
RE: Squid won't load certain pages.


 



First off, thanks all for the help and advice.

It seems it is two problems.  The difficulties with Yahoo mail and
wiki.squid-cache.org are two separate things.  I've yet to delve into
the Yahoo one fully again but I've studied the wiki.squid-cache.org
packet dumps carefully and this is what's going on.

Just to clarify again, the gateway machine runs iptables for IP masq
type things, but the policy is very restrictive by default and all port
80 traffic goes via Squid which runs on the same machine.  For the
purposes of testing, I've knocked a hole in the firewall to allow a
machine on the internal network to access the wiki.squid-cache.org site
directly, without using Squid. All packet traces were done on the
gateway machine on the Internet facing NIC.

When wiki.squid-cache.org/SquidFaq/SquidAcl is accessed directly the TCP
connection is all well and good:

Packet 1 -> SYN, packet 2 <- SYN/ACK, packet 3 -> ACK, packet 4 ->
ACK/PUSH and so on.

When the self same machine tries to access the exact same page but via
Squid, it just goes in an eternal handshake loop, where the 3-way
handshake is completed and repeated again and again:

Packet 1 -> SYN, packet 2 <- SYN/ACK, packet 3 -> ACK, and back to the
beginning.

One thing of note though is that the third packet doesn't include a
relative ACK number, only a relative sequence number.  Furthermore,
watching my /var/log/messages at the same time, I'm seeing some packets
from wiki.squid-cache.org hitting my firewall: not many but some.  I'm
presuming that this is what's preventing the TCP connection from
advancing.  That said, I've no idea why some packets would hit it, and
others wouldn't when it's all part of the same conversation.  Anyhow,
I'll include my iptables -L -n at the end.

I'll also have a look at the Yahoo connections in more detail once I've
eaten something as it's 15:20 and I'm far too hungry for this.


Thanks again,

Callum.



iptables output:



Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  10.3.0.1             0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  10.3.0.1             0.0.0.0/0
ACCEPT     tcp  --  10.3.0.2             0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  10.3.0.2             0.0.0.0/0
ACCEPT     tcp  --  10.3.0.3             0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  10.3.0.3             0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0              0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  0.0.0.0              0.0.0.0/0
ACCEPT     tcp  --  158.152.1.58         0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  158.152.1.58         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
NR         all  -- !62.49.100.112/28     0.0.0.0/0
DROP       all  --  0.0.0.0/0            255.255.255.255
DROP       all  --  0.0.0.0/0            62.49.100.127
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
INBOUND    all  --  0.0.0.0/0            10.3.0.1
INBOUND    all  --  0.0.0.0/0            62.49.100.114
INBOUND    all  --  0.0.0.0/0            10.3.0.255
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT     tcp  --  0.0.0.0/0            10.3.0.2            tcp dpt:3389
ACCEPT     udp  --  0.0.0.0/0            10.3.0.2            udp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.3.0.3            tcp dpt:3389
ACCEPT     udp  --  0.0.0.0/0            10.3.0.3            udp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.3.0.4            tcp dpt:3389
ACCEPT     udp  --  0.0.0.0/0            10.3.0.4            udp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.3.0.3            tcp dpt:43334
ACCEPT     udp  --  0.0.0.0/0            10.3.0.3            udp dpt:43334
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.0/8          state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            10.0.0.0/8          state RELATED,ESTABLISHED
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  62.49.100.114        10.3.0.1            tcp dpt:53
ACCEPT     udp  --  62.49.100.114        10.3.0.1            udp dpt:53
ACCEPT     tcp  --  62.49.100.114        10.3.0.2            tcp dpt:53
ACCEPT     udp  --  62.49.100.114        10.3.0.2            udp dpt:53
ACCEPT     tcp  --  62.49.100.114        10.3.0.3            tcp dpt:53
ACCEPT     udp  --  62.49.100.114        10.3.0.3            udp dpt:53
ACCEPT     tcp  --  62.49.100.114        0.0.0.0             tcp dpt:53
ACCEPT     udp  --  62.49.100.114        0.0.0.0             udp dpt:53
ACCEPT     tcp  --  62.49.100.114        158.152.1.58        tcp dpt:53
ACCEPT     udp  --  62.49.100.114        158.152.1.58        udp dpt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/8           0.0.0.0/0
ACCEPT     all  --  10.3.0.1             0.0.0.0/0
ACCEPT     all  --  62.49.100.114        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:32223
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:32223
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:3128
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:3128
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:25
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:123
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:180
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:180
LSI        all  --  0.0.0.0/0            0.0.0.0/0

Chain LOG_FILTER (5 references)
target     prot opt source               destination         

Chain LSI (73 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LSO (1 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain NR (1 references)
target     prot opt source               destination         
LSI        all  --  0.0.0.0/8            62.49.100.112/28    
LSI        all  --  1.0.0.0/8            62.49.100.112/28    
LSI        all  --  2.0.0.0/8            62.49.100.112/28    
LSI        all  --  5.0.0.0/8            62.49.100.112/28    
LSI        all  --  7.0.0.0/8            62.49.100.112/28    
LSI        all  --  10.0.0.0/8           62.49.100.112/28    
LSI        all  --  23.0.0.0/8           62.49.100.112/28    
LSI        all  --  27.0.0.0/8           62.49.100.112/28    
LSI        all  --  31.0.0.0/8           62.49.100.112/28    
LSI        all  --  36.0.0.0/8           62.49.100.112/28    
LSI        all  --  37.0.0.0/8           62.49.100.112/28    
LSI        all  --  39.0.0.0/8           62.49.100.112/28    
LSI        all  --  42.0.0.0/8           62.49.100.112/28    
LSI        all  --  49.0.0.0/8           62.49.100.112/28    
LSI        all  --  50.0.0.0/8           62.49.100.112/28    
LSI        all  --  77.0.0.0/8           62.49.100.112/28    
LSI        all  --  78.0.0.0/8           62.49.100.112/28    
LSI        all  --  79.0.0.0/8           62.49.100.112/28    
LSI        all  --  92.0.0.0/8           62.49.100.112/28    
LSI        all  --  93.0.0.0/8           62.49.100.112/28    
LSI        all  --  94.0.0.0/8           62.49.100.112/28    
LSI        all  --  95.0.0.0/8           62.49.100.112/28    
LSI        all  --  96.0.0.0/8           62.49.100.112/28    
LSI        all  --  97.0.0.0/8           62.49.100.112/28    
LSI        all  --  98.0.0.0/8           62.49.100.112/28    
LSI        all  --  99.0.0.0/8           62.49.100.112/28    
LSI        all  --  100.0.0.0/8          62.49.100.112/28    
LSI        all  --  101.0.0.0/8          62.49.100.112/28    
LSI        all  --  102.0.0.0/8          62.49.100.112/28    
LSI        all  --  103.0.0.0/8          62.49.100.112/28    
LSI        all  --  104.0.0.0/8          62.49.100.112/28    
LSI        all  --  105.0.0.0/8          62.49.100.112/28    
LSI        all  --  106.0.0.0/8          62.49.100.112/28    
LSI        all  --  107.0.0.0/8          62.49.100.112/28    
LSI        all  --  108.0.0.0/8          62.49.100.112/28    
LSI        all  --  109.0.0.0/8          62.49.100.112/28    
LSI        all  --  110.0.0.0/8          62.49.100.112/28    
LSI        all  --  111.0.0.0/8          62.49.100.112/28    
LSI        all  --  112.0.0.0/8          62.49.100.112/28    
LSI        all  --  113.0.0.0/8          62.49.100.112/28    
LSI        all  --  114.0.0.0/8          62.49.100.112/28    
LSI        all  --  115.0.0.0/8          62.49.100.112/28    
LSI        all  --  116.0.0.0/8          62.49.100.112/28    
LSI        all  --  117.0.0.0/8          62.49.100.112/28    
LSI        all  --  118.0.0.0/8          62.49.100.112/28    
LSI        all  --  119.0.0.0/8          62.49.100.112/28    
LSI        all  --  120.0.0.0/8          62.49.100.112/28    
LSI        all  --  127.0.0.0/8          62.49.100.112/28    
LSI        all  --  169.254.0.0/16       62.49.100.112/28    
LSI        all  --  172.16.0.0/12        62.49.100.112/28    
LSI        all  --  173.0.0.0/8          62.49.100.112/28    
LSI        all  --  174.0.0.0/8          62.49.100.112/28    
LSI        all  --  175.0.0.0/8          62.49.100.112/28    
LSI        all  --  176.0.0.0/8          62.49.100.112/28    
LSI        all  --  177.0.0.0/8          62.49.100.112/28    
LSI        all  --  178.0.0.0/8          62.49.100.112/28    
LSI        all  --  179.0.0.0/8          62.49.100.112/28    
LSI        all  --  180.0.0.0/8          62.49.100.112/28    
LSI        all  --  181.0.0.0/8          62.49.100.112/28    
LSI        all  --  182.0.0.0/8          62.49.100.112/28    
LSI        all  --  183.0.0.0/8          62.49.100.112/28    
LSI        all  --  184.0.0.0/8          62.49.100.112/28    
LSI        all  --  185.0.0.0/8          62.49.100.112/28    
LSI        all  --  186.0.0.0/8          62.49.100.112/28    
LSI        all  --  187.0.0.0/8          62.49.100.112/28    
LSI        all  --  192.0.2.0/24         62.49.100.112/28    
LSI        all  --  192.168.0.0/16       62.49.100.112/28    
LSI        all  --  197.0.0.0/8          62.49.100.112/28    
LSI        all  --  198.18.0.0/15        62.49.100.112/28    
LSI        all  --  223.0.0.0/8          62.49.100.112/28    
LSI        all  --  224.0.0.0/3          62.49.100.112/28    

Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            10.3.0.1
ACCEPT     all  --  0.0.0.0/0            63.210.156.0/22
ACCEPT     all  --  0.0.0.0/0            64.154.220.0/22
ACCEPT     all  --  0.0.0.0/0            216.82.0.0/18
ACCEPT     all  --  0.0.0.0/0            8.2.32.0/22
ACCEPT     all  --  0.0.0.0/0            64.129.40.0/22
ACCEPT     all  --  0.0.0.0/0            64.129.44.0/22
ACCEPT     all  --  0.0.0.0/0            8.4.12.0/22
ACCEPT     all  --  0.0.0.0/0            8.10.144.0/21
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  10.3.0.1             0.0.0.0/0
ACCEPT     all  --  62.49.100.114        0.0.0.0/0
ACCEPT     tcp  --  10.3.0.0/24          0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  10.3.0.0/24          0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:554
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:554
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:123
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:1755
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:1755
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpts:20:21
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpts:20:21
ACCEPT     tcp  --  62.49.100.114        0.0.0.0/0           tcp dpt:25
ACCEPT     udp  --  62.49.100.114        0.0.0.0/0           udp dpt:25
LSO        all  --  0.0.0.0/0            0.0.0.0/0
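
In the listing above, NR is reached only from INPUT and is evaluated before INBOUND's RELATED,ESTABLISHED accept, while FORWARD never references it. The Python sketch below (an added example, not part of the original message) checks whether a packet's source falls in one of NR's prefixes; it assumes the INPUT rules above the NR jump do not match the packet, and the sample addresses are constructed.

```python
import ipaddress

# Source prefixes of the NR chain as listed above; /8 blocks by first octet.
_OCTETS = ([0, 1, 2, 5, 7, 10, 23, 27, 31, 36, 37, 39, 42, 49, 50, 77, 78, 79]
           + list(range(92, 121)) + [127] + list(range(173, 188)) + [197, 223])
NR_SOURCES = [ipaddress.ip_network(f"{o}.0.0.0/8") for o in _OCTETS] + [
    ipaddress.ip_network(n) for n in (
        "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
        "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/3")]
PUBLIC_NET = ipaddress.ip_network("62.49.100.112/28")


def nr_drop_prefix(chain, src, dst):
    """Return the NR source prefix that sends this packet to LSI, or None.

    Assumption: the INPUT rules listed before the NR jump do not match.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if chain != "INPUT":       # NR has 1 reference, and it is in INPUT
        return None
    if src in PUBLIC_NET:      # INPUT rule: NR all -- !62.49.100.112/28
        return None
    if dst not in PUBLIC_NET:  # every NR rule has destination 62.49.100.112/28
        return None
    for net in NR_SOURCES:
        if src in net:
            return net         # LSI ends in an unconditional DROP
    return None


if __name__ == "__main__":
    # Constructed remote addresses, not taken from the packet traces.
    samples = [("INPUT", "96.0.0.1", "62.49.100.114"),    # reply to the proxy
               ("FORWARD", "96.0.0.1", "10.3.0.2"),       # reply to a LAN host
               ("INPUT", "8.8.8.8", "62.49.100.114")]
    for chain, src, dst in samples:
        print(chain, src, "->", dst, ":", nr_drop_prefix(chain, src, dst))
```

Running it with the remote address seen in the packet trace, once for INPUT and once for FORWARD, shows whether the same source is treated differently on the proxied and the direct path.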

