> Hi folks,
> I have a little bandwidth problem. My customer's network is simple like
> this: internet ---> squid 2.6 Stable 5 (transparent mode) ----> lan
> 172.16.0.0/16

Please upgrade to stable 17. There are a lot of speed improvements and
some big security holes fixed.

>
> Now, the problem is that when I redirect the 80 port to 8080 (squid) all
> the clients' connections slow down (from 250 Kbyte/s to 20/30 kbyte/s),
> and when I disable the iptables rule all returns fast.
>
> How can I solve this?
>
> Squid.conf
>
> http_port 8080 transparent
> icp_port 0
> htcp_port 0
> cache_access_log /var/log/squid/access.log

UPDATE TO:
  access_log /var/log/squid/access.log

> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log

TRY:
  cache_store_log none

> emulate_httpd_log on
> mime_table /etc/squid/mime.conf
> pid_filename /var/run/squid.pid
> dns_nameservers 213.140.2.12 208.67.222.222 193.205.245.66

These are better set at the OS level. Squid can retrieve them from there
if configured properly. If you are jailing squid, don't worry.

> acl all src 0.0.0.0/0.0.0.0
> http_access allow all

Ouch!
USE:
  acl localnet src 172.16.0.0/16
  http_access allow localnet
  http_access deny all

>
> iptables rules
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s 172.16.0.0/16 -j
> REDIRECT --to-port 8080
> $IPTABLES -t nat -A POSTROUTING -s 172.16.0.0/16 -j SNAT --to-source
> 192.168.1.2

That might be a large part of the problem...

The REDIRECT for transparent is okay. I'm not sure why you mention SNAT,
it is not needed.

What is needed (I have this working perfectly here) is:

  # bypass the proxy outbound on 80...
  $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s $PROXY_IP -j RETURN

  # push everything else through squid...
  $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s 172.16.0.0/16 -j REDIRECT --to-port 8080

With the usual MASQUERADE in POSTROUTING.

Amos
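
The access-rule problem flagged with "Ouch!" in the reply can be checked mechanically. The following is an added example, not part of the original message or of Squid itself: a small audit that walks `http_access` rules in order and reports the first reachable catch-all `allow`. The function names and the two sample strings are illustrative, and it assumes the `acl all` definition stays in the corrected config so that `deny all` resolves.

```python
import ipaddress

# Access rules as posted, and as the reply suggests (assumption: the existing
# "acl all" definition is kept so that "http_access deny all" still resolves).
POSTED = """acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""
SUGGESTED = """acl all src 0.0.0.0/0.0.0.0
acl localnet src 172.16.0.0/16
http_access allow localnet
http_access deny all
"""

def _is_universal(value):
    """True if one src ACL value is a network that covers every address."""
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:  # address ranges etc.: not treated as universal here
        return False

def first_open_allow(conf_text):
    """Return the first reachable 'http_access allow' line that matches any
    client, or None. Rules are checked top to bottom, first match wins, and
    a rule matches only when every ACL named on it matches."""
    universal = {}  # ACL name -> True when it is a src ACL covering everything
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "src":
            hit = any(_is_universal(v) for v in fields[3:])
            universal[fields[1]] = universal.get(fields[1], False) or hit
        elif len(fields) >= 3 and fields[0] == "http_access":
            if all(universal.get(name, False) for name in fields[2:]):
                # A catch-all rule ends evaluation: allow means open proxy.
                return raw.strip() if fields[1] == "allow" else None
    return None

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, "->", first_open_allow(conf) or "no catch-all allow")
```

Run against a real squid.conf, a non-None result means any host that can reach the proxy port is allowed to use it.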