Squid stops working

1. Squid stops working

Guilherme
yathal

(uses Debian)

Posted on 29/08/2012 - 09:38h

Good morning everyone, I have the following problem: I have 2 internet links.
Link 1, the main one, goes through the proxy/squid and distributes internet to the network;
link 2 does not go through squid and is used only for external access.

However, when the main link goes down, we obviously lose internet,
but when it comes back, squid does not work. If I remove the proxy settings from Windows and try to access the internet, I get access normally. Then I have to reboot the whole proxy machine for it to work again.
Does anyone know why? Could the other internet link be getting in my way?

Thank you.

2. Re: Squid stops working

Phillip Vieira
phrich

(uses Slackware)

Posted on 29/08/2012 - 09:46h

It could be a routing problem, it could be a squid version problem, it could be some detail in the firewall script...

We'll have to debug this bit by bit. Can you send your firewall and squid scripts?


3. Re: Squid stops working

Guilherme
yathal

(uses Debian)

Posted on 30/08/2012 - 09:59h

Friend, from what I noticed it really is the firewall.
When I click Apply Configuration in the Firewall through Webmin, the internet is released.
When I stop the firewall from the terminal and start it again, it goes back to blocking.
However, some rules that are in the script are not applied.
If you can help me.

The script:

# Generated by iptables-save v1.4.2 on Tue Feb 14 11:49:32 2012
*mangle
:PREROUTING ACCEPT [16890:10310732]
:INPUT ACCEPT [8788:8642812]
:FORWARD ACCEPT [8101:1667872]
:OUTPUT ACCEPT [8143:1180608]
:POSTROUTING ACCEPT [16244:2848480]
COMMIT
# Completed on Tue Feb 14 11:49:32 2012
# Generated by iptables-save v1.4.2 on Tue Feb 14 11:49:32 2012
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -d 200.18.118.12/32 -j ACCEPT
-A INPUT -d 189.42.17.115/32 -j ACCEPT
-A INPUT -d 200.180.118.11/32 -j ACCEPT
-A INPUT -d 200.180.118.64/32 -j ACCEPT
-A INPUT -d 189.42.17.120/32 -j ACCEPT
-A INPUT -d 200.180.118.65/32 -j ACCEPT
-A INPUT -d 189.42.17.121/32 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf="
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m tcpmss --tcp-flags SYN,RST SYN -j TCPMSS --mss 1400:1536 --clamp-mss-to-pmtu
-A FORWARD -p tcp -m multiport -i eth1 -j ACCEPT --dports 80,443
-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.4.12.76/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.4.12.97/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.4.13.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.54.165.179/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.54.186.77/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.54.186.107/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.54.186.109/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.54.165.137/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 204.13.162.123 -j REJECT
-A FORWARD -d 65.54.186.10/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.49.14.148 -j REJECT
-A FORWARD -d 65.54.165.177/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.54.186.17/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.4.12.96/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.54.52.254/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.49.14.0/24 -j REJECT
-A FORWARD -d 65.49.14.144 -j REJECT
-A FORWARD -d 65.49.14.58 -j REJECT
-A FORWARD -d 69.171.224.40 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.49.14.77 -j REJECT
-A FORWARD -d 65.49.14.93 -j REJECT
-A FORWARD -d 65.49.2.17 -j REJECT
-A FORWARD -d 69.171.227.55 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 66.220.149.11 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 69.171.224.37/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 64.4.12.76/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 64.4.12.97/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 64.4.13.0/24 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 66.220.149.11 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.54.165.137/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.54.186.10/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.54.165.177/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.54.186.17/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.54.165.179/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.49.2.23 -j REJECT
-A OUTPUT -d 65.54.186.77/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.54.186.107/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.54.186.109/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.49.14.0/24 -j REJECT
-A OUTPUT -d 65.49.14.77 -j REJECT
-A OUTPUT -d 204.13.162.123 -j REJECT
-A OUTPUT -d 64.4.12.96/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.49.14.93 -j REJECT
-A OUTPUT -d 65.49.2.15 -j REJECT
-A OUTPUT -d 65.54.52.254/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.49.14.58 -j REJECT
-A OUTPUT -d 65.49.14.144 -j REJECT
-A OUTPUT -d 201.6.5.25 -j REJECT
-A OUTPUT -d 69.171.224.40 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 69.171.227.55 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 23.61.143.139 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 65.49.14.148 -j REJECT
-A OUTPUT -d 65.49.14.0/24 -j REJECT
-A OUTPUT -d 66.220.158.74 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 69.171.229.11 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 69.63.190.70 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 69.171.242.11 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 69.171.227.47 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 69.171.247.23 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 64.13.161.61 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 66.220.158.11 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m multiport -o eth0 -j REJECT --reject-with icmp-port-unreachable --dports 1863,7001
-A OUTPUT -p udp -m udp -o eth0 --dport 7001 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp -i eth1 --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/sec -j ACCEPT
# Network
-A INPUT -j ACCEPT
-A INPUT -d 204.16.252.79 -j ACCEPT
-A FORWARD -d 66.220.158.11 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 69.171.227.55 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 23.61.143.139 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 69.171.229.11 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.49.14.0/24 -j REJECT
-A FORWARD -d 201.6.5.25 -j REJECT
-A FORWARD -d 69.171.247.23 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 69.171.242.11 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.49.2.15 -j REJECT
-A FORWARD -d 66.220.158.74 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 65.49.2.21 -j REJECT
-A FORWARD -d 69.171.242.11 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 69.63.190.70 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 69.171.227.47 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 66.220.158.11 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.13.161.61 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 204.16.252.79 -j ACCEPT
-A FORWARD -p tcp -m multiport -j ACCEPT --dports 25,110,587
-A FORWARD -p tcp -m multiport -j REJECT --reject-with icmp-port-unreachable --dports 1863,7001
-A FORWARD -p udp -m multiport -j REJECT --reject-with icmp-port-unreachable --dports 7001
-A OUTPUT -d 65.49.2.17 -j REJECT
COMMIT
# Completed on Tue Feb 14 11:49:32 2012
# Generated by iptables-save v1.4.2 on Tue Feb 14 11:49:32 2012
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 200.198.239.21/32 -i eth1 --dport 3443 -j ACCEPT
-A PREROUTING -p tcp -m tcp -d 200.198.239.21/32 -i eth0 --dport 3443 -j ACCEPT
-A PREROUTING -p tcp -m tcp -d 200.198.239.22/32 -i eth1 --dport 3443 -j ACCEPT
-A PREROUTING -p tcp -m tcp -d 200.198.239.22/32 -i eth0 --dport 3443 -j ACCEPT
-A PREROUTING -p tcp -m tcp -i eth1 --dport 3443 -j ACCEPT
-A PREROUTING -p udp -m udp -i eth1 --dport 3443 -j ACCEPT
-A PREROUTING -p tcp -d 201.24.80.42/32 -j ACCEPT
-A PREROUTING -p tcp -d 201.24.80.43/32 -j ACCEPT
-A PREROUTING -p tcp -d 200.180.119.41/32 -j ACCEPT
-A PREROUTING -p tcp -d 201.24.80.46/32 -j ACCEPT
-A PREROUTING -p tcp -d 189.42.17.116/32 -j ACCEPT
-A PREROUTING -p tcp -d 187.5.132.219/32 -j ACCEPT
-A PREROUTING -p tcp -m mac -m tcp --dport 80 --mac-source 00:15:C5:BC:79:24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -m mac -m tcp --dport 80 --mac-source 1C:C1:DE:BB:A6:FD -j ACCEPT
-A PREROUTING -p tcp -m mac -m tcp --dport 80 --mac-source 00:23:15:57:4E:40 -j ACCEPT
COMMIT








4. Re: Squid stops working

Phillip Vieira
phrich

(uses Slackware)

Posted on 30/08/2012 - 13:11h

At a quick glance there is nothing, everything is set to ACCEPT...


5. Re: Squid stops working

Phillip Vieira
phrich

(uses Slackware)

Posted on 30/08/2012 - 13:12h

Later, with more time, I'll take a look at your iptables-save, but maybe the error is in webmin; since I don't use it, I can't give my "two cents"...
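
The dump in post 3 sets every chain policy to ACCEPT and has a match-less `-A INPUT -j ACCEPT` ahead of a later INPUT rule, so rules after it in that chain can never be reached. As an added example (not part of the thread or of any poster's script), this Python code audits an iptables-save dump for chain policies, rules placed after such a catch-all, and exact duplicates; `audit` and `SAMPLE` are hypothetical names and the sample addresses are constructed from documentation ranges.

```python
import shlex
from collections import defaultdict

# Constructed sample in iptables-save format, modelled on the dump in post 3.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -d 192.0.2.79 -j ACCEPT
-A FORWARD -d 198.51.100.0/24 -j LOG --log-prefix "=UltraSurf="
-A FORWARD -d 198.51.100.0/24 -j REJECT
-A FORWARD -d 198.51.100.0/24 -j REJECT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

def audit(dump):
    """Return (policies, findings); findings are (line, kind, earlier_line)."""
    policies, findings, table = {}, [], None
    seen = defaultdict(dict)   # (table, chain) -> {rule tokens: first line no}
    catch_all = {}             # (table, chain) -> line no of match-less rule
    for no, line in enumerate(dump.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):              # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):            # chain policy, e.g. :INPUT ACCEPT
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):          # appended rule
            tok = shlex.split(line)           # keeps quoted log prefixes whole
            key, spec = (table, tok[1]), tuple(tok[2:])
            if key in catch_all:
                findings.append((no, "unreachable", catch_all[key]))
            elif spec in seen[key]:
                findings.append((no, "duplicate", seen[key][spec]))
            seen[key].setdefault(spec, no)
            # No match criteria plus a terminal target: nothing gets past it.
            if len(spec) == 2 and spec[0] == "-j" and spec[1] in TERMINAL:
                catch_all.setdefault(key, no)
    return policies, findings

if __name__ == "__main__":
    policies, findings = audit(SAMPLE)
    for (table, chain), policy in policies.items():
        print(f"{table}/{chain}: default policy {policy}")
    for no, kind, ref in findings:
        print(f"line {no}: {kind} (see line {ref})")
```

Duplicate detection here is an exact token match, so the same rule written with its options in a different order is not flagged.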





