Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have 1 machine which works as local:
1. Apache server
2. Router (squid proxy)
3. Firewall
I have 2 LAN cards.
Below is the iptables file I am pasting, which I don't fully understand; my connection is working fine, but the Internet is slow.
I need help in analysing this file.
Can someone look into this matter?
IPTABLES
---------------
# squid server IP
SQUID_SERVER="124.??.???.??"   # the real public IP, redacted by the poster
# Interface connected to Internet
INTERNET="em1"
# Interface connected to LAN
LAN="p2p1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy #All input Drop #Output allowed
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_PORT
#To block all service requests on port 80
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i $INTERNET -p tcp --dport 80 -j DROP
# Log and Drop Packets IP spoofing on public interface
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j LOG --log-prefix "IP_SPOOF A: "
#iptables -A INPUT -i $INTERNET -s 124.??.???.??/8 -j DROP
#Drop Private Network Address On Public Interface
iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP
#Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# open access to Samba file server for lan users only ##
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
#Force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Force Fragments packets check
iptables -A INPUT -f -j DROP
#XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# Log and drop spoofed / bogon source addresses on the public interface
# (uses the script's own $INTERNET variable; a literal eth0 does not exist on this box,
# and each LOG rule is paired with the DROP the heading promises)
iptables -A INPUT -i $INTERNET -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i $INTERNET -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i $INTERNET -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $INTERNET -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i $INTERNET -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $INTERNET -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
iptables -A INPUT -i $INTERNET -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i $INTERNET -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP RESERVED "
iptables -A INPUT -i $INTERNET -s 240.0.0.0/4 -j DROP
iptables -A INPUT -i $INTERNET -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
iptables -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP LINKLOCAL "
iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP "
iptables -A INPUT -i $INTERNET -s 255.255.255.255/32 -j DROP
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
If you want the squid file, I have also attached that file along with this post.
Can someone see and tell me where I am making a mistake?
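The firewall script above is the kind of thing worth checking statically before worrying about speed. The following is an added example, not code from the original post: a small Python linter that re-reads a constructed excerpt of the posted rules (same variable names, same rule order) with shlex, so it needs neither iptables nor root, and reports the points a reviewer would raise. The excerpt embedded as SCRIPT, the issue codes, and the function names are assumptions of this example.

```python
"""Static lint of an iptables shell script.

Added example (not code from the original post). It parses the script text and
reports four things for the filter table's INPUT chain:
  * OPEN_INBOUND  - an ACCEPT on the Internet interface that admits NEW
                    connections with no source/protocol restriction, which
                    defeats the default INPUT DROP policy
  * SHADOWED      - a rule on an interface that an earlier catch-all ACCEPT
                    already handles, so it can never match
  * UNKNOWN_IFACE - a literal interface name that is not one of the script's
                    own INTERNET/LAN variables (the post uses eth0 while the
                    variables say em1 and p2p1)
  * LOG_ONLY      - a LOG rule not immediately followed by a DROP/REJECT for
                    the same source, i.e. it logs but blocks nothing
"""
import re
import shlex

# Constructed excerpt that keeps the poster's variable names and rule order.
SCRIPT = """\
INTERNET="em1"
LAN="p2p1"
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
"""

# Options that take one argument, mapped to the key they are stored under.
_OPTS = {"-t": "table", "--table": "table", "-A": "chain", "--append": "chain",
         "-i": "in", "--in-interface": "in", "-s": "src", "--source": "src",
         "-p": "proto", "--protocol": "proto", "-j": "target", "--jump": "target",
         "--state": "state", "--log-prefix": "prefix"}


def parse(script):
    """Split a script into shell variables and a list of iptables -A rules (dicts)."""
    variables, rules = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        m = re.match(r'^([A-Z_][A-Z0-9_]*)="?([^"]*)"?$', line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        if not line.startswith("iptables"):
            continue
        args = shlex.split(line)
        rule = {"line": line, "table": "filter"}
        i = 1
        while i < len(args):
            key = _OPTS.get(args[i])
            if key and i + 1 < len(args):
                rule[key] = args[i + 1]
                i += 2
            else:
                i += 1
        if "chain" in rule:
            rules.append(rule)
    return variables, rules


def expand(token, variables):
    """Expand $NAME references using the script's own variables."""
    if token is None:
        return None
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), token)


def catch_all_accept(rule):
    """True for an ACCEPT with no source/protocol filter that admits NEW connections."""
    if rule.get("target") != "ACCEPT" or "src" in rule or "proto" in rule:
        return False
    return "state" not in rule or "NEW" in rule["state"].split(",")


def find_issues(script):
    """Return a list of (code, rule_line) findings for the filter table's INPUT chain."""
    variables, rules = parse(script)
    internet = variables.get("INTERNET")
    declared = {internet, variables.get("LAN"), "lo"} - {None}
    issues, accept_all = [], set()
    for idx, rule in enumerate(rules):
        if rule["table"] != "filter" or rule["chain"] != "INPUT":
            continue
        iface = expand(rule.get("in"), variables)
        if iface and iface not in declared:
            issues.append(("UNKNOWN_IFACE", rule["line"]))
        if iface in accept_all and rule.get("target") != "ACCEPT":
            issues.append(("SHADOWED", rule["line"]))
        if iface and catch_all_accept(rule):
            if iface == internet:
                issues.append(("OPEN_INBOUND", rule["line"]))
            accept_all.add(iface)
        if rule.get("target") == "LOG":
            nxt = rules[idx + 1] if idx + 1 < len(rules) else {}
            if nxt.get("target") not in ("DROP", "REJECT") or nxt.get("src") != rule.get("src"):
                issues.append(("LOG_ONLY", rule["line"]))
    return issues


if __name__ == "__main__":
    for code, line in find_issues(SCRIPT):
        print(f"{code:14} {line}")
```

Run it against the excerpt and it flags the broad `--state NEW,ESTABLISHED,RELATED` ACCEPT on the Internet interface as OPEN_INBOUND, the later `-s 192.168.0.0/24 -j DROP` on that interface as SHADOWED (it sits behind the ACCEPT and never fires), and the eth0 LOG rules as both UNKNOWN_IFACE and LOG_ONLY. None of that makes traffic slow, which matches the first reply, but it does mean the INPUT DROP policy is not doing what the comments say it does.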
There is nothing there that would cause anything to be "slow". Note you've not described what is slow about it in any way at all. Squid is certainly a much more likely candidate for "slow", but without even telling us what you're using squid for, I don't see how we are supposed to assist you. Is this just webpages? What about non-web traffic, like ssh? What network latency do you see when pinging google.com, for example? We need more.
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
# Squid normally listens to port 3128
http_port 3128 transparent
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 1000 16 256
cache_dir ufs /home/squid_cache_dir 10000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Absolute path to squid access log.
access_log /var/log/squid/access.log squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
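The order of the `http_access` lines in that squid.conf is what decides whether a client request gets through, and it is easy to misread. The following is an added example, not squid's code and not from the original post: a Python evaluator that loads the acl/http_access lines above (plus the `all` and `localhost` ACLs squid predefines) and answers allow/deny for a given source address, destination port and method using squid's first-match rule. The embedded SQUID_CONF copy, the `check` helper and the sample requests are this example's own.

```python
"""First-match evaluation of squid's http_access list.

Added example (not squid's code). Each http_access line matches only if every
ACL on it matches (a leading '!' negates one ACL); the first matching line wins;
if no line matches, the default is the opposite of the last line's action.
Only the acl types used in the posted config (src, port, method) are supported.
"""
import ipaddress

# Constructed copy of the access-control lines from the posted squid.conf.
SQUID_CONF = """\
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def load(conf):
    """Return ({acl name: (type, entries)}, [(action, [terms])]) from squid.conf text."""
    acls = {  # squid predefines these two ACLs
        "all": ("src", [ipaddress.ip_network("0.0.0.0/0")]),
        "localhost": ("src", [ipaddress.ip_network("127.0.0.0/8")]),
    }
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip trailing comments
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            stored_kind, entries = acls.setdefault(name, (kind, []))
            if stored_kind != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            for value in values:
                if kind == "src":
                    entries.append(ipaddress.ip_network(value, strict=False))
                elif kind == "port":  # single port or low-high range
                    low, _, high = value.partition("-")
                    entries.append((int(low), int(high or low)))
                elif kind == "method":
                    entries.append(value.upper())
                else:
                    raise ValueError(f"unsupported acl type {kind}")
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, src, port, method):
    """Does one ACL match the request?"""
    kind, entries = acl
    if kind == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in entries)
    if kind == "port":
        return any(low <= port <= high for low, high in entries)
    return method.upper() in entries


def decide(acls, rules, src, port, method):
    """Apply the http_access lines in order and return 'allow' or 'deny'."""
    for action, terms in rules:
        matched = True
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            if name not in acls:
                raise KeyError(f"http_access references undefined acl {name}")
            if acl_matches(acls[name], src, port, method) == negated:
                matched = False
                break
        if matched:
            return action
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"


def check(src, port, method, conf=SQUID_CONF):
    """Convenience wrapper: evaluate one request against the embedded config."""
    acls, rules = load(conf)
    return decide(acls, rules, src, port, method)


if __name__ == "__main__":
    for req in [("192.168.1.10", 80, "GET"), ("192.168.1.10", 443, "CONNECT"),
                ("192.168.1.10", 22, "GET"), ("192.168.1.10", 8080, "CONNECT"),
                ("10.0.0.5", 80, "GET")]:
        print(req, "->", check(*req))
```

Two things the walk-through makes visible: a LAN client is denied port 22 before `allow localnet` is ever consulted, because `deny !Safe_ports` comes first; and a CONNECT to 8080 is denied even though 8080 is a "safe" port, because `deny CONNECT !SSL_ports` restricts tunnels to 443. Anything not covered by the allow lines falls through to `deny all`.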
You don't know how to bypass your own proxy? That you run?
Hmm, OK. Well, the best way I'd suggest from my limited knowledge of your environment is probably to use PuTTY on Windows to ssh into the proxy server and use it as a SOCKS5 proxy. http://vectrosecurity.com/content/view/67/26/ There are many simpler ways, but without telling you to start turning services on and off it's not going to happen. Using SOCKS you should be able to get a full browsing experience from the perspective of the server machine, without squid in the way.
As for that error, it's because you have "transparent" mode in use there. Personally I would suggest you do NOT use transparent proxying; just make the browser explicitly define the proxy. It's much clearer to troubleshoot and better in many ways, despite the natural inclination to want less manual configuration (which can be dealt with by proxy.pac files etc. if so desired).
I know how to use PuTTY from a Windows machine and I do use that.
But what I understand by the word bypass means stop using squid and use something else.
Now for transparent mode, I have to use that; otherwise I have to set up the port in every browser and computer and different OS, and I don't want to do that.
I just want to solve this error.
Please let me know what other info you need so I can provide it, but please help.
But what you understand? Where's the but? That's exactly what I'm saying you should do. Have you done it?
As above, transparent proxies are easy, but they are also rubbish. And you can use proxy.pac / wpad.dat mechanisms to configure clients with minimal ongoing effort.
No offense, but I don't understand the meaning of the last reply from your side.
I had done this in the past with Fedora 8, 12, 16 and it was working fine, but somehow I had to format the machine and I am now not getting speed due to the updated version of squid.
The rest of the settings are all the same as they should be, because I have stored the settings files (whatever files were required).