Repost : Router problems with transparent proxy

Sneppe Filip Filip.Sneppe@cronos.be
Thu, 12 Jul 2001 15:03:07 +0200


Steffen Persvold [SMTP:sp@scali.no] wrote:
>
>Hi,
>
>Has anybody found out anything about this problem ???
>
>Steffen Persvold wrote:
>> 
>> Hi,
>> 
>> I think I've triggered a bug in the ipchains/iptables part of the
>> kernel. Here is the story :
>> 
>> The server was an 866MHz PIII with 384 MByte of RAM running RH7.1 with
>> a 2.4.5-ac21 kernel. It was used as a router/firewall with 2 netcards
>> (not sure which type, but I don't think that's important). Using this
>> machine as a plain router was no problem at all, and serving a class C
>> net onto a 3 MBit line was just a walk in the park, the machine was
>> idle for most of the time. Then we decided to set up transparent proxy
>> and used a pretty standard setup redirecting all port 80 accesses with
>> ipchains to squid. Things worked fine for a while (about 2 hrs) until
>> we noticed that the machine got extremely unresponsive on the console.
>> A 'top' session showed us that the machine was almost 100% in system
>> time. If we disconnected some of the segments on the C net, system
>> time went down a bit. We rebooted the machine and noticed that the
>> system time started at zero and went slowly upwards until it reached
>> 100 (after about 2hrs) and we just needed to reboot again. We just
>> disabled the ipchains stuff, and now the server is rock solid with a
>> 'normal' proxy setup (and 100% idle almost all the time). Just for the
>> record : We also tried standard RH7.1 kernels (2.4.2-2 and 2.4.3) with
>> the same results.
>> 
>> Any ideas ? Anybody experienced similar behaviour ? It looks like a
>> resource leak somewhere in the IP filter code to me.
>> 

I have no problems to report about iptables/netfilter+Squid 2.2-STABLE5+hno
running on the same box, and I have deployed this scenario on 4 boxes, one
of which with a couple hundred clients behind it. That box had an uptime of
over 80 days when it was rebooted for a kernel upgrade. I must say that,
although there is a redirect rule catching traffic on port 80, almost all
clients have a proxy set in their browsers, so the redirect rule is not
kicking in a lot.

Can you post your squid config & firewall rules?
What if you use iptables firewall rules instead of ipchains?
Do you get into problems if you remove the redirect rule?

This is more of a question to Linux gurus out there, as I have never been
confronted with a Linux box pegged at 100% system CPU, but is there any way
to find out where things are going wrong via the /proc filesystem? That's
where I would be looking...

-Filip
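Filip's suggestion of looking at /proc can be scripted. The following is an added example, not code from the thread or from either poster: it samples the kernel's "system" share of CPU time from two /proc/stat readings (the creeping symptom Steffen describes) and lists slab caches whose object count keeps growing between two /proc/slabinfo snapshots, which is what a kernel resource leak looks like. The sample lines are constructed; on a real box they would come from the two files taken some minutes apart.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed samples stand in for
# `head -1 /proc/stat` and `cat /proc/slabinfo` taken at two points in time.

# 2.4-era /proc/stat "cpu" line: cpu user nice system idle (in jiffies)
STAT_T0="cpu 1200 30 4800 10000"
STAT_T1="cpu 1250 30 9300 10300"

# sys_pct LINE_T0 LINE_T1 -> integer percentage of CPU time spent in the
# kernel between the two samples (0 if no time elapsed).
sys_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { u0=$2; n0=$3; s0=$4; i0=$5 }
        NR == 2 { u1=$2; n1=$3; s1=$4; i1=$5 }
        END {
            total = (u1-u0) + (n1-n0) + (s1-s0) + (i1-i0)
            if (total <= 0) { print 0; exit }
            printf "%d\n", 100 * (s1-s0) / total
        }'
}

# /proc/slabinfo rows (2.4 format): name active_objs num_objs objsize ...
# Cache names below are constructed sample data.
SLAB_T0="skbuff_head_cache 240 300 160
ip_conntrack 1200 1500 352
dentry_cache 4000 4100 128"
SLAB_T1="skbuff_head_cache 245 300 160
ip_conntrack 9800 10000 352
dentry_cache 3900 4100 128"

# slab_growth SNAP_T0 SNAP_T1 MIN_GROWTH -> "name delta" for every cache whose
# active_objs grew by at least MIN_GROWTH, largest growth first. Caches that
# shrink or stay flat are normal churn and are not reported.
slab_growth() {
    { printf '%s\n' "$1" | sed 's/^/0 /'; printf '%s\n' "$2" | sed 's/^/1 /'; } |
    awk -v min="$3" '
        $1 == 0 { before[$2] = $3 }
        $1 == 1 && ($2 in before) && $3 - before[$2] >= min {
            print $2, $3 - before[$2]
        }' | sort -k2 -nr
}

echo "system time between samples: $(sys_pct "$STAT_T0" "$STAT_T1")%"
echo "slab caches growing by >= 100 objects:"
slab_growth "$SLAB_T0" "$SLAB_T1" 100
```

Run the two sampling commands from cron every few minutes and feed consecutive snapshots to these functions; a system-time figure that climbs monotonically alongside one cache that never shrinks points at the subsystem owning that cache.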