Yes this is a gateway machine. Here is my long iptables. Thanks for helping.
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
# --- nat table ---------------------------------------------------------------
# Every hook jumps to a *_direct chain first, then to per-zone chains that are
# split into <zone>_log / <zone>_deny / <zone>_allow. Zones are selected by
# interface: p2p1 -> external, p6p1 -> internal, anything else -> public.
# NOTE(review): the chain naming looks firewalld-generated; if so, edits made
# by hand to a restored copy may be overwritten on reload - confirm.
*nat
:PREROUTING ACCEPT [155329:13831056]
:INPUT ACCEPT [163339:10275649]
:OUTPUT ACCEPT [168487:10350058]
:POSTROUTING ACCEPT [544:45054]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_external - [0:0]
:POST_external_allow - [0:0]
:POST_external_deny - [0:0]
:POST_external_log - [0:0]
:POST_internal - [0:0]
:POST_internal_allow - [0:0]
:POST_internal_deny - [0:0]
:POST_internal_log - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o p2p1 -g POST_external
-A POSTROUTING_ZONES -o p6p1 -g POST_internal
-A POSTROUTING_ZONES -g POST_public
-A POST_external -j POST_external_log
-A POST_external -j POST_external_deny
-A POST_external -j POST_external_allow
# Masquerade (source NAT) for traffic leaving through p2p1.
-A POST_external_allow ! -i lo -j MASQUERADE
-A POST_internal -j POST_internal_log
-A POST_internal -j POST_internal_deny
-A POST_internal -j POST_internal_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
# The catch-all "public" zone masquerades as well, so traffic leaving through
# any interface other than p2p1/p6p1 is also source-NATed.
-A POST_public_allow ! -i lo -j MASQUERADE
-A PREROUTING_ZONES -i p2p1 -g PRE_external
-A PREROUTING_ZONES -i p6p1 -g PRE_internal
-A PREROUTING_ZONES -g PRE_public
# Interception: TCP 80/443 arriving on p6p1 is DNATed to 192.168.13.1:3129/3130.
# NOTE(review): presumably 3129/3130 are the Squid intercept ports (this is a
# squid-users thread) - confirm against squid.conf.
# NOTE(review): no rule in this dump stops a client from connecting straight to
# 3129/3130 (the mangle PREROUTING_direct chain below is empty). Squid's
# interception guidance is to drop direct connections to the intercept port in
# mangle PREROUTING, because they can produce forwarding loops that consume
# file descriptors.
-A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3129
-A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.13.1:3130
# The same ports arriving on p2p1 (the interface mapped to the external zone)
# are REDIRECTed to local 3130/3129. After the rewrite, filter INPUT sees dport
# 3129/3130, which INPUT_direct accepts only from 192.168.13.0/24.
# NOTE(review): confirm that intercepting traffic on p2p1 is intended at all.
-A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
# Port forwards from p2p1: packets carrying a mark set in the mangle table
# (0x64-0x6c) are DNATed to internal hosts. Seven of the nine rules target
# port 22 on a 192.168.13.x host; two target 192.168.13.104:5000-5020 (tcp/udp).
# NOTE(review): no source-address restriction is visible on these forwards, so
# each internal port 22 is reachable from anything that can reach p2p1; any
# hardening of those services has to exist on the hosts themselves - verify.
-A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 192.168.13.108:22
-A PRE_external_allow -p tcp -m mark --mark 0x65 -j DNAT --to-destination 192.168.13.107:22
-A PRE_external_allow -p tcp -m mark --mark 0x66 -j DNAT --to-destination 192.168.13.104:5000-5020
-A PRE_external_allow -p tcp -m mark --mark 0x67 -j DNAT --to-destination 192.168.13.105:22
-A PRE_external_allow -p tcp -m mark --mark 0x68 -j DNAT --to-destination 192.168.13.109:22
-A PRE_external_allow -p tcp -m mark --mark 0x69 -j DNAT --to-destination 192.168.13.104:22
-A PRE_external_allow -p tcp -m mark --mark 0x6a -j DNAT --to-destination 192.168.13.106:22
-A PRE_external_allow -p udp -m mark --mark 0x6b -j DNAT --to-destination 192.168.13.104:5000-5020
-A PRE_external_allow -p tcp -m mark --mark 0x6c -j DNAT --to-destination 192.168.13.102:22
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
# --- mangle table ------------------------------------------------------------
# Only PRE_external_allow carries rules here: it tags packets arriving on p2p1
# by destination port so the nat and filter tables can match on the mark.
*mangle
:PREROUTING ACCEPT [7079916:4367281964]
:INPUT ACCEPT [6413821:4248905726]
:FORWARD ACCEPT [666095:118376238]
:OUTPUT ACCEPT [5547690:4295572741]
:POSTROUTING ACCEPT [6213726:4413950361]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i p2p1 -g PRE_external
