[squid-users] 2.4 kernel/IPTables problem? (Can't access several sites)

From: Michael C. Jett <jettm@dont-contact.us>
Date: Fri, 30 Mar 2001 10:59:22 -0600

I'm having a strange problem with Squid on 2.4 kernel/IP Tables machines.
There are several sites that simply will not load unless I bypass Squid.
The following sites are on the list of those that will not come up:


When attempting to connect to these sites, the browser pauses until
evidently it times out and gives a 111 - Connection Refused error message
back to the browser.

My configuration is as follows:

### - Dino - Dino is running kernel 2.4.2 (RH7) and has two network
interfaces, the internal eth0 on and the external eth1 with a
valid internet address. It runs IP Tables and uses a POSTROUTING SNAT line
to masquerade internal machines:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to valid-external-ip

The FORWARD chain is open to all internal machines with the following lines:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! eth1 -j ACCEPT

Dino also takes care of DHCP and DNS for us, in case that's relevant.

#### - Odie - Odie is running kernel 2.4.2 (RH7) and has a single
network interface, eth0, on Odie is currently running
Squid-2.3-STABLE4, but I experienced the EXACT same problem with
Squid-2.4-STABLE1. Odie has a default policy of ACCEPT on the INPUT,
OUTPUT, and FORWARD chains, and redirects web requests to Squid with:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I compiled Squid from source, with the following configure options
./configure --enable-delay-pools --enable-cache-digests --enable-poll --disable-ident-lookups --enable-truncate --enable-heap-replacement --enable-snmp

All the clients have a default route to, which has forwarding
turned on. This sends the packets to, which has a default route

What I have been through at this point:
- My first thought was that it was a problem with transparent proxy. I put
the Squid IP and port in my IE5.5 proxy configuration and experienced the
same problem.
- All of the pages that we have problems with have javascript files that
they download, with a <script src="xxx.xx"> tag. I had seen several posts
about embedded carriage returns in the tags, so I added #define
RELAXED_HTTP_PARSER 1 in client_side.c and recompiled. I could access the
sites that other people had posted with this problem, so I'm thinking this
is a red herring(?).
- When a site, such as www.adaptec.com, won't load being redirected through
Squid, I make an exception on the firewall rules on Odie. I will add a line
such as: iptables -t nat -A PREROUTING -i eth0 -d www.adaptec.com -j ACCEPT
ahead of the REDIRECT line. This resolves the problem for that site since
it doesn't go through Squid. However, this seems to me to indicate that all
of my routing, firewall rules, etc., are OK since the only thing that has
changed is that we're not routing through Squid.
- This was all running previously on a 2.2.16 (RH6.2) box that I compiled
from source in the same manner. The only differences I can see are the
kernel (2.2.16 v. 2.4.2), RedHat version (6.2 v. 7.0), IPCHAINS v. iptables,
and on the previous configuration everything was running on one box, Squid
firewall and all. As a last resort, I copied the currently running
/usr/local/squid/bin/squid and /usr/local/squid/etc/squid.conf from the old
machine to Odie and restarted Squid on Odie. At this point the new and old
machines were running the exact same binary and config file (with obvious
machine name and path changes). Setting my browser proxy to the old Squid
box would let me open www.isyndicate.com, setting it to the new Squid box
would not. They were both running Squid-2.3-STABLE4 at this point.

I'm outta ideas. My thought at this point is that it has to be either a
dynamic library problem with RedHat 7, a curiosity with iptables (but not
transparent proxy since I have the same problem setting my browser
directly), a problem with kernel 2.4.2, a problem with my routing setup
(ICMP Redirects?), or I'm just an idiot... :)

I would appreciate any help from anyone...

Mike Jett
Received on Fri Mar 30 2001 - 09:59:24 MST
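The post works around the problem by inserting per-site ACCEPT rules ahead of the REDIRECT rule in the nat PREROUTING chain, and relies on the FORWARD chain's state rules on the gateway. Both only work if the rules sit in the right order, which is easy to get wrong when rules are appended with `-A`. The following checker, added here as an illustration and not part of the original post or of Squid, reads an `iptables-save` dump and reports which bypass rules actually take effect (placed before the REDIRECT) and which are shadowed by it. The dump, the interface names and the addresses 192.0.2.10 and 198.51.100.7 are constructed sample data modelled on the setup described above; the function names are this example's own.

```python
"""Check bypass-rule ordering and FORWARD state rules in an iptables-save dump.

Added example; the dump below is constructed to mirror the proxy host in the post:
one bypass ACCEPT placed before the REDIRECT (effective) and one appended after
it (shadowed, so that site still goes through Squid).
"""
import re

# Constructed iptables-save excerpt (sample data, not a real capture).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 192.0.2.10/32 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -d 198.51.100.7/32 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i eth1 -m state --state NEW -j ACCEPT
COMMIT
"""


def parse_table_rules(dump, table, chain):
    """Return the '-A <chain> ...' rules of one table, in order, without the prefix."""
    prefix = f"-A {chain} "
    rules, current = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # start of a table, e.g. '*nat'
            current = line[1:]
        elif line == "COMMIT":            # end of the current table
            current = None
        elif current == table and line.startswith(prefix):
            rules.append(line[len(prefix):])
    return rules


def find_redirect(rules, port):
    """Index of the first REDIRECT rule that sends traffic to `port`, or None."""
    pat = re.compile(rf"-j REDIRECT --to-ports? {port}\b")
    for i, rule in enumerate(rules):
        if pat.search(rule):
            return i
    return None


def accept_destinations(rules):
    """(index, destination) pairs for rules that ACCEPT a specific destination."""
    found = []
    for i, rule in enumerate(rules):
        dest = re.search(r"-d (\S+)", rule)
        if dest and re.search(r"-j ACCEPT\b", rule):
            found.append((i, dest.group(1)))
    return found


def classify_bypasses(dump, port=3128, table="nat", chain="PREROUTING"):
    """Split destination bypasses into those before the REDIRECT and those shadowed by it."""
    rules = parse_table_rules(dump, table, chain)
    ridx = find_redirect(rules, port)
    effective, shadowed = [], []
    for i, dest in accept_destinations(rules):
        # A bypass only works if it is evaluated before the REDIRECT rule.
        (effective if ridx is None or i < ridx else shadowed).append(dest)
    return {"redirect_rule": ridx, "effective": effective, "shadowed": shadowed}


def forward_allows_internal(dump, external_if="eth1"):
    """True if FORWARD accepts established flows and NEW flows from non-external interfaces."""
    rules = parse_table_rules(dump, "filter", "FORWARD")
    has_established = any(
        "--state" in r and "ESTABLISHED" in r and "-j ACCEPT" in r for r in rules)
    has_new_internal = any(
        f"! -i {external_if}" in r and "NEW" in r and "-j ACCEPT" in r for r in rules)
    return has_established and has_new_internal


if __name__ == "__main__":
    report = classify_bypasses(SAMPLE_DUMP)
    print("REDIRECT rule index:", report["redirect_rule"])
    print("effective bypasses :", report["effective"])
    print("shadowed bypasses  :", report["shadowed"])
    print("FORWARD state rules present:", forward_allows_internal(SAMPLE_DUMP))
```

On a live host the dump comes from `iptables-save`; the checker uses `--to-ports`, which is how `iptables-save` writes the REDIRECT target even when the rule was entered with `--to-port`. One caveat for the `-d www.adaptec.com` style of exception used in the post: iptables resolves a hostname once, when the rule is added, and installs one rule per address returned, so a site whose addresses change or that round-robins across more addresses than were resolved at that moment will still be redirected to Squid.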
