[squid-users] Re: WARNING! Your cache is running out of filedescriptors

From: MrErr <samirlapati_at_gmail.com>
Date: Mon, 16 Jun 2014 06:11:43 -0700 (PDT)

Yes, this is a gateway machine. Here is my (long) iptables-save output. Thanks for helping.

# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
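# NAT table of the gateway. The chain layout (PRE_*/POST_* zone chains with
# _log/_deny/_allow sub-chains plus *_direct hooks) looks firewalld-generated
# -- presumably; confirm against the host.
# Zone binding visible below: p2p1 -> external, p6p1 -> internal, any other
# interface -> public.
# Rules that the mail client wrapped onto two lines are rejoined so that every
# rule is a single line again, as iptables-restore expects.
*nat
:PREROUTING ACCEPT [155329:13831056]
:INPUT ACCEPT [163339:10275649]
:OUTPUT ACCEPT [168487:10350058]
:POSTROUTING ACCEPT [544:45054]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_external - [0:0]
:POST_external_allow - [0:0]
:POST_external_deny - [0:0]
:POST_external_log - [0:0]
:POST_internal - [0:0]
:POST_internal_allow - [0:0]
:POST_internal_deny - [0:0]
:POST_internal_log - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
# Built-in chains only dispatch: *_direct first, then the zone chains.
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o p2p1 -g POST_external
-A POSTROUTING_ZONES -o p6p1 -g POST_internal
-A POSTROUTING_ZONES -g POST_public
-A POST_external -j POST_external_log
-A POST_external -j POST_external_deny
-A POST_external -j POST_external_allow
# Source NAT for traffic leaving through the external zone (p2p1).
-A POST_external_allow ! -i lo -j MASQUERADE
-A POST_internal -j POST_internal_log
-A POST_internal -j POST_internal_deny
-A POST_internal -j POST_internal_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
# The catch-all public zone is masqueraded as well.
-A POST_public_allow ! -i lo -j MASQUERADE
-A PREROUTING_ZONES -i p2p1 -g PRE_external
-A PREROUTING_ZONES -i p6p1 -g PRE_internal
-A PREROUTING_ZONES -g PRE_public
# Interception: web traffic entering on the internal interface is rewritten to
# 192.168.13.1 ports 3129 (from 80) and 3130 (from 443) -- presumably the Squid
# intercept ports this thread is about; confirm against squid.conf.
# NOTE(review): neither rule restricts the destination, so requests addressed
# to the gateway itself on 80/443 are rewritten too.
-A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3129
-A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.13.1:3130
# NOTE(review): these two apply the same redirect to packets arriving on p2p1,
# the external-zone interface. The filter table in this dump accepts 3129/3130
# only from 192.168.13.0/24, so other sources reach the final REJECT, but the
# rules serve no visible purpose on an outside-facing interface; confirm they
# are intended or remove them.
-A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
# Port forwards for the external zone. The match is on the packet mark, which
# the mangle table of this dump sets from the original destination port.
# NOTE(review): seven of these publish port 22 of internal hosts (.102, .104,
# .105, .106, .107, .108, .109) to whatever can reach p2p1; no source-address
# restriction is visible in any table of this dump. If the exposure is needed,
# limit it by source and keep the list in step with hosts that still exist.
-A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 192.168.13.108:22
-A PRE_external_allow -p tcp -m mark --mark 0x65 -j DNAT --to-destination 192.168.13.107:22
-A PRE_external_allow -p tcp -m mark --mark 0x66 -j DNAT --to-destination 192.168.13.104:5000-5020
-A PRE_external_allow -p tcp -m mark --mark 0x67 -j DNAT --to-destination 192.168.13.105:22
-A PRE_external_allow -p tcp -m mark --mark 0x68 -j DNAT --to-destination 192.168.13.109:22
-A PRE_external_allow -p tcp -m mark --mark 0x69 -j DNAT --to-destination 192.168.13.104:22
-A PRE_external_allow -p tcp -m mark --mark 0x6a -j DNAT --to-destination 192.168.13.106:22
-A PRE_external_allow -p udp -m mark --mark 0x6b -j DNAT --to-destination 192.168.13.104:5000-5020
-A PRE_external_allow -p tcp -m mark --mark 0x6c -j DNAT --to-destination 192.168.13.102:22
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT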
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
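# Mangle table of the gateway. Its only rules of substance tag packets that
# arrive in the external zone (p2p1) with a mark derived from the destination
# port; the nat and filter tables of this dump then match on that mark to
# forward and accept them.
# Rules that the mail client wrapped onto two lines are rejoined so that every
# rule is a single line again, as iptables-restore expects.
*mangle
:PREROUTING ACCEPT [7079916:4367281964]
:INPUT ACCEPT [6413821:4248905726]
:FORWARD ACCEPT [666095:118376238]
:OUTPUT ACCEPT [5547690:4295572741]
:POSTROUTING ACCEPT [6213726:4413950361]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i p2p1 -g PRE_external
-A PREROUTING_ZONES -i p6p1 -g PRE_internal
-A PREROUTING_ZONES -g PRE_public
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
# External port -> mark. The /0xffffffff mask means the whole mark is
# overwritten. The targets, per the nat table of this dump:
#   tcp 2082 -> 0x64 -> 192.168.13.108:22    tcp 2072 -> 0x65 -> 192.168.13.107:22
#   tcp 2052 -> 0x67 -> 192.168.13.105:22    tcp 2092 -> 0x68 -> 192.168.13.109:22
#   tcp 2042 -> 0x69 -> 192.168.13.104:22    tcp 2062 -> 0x6a -> 192.168.13.106:22
#   tcp 2022 -> 0x6c -> 192.168.13.102:22
#   tcp 5000:5020 -> 0x66 and udp 5000:5020 -> 0x6b -> 192.168.13.104:5000-5020
# NOTE(review): the marks are set for any source address, so these rules are
# the place to add a source match if the forwards should not be world-reachable.
-A PRE_external_allow -p tcp -m tcp --dport 2082 -j MARK --set-xmark 0x64/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2072 -j MARK --set-xmark 0x65/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 5000:5020 -j MARK --set-xmark 0x66/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2052 -j MARK --set-xmark 0x67/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2092 -j MARK --set-xmark 0x68/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2042 -j MARK --set-xmark 0x69/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2062 -j MARK --set-xmark 0x6a/0xffffffff
-A PRE_external_allow -p udp -m udp --dport 5000:5020 -j MARK --set-xmark 0x6b/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2022 -j MARK --set-xmark 0x6c/0xffffffff
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT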
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
# Security table: it holds only the jumps into the *_direct hook chains, and
# those chains carry no rules in this dump, so the table does not filter
# anything here.
*security
:INPUT ACCEPT [6397473:4243959237]
:FORWARD ACCEPT [665999:118370198]
:OUTPUT ACCEPT [5547713:4295575625]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
# Raw table: it holds only the jumps into the empty *_direct hook chains, so no
# packet is exempted from connection tracking or otherwise altered here.
*raw
:PREROUTING ACCEPT [7079963:4367286131]
:OUTPUT ACCEPT [5547714:4295575713]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
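# Filter table of the gateway. INPUT and FORWARD have policy ACCEPT, but both
# chains end in an unconditional REJECT, so whatever the rules above it do not
# accept is refused (all ICMP is accepted just before that REJECT).
# Zone binding: p2p1 -> external, p6p1 -> internal, any other interface -> public.
# Rules that the mail client wrapped onto two lines are rejoined so that every
# rule is a single line again, as iptables-restore expects.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5547690:4295572741]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_external - [0:0]
:FWDI_external_allow - [0:0]
:FWDI_external_deny - [0:0]
:FWDI_external_log - [0:0]
:FWDI_internal - [0:0]
:FWDI_internal_allow - [0:0]
:FWDI_internal_deny - [0:0]
:FWDI_internal_log - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_external - [0:0]
:FWDO_external_allow - [0:0]
:FWDO_external_deny - [0:0]
:FWDO_external_log - [0:0]
:FWDO_internal - [0:0]
:FWDO_internal_allow - [0:0]
:FWDO_internal_deny - [0:0]
:FWDO_internal_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_external - [0:0]
:IN_external_allow - [0:0]
:IN_external_deny - [0:0]
:IN_external_log - [0:0]
:IN_internal - [0:0]
:IN_internal_allow - [0:0]
:IN_internal_deny - [0:0]
:IN_internal_log - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
# INPUT: established traffic and loopback first, then the direct and zone
# chains, then ICMP, then the final REJECT.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD follows the same shape.
# NOTE(review): "-p icmp -j ACCEPT" forwards every ICMP type between all zones,
# including from p2p1 inward; confirm that is wanted.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i p2p1 -g FWDI_external
-A FORWARD_IN_ZONES -i p6p1 -g FWDI_internal
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o p2p1 -g FWDO_external
-A FORWARD_OUT_ZONES -o p6p1 -g FWDO_internal
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_external -j FWDI_external_log
-A FWDI_external -j FWDI_external_deny
-A FWDI_external -j FWDI_external_allow
# New connections from the external zone are forwarded only when they carry one
# of the port-forward marks (0x64-0x6c) set in the mangle table of this dump.
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x65 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x67 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x69 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6a -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6b -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6c -j ACCEPT
-A FWDI_internal -j FWDI_internal_log
-A FWDI_internal -j FWDI_internal_deny
-A FWDI_internal -j FWDI_internal_allow
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_external -j FWDO_external_log
-A FWDO_external -j FWDO_external_deny
-A FWDO_external -j FWDO_external_allow
# Anything routed out through p2p1 is accepted: no egress filtering for the LAN.
-A FWDO_external_allow -j ACCEPT
-A FWDO_internal -j FWDO_internal_log
-A FWDO_internal -j FWDO_internal_deny
-A FWDO_internal -j FWDO_internal_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
# The same holds for any output interface other than p2p1 and p6p1.
-A FWDO_public_allow -j ACCEPT
-A INPUT_ZONES -i p2p1 -g IN_external
-A INPUT_ZONES -i p6p1 -g IN_internal
-A INPUT_ZONES -g IN_public
# Proxy ports 3129/3130 (the targets of the nat redirects in this dump) are
# accepted from the LAN prefix.
# NOTE(review): the match is on source address only. Adding "-i p6p1" would
# stop a packet that arrives on another interface with a 192.168.13.0/24
# source from being accepted; the host's rp_filter state is not shown here.
# NOTE(review): these rules also admit clients that address 3129/3130 directly
# instead of being redirected. Squid's interception guidance is to drop direct
# connections to an intercept port (a mangle PREROUTING rule does this, since it
# runs before the nat rewrite), because such requests can loop back into the
# proxy and consume descriptors, the symptom this thread is about. Confirm
# whether that applies here.
-A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT
-A IN_external -j IN_external_log
-A IN_external -j IN_external_deny
-A IN_external -j IN_external_allow
# The only service on the gateway itself that is open to the external zone:
# tcp/2012. The listener is not shown in this dump.
-A IN_external_allow -p tcp -m tcp --dport 2012 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal -j IN_internal_log
-A IN_internal -j IN_internal_deny
-A IN_internal -j IN_internal_allow
# Services on the gateway open to the internal zone. By well-known port number
# these would be mDNS (5353), IPP (631), VNC (5900-5903), SSH (22), DNS (53),
# DHCP (67) and NetBIOS (137/138); 2032 and 10000 are site-specific. The actual
# listeners are not shown, so treat the names as presumed.
# NOTE(review): 5900:5903 and 10000 are remote-administration style ports; keep
# them only if the listeners are in use and authenticated.
-A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 2032 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 10000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
# The public zone catches every interface other than p2p1 and p6p1; it admits
# mDNS and tcp/22 to the gateway.
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT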
# Completed on Mon Jun 16 08:10:44 2014

Received on Mon Jun 16 2014 - 13:12:25 MDT
