Thanks so much for the replies. I haven't had a chance to test whether the:
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j ACCEPT
will solve my interception problem yet. I worked on the server for a few days while it was down and have new and bigger problems now. Where's the nearest pile of sand :(
I built BIND, since our DNS queries are one of the biggest problems. It's set up as a caching nameserver only. I started getting 111 connection refused errors from squid on most links. Watching the logs, I discovered that squid was following the timing of BIND's error of: timeout, disabling EDNS. I remember from some point in the past someone mentioning that BIND (latest) will do this if ipv6 is not configured, and someone else mentioning that building it with --disable-ipv6 was the answer. I have no ipv6 support in the kernel or any apps I've built. Are the EDNS errors from bind killing squid requests (about 2 seconds)? Is disabling ipv6 in the BIND build the solution? How do I enable about a 30 second timeout for all DNS requests? I have been all over the bind manual, but this stuff isn't in there (nudge, BIND writers). I know this is the squid list, but in this case they're joined at the hip.
I am now isolated from the server for a few days, but will be expected to return with answers. Any help is MUCH appreciated. I will post my squid.conf, named.conf, and rc.iptables next time around if needed. If I don't return with things ready to go I'll be tarred, feathered, and thrown out into the desert to swelter and rot (only slightly exaggerating).
Thanks,
Jason
Received on Fri Sep 05 2008 - 12:40:32 MDT
This archive was generated by hypermail 2.2.0 : Fri Sep 05 2008 - 12:00:02 MDT