On 17/06/2014 1:11 a.m., MrErr wrote:
> Yes this is a gateway machine. Here is my long iptables. Thanks for helping.
>

snipping away a great many empty chains ... you do realise that calculating
all those jumps and goto for each packet through the box is slowing it down?

> -A POSTROUTING -o p2p1 ! -i lo -j MASQUERADE
> -A POSTROUTING ! -i lo -j MASQUERADE

Er, only need the second MASQUERADE rule here.

> -A PREROUTING -i p6p1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3129
> -A PREROUTING -i p6p1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.13.1:3130
> -A PREROUTING -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
> -A PREROUTING -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> COMMIT

What I see these rules doing is NATing new connections from LAN *or* WAN
port 80 / 443 to Squid port 3129 and 3130 respectively.

Do you actually want the WAN traffic directed to the proxy? Why do you
bother having the -i limitations if all interfaces are redirected to the
proxy anyway?

If you are operating a reverse-proxy then DNAT is the wrong way. Instead:
 * configure the DNS with proxy IP for the hosted domains, and
 * squid.conf add "http_port 80 accel" and "http_port 443 accel", and
 * in iptables filter table add:
     -A INPUT -i p2p1 -p tcp -d 192.168.13.1 --dport 80 -j ACCEPT
     -A INPUT -i p2p1 -p tcp -d 192.168.13.1 --dport 443 -j ACCEPT

> # Completed on Mon Jun 16 08:10:44 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
> *mangle
> :PREROUTING ACCEPT [7079916:4367281964]
> :INPUT ACCEPT [6413821:4248905726]
> :FORWARD ACCEPT [666095:118376238]
> :OUTPUT ACCEPT [5547690:4295572741]
> :POSTROUTING ACCEPT [6213726:4413950361]
> :PRE_external - [0:0]
> :PRE_external_allow - [0:0]
> -A PREROUTING -i p2p1 -g PRE_external
> -A PRE_external -j PRE_external_allow
> -A PRE_external_allow -p tcp -m tcp --dport 2082 -j MARK --set-xmark 0x64/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2072 -j MARK --set-xmark 0x65/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 5000:5020 -j MARK --set-xmark 0x66/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2052 -j MARK --set-xmark 0x67/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2092 -j MARK --set-xmark 0x68/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2042 -j MARK --set-xmark 0x69/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2062 -j MARK --set-xmark 0x6a/0xffffffff
> -A PRE_external_allow -p udp -m udp --dport 5000:5020 -j MARK --set-xmark 0x6b/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2022 -j MARK --set-xmark 0x6c/0xffffffff
> COMMIT

You are missing the Squid NAT port protection in mangle table:

  iptables -A PREROUTING -p tcp --dport 3129 -j REJECT --reject-with icmp-host-prohibited
  iptables -A PREROUTING -p tcp --dport 3130 -j REJECT --reject-with icmp-host-prohibited

> # Completed on Mon Jun 16 08:10:44 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [5547690:4295572741]
...
> -A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
> -A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT

Wrong. Input directly from _anywhere_ to the NAT ports is *bad*.

This is a loop.

On any connections (using 1 socket and 1 FD) made to port 3129 or 3130
directly (as permitted by the above rules) the OS will tell Squid the
destination IP was itself.

On a MISS Squid fetches from the destination server (using +1 socket and
+2 FD) - that was apparently itself on port 3129 or 3130 ...
 which will still be a MISS, so Squid fetches from the destination server
(using +1 socket and +2 FD) - that was apparently itself on port 3129 or
3130 ...
 which will still be a MISS, so Squid fetches from the destination server
(using +1 socket and +2 FD) - that was apparently itself on port 3129 or
3130 ...

... and so on until one of TCP sockets, file descriptors, or RAM available
on the machine run out. Whichever runs out first produces the error message:

- TCP sockets: the requests fail with "Unable to connect"
- FD shows "WARNING! Your cache is running out of filedescriptors"
- RAM is a syslog message from the kernel about low RAM, possibly the
  "oom killer" terminating Squid.

Amos
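The following script is an added example and not code from the thread or from the Squid project. It generates an iptables-restore ruleset that applies the advice above (intercept LAN port 80/443 only, a single MASQUERADE on the WAN interface, and a mangle-table block on the intercept ports so nothing can connect to them directly and trigger the self-fetch loop), and it audits an iptables-save dump for those three problems. Interface names p6p1 (LAN) and p2p1 (WAN), the 192.168.13.0/24 range and ports 3129/3130 are taken from the posted rules; the DROP policies in the filter table are a choice made for the example. The mangle rules use DROP rather than REJECT because the REJECT target is only valid in the INPUT, FORWARD and OUTPUT chains. The posted-rules excerpt embedded at the end is a constructed, trimmed copy of the dump in the thread, included so the audit has something to run against offline.

```shell
#!/bin/sh
# Added example (not from the thread): build a Squid interception ruleset
# for a gateway and audit an iptables-save dump for the problems raised.
# Interface names, LAN range and intercept ports are taken from the thread.
LAN_IF="${LAN_IF:-p6p1}"; WAN_IF="${WAN_IF:-p2p1}"
LAN_NET="${LAN_NET:-192.168.13.0/24}"
HTTP_PORT=3129; HTTPS_PORT=3130   # Squid "intercept" ports, plain and TLS

# mangle PREROUTING runs before nat PREROUTING: a packet addressed straight
# to 3129/3130 is dropped here, while one about to be REDIRECTed from 80/443
# still carries dport 80/443 at this point and passes. DROP, not REJECT:
# REJECT is only valid in the INPUT, FORWARD and OUTPUT chains.
gen_mangle() { cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport $HTTP_PORT -j DROP
-A PREROUTING -p tcp --dport $HTTPS_PORT -j DROP
COMMIT
EOF
}
gen_nat() { cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# intercept LAN clients only; nothing arriving on the WAN side is proxied
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PORT
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PORT
# one MASQUERADE on the WAN interface covers forwarded and Squid traffic
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
gen_filter() { cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# REDIRECTed LAN connections reach INPUT with dport already rewritten;
# direct connections to these ports never get here (dropped in mangle)
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $HTTP_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $HTTPS_PORT -j ACCEPT
COMMIT
EOF
}
gen_ruleset() { gen_mangle; gen_nat; gen_filter; }   # pipe to iptables-restore

# Print one table (*name .. COMMIT) of an iptables-save dump given as $1.
extract_table() { printf '%s\n' "$1" | sed -n "/^\*$2\$/,/^COMMIT\$/p"; }

# Audit an iptables-save dump read from stdin: one FINDING line per problem,
# return value is the number of findings (0 = clean).
audit_dump() {
    dump=$(cat); findings=0
    if extract_table "$dump" nat | grep -E -- "^-A PREROUTING .*-i $WAN_IF .*--dport (80|443) .*-j (REDIRECT|DNAT)" >/dev/null; then
        echo "FINDING: nat PREROUTING sends WAN ($WAN_IF) port 80/443 to the proxy"
        findings=$((findings + 1))
    fi
    n=$(extract_table "$dump" nat | grep -c -- "-j MASQUERADE" || true)
    if [ "$n" -gt 1 ]; then
        echo "FINDING: $n MASQUERADE rules; one on -o $WAN_IF is enough"
        findings=$((findings + 1))
    fi
    for port in $HTTP_PORT $HTTPS_PORT; do
        if extract_table "$dump" filter | grep -E -- "^-A INPUT .*--dport $port .*-j ACCEPT" >/dev/null &&
           ! extract_table "$dump" mangle | grep -E -- "^-A PREROUTING .*--dport $port .*-j (DROP|REJECT)" >/dev/null; then
            echo "FINDING: intercept port $port reachable directly (no mangle block): Squid will loop on itself"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed, trimmed copy of the rules posted in the thread, for the audit.
POSTED_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p2p1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A PREROUTING -i p6p1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3129
-A PREROUTING -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A PREROUTING -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT
COMMIT
EOF
)

printf '%s\n' "$POSTED_DUMP" | audit_dump || echo "posted rules: $? finding(s)"
gen_ruleset | audit_dump && echo "generated rules: clean"
```

Run as-is it audits the posted excerpt (four findings: WAN interception, a redundant MASQUERADE, and both intercept ports reachable directly) and then the generated replacement (clean). To install the generated rules on a real gateway, `sh script.sh >/dev/null; gen_ruleset | iptables-restore` after sourcing the file, or adapt `gen_ruleset` to write a file; check the live result with `iptables-save` piped back into `audit_dump`.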