[squid-users] 5 second delay

From: George Dominguez <G.Dominguez@dont-contact.us>
Date: Wed, 20 Sep 2006 17:36:46 +1000

In regard to the five-minute delay people are experiencing when
accessing http://cat.lib.unimelb.edu.au/

I run the following iptables rules. What I'm trying to achieve is: if
the request is destined for http://cat.lib.unimelb.edu.au/, then redirect it
to the firewall.

The rule is where I placed the ### mark. Could someone tell me if it
will work before I apply the rules to the live environment?

Thanks in advance

--------My IP Tables------------------

#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL:
# http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# ------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="128.250.180.100"
# cat.lib.unimelb.edu.au Ip address
catlib="128.250.144.132"
# Firewall IP address
firewall="128.250.2.21"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
FTP_PORT="21"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
# Support for connection tracking of FTP and mod for win xp ftp client
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
### DNAT port 80 requests coming from LAN systems to squid 3128
### ($SQUID_PORT) aka transparent proxy.
### Requests for cat.lib.unimelb.edu.au are sent to the firewall instead.
### Note: this rule has no --dport, so it matches every TCP port to $catlib,
### not only 80.
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -d $catlib -j DNAT --to-destination $firewall
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to-destination $SQUID_SERVER:$SQUID_PORT
### if it is same system
### REDIRECT only rewrites the port (--to-ports) and always delivers to this
### machine; sending $catlib traffic to another host needs DNAT.
iptables -t nat -A PREROUTING -i $INTERNET -p tcp -d $catlib -j DNAT --to-destination $firewall
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Do some checks for obviously spoofed IP's
iptables -t nat -A PREROUTING -i $INTERNET -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $INTERNET -s 127.0.0.1/8 -j DROP
# Drop Microsoft packets outbound from Server
iptables -A OUTPUT -p tcp -o $INTERNET --dport 139 -j DROP
iptables -A OUTPUT -p tcp -o $INTERNET --dport 445 -j DROP
iptables -A OUTPUT -p tcp -o $INTERNET --dport 32875 -j DROP
iptables -A OUTPUT -p udp -o $INTERNET --source-port 32875 -j DROP
iptables -A OUTPUT -p udp -o $INTERNET --dport 137 -j DROP
# DROP everything
iptables -A INPUT -j DROP

-----Original Message-----
From: George Dominguez [mailto:G.Dominguez@mbs.edu]
Sent: Monday, 18 September 2006 12:36 PM
To: squid-users@squid-cache.org
Subject: [squid-users] 5 second delay

Good morning,

It was brought to my attention that there is a 5-second delay when
accessing the following page and its respective sub-menus:
http://cat.lib.unimelb.edu.au/

This was not the case before the proxy was introduced.

We run Squid in transparent mode on a Red Hat EL4 server with 5 GB of RAM
and a small cache of 20 GB. I checked the logs but can't find anything
wrong at all.

Any ideas on what I should/could be looking for? The page is simple
HTML.

Regards
George Dominguez
Business and Systems Engineer
Information Technology & Services Department Melbourne Business School
PH: 9349-8473

--
_______________________________________________________________________________
 
Notice from Melbourne Business School Ltd 
The information contained in this e-mail is confidential, and is
intended for the named person's use only.  It may contain proprietary or
legally privileged information. If you have received this email in
error, please notify the sender and delete it immediately.  You must
not, directly or indirectly, use, disclose, distribute, print, or copy
any part of this message if you are not the intended recipient.
Internet communications are not secure. You should scan this message and
any attachments for viruses. Melbourne Business School does not accept
any liability for loss or damage which may result from receipt of this
message or any attachments.
______________________________________________________________________________ 
 
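As an added example (not code from the original post, and not from the cyberciti howto it cites), the POSIX shell script below simulates first-match evaluation of the nat PREROUTING rules in the posted script, so the question "will this rule work, and what will it catch?" can be answered offline before anything is loaded on the live firewall. The rule list and the sample packets are constructed from the addresses in the post; the rule list writes the `--to` shorthands out and expresses the REDIRECT-to-host rule as DNAT, because REDIRECT can only change the port. The simulator implements only the matches the posted rules use (-i, -p, -s, -d, --dport); everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the posted script: a first-match simulator for the
# nat PREROUTING rules in the post. It answers "which rule would this packet
# hit?" without loading the rules on a live box.
# The rule list is a constructed copy of the posted PREROUTING rules with the
# "--to" shorthands written out; the REDIRECT-to-host rule is written as DNAT,
# because REDIRECT only takes --to-ports. Addresses are the ones from the post.

SQUID_SERVER="128.250.180.100"
catlib="128.250.144.132"
firewall="128.250.2.21"
SQUID_PORT="3128"

# One rule per line, evaluated top to bottom; the first match wins.
PREROUTING_RULES="
-i eth1 -p tcp -d $catlib -j DNAT --to-destination $firewall
-i eth1 -p tcp --dport 80 -j DNAT --to-destination $SQUID_SERVER:$SQUID_PORT
-i eth0 -p tcp -d $catlib -j DNAT --to-destination $firewall
-i eth0 -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-i eth0 -s 192.168.0.0/16 -j DROP
-i eth0 -s 127.0.0.0/8 -j DROP
"

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match ADDR NET[/LEN] -> exit 0 when ADDR lies inside NET/LEN (LEN defaults to 32).
cidr_match() {
    net=${2%/*}
    case $2 in */*) len=${2#*/} ;; *) len=32 ;; esac
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# first_match IN_IFACE PROTO SRC DST DPORT
# Prints the target (plus its arguments) of the first rule the packet matches,
# or NOMATCH when it falls through the chain unchanged.
first_match() {
    pkt_in=$1 pkt_proto=$2 pkt_src=$3 pkt_dst=$4 pkt_dport=$5
    while read -r rule; do
        [ -n "$rule" ] || continue
        set -- $rule
        ok=1 target="" targs=""
        while [ $# -gt 0 ]; do
            case $1 in
                -i)      [ "$2" = "$pkt_in" ]       || ok=0; shift 2 ;;
                -p)      [ "$2" = "$pkt_proto" ]    || ok=0; shift 2 ;;
                -s)      cidr_match "$pkt_src" "$2" || ok=0; shift 2 ;;
                -d)      cidr_match "$pkt_dst" "$2" || ok=0; shift 2 ;;
                --dport) [ "$2" = "$pkt_dport" ]    || ok=0; shift 2 ;;
                -j)      target=$2; shift 2 ;;
                *)       targs="$targs $1"; shift ;;   # target options, e.g. --to-destination X
            esac
        done
        if [ "$ok" -eq 1 ]; then
            echo "$target$targs"
            return 0
        fi
    done <<EOF
$PREROUTING_RULES
EOF
    echo NOMATCH
}

# Constructed sample packets: "in-iface proto src dst dport".
for pkt in \
    "eth1 tcp 10.0.0.5 $catlib 80" \
    "eth1 tcp 10.0.0.5 $catlib 443" \
    "eth1 tcp 10.0.0.5 203.0.113.9 80" \
    "eth1 tcp 10.0.0.5 203.0.113.9 443" \
    "eth0 tcp 192.168.1.7 $SQUID_SERVER 80"
do
    printf '%-42s -> %s\n' "$pkt" "$(first_match $pkt)"
done
```

Running it shows two things worth knowing before deployment: the catlib rule carries no --dport, so every TCP port to 128.250.144.132 from the LAN is diverted to the firewall, not only port 80; and the anti-spoofing DROP rules sit below the port 80 rules, so a packet arriving on eth0 from 192.168.0.0/16 to port 80 is redirected to Squid rather than dropped.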
Received on Wed Sep 20 2006 - 01:37:09 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:03 MDT