Thanks Antony. Yes, new, established and related. The first rule in the
INPUT chain is --state RELATED,ESTABLISHED with all the --state NEW rules
below that. With this configuration the vast majority of connections went
through fine but occasionally one timed out. If I remove the state analysis
in iptables everything works fine.

On 26 February 2014 10:46, Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Wednesday 26 February 2014 at 11:40:59, Paul Carew wrote:
>
>> Thanks Amos.
>>
>> This is now resolved and appears to have been related to iptables on
>> the upstream Squid server.
>>
>> Originally I was accepting --state NEW connections only on the
>> upstream Squid server's iptables configuration. By removing the
>> --state NEW component and just accepting all tcp connections between
>> the relevant IP addresses and ports all of the connection failed error
>> messages have vanished from Squid's cache logs.
>
> I assume you mean you were accepting both NEW and ESTABLISHED?
>
>> I'll look into iptables as I'm puzzled why it would block a SYN packet
>> on a --state NEW rule match.
>
> --state NEW would not block SYN, but it would block ACK and SYN,ACK
>
> You'd need --state ESTABLISHED to allow those through.
>
>
> Hope that helps,
>
>
> Antony.
>
> --
> All matter in the Universe can be placed into one of two categories:
>
> 1. Things which need to be fixed.
> 2. Things which need to be fixed once you've had a few minutes to play with
> them.
>
> Please reply to the list;
> please don't CC me.
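The three INPUT-chain variants discussed in this thread (NEW only, the stateless workaround, and RELATED,ESTABLISHED at the top with the NEW rules below it), walked through with a toy connection-state model. This is an added example, not code from the thread, from Squid or from netfilter: it models only the NEW/ESTABLISHED distinction the thread is about (an in-order chain evaluator plus a connection table populated by accepted SYNs), and ignores TCP window tracking, timeouts, RELATED helpers and nf_conntrack_tcp_loose. The addresses, client port and the 3128 upstream port are constructed sample data.

```python
"""Toy model of iptables --state matching over one inbound TCP connection.

Added example (not from the mailing-list thread, Squid or netfilter). It
shows why an INPUT chain that only ACCEPTs --state NEW lets the SYN through
but drops the rest of the handshake and the request, and why the usual fix
is an ACCEPT for --state RELATED,ESTABLISHED ahead of the NEW rules.
Real conntrack is far richer than this; only NEW vs ESTABLISHED is modelled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Rule:
    target: str                        # "ACCEPT" or "DROP"
    states: frozenset = frozenset()    # --state list; empty = no state match
    dport: Optional[int] = None        # --dport, or None for any port


class ConnTracker:
    """Minimal connection table keyed by the unordered endpoint pair."""

    def __init__(self):
        self.entries = set()

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def classify(self, p):
        if self.key(p) in self.entries:
            return "ESTABLISHED"
        if p.flags == frozenset({"SYN"}):
            return "NEW"        # opening packet of a would-be connection
        return "INVALID"        # no entry and not a handshake opener (simplified)

    def confirm(self, p):
        # Only a NEW packet that the chain accepted creates a table entry.
        self.entries.add(self.key(p))


def verdict(chain, policy, state, p):
    """Walk the chain top to bottom; the first matching rule decides."""
    for r in chain:
        if r.states and state not in r.states:
            continue
        if r.dport is not None and p.dport != r.dport:
            continue
        return r.target
    return policy


def run(chain, packets, policy="DROP"):
    """Feed inbound packets through conntrack and the chain; return (state, verdict) pairs."""
    ct = ConnTracker()
    results = []
    for p in packets:
        state = ct.classify(p)
        v = verdict(chain, policy, state, p)
        if v == "ACCEPT" and state == "NEW":
            ct.confirm(p)
        results.append((state, v))
    return results


# Constructed sample: a downstream proxy at 10.0.0.1 connects to the upstream
# Squid at 10.0.0.2:3128, as seen by the upstream host's INPUT chain. The
# upstream's SYN,ACK leaves via OUTPUT, so it does not appear here.
DOWNSTREAM, UPSTREAM, SQUID_PORT = "10.0.0.1", "10.0.0.2", 3128


def inbound(flags):
    return Packet(DOWNSTREAM, 45000, UPSTREAM, SQUID_PORT, frozenset(flags))


HANDSHAKE_AND_REQUEST = [
    inbound({"SYN"}),          # client opens the connection
    inbound({"ACK"}),          # third step of the handshake
    inbound({"PSH", "ACK"}),   # HTTP request data
]

# Original chain from the thread: only NEW connections to the Squid port.
NEW_ONLY_CHAIN = [Rule("ACCEPT", frozenset({"NEW"}), SQUID_PORT)]
# The poster's workaround: drop the --state match entirely.
STATELESS_CHAIN = [Rule("ACCEPT", dport=SQUID_PORT)]
# Usual stateful layout: RELATED,ESTABLISHED first, NEW rules below it.
FIXED_CHAIN = [
    Rule("ACCEPT", frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", frozenset({"NEW"}), SQUID_PORT),
]

if __name__ == "__main__":
    for name, chain in (("NEW only", NEW_ONLY_CHAIN),
                        ("stateless", STATELESS_CHAIN),
                        ("RELATED,ESTABLISHED + NEW", FIXED_CHAIN)):
        print(name)
        for (state, v), p in zip(run(chain, HANDSHAKE_AND_REQUEST), HANDSHAKE_AND_REQUEST):
            print(f"  {','.join(sorted(p.flags)):8} state={state:12} -> {v}")
```

Running it shows the NEW-only chain accepting the SYN and dropping every later packet of the same connection (the client sees a connection that never completes), while the stateless chain and the RELATED,ESTABLISHED-first chain accept all three. The stateless workaround also gives up conntrack's ability to reject packets that belong to no tracked connection, which is the trade-off the stateful layout avoids.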