Обстановка такая: сконфигурировал прокси на работу с родительским прокси провайдера, но трафик с моего сквида продолжает переть напрямую в инет, не заходя на родителя.
[root@localgate squid]# uname -a
Linux localgate.adrem.local 2.6.18-std-smp-alt7 #1 SMP Sat Aug 4 00:07:54 MSD 2007 i686 GNU/Linux
[root@localgate squid]# squid -v
Squid Cache: Version 2.6.STABLE18
configure options: '--build=i586-alt-linux' '--host=i586-alt-linux' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--without-included-gettext' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--datadir=/usr/share/squid' '--disable-poll' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=lru heap' '--enable-delay-pools' '--enable-icmp' '--enable-htcp' '--enable-async-io=16' '--enable-useragent-log' '--enable-wccp' '--enable-wccpv2' '--with-gnu-regex' '--enable-arp-acl' '--enable-ssl' '--enable-forw-via-db' '--enable-follow-x-forwarded-for' '--enable-forward-log' '--enable-referer-log' '--enable-ident-lookups' '--enable-carp' '--enable-ntlm-fail-open' '--enable-cache-digests' '--enable-x-accelerator-vary' '--enable-auth=basic ntlm digest negotiate' '--enable-basic-auth-helpers=DB LDAP MSNT NCSA PAM POP3 SASL SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth no_check' '--enable-digest-auth-helpers=ldap password eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user ldap_group unix_group session wbinfo_group' '--enable-storeio=aufs coss diskd null ufs' '--enable-default-err-language=English' '--with-large-files' '--enable-large-cache-files' '--enable-icap-support' '--enable-multicast-miss' '--enable-underscores' '--enable-fd-config' '--with-maxfd=16384' 'build_alias=i586-alt-linux' 'host_alias=i586-alt-linux' 'CFLAGS=-pipe -Wall -O2 -march=i586 -mtune=i686'
[root@localgate squid]# iptables -L -v -n
Chain INPUT (policy DROP 4 packets, 1534 bytes)
pkts bytes target prot opt in out source destination
194 41479 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
12935 2164K ACCEPT 0 -- * * 192.168.0.0/24 0.0.0.0/0
125 14411 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 multiport sports 21,25,53,110,143,443,3128,3130,5190,5222,30025,30110
112 5224 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22
12111 12M ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 multiport dports 1024:65535
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
95 5634 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 49 packets, 2841 bytes)
pkts bytes target prot opt in out source destination
184 11514 ACCEPT udp -- eth0 eth1 192.168.0.1 0.0.0.0/0 udp dpt:53
183 42503 ACCEPT udp -- eth1 eth0 0.0.0.0/0 192.168.0.1 udp spt:53
0 0 ACCEPT tcp -- eth0 eth1 192.168.0.1 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 192.168.0.1 tcp spt:53
4185 856K ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 multiport dports 25,110,443,5190,5222,30025,30110,4899
5281 3710K ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.0/24 multiport sports 25,110,443,5190,5222,30025,30110,4899
19 1596 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:87
19 988 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.0/24 udp spt:87
0 0 ACCEPT tcp -- * * 192.168.0.11 193.109.114.130
0 0 ACCEPT tcp -- * * 193.109.114.130 192.168.0.11
0 0 ACCEPT 0 -- * ppp0 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT 0 -- ppp0 * 0.0.0.0/0 192.168.0.0/24
0 0 ACCEPT icmp -- * * 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.0/24
Chain OUTPUT (policy ACCEPT 1241K packets, 526M bytes)
pkts bytes target prot opt in out source destination
[root@localgate squid]# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 17772 packets, 1764K bytes)
pkts bytes target prot opt in out source destination
817 39216 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 21814 packets, 1227K bytes)
pkts bytes target prot opt in out source destination
138 7372 MASQUERADE 0 -- * eth1 192.168.0.0/24 0.0.0.0/0
0 0 MASQUERADE 0 -- * ppp0 192.168.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 22078 packets, 1241K bytes)
pkts bytes target prot opt in out source destination
[root@localgate squid]# cat squid.conf|grep ^[^#]
acl _sams_47d785f4cf21d src "/etc/squid/47d785f4cf21d.sams"
acl _sams_47d79752d4b6e src "/etc/squid/47d79752d4b6e.sams"
acl _sams_47d79782ca8c6 src "/etc/squid/47d79782ca8c6.sams"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl Rsync_ports port 873
acl Jabber_ports port 5222 5223
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access allow _sams_47d785f4cf21d
http_access allow _sams_47d79752d4b6e
http_access allow _sams_47d79782ca8c6
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !Jabber_ports !Rsync_ports
http_access allow localhost
http_access deny all
http_port 192.168.0.2:3128 transparent
cache_peer proxy.mplik.ru parent 3128 3130
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
url_rewrite_program /usr/bin/samsredir
url_rewrite_children 10
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname localgate
always_direct allow all
coredump_dir /var/spool/squid
[root@localgate squid]# tail -n 40 /var/log/squid/cache.log
2008/03/31 15:12:15| User-Agent logging is disabled.
