I have an Ubuntu Server 10.10 machine running in-between my firewall and the rest of my network that monitors the internet connection and functions as a web cache.

It had been working for about a year, but started having an issue where no one (either from the server itself or from the local network) could connect to a website. Port 80 was the only one affected, which is forwarded via iptables to port 3128 for Squid.

After lots of trial and error, I thought to do a packet capture from the internet-side of the server (which I should've done in the first place!). Turns out the tcp handshake is not completed. The connection is started with a syn packet; the web server (google.com for example) responds with a SYN/ACK, and then nothing else is sent until the squid server tries again with another SYN packet. It repeats several times like that, then gives up and gives a connection timeout error message.

My iptables rules are as follows:
# Generated by iptables-save v1.4.4 on Wed May 11 15:25:04 2011
*nat
:PREROUTING ACCEPT [76436:8805348]
:OUTPUT ACCEPT [7935:481414]
:POSTROUTING ACCEPT [41079:2805931]
-A PREROUTING -i br1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed May 11 15:25:04 2011
# Generated by iptables-save v1.4.4 on Wed May 11 15:25:04 2011
*filter
:INPUT ACCEPT [129288:70307197]
:FORWARD ACCEPT [125324:29602631]
:OUTPUT ACCEPT [209340:97911579]
-A INPUT -i br1 -p tcp -m tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed May 11 15:25:04 2011

I'm no guru when it comes to iptables, and when I originally setup the server, I knew even less. So if something is wrong or at least could be done better with the rules please tell me. Also, I should note that I'm using bridge-utils to bridge the two ethernet interfaces. Squid is set as an intercepting (transparent) proxy. Thanks in advance.

I should mention I found a couple other instances on the internet of people having the same problem, but they either had no solutions or the one person had configured his transparent proxy wrong. He was trying to transparently proxy with iptables instead of using the "transparent" option in Squid.

I think this is an iptables problem, whether my configuration (more probable) or a bug, since I saw someone with the same problem unrelated to squid. I don't have the link anymore, but one person in that thread said the problem had to do with using DNAT in iptables to forward one port to another, the same thing I'm attempting to do.

I might try downgrading to Ubuntu 10.04 to see if that helps, since my configuration was working for a solid year and the only change I made recently was updating, maybe it's something to do with a new version of iptables. While I have a hard time believing that, I've exhausted all my other options. I even formatted and re-installed everything but the problem's still there.

It should also be noted that the problem disappears temporarily when I restart the server. For a few hours, it works fine, but it inevitably comes back before the day is out. I'm also going to try operating Squid on port 80 and bypassing the iptables forwarding step. Sure it's not best practice, but this server is required to save bandwidth since we're on a satellite connection with low caps.

bump. If I need to ask this in a different forum, let me know.