Gostaria que vocês avaliassem o meu firewall e pergunto: por que o SQUID fica lento? Pior do que uma discada.
Processador 2.3 celeron
768 RAM
HD 40 GB
Link 2MB telemar
Clientes 203
sistema conectiva 10 "firewall"
REDES: 3
eth0 ______ link de internet
eth1 ______ rede 1 192.168.255.254
eth2 ______ rede 2 192.168.252.254
REDE Virtual
eth2:200 192.168.252.60.1 (servidor apache "página de aviso")
Controle de banda com CBQ, 128 k para cada cliente
AS REGRAS:
/root/firewall
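#!/bin/sh
# /root/firewall - NAT, transparent Squid redirect, CBQ packet marking and
# port blocks for the three-interface gateway (eth0 = Internet link,
# eth1 = 192.168.255.0/24, eth2 = 192.168.252.0/24).
# Re-runnable: every table it writes to is flushed first.
#
# NOTE: /root/mac.sh also runs "iptables -t filter -F", so whichever of the
# two scripts runs last decides the INPUT/FORWARD rules; the port blocks and
# the 3128 rule below survive only if this script runs after mac.sh (or the
# two scripts are merged).

######################## flush tables ########################
iptables -t nat -F
iptables -t filter -F
# The mangle table was never flushed before, so the MARK rules below were
# appended again on every run.
iptables -t mangle -F

######################## modules #############################
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

######################## public web server ###################
# 1:1 NAT between the public address and the internal web server.
iptables -t nat -A PREROUTING -d 200.217.166.173/32 -j DNAT --to 192.168.252.233
iptables -t nat -A POSTROUTING -s 192.168.252.233/32 -j SNAT --to 200.217.166.173

######################## client notice page ##################
# Clients listed here get every port-80 request sent to the notice page.
# These rules MUST precede the Squid REDIRECT: nat PREROUTING is first-match,
# and with the REDIRECT ahead of them (the previous order) port-80 traffic
# from these clients went to Squid and the notice page was never shown.
# Only port 80 is diverted; everything else from these clients still goes
# out through the MASQUERADE rules below.
#gisele
iptables -t nat -A PREROUTING -p tcp -s 192.168.252.201 --dport 80 -j DNAT --to-dest 192.168.60.1
#montmor
iptables -t nat -A PREROUTING -p tcp -s 192.168.252.131 --dport 80 -j DNAT --to-dest 192.168.60.1
#tico
iptables -t nat -A PREROUTING -p tcp -s 192.168.252.217 --dport 80 -j DNAT --to-dest 192.168.60.1

######################## SQUID ###############################
# Transparent proxy for eth2 only; eth1 (192.168.255.0/24) is never sent
# through Squid and is only masqueraded.
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
# squid.conf ends its http_access list with "allow all" and nothing filters
# INPUT on eth0, so keep port 3128 unreachable from the Internet link.
iptables -I INPUT -i eth0 -p tcp --dport 3128 -j DROP

######################## MASQ ################################
iptables -t nat -A POSTROUTING -s 192.168.252.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -d 0.0.0.0/0 -j MASQUERADE

######################## CBQ upload marking ##################
# Marks are consumed by the CBQ classes; one mark per LAN network.
iptables -t mangle -A PREROUTING -s 192.168.252.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 192.168.255.0/24 -j MARK --set-mark 1

######################## port blocks #########################
# TFTP is UDP; the previous rules dropped tcp/69 in INPUT and udp/69 in
# FORWARD, which left the protocol open in one of the two chains.
iptables -I INPUT -p udp --dport 69 -j DROP
iptables -I FORWARD -p udp --dport 69 -j DROP
# MS-RPC (135) and NetBIOS (137-139) use both TCP and UDP; block both in
# both chains (the previous rules used tcp in INPUT and udp in FORWARD).
for port in 135 137 138 139; do
  for proto in tcp udp; do
    iptables -I INPUT -p "$proto" --dport "$port" -j DROP
    iptables -I FORWARD -p "$proto" --dport "$port" -j DROP
  done
done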
CONTROLE COM MAC:
/root/mac.sh
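#!/bin/sh
# /root/mac.sh - MAC-address allow list for the radio/client side.
# Default: everything arriving on eth1/eth2 is dropped (INPUT and FORWARD);
# only the listed MACs (radios and clients) and the two address rules are
# accepted. eth0 is never filtered by this script.
#
# NOTE: this flushes the whole filter table, so it discards any INPUT/FORWARD
# rule set by /root/firewall (the port blocks). Run this script before that
# one, or merge the two.
# A MAC address is easily changed on a client, so this list is an
# access-control convenience, not an authentication mechanism.

#######################################
# Insert ACCEPT rules (INPUT and FORWARD) for one source MAC.
# Arguments: $1 - MAC address (aa:bb:cc:dd:ee:ff)
#######################################
allow_mac() {
  iptables -t filter -I INPUT -m mac --mac-source "$1" -j ACCEPT
  iptables -t filter -I FORWARD -m mac --mac-source "$1" -j ACCEPT
}

iptables -t filter -F

# Default drop for the two LAN interfaces (appended, so every -I below
# lands ahead of them).
iptables -t filter -A INPUT -s 0.0.0.0/0 -i eth1 -j DROP
iptables -t filter -A INPUT -s 0.0.0.0/0 -i eth2 -j DROP
iptables -t filter -A FORWARD -s 0.0.0.0/0 -i eth1 -j DROP
iptables -t filter -A FORWARD -s 0.0.0.0/0 -i eth2 -j DROP

# Address-based exceptions. The "-d 200.217.166.190" INPUT rule matches on
# any interface: if that is this box's own public address, a LAN host can
# reach local services by addressing it, regardless of MAC — presumably
# "-i eth0" belongs on it; confirm what the address is before changing.
iptables -t filter -I INPUT -s 200.217.166.190 -j ACCEPT
iptables -t filter -I INPUT -d 200.217.166.190 -j ACCEPT
iptables -t filter -I FORWARD -s 200.217.166.190 -j ACCEPT
iptables -t filter -I FORWARD -d 200.217.166.190 -j ACCEPT

######################## radio MACs ##########################
#AP NETFACIL1
#allow_mac 00:17:0e:db:06:66
#AP-ZIWELL-HORIZONTE
#allow_mac 00:05:9e:81:12:91
#firewall-Server-HORIZONTE
allow_mac 00:05:9e:81:1d:33
######################## end radio MACs ######################

######################## client MACs #########################
#cliente1
allow_mac 00:60:08:8c:61:4f
#cliente2
allow_mac 00:07:95:13:b9:0e
#cliente3
allow_mac 10:e0:16:b8:cb:ed
#cliente4
allow_mac 00:40:f4:5e:4c:6e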
SQUID:
/etc/squid/squid.conf
# /etc/squid/squid.conf - Squid in transparent mode for the eth2 network
# (the firewall REDIRECTs tcp/80 arriving on eth2 to port 3128).
hierarchy_stoplist cgi-bin ?
http_port 3128
# 256 MB of in-memory object cache on a 768 MB host; per-connection memory
# for ~200 clients comes on top of this. NOTE(review): check whether the box
# is swapping before blaming Squid itself — not measurable from this file.
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2048 KB
# Masks the last octet of client addresses in logs; no effect on access control.
client_netmask 255.255.255.0
# A single resolver: every cache miss waits on it, so a slow or unreachable
# DNS server here looks like a slow proxy — presumably the first thing to
# test; a second dns_nameservers entry gives a fallback.
dns_nameservers 200.194.228.1
# 2048 MB on-disk cache in 16 x 256 directories.
cache_dir aufs /var/cache/squid 2048 16 256
cache_access_log /var/log/squid/access.log
ftp_user Squid@
# ACLS
acl all src 0.0.0.0/0.0.0.0
# Only the eth2 network; 192.168.255.0/24 (eth1) is not part of localnet.
acl localnet src 192.168.252.0/255.255.255.0
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Everything not denied above is allowed from ANY source address. Neither
# /root/firewall nor /root/mac.sh filters INPUT on eth0, so unless the default
# INPUT policy is DROP somewhere else, port 3128 is an open proxy from the
# Internet link. Restrict to the LAN: "http_access allow localnet" followed by
# "http_access deny all" (and add the eth1 network to localnet if it should
# use the proxy).
http_access allow all
icp_access allow all
# visible_hostname takes a hostname; "on" is presumably shown literally as
# the server name in error pages — set the real hostname.
visible_hostname on
httpd_accel_host virtual
# NOTE(review): in Squid 2.5 httpd_accel_port takes a single port; confirm in
# cache.log whether "80 21 443" is accepted or only the first value is used
# (the firewall only redirects tcp/80 anyway).
httpd_accel_port 80 21 443
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
O que pode estar errado?