2008/03/31 15:12:15| Referer logging is disabled.
2008/03/31 15:12:15| DNS Socket created at 0.0.0.0, port 32813, FD 8
2008/03/31 15:12:15| Adding nameserver 192.168.0.1 from /etc/resolv.conf
2008/03/31 15:12:15| Adding domain adrem.local from /etc/resolv.conf
2008/03/31 15:12:15| helperOpenServers: Starting 10 'samsredir' processes
2008/03/31 15:12:15| Unlinkd pipe opened on FD 26
2008/03/31 15:12:15| Accepting transparently proxied HTTP connections at 192.168.0.2, port 3128, FD 24.
2008/03/31 15:12:15| Accepting ICP messages at 0.0.0.0, port 3130, FD 25.
2008/03/31 15:12:15| HTCP Disabled.
2008/03/31 15:12:15| WCCP Disabled.
2008/03/31 15:12:15| Pinger socket opened on FD 27
2008/03/31 15:12:15| Configuring Parent proxy.mplik.ru/3128/3130
2008/03/31 15:12:15| Loaded Icons.
2008/03/31 15:12:15| Ready to serve requests.
2008/03/31 15:12:45| netdbExchangeHandleReply: corrupt data, aborting
2008/03/31 15:20:35| WARNING: All url_rewriter processes are busy.
2008/03/31 15:20:35| WARNING: up to 11 pending requests queued
2008/03/31 15:45:12| NETDB state saved; 370 entries, 2 msec
2008/03/31 15:48:37| Reconfiguring Squid Cache (version 2.6.STABLE18)...
2008/03/31 15:48:37| FD 24 Closing HTTP connection
2008/03/31 15:48:37| Closing Pinger socket on FD 27
2008/03/31 15:48:37| FD 25 Closing ICP connection
2008/03/31 15:48:37| Closing unlinkd pipe on FD 26
2008/03/31 15:48:37| Initialising SSL.
2008/03/31 15:48:37| User-Agent logging is disabled.
2008/03/31 15:48:37| Referer logging is disabled.
2008/03/31 15:48:37| DNS Socket created at 0.0.0.0, port 32814, FD 8
2008/03/31 15:48:37| Adding nameserver 192.168.0.1 from /etc/resolv.conf
2008/03/31 15:48:37| Adding domain adrem.local from /etc/resolv.conf
2008/03/31 15:48:37| helperOpenServers: Starting 10 'samsredir' processes
2008/03/31 15:48:37| Unlinkd pipe opened on FD 26
2008/03/31 15:48:37| Accepting transparently proxied HTTP connections at 192.168.0.2, port 3128, FD 24.
2008/03/31 15:48:37| Accepting ICP messages at 0.0.0.0, port 3130, FD 25.
2008/03/31 15:48:37| HTCP Disabled.
2008/03/31 15:48:37| WCCP Disabled.
2008/03/31 15:48:37| Pinger socket opened on FD 27
2008/03/31 15:48:37| Configuring Parent proxy.mplik.ru/3128/3130
2008/03/31 15:48:37| Loaded Icons.
2008/03/31 15:48:37| Ready to serve requests.
2008/03/31 15:49:15| netdbExchangeHandleReply: corrupt data, aborting
[root@localgate squid]#
Для того чтоб наверняка мой шлюз не ходил в инет самостоятельно по http, пишу в iptables:
iptables -A OUTPUT -p tcp -o "внешняя сетевка" --dport 80 -j DROP
Пробую из внутренней сети вылезти на какой-нибудь сайт — ничего не происходит, а если посмотреть счётчики iptables по новому правилу — они растут как раз в соответствии с запросами клиентского браузера.
У кого есть мысли по этому поводу — буду очень благодарен.