We had a power outage a couple of days ago and ever since my transparent proxying is working very slowly. When I enter the proxy manually in my browser, I get nice and fast speed. When I remove the proxy info and go directly through my firewall without the proxy forced I get good speed. However, when I insert the following iptables line into my firewall (which is ALSO my proxy) stuff slows down considerably.

Misc information: I am running my own DNS server and DNS queries on the server are nice and quick. The DNS, Firewall and Squid are the same server. I've got the squid OK'd in my /etc/sysconfig/SuSEfirewall2 script with the PREROUTING information in /etc/sysconfig/SuSEfirewall2-custom. I've got an iPrism web traffic filter in between me and the squid proxy. I've turned that OFF and I get the same behavior.

Again, all this worked BEFORE a power outage and the server came back up. As soon as I remove the PREROUTING line from my firewall everything is nice and fast. Also, should my firewall be DROPping packets on my internal interface? SuSEfirewall2 put that stuff in automatically. I've reproduced this on a separate server with the same squid.conf and iptables setup and I have the same slowness.

Here's my IPTABLES stuff:

# iptables-save | grep 8080
-A input_int -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p udp -m udp --dport 8080 -m state --state NEW -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

# /usr/sbin/squid -v
Squid Cache: Version 2.5.STABLE5
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--with-dl' '--enable-snmp' '--enable-carp' '--enable-useragent-log' '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB no_check' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user ldap_group unix_group wbinfo_group' '--enable-ntlm-fail-open' '--enable-referer-log' '--enable-arp-acl' '--enable-htcp' '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools' '--enable-ssl' '--enable-cache-digests' '--enable-poll' '--enable-storeio=aufs,ufs,diskd,null' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--with-samba-sources=/usr/include/samba' '--enable-x-accelerator-vary'

# uname -a
Linux opportunity 2.6.5-7.201-smp #1 SMP Thu Aug 25 06:20:45 UTC 2005 i686 i686 i386 GNU/Linux
opportunity:~ #
opportunity:~ # iptables -v
iptables v1.2.9:

cat /etc/resolv.conf
nameserver 127.0.0.1
search xtek.com

Here's my squid.conf:

http_port 192.168.202.254:8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
maximum_object_size 60240 KB
cache_dir ufs /usr/local/squid 1000 16 256
mime_table /usr/share/squid/mime.conf
log_fqdn on
acl all src 0.0.0.0/0.0.0.0
acl xtek src 192.168.202.0/24
acl upstairs src 192.168.206.0/24
acl wireless src 192.168.207.0/255.255.255.0
acl unknown src 192.168.209.0/255.255.255.0
acl shop src 192.168.203.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl BLOCK url_regex "/usr/local/squid/block.acl"
acl mimeblock1 rep_mime_type ^application/smil$
acl mimeblock1 rep_mime_type ^application/vnd.ms.wms-hdr.asfv1$
acl mimeblock1 rep_mime_type ^audio/x-pn-realaudio$
http_access deny BLOCK
http_reply_access deny mimeblock1
http_access allow xtek
http_access allow wireless
http_access allow unknown
http_access allow shop
http_access allow upstairs
http_access allow localhost
http_access deny all
icp_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Thanks,
Brian