[squid-users] squid or iptables big problem !

From: Hubert Choma <hubert.ch_at_wp.pl>
Date: Thu, 11 Mar 2010 09:21:35 +0100

Hello
Please check my configs. I don't know it's a problem with squid config
(transparent 8080) or iptables. Pages are loading very very slow
sometimes I receive error DNS timeout and clients can't connect to WWW
sites. I open ports 53 UDP and TCP on my firewall CENTOS 5.4. My
Linuxbox is configured as a router. I have redirected 80,21,9999(ssh)
ports on my hardware router to linux 192.168.1.2

How can I debug squid to check it is a firewall problem ?
 
In resolv.conf I have write down IP of hardware router and IP's of my
internet provider DNS so it shouldn't be a problem with DNS ?!

resolv.conf
nameserver 192.168.1.1
nameserver 194.204.152.34
nameserver 194.204.159.1

My net topology
192.168.1.1(UTM hardware router)---192.168.1.2 CENOTS router with
transparent squid--192.168.0.0/24 LAN clients

eth0 WAN -192.168.1.2 (static IP)
eth1 LAN -192.168.0.1 (static IP)
Squid 2.6 stable 21

Maybe its iptables config problem ? Please HELP
Your help will be appreciated !!!

iptables

#!/bin/sh
modprobe ip_nat
modprobe ip_conntrack_ftp
modprobe ip_conntrack
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT it is necessary ??

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# RDP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT
--to-destination 192.168.0.6:3389
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
#DraytekSyslog
iptables -t nat -I PREROUTING -p udp -i eth0 -d 0/0 --dport 514 -j DNAT
--to 192.168.0.6
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 514 -j ACCEPT

# DNS
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT
--to-destination 192.168.0.1:53
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT
--to-destination 192.168.0.1:53
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

# SERVICES
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 9999 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 21 -j ACCEPT

#NAT
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp
--dport 80 -j DNAT --to-destination 192.168.0.1:8080
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT
--to-source 192.168.1.2

squid.conf

http_port 192.168.0.1:8080 transparent
dns_nameservers 192.168.1.1 194.204.152.34 194.204.159.1
acl localnet src 192.168.0.0/24
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
range_offset_limit -1
quick_abort_min -1

acl ftp proto FTP
http_access allow ftp
cache_vary on

#MY ACL's (only allowed sites in file dozwolone.txt are allowed for
ograniczone_komputery other sites are prohibited)
acl all src 0.0.0.0/0.0.0.0
cache allow all
acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
acl ograniczone_komputery src 192.168.0.2 192.168.0.3 192.168.0.4
192.168.0.9 192.168.0.10
acl nieograniczone src 192.168.0.5 192.168.0.6 192.168.0.7 192.168.0.8
acl poczta dstdom_regex .*poczta. .*mail.

http_access allow dozwolone ograniczone_komputery !poczta
http_access allow nieograniczone
http_access deny all

# DEFAULT ACL
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
cache_mgr hubert_at_wp.pl
cachemgr_passwd mypassword
acl localhost src 127.0.0.1/255.255.255.255
acl dostep_stats src 192.168.0.0/24

http_access allow manager localhost
http_access allow manager dostep_stats
#http_access deny manager
http_access allow all

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#http_access allow all
##http_access allow manager localhost
##http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all

#hierarchy_stoplist cgi-bin ?
#acl QUERY urlpath_regex cgi-bin \?
#cache deny QUERY
cache_mem 20 MB
maximum_object_size_in_memory 8 MB
maximum_object_size 750 MB

#cache on XFS partition
cache_dir aufs /mnt/sdb/squid 2000 16 256
access_log /var/log/squid/access.log squid
error_directory /usr/share/squid/errors/Polish
refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
Received on Thu Mar 11 2010 - 08:21:40 MST

This archive was generated by hypermail 2.2.0 : Thu Mar 11 2010 - 12:00:06 MST