In regards to a five-minute delay people are experiencing when accessing http://cat.lib.unimelb.edu.au/ I run the following iptables rules. What I'm trying to achieve is: if the request is destined to http://cat.lib.unimelb.edu.au/ then redirect to the firewall. The rule is where I placed the ### mark. Could someone tell me if it will work, before I apply the rules on the live environment.

Thanks in advance

--------My IP Tables------------------

#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# ------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="128.250.180.100"
# cat.lib.unimelb.edu.au IP address
catlib="128.250.144.132"
# Firewall IP address
firewall="128.250.2.21"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
FTP_PORT="21"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
# Support for connection tracking of FTP and mod for win xp ftp client
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
### DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
### (the catlib rule is appended first, so it is matched before the general port-80 rule;
###  it has no --dport, so every TCP connection to $catlib is rewritten, not only port 80)
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -d $catlib -j DNAT --to $firewall
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
### if it is same system
### REDIRECT only accepts --to-ports (it rewrites to a local address); sending traffic
### to another host needs DNAT --to <ip>
iptables -t nat -A PREROUTING -i $INTERNET -p tcp -d $catlib -j DNAT --to $firewall
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Do some checks for obviously spoofed IP's
iptables -t nat -A PREROUTING -i $INTERNET -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $INTERNET -s 127.0.0.0/8 -j DROP
# Drop Microsoft packets outbound from Server
iptables -A OUTPUT -p tcp -o $INTERNET --dport 139 -j DROP
iptables -A OUTPUT -p tcp -o $INTERNET --dport 445 -j DROP
iptables -A OUTPUT -p tcp -o $INTERNET --dport 32875 -j DROP
iptables -A OUTPUT -p udp -o $INTERNET --source-port 32875 -j DROP
iptables -A OUTPUT -p udp -o $INTERNET --dport 137 -j DROP
# DROP everything
iptables -A INPUT -j DROP

-----Original Message-----
From: George Dominguez [mailto:G.Dominguez@xxxxxxx]
Sent: Monday, 18 September 2006 12:36 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: 5 second delay

Good morning,

It was brought to my attention that there is a 5 second delay when accessing the following page and their respective sub menus http://cat.lib.unimelb.edu.au/

This was not the case before the proxy was introduced. We ran squid in transparent mode, on a RedHat EL4 server with 5GB of RAM and a small cache of 20GB. I checked the logs but can't find anything wrong at all.

Any ideas on what I should/could be looking for? The page is simple html.
Regards

George Dominguez
Business and Systems Engineer
Information Technology & Services Department
Melbourne Business School
PH: 9349-8473

--
_______________________________________________________________________________
Notice from Melbourne Business School Ltd
The information contained in this e-mail is confidential, and is intended for the named person's use only. It may contain proprietary or legally privileged information. If you have received this email in error, please notify the sender and delete it immediately. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Internet communications are not secure. You should scan this message and any attachments for viruses. Melbourne Business School does not accept any liability for loss or damage which may result from receipt of this message or any attachments.
_______________________________________________________________________________
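Before loading a rule set like the one above on a live box, it helps to check on paper which nat PREROUTING rule a given connection will hit. The following is an added example, not code from the thread or from the cyberciti script: a small first-match evaluator for the four PREROUTING rewrite rules as posted. The addresses, interfaces and ports are the ones in the post; the client addresses are constructed sample values. The rule for Internet-side traffic to cat.lib is modelled as DNAT, since the REDIRECT target only accepts --to-ports and cannot send traffic to another host.

```python
"""First-match evaluator for the nat PREROUTING rules in the posted script.

Added example: it models iptables chain traversal (rules are tried in the
order they were appended; the first rule whose match fields all agree with
the packet terminates the chain) so the effect of rule placement can be
checked offline.  Addresses below are the ones from the post; the client
addresses used in demo() are constructed values.
"""
from dataclasses import dataclass
from typing import List, Optional

SQUID_SERVER = "128.250.180.100"
SQUID_PORT = 3128
CATLIB = "128.250.144.132"      # cat.lib.unimelb.edu.au
FIREWALL = "128.250.2.21"
INTERNET, LAN_IN = "eth0", "eth1"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    in_iface: str
    proto: str
    target: str
    dst: Optional[str] = None     # None = no -d given, any destination
    dport: Optional[int] = None   # None = no --dport given, any port

    def matches(self, p: Packet) -> bool:
        # Every specified match field must agree; unspecified fields match anything.
        return (p.in_iface == self.in_iface
                and p.proto == self.proto
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))


# Same order as the -A (append) calls in the posted script.
PREROUTING: List[Rule] = [
    Rule("catlib-lan", LAN_IN, "tcp", f"DNAT --to {FIREWALL}", dst=CATLIB),
    Rule("squid-lan", LAN_IN, "tcp", f"DNAT --to {SQUID_SERVER}:{SQUID_PORT}", dport=80),
    Rule("catlib-wan", INTERNET, "tcp", f"DNAT --to {FIREWALL}", dst=CATLIB),
    Rule("squid-wan", INTERNET, "tcp", f"REDIRECT --to-ports {SQUID_PORT}", dport=80),
]


def first_match(p: Packet, chain: List[Rule] = PREROUTING) -> Optional[str]:
    """Return the name of the first matching rule, or None if the packet
    falls through to the chain policy (ACCEPT in the nat table)."""
    for rule in chain:
        if rule.matches(p):
            return rule.name
    return None


def demo() -> dict:
    """Constructed sample connections from a LAN client (eth1)."""
    other_web = "203.0.113.10"   # constructed: any web server that is not cat.lib
    samples = {
        "lan->catlib:80": Packet(LAN_IN, "tcp", CATLIB, 80),
        "lan->catlib:443": Packet(LAN_IN, "tcp", CATLIB, 443),
        "lan->other:80": Packet(LAN_IN, "tcp", other_web, 80),
        "lan->other:443": Packet(LAN_IN, "tcp", other_web, 443),
    }
    return {label: first_match(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label:16} -> {hit}")
```

Running it shows that port-80 traffic to cat.lib is sent to the firewall and never reaches squid (the author's intent), that the same rule also rewrites port 443 and every other TCP port to cat.lib because it carries no --dport, and that swapping the two LAN rules would send cat.lib traffic to squid instead, which is why the ### rule must stay in front of the general port-80 rule.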