-A PREROUTING_ZONES -i p6p1 -g PRE_internal
-A PREROUTING_ZONES -g PRE_public
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
# External port -> mark (the nat table then maps each mark to its target):
#   tcp 2082 -> 0x64, tcp 2072 -> 0x65, tcp 5000:5020 -> 0x66,
#   tcp 2052 -> 0x67, tcp 2092 -> 0x68, tcp 2042 -> 0x69,
#   tcp 2062 -> 0x6a, udp 5000:5020 -> 0x6b, tcp 2022 -> 0x6c
# --set-xmark with mask 0xffffffff overwrites the whole mark value.
-A PRE_external_allow -p tcp -m tcp --dport 2082 -j MARK --set-xmark 0x64/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2072 -j MARK --set-xmark 0x65/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 5000:5020 -j MARK --set-xmark 0x66/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2052 -j MARK --set-xmark 0x67/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2092 -j MARK --set-xmark 0x68/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2042 -j MARK --set-xmark 0x69/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2062 -j MARK --set-xmark 0x6a/0xffffffff
-A PRE_external_allow -p udp -m udp --dport 5000:5020 -j MARK --set-xmark 0x6b/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2022 -j MARK --set-xmark 0x6c/0xffffffff
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
# --- security table ----------------------------------------------------------
# Only jumps into *_direct chains, which hold no rules in this dump.
*security
:INPUT ACCEPT [6397473:4243959237]
:FORWARD ACCEPT [665999:118370198]
:OUTPUT ACCEPT [5547713:4295575625]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
# --- raw table ---------------------------------------------------------------
# Only jumps into *_direct chains, which hold no rules in this dump.
*raw
:PREROUTING ACCEPT [7079963:4367286131]
:OUTPUT ACCEPT [5547714:4295575713]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Jun 16 08:10:44 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
# --- filter table ------------------------------------------------------------
# INPUT and FORWARD have policy ACCEPT, but each chain ends in an unconditional
# REJECT, so traffic that matches no earlier rule is still refused. OUTPUT is
# unrestricted (policy ACCEPT, and OUTPUT_direct is empty).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5547690:4295572741]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_external - [0:0]
:FWDI_external_allow - [0:0]
:FWDI_external_deny - [0:0]
:FWDI_external_log - [0:0]
:FWDI_internal - [0:0]
:FWDI_internal_allow - [0:0]
:FWDI_internal_deny - [0:0]
:FWDI_internal_log - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_external - [0:0]
:FWDO_external_allow - [0:0]
:FWDO_external_deny - [0:0]
:FWDO_external_log - [0:0]
:FWDO_internal - [0:0]
:FWDO_internal_allow - [0:0]
:FWDO_internal_deny - [0:0]
:FWDO_internal_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_external - [0:0]
:IN_external_allow - [0:0]
:IN_external_deny - [0:0]
:IN_external_log - [0:0]
:IN_internal - [0:0]
:IN_internal_allow - [0:0]
:IN_internal_deny - [0:0]
:IN_internal_log - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
# INPUT: established/related and loopback first, then the direct and zone
# chains; all ICMP is accepted, everything else is rejected.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD: same shape as INPUT. The inbound-zone chains (FWDI_*) run before the
# outbound-zone chains (FWDO_*), and an ACCEPT in either one is final.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i p2p1 -g FWDI_external
-A FORWARD_IN_ZONES -i p6p1 -g FWDI_internal
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o p2p1 -g FWDO_external
-A FORWARD_OUT_ZONES -o p6p1 -g FWDO_internal
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_external -j FWDI_external_log
-A FWDI_external -j FWDI_external_deny
-A FWDI_external -j FWDI_external_allow
# New connections entering on p2p1 are forwarded only when they carry one of
# the port-forward marks (0x64-0x6c) set in the mangle table.
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x65 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x67 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x69 -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6a -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6b -j ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6c -j ACCEPT
-A FWDI_internal -j FWDI_internal_log
-A FWDI_internal -j FWDI_internal_deny
-A FWDI_internal -j FWDI_internal_allow
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_external -j FWDO_external_log
-A FWDO_external -j FWDO_external_deny
-A FWDO_external -j FWDO_external_allow
# Anything forwarded out through p2p1 is accepted with no protocol, port or
# source restriction: there is no egress filtering for hosts behind the
# gateway.
-A FWDO_external_allow -j ACCEPT
# FWDO_internal_allow is empty: forwarded traffic leaving through p6p1 that was
# not accepted earlier (established/related, or a marked port forward) falls
# through to the ICMP accept / final REJECT in FORWARD.
-A FWDO_internal -j FWDO_internal_log
-A FWDO_internal -j FWDO_internal_deny
-A FWDO_internal -j FWDO_internal_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
# Same unconditional accept for traffic leaving via any interface other than
# p2p1/p6p1 (the catch-all "public" zone).
-A FWDO_public_allow -j ACCEPT
-A INPUT_ZONES -i p2p1 -g IN_external
-A INPUT_ZONES -i p6p1 -g IN_internal
-A INPUT_ZONES -g IN_public
# Local ports 3129/3130 are accepted from 192.168.13.0/24 only. The match is on
# source address, not on the inbound interface.
# NOTE(review): without an "-i p6p1" match this relies on reverse-path
# filtering to refuse packets claiming that source on another interface -
# confirm rp_filter is enabled.
-A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT
-A IN_external -j IN_external_log
-A IN_external -j IN_external_deny
-A IN_external -j IN_external_allow
# The only service on the gateway itself that accepts new connections from p2p1.
# NOTE(review): presumably the gateway's own SSH on a non-default port, by
# analogy with the 20x2 port forwards - confirm.
-A IN_external_allow -p tcp -m tcp --dport 2012 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal -j IN_internal_log
-A IN_internal -j IN_internal_deny
-A IN_internal -j IN_internal_allow
# Services on the gateway reachable from p6p1.
# NOTE(review): tcp 5900-5903 and tcp 10000 are conventionally VNC and Webmin;
# if that is what listens here, confirm they are needed and authenticated.
# udp 137/138 are the NetBIOS name/datagram ports.
-A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 2032 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 10000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
# Catch-all zone: mDNS and tcp 22 are accepted on any interface that is neither
# p2p1 nor p6p1, including interfaces added later (VPN, tunnel, extra NIC).
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Mon Jun 16 08:10:44 2014
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-Your-cache-is-running-out-of-filedescriptors-tp4666357p4666365.html
Sent from the Squid - Users mailing list archive at Nabble.com.