Ubuntu Server 10.10 with Squid not completing tcp handshakes
I have an Ubuntu Server 10.10 machine running in-between my firewall and the rest of my network that monitors the internet connection and functions as a web cache.
It had been working for about a year, but started having an issue where no one (either from the server itself or from the local network) could connect to a website. Port 80 was the only one affected, which is forwarded via iptables to port 3128 for Squid.
After lots of trial and error, I thought to do a packet capture from the internet-side of the server (which I should've done in the first place!). Turns out the TCP handshake is not completed. The connection is started with a SYN packet; the web server (google.com for example) responds with a SYN/ACK, and then nothing else is sent until the Squid server tries again with another SYN packet. It repeats several times like that, then gives up and gives a connection timeout error message.
My iptables rules are as follows:
# Generated by iptables-save v1.4.4 on Wed May 11 15:25:04 2011
*nat
:PREROUTING ACCEPT [76436:8805348]
:OUTPUT ACCEPT [7935:481414]
:POSTROUTING ACCEPT [41079:2805931]
-A PREROUTING -i br1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed May 11 15:25:04 2011
# Generated by iptables-save v1.4.4 on Wed May 11 15:25:04 2011
*filter
:INPUT ACCEPT [129288:70307197]
:FORWARD ACCEPT [125324:29602631]
:OUTPUT ACCEPT [209340:97911579]
-A INPUT -i br1 -p tcp -m tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed May 11 15:25:04 2011
I'm no guru when it comes to iptables, and when I originally set up the server, I knew even less. So if something is wrong or at least could be done better with the rules, please tell me. Also, I should note that I'm using bridge-utils to bridge the two ethernet interfaces. Squid is set as an intercepting (transparent) proxy. Thanks in advance.
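The symptom described above (SYN out, SYN/ACK back, no final ACK, then SYN retransmits until the client gives up) is easy to confirm mechanically once you have a capture. The following is an added example, not code from the thread: it parses `tcpdump -nn` style text output into flows and flags every handshake that stalled after the SYN/ACK, counting the SYN retransmissions. The capture lines are constructed sample data that mimic the pattern in the post (one stalled flow, one healthy one); the addresses, ports and timestamps are made up.

```python
import re

# Constructed sample of `tcpdump -nn` output (not from the thread). Flow 40001 shows
# the reported symptom: SYN, SYN/ACK, no ACK, then the same SYN again. Flow 40002
# completes normally, to show the healthy case side by side.
SAMPLE_CAPTURE = """\
15:25:04.100001 IP 203.0.113.10.40001 > 198.51.100.5.80: Flags [S], seq 1000, win 5840, length 0
15:25:04.150002 IP 198.51.100.5.80 > 203.0.113.10.40001: Flags [S.], seq 2000, ack 1001, win 5792, length 0
15:25:07.100003 IP 203.0.113.10.40001 > 198.51.100.5.80: Flags [S], seq 1000, win 5840, length 0
15:25:07.150004 IP 198.51.100.5.80 > 203.0.113.10.40001: Flags [S.], seq 2000, ack 1001, win 5792, length 0
15:25:13.100005 IP 203.0.113.10.40001 > 198.51.100.5.80: Flags [S], seq 1000, win 5840, length 0
15:25:20.000001 IP 203.0.113.10.40002 > 198.51.100.7.80: Flags [S], seq 3000, win 5840, length 0
15:25:20.050002 IP 198.51.100.7.80 > 203.0.113.10.40002: Flags [S.], seq 4000, ack 3001, win 5792, length 0
15:25:20.050003 IP 203.0.113.10.40002 > 198.51.100.7.80: Flags [.], ack 4001, win 5840, length 0
"""

# Matches the head of a tcpdump IPv4/TCP line: timestamp, src.port > dst.port, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Group packets into flows keyed by (client, cport, server, sport).

    A flow is created by a bare SYN from the client. The server's SYN/ACK and the
    client's first non-SYN packet (the handshake ACK) are recorded against it.
    """
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a TCP packet line
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if "S" in flags and "." not in flags:
            # Client SYN (first or retransmitted): open or bump the flow.
            st = flows.setdefault((src, sport, dst, dport),
                                  {"syn": 0, "synack": 0, "ack": False})
            st["syn"] += 1
        elif "S" in flags and "." in flags:
            # Server SYN/ACK: key is reversed because it travels server -> client.
            st = flows.get((dst, dport, src, sport))
            if st is not None:
                st["synack"] += 1
        elif "R" not in flags:
            # Any later client packet (ACK, PSH/ACK, ...) proves the handshake completed.
            st = flows.get((src, sport, dst, dport))
            if st is not None and st["synack"] > 0:
                st["ack"] = True
    return flows


def classify(flows):
    """Label each flow and report how many extra SYNs the client had to send."""
    report = {}
    for key, st in flows.items():
        if st["synack"] == 0:
            state = "no-synack"             # server never answered (filtered/unreachable)
        elif not st["ack"]:
            state = "stalled-after-synack"  # the pattern described in the post
        else:
            state = "complete"
        report[key] = {"state": state, "syn_retransmits": st["syn"] - 1}
    return report


def stalled_flows(text):
    """Convenience wrapper: return only the flows that stalled after the SYN/ACK."""
    return {k: v for k, v in classify(parse_capture(text)).items()
            if v["state"] == "stalled-after-synack"}


if __name__ == "__main__":
    for flow, info in classify(parse_capture(SAMPLE_CAPTURE)).items():
        client, cport, server, sport = flow
        print(f"{client}:{cport} -> {server}:{sport}  {info['state']}  "
              f"(SYN retransmits: {info['syn_retransmits']})")
```

To use it on a real capture, feed it the text from `tcpdump -nn -i <internet-side interface> 'tcp port 80'`; a run where most port-80 flows come out as `stalled-after-synack` with two or more retransmits confirms that the SYN/ACK is arriving at the box but the proxy's final ACK never leaves it, which narrows the fault to the local host (bridge, NAT/conntrack or the application) rather than the upstream network.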
I should mention I found a couple of other instances on the internet of people having the same problem, but they either had no solutions or the one person had configured his transparent proxy wrong. He was trying to transparently proxy with iptables instead of using the "transparent" option in Squid.
I think this is an iptables problem, whether my configuration (more probable) or a bug, since I saw someone with the same problem unrelated to squid. I don't have the link anymore, but one person in that thread said the problem had to do with using DNAT in iptables to forward one port to another, the same thing I'm attempting to do.
I might try downgrading to Ubuntu 10.04 to see if that helps, since my configuration was working for a solid year and the only change I made recently was updating; maybe it's something to do with a new version of iptables. While I have a hard time believing that, I've exhausted all my other options. I even formatted and re-installed everything, but the problem's still there.
It should also be noted that the problem disappears temporarily when I restart the server. For a few hours, it works fine, but it inevitably comes back before the day is out. I'm also going to try operating Squid on port 80 and bypassing the iptables forwarding step. Sure, it's not best practice, but this server is required to save bandwidth since we're on a satellite connection with low caps.