У меня было неудачное удаление сквида, после чего он не хотел ставиться обратно, но после ковыряний с aptitude purge и dpkg получилось, диску пара месяцев отроду, предлагаете проверить? Как то можно проверить целостность пакетов? Модули в iptables может лишние тоже поотключать, только опять же не знаю какие.
(через минут 30 прикреплю конфиг iptables)
Параллельно готовится новая железка на debian 7.7, но вопрос добить хочется.
/sbin/modprobe nfnetlink
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
# Helpers
#
/sbin/modprobe ip_conntrack_amanda
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_conntrack_netbios_ns
/sbin/modprobe ip_conntrack_pptp
#/sbin/modprobe ip_conntrack_tftp
/sbin/modprobe ip_nat_amanda
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_nat_snmp_basic
/sbin/modprobe ip_nat_tftp
#
# Traffic Shaping
#
#/sbin/modprobe sch_sfq
#/sbin/modprobe sch_ingress
#/sbin/modprobe sch_htb
#/sbin/modprobe cls_u32
#
# Extensions
#
/sbin/modprobe ipt_ah
/sbin/modprobe ipt_addrtype
/sbin/modprobe ipt_CLASSIFY
#/sbin/modprobe ipt_CLUSTERIP
/sbin/modprobe ipt_comment
/sbin/modprobe ipt_connmark
/sbin/modprobe ipt_CONNMARK
/sbin/modprobe ipt_conntrack
/sbin/modprobe ipt_dscp
/sbin/modprobe ipt_DSCP
/sbin/modprobe ipt_ecn
/sbin/modprobe ipt_ECN
/sbin/modprobe ipt_esp
/sbin/modprobe ipt_hashlimit
/sbin/modprobe ipt_helper
/sbin/modprobe ipt_iprange
/sbin/modprobe ipt_length
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_MARK
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_NETMAP
/sbin/modprobe ipt_NOTRACK
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_physdev
/sbin/modprobe ipt_pkttype
/sbin/modprobe ipt_policy
/sbin/modprobe ipt_realm
/sbin/modprobe ipt_recent
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_SAME
/sbin/modprobe ipt_sctp
/sbin/modprobe ipt_state
/sbin/modprobe ipt_tcpmss
/sbin/modprobe ipt_TCPMSS
/sbin/modprobe ipt_tos
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_ttl
/sbin/modprobe ipt_TTL
/sbin/modprobe ipt_ULOG
IPT="/sbin/iptables" # Location of iptables on your system
INET_IFACE="em1" # Internet-connected interface
LOCAL_IFACE="p2p1" # Localnet-connected interface
INET_IP="zzz.zzz.zzz.zzz" # Internet IP address
LOCAL_IP="xxx.xxx.xxx.xxx" # Localnet IP address
DNS_ISP_NTS1="xxx.xxx.xxx.xxx"
DNS_ISP_NTS2="xxx.xxx.xxx.xxx"
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -t nat -F
####### Default Rule
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
####### Traff of LO
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
####### SSH for Server
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-level DEBUG
#iptables -A INPUT -p tcp -d $INET_IP --dport 22 --syn -m limit --limit 3/minute -j ACCEPT
iptables -A INPUT -p tcp -d $LOCAL_IP --dport 22 --syn -m limit --limit 3/minute -j ACCEPT
iptables -A INPUT -p tcp -d $LOCAL_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
####### DNS for Localhost
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
####### SQUID
iptables -A INPUT -p tcp -i $LOCAL_IFACE --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -o $LOCAL_IFACE --sport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#######
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.xxx.xxx/24 --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.xxx.xxx/24 --sport 1024:65535 --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.xxx.xxx/24 --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p udp -s 192.168.xxx.xxx/24 --dport 10:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.xxx.yyy --dport 25:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.xxx.yyy --dport 25:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
####### Allow forvard established connections
iptables -A FORWARD -i em1 -o p2p1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i p2p1 -o em1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP