it will take several minutes the first time). You should also make sure it is run nightly as a root cron job to keep it up-to-date.
 
Old 05-14-2009, 12:37 PM   #6
jibskg
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
Rep: Reputation: 0
This is the cache.log file:

2009/05/13 16:00:58| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/13 16:00:58| Process ID 4069
2009/05/13 16:00:58| With 1024 file descriptors available
2009/05/13 16:00:58| Using epoll for the IO loop
2009/05/13 16:00:58| DNS Socket created at 0.0.0.0, port 54086, FD 6
2009/05/13 16:00:58| Adding nameserver 192.168.251.1 from /etc/resolv.conf
2009/05/13 16:00:58| User-Agent logging is disabled.
2009/05/13 16:00:58| Referer logging is disabled.
2009/05/13 16:00:58| Unlinkd pipe opened on FD 11
2009/05/13 16:00:58| Swap maxSize 102400 KB, estimated 7876 objects
2009/05/13 16:00:58| Target number of buckets: 393
2009/05/13 16:00:58| Using 8192 Store buckets
2009/05/13 16:00:58| Max Mem size: 8192 KB
2009/05/13 16:00:58| Max Swap size: 102400 KB
2009/05/13 16:00:58| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/05/13 16:00:58| Rebuilding storage in /var/spool/squid (CLEAN)
2009/05/13 16:00:58| Using Least Load store dir selection
2009/05/13 16:00:58| Set Current Directory to /var/spool/squid
2009/05/13 16:00:58| Loaded Icons.
2009/05/13 16:00:59| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/05/13 16:00:59| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/05/13 16:00:59| WCCP Disabled.
2009/05/13 16:00:59| Ready to serve requests.
2009/05/13 16:00:59| Store rebuilding is 57.6% complete
2009/05/13 16:00:59| Done reading /var/spool/squid swaplog (7108 entries)
2009/05/13 16:00:59| Finished rebuilding storage from disk.
2009/05/13 16:00:59| 7108 Entries scanned
2009/05/13 16:00:59| 0 Invalid entries.
2009/05/13 16:00:59| 0 With invalid flags.
2009/05/13 16:00:59| 7108 Objects loaded.
2009/05/13 16:00:59| 0 Objects expired.
2009/05/13 16:00:59| 0 Objects cancelled.
2009/05/13 16:00:59| 0 Duplicate URLs purged.
2009/05/13 16:00:59| 0 Swapfile clashes avoided.
2009/05/13 16:00:59| Took 0.4 seconds (17743.8 objects/sec).
2009/05/13 16:00:59| Beginning Validation Procedure
2009/05/13 16:00:59| Completed Validation Procedure
2009/05/13 16:00:59| Validated 7108 Entries
2009/05/13 16:00:59| store_swap_size = 92144k
2009/05/13 16:00:59| storeLateRelease: released 0 objects
2009/05/13 16:02:11| Preparing for shutdown after 196 requests
2009/05/13 16:02:11| Waiting 30 seconds for active connections to finish
2009/05/13 16:02:11| FD 13 Closing HTTP connection
2009/05/13 16:02:42| Shutting down...
2009/05/13 16:02:42| FD 14 Closing ICP connection
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.71 connection due to lifetime timeout
2009/05/13 16:02:42| http://mlb.mlb.com/images/2009/05/13/X7FqP8mZ.jpg
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.57 connection due to lifetime timeout
2009/05/13 16:02:42| http://0.channel21.facebook.com/x/25.../p_728840895=0
2009/05/13 16:02:42| WARNING: Closing client 192.168.30.15 connection due to lifetime timeout
2009/05/13 16:02:42| http://y.tagstat.com/dyn/css/_/tOAxajRlb.css
2009/05/13 16:02:42| WARNING: Closing client 192.168.30.15 connection due to lifetime timeout
2009/05/13 16:02:42| http://y.tagstat.com/dyn/css/o/xyMP4a_rh.css
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.211 connection due to lifetime timeout
2009/05/13 16:02:42| http://g.ceipmsn.com/8SE/41?MI=60FEE...6n%3d536409890
2009/05/13 16:02:42| WARNING: Closing client 192.102.72.162 connection due to lifetime timeout
2009/05/13 16:02:42| http://217.12.8.115/uk.f279.mail.yah...KpnaJOhWdbMA--
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.109 connection due to lifetime timeout
2009/05/13 16:02:42| http://0.channel05.facebook.com/x/20...p_1403156972=0
2009/05/13 16:02:42| Closing unlinkd pipe on FD 11
2009/05/13 16:02:42| storeDirWriteCleanLogs: Starting...
2009/05/13 16:02:42| Finished. Wrote 7131 entries.
2009/05/13 16:02:42| Took 0.0 seconds (2708317.5 entries/sec).
CPU Usage: 0.459 seconds = 0.167 user + 0.292 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 5
Memory usage for squid via mallinfo():
total space in arena: 4772 KB
Ordinary blocks: 4684 KB 125 blks
Small blocks: 0 KB 5 blks
Holding blocks: 244 KB 1 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 87 KB
Total in use: 4928 KB 98%
Total free: 87 KB 2%
2009/05/13 16:02:42| Squid Cache (Version 2.6.STABLE19): Exiting normally.
2009/05/13 16:02:43| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/13 16:02:43| Process ID 4275
2009/05/13 16:02:43| With 1024 file descriptors available
2009/05/13 16:02:43| Using epoll for the IO loop
2009/05/13 16:02:43| DNS Socket created at 0.0.0.0, port 38219, FD 6
2009/05/13 16:02:43| Adding nameserver 192.168.251.1 from /etc/resolv.conf
2009/05/13 16:02:43| User-Agent logging is disabled.
2009/05/13 16:02:43| Referer logging is disabled.
2009/05/13 16:02:43| Unlinkd pipe opened on FD 11
2009/05/13 16:02:43| Swap maxSize 102400 KB, estimated 7876 objects
2009/05/13 16:02:43| Target number of buckets: 393
2009/05/13 16:02:43| Using 8192 Store buckets
2009/05/13 16:02:43| Max Mem size: 8192 KB
2009/05/13 16:02:43| Max Swap size: 102400 KB
2009/05/13 16:02:43| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/05/13 16:02:43| Rebuilding storage in /var/spool/squid (CLEAN)
2009/05/13 16:02:43| Using Least Load store dir selection
2009/05/13 16:02:43| Set Current Directory to /var/spool/squid
2009/05/13 16:02:43| Loaded Icons.
2009/05/13 16:02:43| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/05/13 16:02:43| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/05/13 16:02:43| WCCP Disabled.
2009/05/13 16:02:43| Ready to serve requests.
2009/05/13 16:02:43| Store rebuilding is 57.4% complete
2009/05/13 16:02:43| Done reading /var/spool/squid swaplog (7131 entries)
2009/05/13 16:02:43| Finished rebuilding storage from disk.
2009/05/13 16:02:43| 7131 Entries scanned
2009/05/13 16:02:43| 0 Invalid entries.
2009/05/13 16:02:43| 0 With invalid flags.
2009/05/13 16:02:43| 7131 Objects loaded.
2009/05/13 16:02:43| 0 Objects expired.
2009/05/13 16:02:43| 0 Objects cancelled.
2009/05/13 16:02:43| 0 Duplicate URLs purged.
2009/05/13 16:02:43| 0 Swapfile clashes avoided.
2009/05/13 16:02:43| Took 0.3 seconds (21271.3 objects/sec).
2009/05/13 16:02:43| Beginning Validation Procedure
2009/05/13 16:02:43| Completed Validation Procedure
2009/05/13 16:02:43| Validated 7131 Entries
2009/05/13 16:02:43| store_swap_size = 92152k
2009/05/13 16:02:44| storeLateRelease: released 0 objects
2009/05/13 16:06:57| httpReadReply: Excess data from "GET http://webcs.msg.yahoo.com/crossdomain.xml"
2009/05/13 16:07:48| httpReadReply: Excess data from "GET http://webcs.msg.yahoo.com/crossdomain.xml"
2009/05/13 20:58:18| parseHttpRequest: Unsupported method '^C^A÷ð+
'
2009/05/13 20:58:18| clientReadRequest: FD 32 (192.0.0.86:2789) Invalid Request
2009/05/13 21:08:54| parseHttpRequest: Unsupported method '^C^B^A¤6
2009/05/13 21:08:54| clientReadRequest: FD 68 (192.0.0.86:3171) Invalid Request
2009/05/14 08:03:21| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:21| clientReadRequest: FD 72 (192.102.72.152:1025) Invalid Request
2009/05/14 08:03:51| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:51| clientReadRequest: FD 27 (192.102.72.152:1035) Invalid Request
2009/05/14 08:04:22| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:04:22| clientReadRequest: FD 228 (192.102.72.152:1037) Invalid Request
2009/05/14 08:04:52| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:04:52| clientReadRequest: FD 46 (192.102.72.152:1047) Invalid Request
2009/05/14 08:05:22| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:05:22| clientReadRequest: FD 44 (192.102.72.152:1053) Invalid Request
2009/05/14 08:05:52| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:05:52| clientReadRequest: FD 77 (192.102.72.152:1067) Invalid Request
2009/05/14 08:06:22| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:06:22| clientReadRequest: FD 30 (192.102.72.152:1080) Invalid Request
2009/05/14 08:06:52| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:06:52| clientReadRequest: FD 153 (192.102.72.152:1086) Invalid Request
2009/05/14 08:08:16| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:08:16| clientReadRequest: FD 30 (192.102.72.152:1030) Invalid Request
2009/05/14 08:08:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:08:47| clientReadRequest: FD 198 (192.102.72.152:1043) Invalid Request
2009/05/14 08:09:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:09:17| clientReadRequest: FD 121 (192.102.72.152:1047) Invalid Request
2009/05/14 08:09:40| parseHttpRequest: Requestheader contains NULL characters
2009/05/14 08:09:40| parseHttpRequest: Unsupported method '^C'
2009/05/14 08:09:40| clientReadRequest: FD 232 (192.102.72.155:49339) Invalid Request
2009/05/14 08:09:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:09:47| clientReadRequest: FD 33 (192.102.72.152:1073) Invalid Request
2009/05/14 08:10:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:10:17| clientReadRequest: FD 57 (192.102.72.152:1084) Invalid Request
2009/05/14 08:10:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:10:47| clientReadRequest: FD 76 (192.102.72.152:1111) Invalid Request
2009/05/14 08:11:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:11:17| clientReadRequest: FD 35 (192.102.72.152:1116) Invalid Request
2009/05/14 08:11:47| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:11:47| clientReadRequest: FD 159 (192.102.72.152:1136) Invalid Request
2009/05/14 08:12:17| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:12:17| clientReadRequest: FD 26 (192.102.72.152:1162) Invalid Request
2009/05/14 08:12:47| parseHttpRequest: Unsupported method 'NICK'





2009/05/14 13:29:49| Starting Squid Cache version 2.6.STABLE19 for i386-redhat-linux-gnu...
2009/05/14 13:29:49| Process ID 7526
2009/05/14 13:29:49| With 1024 file descriptors available
2009/05/14 13:29:49| Using epoll for the IO loop
2009/05/14 13:29:49| DNS Socket created at 0.0.0.0, port 60807, FD 6
2009/05/14 13:29:49| Adding nameserver 192.168.251.1 from /etc/resolv.conf
2009/05/14 13:29:49| User-Agent logging is disabled.
2009/05/14 13:29:49| Referer logging is disabled.
2009/05/14 13:29:49| Unlinkd pipe opened on FD 11
2009/05/14 13:29:49| Swap maxSize 102400 KB, estimated 7876 objects
2009/05/14 13:29:49| Target number of buckets: 393
2009/05/14 13:29:49| Using 8192 Store buckets
2009/05/14 13:29:49| Max Mem size: 8192 KB
2009/05/14 13:29:49| Max Swap size: 102400 KB
2009/05/14 13:29:49| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/05/14 13:29:49| Rebuilding storage in /var/spool/squid (CLEAN)
2009/05/14 13:29:49| Using Least Load store dir selection
2009/05/14 13:29:49| Set Current Directory to /var/spool/squid
2009/05/14 13:29:49| Loaded Icons.
2009/05/14 13:29:50| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/05/14 13:29:50| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/05/14 13:29:50| WCCP Disabled.
2009/05/14 13:29:50| Ready to serve requests.
2009/05/14 13:29:50| Done reading /var/spool/squid swaplog (3323 entries)
2009/05/14 13:29:50| Finished rebuilding storage from disk.
2009/05/14 13:29:50| 3323 Entries scanned
2009/05/14 13:29:50| 0 Invalid entries.
2009/05/14 13:29:50| 0 With invalid flags.
2009/05/14 13:29:50| 3323 Objects loaded.
2009/05/14 13:29:50| 0 Objects expired.
2009/05/14 13:29:50| 0 Objects cancelled.
2009/05/14 13:29:50| 0 Duplicate URLs purged.
2009/05/14 13:29:50| 0 Swapfile clashes avoided.
2009/05/14 13:29:50| Took 0.3 seconds (10859.9 objects/sec).
2009/05/14 13:29:50| Beginning Validation Procedure
2009/05/14 13:29:50| Completed Validation Procedure
2009/05/14 13:29:50| Validated 3323 Entries
2009/05/14 13:29:50| store_swap_size = 92148k
2009/05/14 13:29:50| storeLateRelease: released 0 objects
2009/05/14 13:30:04| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 13:30:04| clientReadRequest: FD 155 (192.102.72.152:3795) Invalid Request
2009/05/14 13:30:34| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 13:30:04| clientReadRequest: FD 155 (192.102.72.152:3795) Invalid Request
2009/05/14 13:30:34| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 13:30:34| clientReadRequest: FD 294 (192.102.72.152:3802) Invalid Request
2009/05/14 13:30:39| parseHttpRequest: Requestheader contains NULL characters
2009/05/14 13:30:39| parseHttpRequest: Unsupported method '^C'
2009/05/14 13:30:39| clientReadRequest: FD 282 (192.168.30.14:1156) Invalid Request
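A small triage pass over a cache.log in the format posted above, as an added example (my code, not part of the thread): it pulls the descriptor limit and the highest FD number that appears, counts "Invalid Request" lines per client together with the junk "method" Squid rejected, measures the interval between them, and tallies lifetime-timeout closes. The sample lines are constructed to match the posted log, with control characters written as ^C/^A the way the post shows them. Two things this makes visible in the real log: 192.102.72.152 sends NICK (the IRC nickname command, not an HTTP method) to something on port 80 about every 30 seconds, which is either an IRC client pointed at port 80 or a host worth inspecting either way (the thread does not establish which), and the FD numbers in the posted portion stay well under the 1024 limit.

```python
"""Triage a Squid 2.6 cache.log: invalid requests per client (and the junk
"method" Squid rejected), the interval between them, lifetime-timeout closes,
and the highest file descriptor seen against the configured limit.
Added example; the sample below is constructed in the format of the posted log."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the same shape as the posted cache.log (control
# characters written as ^C / ^A, as the forum post shows them).
SAMPLE_LOG = """\
2009/05/13 16:00:58| With 1024 file descriptors available
2009/05/13 16:02:42| WARNING: Closing client 192.0.0.71 connection due to lifetime timeout
2009/05/13 16:02:42| http://mlb.mlb.com/images/2009/05/13/X7FqP8mZ.jpg
2009/05/13 20:58:18| parseHttpRequest: Unsupported method '^C^A'
2009/05/13 20:58:18| clientReadRequest: FD 32 (192.0.0.86:2789) Invalid Request
2009/05/14 08:03:21| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:21| clientReadRequest: FD 72 (192.102.72.152:1025) Invalid Request
2009/05/14 08:03:51| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:03:51| clientReadRequest: FD 27 (192.102.72.152:1035) Invalid Request
2009/05/14 08:04:22| parseHttpRequest: Unsupported method 'NICK'
2009/05/14 08:04:22| clientReadRequest: FD 228 (192.102.72.152:1037) Invalid Request
2009/05/14 08:09:40| parseHttpRequest: Requestheader contains NULL characters
2009/05/14 08:09:40| parseHttpRequest: Unsupported method '^C'
2009/05/14 08:09:40| clientReadRequest: FD 232 (192.102.72.155:49339) Invalid Request
"""

TS_FORMAT = "%Y/%m/%d %H:%M:%S"
RE_FD_LIMIT = re.compile(r"With (\d+) file descriptors available")
RE_METHOD = re.compile(r"Unsupported method '(.*)'")
RE_INVALID = re.compile(r"clientReadRequest: FD (\d+) \((\d+\.\d+\.\d+\.\d+):\d+\) Invalid Request")
RE_TIMEOUT = re.compile(r"Closing client (\d+\.\d+\.\d+\.\d+) connection due to lifetime timeout")


def triage(log_text):
    fd_limit = None
    max_fd = 0
    methods = defaultdict(Counter)   # client IP -> rejected "method" -> count
    times = defaultdict(list)        # client IP -> timestamps of invalid requests
    timeouts = Counter()             # client IP -> lifetime-timeout closes
    pending_method = None            # Squid logs the method line just before the FD line
    for line in log_text.splitlines():
        stamp, _, msg = line.partition("| ")
        if not msg:
            continue
        if m := RE_FD_LIMIT.search(msg):
            fd_limit = int(m.group(1))
        elif m := RE_METHOD.search(msg):
            pending_method = m.group(1)
        elif m := RE_INVALID.search(msg):
            fd, ip = int(m.group(1)), m.group(2)
            max_fd = max(max_fd, fd)
            methods[ip][pending_method or "?"] += 1
            times[ip].append(datetime.strptime(stamp, TS_FORMAT))
            pending_method = None
        elif m := RE_TIMEOUT.search(msg):
            timeouts[m.group(1)] += 1
    clients = {}
    for ip, stamps in times.items():
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        clients[ip] = {
            "invalid": len(stamps),
            "methods": dict(methods[ip]),
            # median interval between invalid requests; a steady beat suggests
            # an automated client rather than a person clicking around
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return {"fd_limit": fd_limit, "max_fd": max_fd,
            "clients": clients, "timeouts": dict(timeouts)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against the real file with `triage(open("/var/log/squid/cache.log").read())`; a client whose median gap is a round number of seconds and whose "methods" are not HTTP verbs is the one to look at first.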
 
Old 05-14-2009, 12:52 PM   #7
rajesh.bahl
Member
 
Registered: Jan 2007
Posts: 101

Rep: Reputation: 15
Can you give slightly more detail: are you using dialing of your DSL modem (if using the same) or "permanent on"? Is there any error message while connecting to the Net? Also, does Squid run for some time and become slow, or is it slow whenever a user requests sites?

Also, can you cross-check the IP of your DNS server?


rajesh.bahl
 
Old 05-14-2009, 03:16 PM   #8
jibskg
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
Rep: Reputation: 0
I have an ADSL connection that's always on, and it never slows down; it just stops like that and I won't be able to access any sites, then I have to restart the squid service.
 
Old 05-14-2009, 06:18 PM   #9
falcom
Member
 
Registered: May 2009
Posts: 102

Rep: Reputation: 13
Post your squid.conf configuration (please, only the principal lines) to help you.
 
Old 05-15-2009, 02:26 AM   #10
rajesh.bahl
Member
 
Registered: Jan 2007
Posts: 101

Rep: Reputation: 15
When every other PC stops, are you able to open any site from the PC that is running Squid?
Please post your configuration file /etc/squid/squid.conf.



rajesh.bahl
 
Old 05-15-2009, 04:16 AM   #11
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
There are a number of issues I would like to address here:

1. It looks like you got a misconfig in your squid.conf, post it as suggested.
2. It looks like you are running into problems with file descriptors (see link below).
3. You seem to be running out of memory; consider upgrading memory (or the allocation within squid.conf).
4. Consider upgrading your squid to the latest squid-3.0.STABLE15.

You seem to have immersed your head into Squid without understanding it first.
Read this thoroughly: http://blog.nazmi.web.id/2007/06/20/...riptor-limits/

Last edited by chitambira; 05-15-2009 at 04:18 AM.
 
Old 05-15-2009, 08:01 AM   #12
jibskg
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
Rep: Reputation: 0
This is my squid.conf:


acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
acl filetypes urlpath_regex -i "/etc/squid/denied_filetypes.acl"
acl bad url_regex "/etc/squid/bad.acl"

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl ibin src 192.0.0.32
acl bez src 192.0.0.86
acl ndra src 192.0.0.121
acl ndra2 src 192.0.0.123
acl ved src 192.0.0.118
acl ward src 192.0.0.33
acl ight src 192.0.0.99
acl ton src 192.0.0.20
acl shaw src 10.0.0.9


http_access allow ibin
http_access allow ndra
http_access allow ndra2
http_access allow bez
http_access allow ved
http_access allow ward
http_access allow ight
http_access allow ton
http_access allow shaw
http_access deny denied_domains
http_access deny filetypes
http_access deny bad
http_access allow all
http_access deny all


icp_access allow all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

coredump_dir /var/spool/squid
 
Old 05-15-2009, 08:55 AM   #13
falcom
Member
 
Registered: May 2009
Posts: 102

Rep: Reputation: 13
First, you have
Quote:
http_access deny denied_domains
http_access deny filetypes
http_access deny bad
after allowing users permission to navigate... what is the reason for placing those lines if they are not used? Bad.
These lines:
Quote:
http_access allow all
http_access deny all
Very bad; the last line is:
http_access deny all
Second:
Post your iptables script to help you...
PS: sorry for my poor English...
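What the http_access order in the posted squid.conf actually does, as an added example (my code, not the thread's and not Squid's): a simplified model of Squid's first-match walk. Squid tries http_access lines top to bottom, every ACL on a line must match, the first line that matches decides, and a request that matches no line gets the opposite of the last line's action. Only the ACL types used in the posted file are modelled; the three file-backed ACLs (denied_domains, filetypes, bad) are given made-up contents here, and the per-host allows are reduced to one, so line indices are those of the lists in the code, not of the posted file. POSTED reproduces the posted order; FIXED puts the deny lists ahead of the host allow and ends with a single deny all.

```python
"""First-match walk of a Squid http_access list, to show what rule order does.
Added example, not from the thread or from Squid.  Models Squid's rule: lines
are tried top to bottom, every ACL on a line must match, the first matching
line decides, and a request matching no line gets the opposite of the last
line's action.  The file-backed ACL contents below are constructed."""
import ipaddress
import re

# name -> (type, values).  denied_domains / filetypes / bad are made up here.
ACLS = {
    "all":            ("src", ["0.0.0.0/0"]),
    "localhost":      ("src", ["127.0.0.1/32"]),
    "manager":        ("proto", ["cache_object"]),
    "SSL_ports":      ("port", ["443"]),
    "Safe_ports":     ("port", ["80", "21", "443", "70", "210", "1025-65535", "280", "488", "591", "777"]),
    "CONNECT":        ("method", ["CONNECT"]),
    "denied_domains": ("dstdomain", [".blocked.example"]),
    "filetypes":      ("urlpath_regex", [r"\.exe$", r"\.torrent$"]),
    "bad":            ("url_regex", [r"webproxy"]),
    "ibin":           ("src", ["192.0.0.32"]),
}

# The posted order, with the per-host allows reduced to one.
POSTED = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["ibin"]),
    ("deny",  ["denied_domains"]),
    ("deny",  ["filetypes"]),
    ("deny",  ["bad"]),
    ("allow", ["all"]),
    ("deny",  ["all"]),
]

# Same ACLs: deny lists before the host allow, one catch-all deny at the end.
FIXED = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["denied_domains"]),
    ("deny",  ["filetypes"]),
    ("deny",  ["bad"]),
    ("allow", ["ibin"]),
    ("deny",  ["all"]),
]


def match(acl, req):
    negate = acl.startswith("!")
    kind, values = ACLS[acl.lstrip("!")]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "dstdomain":   # a leading dot covers the domain and all subdomains
        hit = any(req["host"] == v or (v.startswith(".") and
                  (req["host"] == v[1:] or req["host"].endswith(v))) for v in values)
    elif kind == "port":        # values are "N" or "LO-HI"
        hit = False
        for v in values:
            lo, _, hi = v.partition("-")
            hit = hit or int(lo) <= req["port"] <= int(hi or lo)
    elif kind == "method":
        hit = req["method"] in values
    elif kind == "proto":
        hit = req["proto"] in values
    elif kind == "urlpath_regex":   # the posted config uses -i, so ignore case
        hit = any(re.search(v, req["path"], re.IGNORECASE) for v in values)
    elif kind == "url_regex":
        hit = any(re.search(v, req["url"]) for v in values)
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return hit != negate


def decide(rules, req):
    """(action, index) of the first matching line; (opposite of the last
    line's action, None) when nothing matches."""
    for i, (action, acls) in enumerate(rules):
        if all(match(a, req) for a in acls):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def unreachable(rules):
    """Indices of lines that sit after a line consisting only of 'all'."""
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


def http(src, host, path="/", port=80, method="GET"):
    return {"src": src, "host": host, "port": port, "path": path,
            "method": method, "proto": "http", "url": f"http://{host}{path}"}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "unreachable:", unreachable(rules))
        print(name, "ibin -> blocked domain:", decide(rules, http("192.0.0.32", "www.blocked.example")))
        print(name, "unlisted host -> any site:", decide(rules, http("10.0.0.50", "www.example.com")))
```

In the posted order 192.0.0.32 hits its allow line before the deny lists are consulted, so none of the three lists apply to any listed host, and every unlisted source falls through to allow all, which leaves the trailing deny all with nothing to do. In the fixed order the lists apply to everyone and unlisted sources are denied.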
 
Old 05-15-2009, 09:07 AM   #14
jibskg
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
Rep: Reputation: 0
#!/bin/sh
#
# Local Settings
#


SYSCTL="/sbin/sysctl -w"


IPT="/usr/local/sbin/iptables"
IPTS="/usr/local/sbin/iptables-save"
IPTR="/usr/local/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="192.168.251.3"

# Local Interface Information
LOCAL_IFACE="eth2"
LOCAL_IP="192.168.252.1"
LOCAL_NET="192.168.252.0/24"
LOCAL_BCAST="192.168.252.255"

# Static IP - Terminal Server Interface
TS_IFACE="eth0"
TS_IP="xxx.xxx.xxx.xxx"

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi

###############################################################################
#
# Load Modules
#

echo "Loading kernel modules ..."


###############################################################################
#
# Kernel Parameter Configuration
#
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="0"
fi

if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="0"
fi


###############################################################################
#
# Flush Any Existing Rules or Chains
#

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi

###############################################################################
#
# Rules Configuration
#

###############################################################################
#
# Filter Table
#
###############################################################################

# Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.

echo "Create and populate custom rule chains ..."

$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

###############################################################################
#
# Populate User Chains
#

# bad_packets chain
#
# Drop INVALID packets immediately

$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "IPT - Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN

# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
# --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "IPT - New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# Ping from outside: enable or disable
# icmp_packets chain

$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "IPT - ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j DROP

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
# http://www.chebucto.ns.ca/~rakerman/port-table.html
# http://www.iana.org/assignments/port-numbers

# udp_inbound chain
#
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
#

# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# sshd
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT


# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#

echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# CUSTOM
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.0.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.40.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.30.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.102.72.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.0.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.99.0.1 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.99.0.3 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.99.0.5 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.8.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.60.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.61.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.62.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.63.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.89.0.0/24 -d $LOCAL_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.10.0.0/24 -d $LOCAL_IP -j ACCEPT

$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.252.0/24 -d $LOCAL_IP -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# RULE TO BLOCK P2P FILE SHARING
#$IPT -A INPUT -p udp -i $LOCAL_IFACE -j QUEUE

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

$IPT -A INPUT -p ALL -i $TS_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

$IPT -A INPUT -p TCP -i $TS_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $TS_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $TS_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
#$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "IPT - INPUT packet died: "

###############################################################################
#
# FORWARD Chain
#

echo "Process FORWARD chain ..."

# Used if forwarding for a private network

#$IPT -A FORWARD -p udp --source-port ! 53 -j DROP

# Port Forward SSH Connections

# Port forward httpd

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# RULE TO BLOCK P2P FILE SHARING
#$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j QUEUE

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound


# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT


# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

$IPT -A FORWARD -i $TS_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "IPT - FORWARD packet died: "

###############################################################################
# OUTPUT Chain
#

echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $TS_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "IPT - OUTPUT packet died: "

###############################################################################
#
# nat table
#
###############################################################################

# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
echo "Load rules for nat table ..."

###############################################################################
#
# PREROUTING chain
#

$IPT -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128

#
# POSTROUTING chain
#


$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_ADDRESS

$IPT -t nat -A POSTROUTING -o $TS_IFACE \
-j SNAT --to-source $TS_IP

###############################################################################
#
# mangle table
#
###############################################################################

# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.

echo "Load rules for mangle table ..."

# Restore any per-connection mark onto the packet. The ACCEPT here only
# ends traversal of the mangle PREROUTING chain for connections that are
# already marked; nothing in the rules shown below sets a mark, so the
# save-mark rule has nothing to save until something does.
$IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
$IPT -t mangle -A PREROUTING -j CONNMARK --save-mark


# Layer7 protocol blocking. mangle POSTROUTING sees both forwarded packets
# and packets generated on the firewall itself, so these DROPs also apply
# to the firewall's own outbound connections, including the ones squid
# opens to fetch pages for LAN clients. layer7 pattern matching on each
# new connection also costs CPU; "iptables -t mangle -L -v -n" shows
# which of these rules are actually matching.
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto shoutcast -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto ares -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto imesh -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto napster -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto audiogalaxy -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto shoutcast -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto http-rtsp -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto flash -j DROP
#$IPT -t mangle -A POSTROUTING -m layer7 --l7proto httpaudio -j DROP
$IPT -t mangle -A POSTROUTING -m layer7 --l7proto httpvideo -j DROP
 
Old 05-15-2009, 11:26 AM   #15
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
If I understood your problem correctly,
-- Case 1: your squid runs OK for some time, then dies, meaning you are having to reboot the box frequently. That's right? If so, then your configs work (although they may be NOT best practice), but first I wanted to address the dying issue. It certainly cannot be iptables. (mainly resources)
-- Case 2: BUT if it's not working at all, then we start troubleshooting the networking, then go to configuration (iptables, squid.conf)
-- Case 3: If it's working and it's not dying, BUT only performs poorly, e.g. being slow, then we can narrow down to networking and resources (iptables, memory, file descriptors)

So could you clarify your problem please?
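Added example, not from the thread and not the poster's script: a few shell helpers for the triage chitambira describes, aimed at a setup like the posted `REDIRECT --to-port 3128` rule. They answer three questions before anyone restarts squid again: is the nat REDIRECT actually matching client traffic, is squid 2.6 listening with the `transparent` option it needs for intercepted connections, and what is cache.log saying. The iptables output, squid.conf fragments and cache.log lines in the block are constructed samples; on the real box the input comes from `iptables -t nat -L PREROUTING -v -n -x`, `/etc/squid/squid.conf` and `/var/log/squid/cache.log` (the usual Fedora locations, assumed here).

```shell
#!/bin/sh
# Triage helpers for an iptables REDIRECT -> squid transparent proxy.
# Added example, not the poster's script.  The SAMPLE_* values are
# constructed stand-ins for the real command output and files, e.g.:
#   iptables -t nat -L PREROUTING -v -n -x | count_redirect_hits 3128
#   transparent_mode_ok < /etc/squid/squid.conf
#   count_log_alerts    < /var/log/squid/cache.log
# Every helper reads stdin so it works on a live pipe or a saved copy.

# Constructed sample of "iptables -t nat -L PREROUTING -v -n -x".
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 20480 packets, 1310720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1520      91200 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Constructed squid.conf fragments: one with the option squid 2.6 needs
# to accept intercepted connections, one without it.
SAMPLE_CONF_OK='http_port 3128 transparent
cache_dir ufs /var/spool/squid 100 16 256'
SAMPLE_CONF_BAD='http_port 3128
cache_dir ufs /var/spool/squid 100 16 256'

# Constructed cache.log lines in squid 2.x layout ("timestamp| message").
SAMPLE_LOG='2009/05/14 10:01:02| Ready to serve requests.
2009/05/14 10:30:15| WARNING! Your cache is running out of filedescriptors
2009/05/14 10:30:16| WARNING! Your cache is running out of filedescriptors
2009/05/14 10:31:00| Squid Cache (Version 2.6.STABLE19): Terminated abnormally.'

# Print the packet counter of the REDIRECT rule for port 80 -> port $1.
# Read it twice while a client browses: a counter that stays at 0 means
# the traffic never reaches the rule (wrong -i interface, rule order, or
# the client is not using this box as its gateway), so squid is not the
# first place to look.  Prints 0 if no matching rule exists.
count_redirect_hits() {
    awk -v port="$1" '
        $3 == "REDIRECT" && $0 ~ "dpt:80([ \t]|$)" && $0 ~ ("redir ports " port "([ \t]|$)") {
            print $1; found = 1; exit
        }
        END { if (!found) print 0 }'
}

# Succeed (exit 0) only if every http_port line carries "transparent",
# the squid 2.6 option that tells it the connection was intercepted
# rather than sent to it as a proxy request.  Fails on zero http_port lines.
transparent_mode_ok() {
    awk '
        /^[ \t]*http_port[ \t]/ {
            n++
            if ($0 ~ /(^|[ \t])transparent([ \t]|$)/) ok++
        }
        END { exit !(n > 0 && n == ok) }'
}

# Count cache.log lines that point at resource or crash problems: the
# file-descriptor warning, FATAL errors and abnormal termination.  A
# count that climbs between restarts is the "logs logs please" answer.
count_log_alerts() {
    grep -c -E 'WARNING|FATAL|Terminated abnormally' || true
}

# Demo on the constructed samples (swap in the live pipes listed above).
printf 'REDIRECT hits: %s\n' "$(printf '%s\n' "$SAMPLE_NAT" | count_redirect_hits 3128)"
if printf '%s\n' "$SAMPLE_CONF_OK" | transparent_mode_ok; then
    echo 'http_port: transparent option present'
else
    echo 'http_port: transparent option MISSING'
fi
printf 'cache.log alerts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_log_alerts)"
```

The REDIRECT counter is the quickest way to separate an iptables problem from a squid problem: if it climbs while pages fail, the packets are reaching squid and the next stop is cache.log and the file-descriptor limit; if it stays flat, squid never saw the traffic and the rule or the client's gateway setting is wrong.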
 
  

