[proxy] Urgent help with a SQUID + IPTABLES problem.

Posted 2004-06-09 16:12
At work I set up SQUID + IPTABLES. Clients can get online through the proxy, and transparent proxying works too. But recently I found that the SQUID proxy only works for about one hour after the machine is rebooted. After a while, not only can the LAN machines no longer get online through the proxy (the transparent proxy still works), the server itself cannot get online either (the SQUID process is still running at this point). I went through SQUID's CACHE.LOG and found no unusual errors.
My machine is an HP LH3000 with 256 MB RAM and a 10 GB hard disk. I really cannot solve this myself (I have read many posts and found no solution), so I am posting my configuration files and asking for help.
[SQUID.CONF]
http_port  8080
ssl_unclean_shutdown off
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 80 MB
cache_swap_low  90
cache_swap_high 95
half_closed_clients off
maximum_object_size 1024 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/spool/squid 4096 16 256
cache_access_log  none
cache_log /var/log/squid/cache.log
cache_store_log  none
emulate_httpd_log on
dns_nameservers 1.2.3.4
dns_timeout 1 minutes
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
redirect_rewrites_host_header off
error_directory /usr/share/squid/errors/Simplify_Chinese
icon_directory /usr/share/squid/icons

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl allow_ip2 src 10.139.0.0/255.255.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443 563        # https, snews
acl Safe_ports port 70                # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow allow_ip2
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
visible_hostname jhpost
httpd_accel_host virtual
httpd_accel_with_proxy on
coredump_dir /var/spool/squid

The IPTABLES rules are as follows
# Generated by iptables-save v1.2.7a on Mon Jun  7 13:14:46 2004
*filter
:INPUT ACCEPT [213830]
:FORWARD ACCEPT [225371]
:OUTPUT ACCEPT [241423]
COMMIT
# Completed on Mon Jun  7 13:14:46 2004
# Generated by iptables-save v1.2.7a on Mon Jun  7 13:14:46 2004
*mangle
:PREROUTING ACCEPT [798986]
:INPUT ACCEPT [508545]
:FORWARD ACCEPT [254663]
:OUTPUT ACCEPT [585077]
:POSTROUTING ACCEPT [838895]
COMMIT
# Completed on Mon Jun  7 13:14:46 2004
# Generated by iptables-save v1.2.7a on Mon Jun  7 13:14:46 2004
*nat
:PREROUTING ACCEPT [30531]
:POSTROUTING ACCEPT [12411]
:OUTPUT ACCEPT [10465]
[1937] -A POSTROUTING -s 10.139.153.0/255.255.255.0 -o eth1 -j MASQUERADE
[11390] -A POSTROUTING -s 10.139.154.0/255.255.255.0 -o eth1 -j MASQUERADE
[69] -A POSTROUTING -s 10.139.232.10 -o eth1 -j MASQUERADE
[69] -A POSTROUTING -s 10.139.129.212 -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Jun  7 13:14:46 2004


Please take a look and help; I urgently need it.

Posted 2004-06-10 15:15

You have misunderstood transparent proxying: you only used the NAT (network address translation) function and have not enabled transparent proxying at all! Also, some of your squid ACL rules are in the wrong order, so they will not do what you want!
Post the contents of your CACHE.LOG!

I assume you have a fixed public IP, so lines like this
iptables -t nat -A POSTROUTING -s 10.139.153.0/255.255.255.0 -o eth1 -j MASQUERADE
are better replaced with
iptables -t nat -A POSTROUTING -s 10.139.153.0/255.255.255.0 -o eth1 -j SNAT --to x.x.x.x  # x.x.x.x is your public IP

Posted 2004-06-11 08:07

Thanks.

Posted 2004-06-11 08:11

2004/06/09 17:29:14| Squid Cache (Version 2.5.STABLE1): Exiting normally.
2004/06/09 17:32:27| Starting Squid Cache version 2.5.STABLE1 for i386-redhat-linux-gnu...
2004/06/09 17:32:27| Process ID 1428
2004/06/09 17:32:27| With 1024 file descriptors available
2004/06/09 17:32:27| DNS Socket created at 0.0.0.0, port 32769, FD 5
2004/06/09 17:32:27| Adding nameserver 211.136.18.171 from squid.conf
2004/06/09 17:32:27| Adding nameserver 210.52.207.2 from squid.conf
2004/06/09 17:32:27| Unlinkd pipe opened on FD 9
2004/06/09 17:32:27| Swap maxSize 4194304 KB, estimated 322638 objects
2004/06/09 17:32:27| Target number of buckets: 16131
2004/06/09 17:32:27| Using 16384 Store buckets
2004/06/09 17:32:27| Max Mem  size: 81920 KB
2004/06/09 17:32:27| Max Swap size: 4194304 KB
2004/06/09 17:32:27| Store logging disabled
2004/06/09 17:32:27| Rebuilding storage in /var/spool/squid (CLEAN)
2004/06/09 17:32:27| Using Least Load store dir selection
2004/06/09 17:32:27| Set Current Directory to /var/spool/squid
2004/06/09 17:32:27| Loaded Icons.
2004/06/09 17:32:28| Accepting HTTP connections at 0.0.0.0, port 8080, FD 10.

2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:58:53| ipcacheParse: No Address records
2004/06/10 08:58:54| ipcacheParse: No Address records
2004/06/10 08:58:54| ipcacheParse: No Address records


2004/06/10 09:16:01| WARNING: 1 swapin MD5 mismatches
2004/06/10 10:19:38| clientReadRequest: FD 48 Invalid Request
2004/06/10 10:19:38| clientReadRequest: FD 48 Invalid Request
2004/06/10 10:19:39| clientReadRequest: FD 48 Invalid Request
2004/06/10 10:19:39| clientReadRequest: FD 48 Invalid Request
2004/06/10 10:19:39| clientReadRequest: FD 48 Invalid Request
2004/06/10 10:19:39| clientReadRequest: FD 48 Invalid Request
2004/06/10 10:19:39| clientReadRequest: FD 48 Invalid Request

2004/06/10 10:54:31| sslReadServer: FD 41: read failure: (104) Connection reset by peer
2004/06/10 13:30:08| urlParse: Illegal character in hostname 'felix_.html.533.net'
2004/06/10 13:56:58| urlParse: Illegal character in hostname '%20http'
2004/06/10 14:33:11| urlParse: Illegal character in hostname '%b7%bd%c0%f2'
2004/06/10 15:15:07| clientReadRequest: FD 14 Invalid Request
2004/06/10 15:15:07| clientReadRequest: FD 14 Invalid Request
2004/06/10 15:15:07| clientReadRequest: FD 14 Invalid Request


2004/06/10 15:19:38| urlParse: Illegal character in hostname 'samba%20server'
2004/06/10 15:23:54| urlParse: Illegal character in hostname 'samba%20server'
2004/06/10 15:24:05| urlParse: Illegal character in hostname 'samba%20server'
2004/06/10 15:33:15| urlParse: Illegal character in hostname 'samba%20server'
2004/06/10 15:33:17| urlParse: Illegal character in hostname 'samba%20server'
2004/06/10 15:33:22| urlParse: Illegal character in hostname 'samba%20server'
2004/06/10 15:33:22| urlParse: Illegal character in hostname 'samba%20server'
2004/06/10 15:33:24| urlParse: Illegal character in hostname 'samba%20server'
This is the CACHE.LOG.

Posted 2004-06-11 08:16

After changing the settings on the hardware firewall, the proxy works now.
Thanks for the reply, UNIXLI. Please keep advising me: how should I adjust SQUID? (I have only just started learning this and do not understand it well; I configured it from posts I found online.)

Posted 2004-06-11 13:42

2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:57:34| ipcacheParse: No Address records
2004/06/10 08:58:53| ipcacheParse: No Address records
2004/06/10 08:58:54| ipcacheParse: No Address records
2004/06/10 08:58:54| ipcacheParse: No Address records

Judging from the log above, your name resolution has some problems. Do pages sometimes fail to open with a "cannot resolve" message?
Do you really use 1.2.3.4 as the DNS server address in squid.conf, or do you use a public DNS?
dns_nameservers 1.2.3.4
You had better set two fairly stable DNS server IPs.

http_access allow allow_ip2
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
Judging from the rules above, you are probably trying to restrict ports. ACL rules of the same type are compared in order from top to bottom; once a rule matches, the next rule of the same type is no longer checked. So you should reorder them as follows:
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allow_ip2
http_access deny all
That way port restriction is applied to the 10.139.0.0/255.255.0.0 network.
You can refer to my posts or others'. To suit your own use, you will have to set it up according to your actual environment.
If you have questions, e-mail me.
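As an added example (not code from this thread), a small Python simulation of Squid's first-match http_access evaluation, using the ACL definitions from the posted squid.conf. The request dictionaries and the compare helper are constructed for the demo; it shows that with the original ordering a 10.139.0.0/16 client is allowed to any port because "allow allow_ip2" matches first, while the reordered list denies unsafe ports and non-SSL CONNECT.

```python
import ipaddress

# ACL definitions copied from the squid.conf posted in this thread (constructed table).
ACLS = {
    "localhost": ("src", [ipaddress.ip_network("127.0.0.1/32")]),
    "allow_ip2": ("src", [ipaddress.ip_network("10.139.0.0/16")]),
    "all": ("src", [ipaddress.ip_network("0.0.0.0/0")]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70),
                            (210, 210), (1025, 65535), (280, 280), (488, 488),
                            (591, 591), (777, 777)]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "CONNECT": ("method", ["CONNECT"]),
}

# http_access lines as posted by the original poster ...
ORIGINAL_ORDER = [("allow", ["allow_ip2"]), ("deny", ["!Safe_ports"]),
                  ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localhost"]),
                  ("deny", ["all"])]
# ... and as reordered in the reply above.
FIXED_ORDER = [("allow", ["localhost"]), ("deny", ["!Safe_ports"]),
               ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["allow_ip2"]),
               ("deny", ["all"])]

def acl_matches(term, req):
    """Evaluate one ACL term; a leading '!' negates it, as in squid.conf."""
    kind, values = ACLS[term.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(req["src"]) in net for net in values)
    elif kind == "port":
        hit = any(lo <= req["port"] <= hi for lo, hi in values)
    else:
        hit = req["method"] in values
    return hit != term.startswith("!")

def http_access(rules, req):
    """Squid semantics: lines are tried top to bottom, every term on a line must
    match (AND), and the first matching line decides. If no line matches, the
    default is the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def compare(req):
    """Return (decision under original order, decision under fixed order)."""
    return http_access(ORIGINAL_ORDER, req), http_access(FIXED_ORDER, req)

if __name__ == "__main__":
    # Constructed requests: a LAN client to ssh, to a non-SSL CONNECT target, and to plain http.
    for req in ({"src": "10.139.153.20", "port": 22, "method": "GET"},
                {"src": "10.139.153.20", "port": 8080, "method": "CONNECT"},
                {"src": "10.139.153.20", "port": 80, "method": "GET"}):
        print(req, "original/fixed:", compare(req))
```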

Posted 2004-06-11 13:51

I use a public DNS, and name resolution still has some problems.
Thanks for your advice.