Didn't you see any strange requests in your access list?
Mahmoud Taghizadeh
On Mon, 15 Jul 2002, Chad Whitten wrote:
> my personal squid proxy (for home network) has all of a sudden - 3 times in 
> the last week - just gotten plain flaky.  Sites don't load, nothing gets 
> logged in the access.log.  The only way I can get it working again is to 
> reboot (stopping and restarting squid doesn't work).  It's squid 2.4stable6 
> running on suse linux 7.1.  The linux box is the gateway, and when squid stops 
> responding all other services (ftp, mail, etc.) keep working.  The proxy is 
> transparent, compiled with the following options:
> 
> ./configure --prefix=/usr/local --exec_prefix=/usr/local 
> --bindir=/usr/local/sbin --libexecdir=/usr/local/lib/squid 
> --localstatedir=/var --sysconfdir=/etc/squid --disable-snmp --enable-poll 
> --enable-linux-netfilter --enable-gnuregex --disable-wccp
> 
> here is my startup script for iptables and squid
> #!/bin/bash
> #
> # IP Masqing script transparent proxy
> 
> INTIF='eth0';
> LOIF='lo';
> IPTABLES='/usr/sbin/iptables';
> INTNET='10.1.1.0/24';
> INTERNET='0/0';
> INTBRD='10.1.1.255';
> 
> 
> # Enable IP Forwarding & some other stuff in the kernel
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
> for pfile in /proc/sys/net/ipv4/conf/*/rp_filter
> do
>   echo "1" > $pfile
> done
> echo 1024 32768 > /proc/sys/net/ipv4/ip_local_port_range
> echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
> # Raise number of file descriptors
> ulimit -HSn 8192
> 
> 
> # Setup Defaults
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> 
> # Setup forwarding policies
> $IPTABLES -A FORWARD -j ACCEPT
> 
> # Setup masquerading policies
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
> $IPTABLES -A FORWARD -s $INTERNET -j DROP
> 
> # Enable transparent proxying
> $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> # Block some things that should never get here
> #$IPTABLES -A INPUT -i $INTIF -s 192.168.0.0/16 -j DROP
> #$IPTABLES -A INPUT -i $INTIF -s 172.16.0.0/12 -j DROP
> #$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0/32 -j DROP
> #$IPTABLES -A INPUT -i $INTIF -s 255.255.255.255/32 -j DROP
> #$IPTABLES -A INPUT -i $INTIF -s $INTERNET -d 192.168.0.0/16 -j DROP
> #$IPTABLES -A INPUT -i $INTIF -s $INTERNET -d 172.16.0.0/12 -j DROP
> #$IPTABLES -A INPUT -i $INTIF -s $INTERNET -d 0.0.0.0/32 -j DROP
> #$IPTABLES -A INPUT -i $INTIF -s $INTERNET -d 255.255.255.255/32 -j DROP
> 
> # Drop any localhost pings
> #$IPTABLES -A INPUT -p icmp -d 127.0.0.1 -j DROP
> 
> # Drop any attempts to broadcast pings
> #$IPTABLES -A INPUT -p icmp -i $INTIF -d $INTBRD -j DROP
> 
> # Startup Squid
> /usr/local/sbin/squid
> 
> squid.conf is just the stuff needed for transparent proxy.  Other than that 
> it's all defaults.
> 
> Specs on the box are AMD 550, 256 meg RAM, 40 gig IDE drive; it serves three clients. 
> No apparent hardware errors on the box.
> 
> See anything that could be causing a problem?  
> 
> -- 
> Chad Whitten
> neXband Communications
> cwhitten@nexband.com
> 
Received on Tue Jul 16 2002 - 00:44:21 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:15 MST
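Mahmoud's suggestion to look at the access list, worked through as an added example that is not part of the thread and not Squid project code: a Python scanner for Squid's native access.log format that flags what a three-client home gateway should never see. It reports clients outside INTNET (the posted script leaves INPUT at ACCEPT and has no rule keeping outside hosts off port 3128, so an outside client address in the log would mean the proxy is reachable from the Internet), CONNECT tunnels to anything but 443 or explicit non-web ports, clients far above a normal request count, and lines that do not parse at all. The field layout, the sample log lines, the 10.1.1.0/24 network (taken from INTNET) and the per-client threshold are assumptions, not data from Chad's box.

```python
"""Scan a Squid native-format access.log for requests a small home-gateway
proxy should never see. Added example, not code from the thread or from Squid.

Assumed Squid 2.x native log layout (one request per line):
  timestamp elapsed client result/status size method URL ident hierarchy/peer type
"""
import sys
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_LINE = re.compile(
    r"""^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+
        (?P<result>[A-Z_]+)/(?P<status>\d+)\s+(?P<size>\d+)\s+
        (?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+
        (?P<hier>\S+)\s+(?P<ctype>\S+)\s*$""",
    re.X,
)

INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")  # INTNET from the posted script
STANDARD_PORTS = {80, 443}                           # assumption: only web ports expected

# Constructed sample log; the addresses and hosts are documentation ranges, not real data.
SAMPLE_LOG = """\
1026782461.123    245 10.1.1.5 TCP_MISS/200 4321 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1026782462.004     12 10.1.1.5 TCP_HIT/200 2048 GET http://www.example.com/logo.gif - NONE/- image/gif
1026782470.550    900 10.1.1.7 TCP_MISS/200 15000 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1026782480.001   3000 198.51.100.23 TCP_MISS/200 512 CONNECT mail.example.net:25 - DIRECT/192.0.2.30 -
1026782481.200     30 198.51.100.23 TCP_MISS/403 0 GET http://www.example.com:8080/ - NONE/- text/html
this line is garbage and will not parse
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not native format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "size"):
        rec[key] = int(rec[key])
    return rec


def url_port(method, url):
    """Destination port named in the request, or None when the scheme default applies."""
    if method == "CONNECT":            # CONNECT lines carry a bare host:port
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else None
    try:
        return urlsplit(url).port      # None for http://host/ without explicit port
    except ValueError:                 # malformed port such as http://host:abc/
        return None


def is_odd_destination(method, url):
    """True for tunnels to anything but 443 and for explicit non-web ports."""
    port = url_port(method, url)
    if method == "CONNECT":
        return port != 443
    return port is not None and port not in STANDARD_PORTS


def find_strange_requests(lines, internal_net=INTERNAL_NET, max_per_client=1000):
    """Summarise a log: per-client counts, outside clients, odd destinations, noise."""
    per_client, external, odd, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        per_client[rec["client"]] += 1
        try:
            if ipaddress.ip_address(rec["client"]) not in internal_net:
                external[rec["client"]] += 1
        except ValueError:             # hostname or junk: not one of our LAN addresses
            external[rec["client"]] += 1
        if is_odd_destination(rec["method"], rec["url"]):
            odd.append({"client": rec["client"], "method": rec["method"], "url": rec["url"]})
    busy = sorted(c for c, n in per_client.items() if n > max_per_client)
    return {
        "per_client": dict(per_client),
        "external_clients": dict(external),
        "odd_destinations": odd,
        "busy_clients": busy,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    # Usage: python scan_access_log.py [/var/log/squid/access.log]; defaults to the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for key, value in find_strange_requests(source).items():
        print(f"{key}: {value}")
```

On the sample, the two requests from 198.51.100.23 are reported both as coming from outside 10.1.1.0/24 and as odd destinations (a CONNECT to port 25 and an explicit port 8080), while the LAN clients and the unparseable line are only counted. An empty access.log during one of the "flaky" periods, as Chad describes, tells the scanner nothing, which is itself the useful observation: if squid logs nothing while the REDIRECT rule is still sending port 80 to 3128, the process is not accepting connections at all rather than seeing strange ones.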