Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
SDN 101: An Introduction to Software Defined Networking
Discover the advantages of SDN.
SDN has quickly become one of the hottest trends in IT. But not all SDN solutions offer real software-defined functionality. As more enterprises consider SDN, they want to know, “What is SDN? And what are the real benefits?” If you're ready to explore the advantages of SDN, and want to know how it should be implemented within your enterprise, start by reading our introductory white paper.
Click Here to receive this Complete Guide absolutely free.
I have 1 machine which works as Local
1. Apache Server
2. Router (squid proxy)
I have 2 Lan Cards
Below is Iptables Files I am pasting which i dont fully understand but my connection is worknig fine but Internet is slow.
I need help in analysing this file.
Can someone look into this matter.
# squid server IP
SQUID_SERVER="124.??.???.??" >> THIS IS REAL IP
# Interface connected to Internet
# Interface connected to LAN
# Squid port
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# For win xp ftp client
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy #All input Drop #Output allowed
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_PORT
#To block all service requests on port 80
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j DROP
# Log and Drop Packets IP spoofing on public interface
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j LOG --log-prefix "IP_SPOOF A: "
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j DROP
#Drop Private Network Address On Public Interface
iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP
#Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# open access to Samba file server for lan users only ##
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
#Force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Force Fragments packets check
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
#Log and Drop Spoofing Source Addresses
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -s 22.214.171.124/4 -j LOG --log-prefix "IP DROP MULTICAST "
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP MULTICAST "
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 126.96.36.199/16 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i eth0 -s 248.0.0.0/5 -j LOG --log-prefix "IP DROP "
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
if you want squid file i have also attached this file along with this post.
Can someone see and tell me where i am making mistake?
there is nothing there that would cause anything to be "slow". Note you've not described what is slow abuot it in any way at all. Squid is certainly a much more likely candidate for "slow" but without even telling us what you're using squid for, I don't see how we are supposed to assist you. Is this just webpages? what about non web traffic, like ssh? What network latency do you see when pinging google.com for example? We need more.
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
# Squid normally listens to port 3128
http_port 3128 transparent
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 1000 16 256
cache_dir ufs /home/squid_cache_dir 10000 16 256
# Leave coredumps in the first cache dir
# Absolute path to squid access log.
access_log /var/log/squid/access.log squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
you don't know how to bypass your own proxy? that you run?
Hmm, OK well the best way I'd suggest from my limited knowledge of your environment is probably to use puTTY on Windows to ssh into the proxy server and use it as a SOCKS5 proxy. http://vectrosecurity.com/content/view/67/26/ there are many simpler ways, but without telling you to start turning services on and off it's not going to happen. Using socks you should be able to get a full browsing experience, from the perspective of the server machine without squid in the way.
as for that error, it's because you have "transparent" mode in use there. Personally I would suggest you do NOT use transparent proxying, just make browser explicitly define the proxy. it's much clearer to troubleshoot and better in many ways, despite the natural inclination to want less manual configuration (which can be dealt with by proxy.pac files etc. if so desired)