Правила squid то работают, то нет

[ArcFi]

VKP28, если одолевает паранойя, то можете замазать внешний IP, но без нормальной диагностики далеко мы не уедем.

[VKP28]

вот что получилось при диагностике

(Нажмите, чтобы показать/скрыть)

ip a
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 00:07:e9:a5:2c:08 brd ff:ff:ff:ff:ff:ff
       inet 192.168.0.241/24 brd 192.168.0.255 scope global eth0
       inet6 fe80::207:e9ff:fea5:2c08/64 scope link
          valid_lft forever preferred_lft forever
   3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
       link/ether 00:07:e9:a5:2c:09 brd ff:ff:ff:ff:ff:ff
   4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 00:07:e9:a5:2a:fa brd ff:ff:ff:ff:ff:ff
       inet 111.111.111.111/30 scope global eth2
       inet6 ffff::ffff:ffff:ffff:ffff/64 scope link
          valid_lft forever preferred_lft forever
   5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
       link/ether 00:07:e9:a5:2a:fb brd ff:ff:ff:ff:ff:ff
   223: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1396 qdisc pfifo_fast state UNKNOWN qlen 3
       link/ppp
       inet 192.168.0.241 peer 192.168.0.20/32 scope global ppp0

ip r
   default via 111.111.111.111 dev eth2  metric 100
   192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.241
   192.168.0.20 dev ppp0  proto kernel  scope link  src 192.168.0.241
   192.168.10.0/28 via 192.168.0.2 dev eth0  metric 1
   192.168.10.16/28 via 192.168.0.2 dev eth0  metric 1
   192.168.10.32/28 via 192.168.0.2 dev eth0  metric 1
   192.168.10.48/28 via 192.168.0.2 dev eth0  metric 1
   192.168.100.0/27 via 192.168.0.2 dev eth0  metric 1
   111.111.111.110/30 dev eth2  proto kernel  scope link  src 111.111.111.112

sysctl net.ipv4.ip_forward
   net.ipv4.ip_forward = 1

[ArcFi]

Забыли

Код: [Выделить]

sudo iptables-save

[VKP28]

результаты sudo iptables-save

(Нажмите, чтобы показать/скрыть)

$ sudo iptables-save

# Generated by iptables-save v1.4.10 on Fri Oct 10 19:36:29 2014
*nat
:PREROUTING ACCEPT [46095019:3539019284]
:INPUT ACCEPT [11041205:662643368]
:OUTPUT ACCEPT [3906290:268944897]
:POSTROUTING ACCEPT [545029:63147499]
-A PREROUTING -d 111.111.111.111/32 -p tcp -m tcp --dport 80 -j DNAT --to-destinati                                              on 192.168.0.72
-A PREROUTING -d 192.168.0.241/32 -p tcp -m tcp --dport 80 -j DNAT --to-destinat                                              ion 192.168.0.72
-A PREROUTING -s 192.168.0.0/24 -p udp -m udp --dport 53 -j DNAT --to-destinatio                                              n 194.85.128.10
-A PREROUTING -s 192.168.0.0/24 -p udp -m udp --dport 53 -j DNAT --to-destinatio                                              n 212.44.130.6
-A PREROUTING -p tcp -m tcp --dport 1110 -j DNAT --to-destination 178.208.83.99:                                              110
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.5:2                                              2
-A PREROUTING -d 111.111.111.111/32 -p tcp -m tcp --dport 1313 -j DNAT --to-destina                                              tion 192.168.100.16:80
-A PREROUTING -d 111.111.111.111/32 -p tcp -m tcp --dport 1314 -j DNAT --to-destina                                              tion 192.168.100.16:554
-A PREROUTING -d 111.111.111.111/32 -p tcp -m tcp --dport 69 -j DNAT --to-destinati                                              on 192.168.100.16:69
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Fri Oct 10 19:36:29 2014
# Generated by iptables-save v1.4.10 on Fri Oct 10 19:36:29 2014
*mangle
:PREROUTING ACCEPT [1180307452:905606210388]
:INPUT ACCEPT [163268354:116812652483]
:FORWARD ACCEPT [1008887354:787690207317]
:OUTPUT ACCEPT [155083208:120566646749]
:POSTROUTING ACCEPT [1163518906:908231705279]
COMMIT
# Completed on Fri Oct 10 19:36:29 2014
# Generated by iptables-save v1.4.10 on Fri Oct 10 19:36:29 2014
*filter
:INPUT ACCEPT [2011100:2114024919]
:FORWARD DROP [3916:223895]
:OUTPUT ACCEPT [3763163:3039447679]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJEC                                              T --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j                                               LOG --log-prefix "New not syn:"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j                                               DROP
-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m multiport --dports 21,22,25,110,995,8080,31                                              28,1723 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m multiport --dports 22,3128,80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp ! --dport 53 -j DROP
-A INPUT -s 192.168.0.241/32 -p udp -m multiport ! --dports 123,53 -j DROP
-A INPUT -s 192.168.100.0/27 -j ACCEPT
-A INPUT -s 198.168.10.0/28 -j ACCEPT
-A INPUT -s 198.168.10.16/28 -j ACCEPT
-A INPUT -s 198.168.10.32/28 -j ACCEPT
-A INPUT -s 198.168.10.48/28 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m multiport --dports 21,25,160,110,995,587,                                              993,1024,87,9080,9443,8470,465,1723,1701 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m multiport --dports 143,587,9443,1110 -j A                                              CCEPT
-A FORWARD -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.0.2/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.0.3/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.0.5/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.0.50/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.0.80/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.0.244/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.0.250/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -d 192.168.0.72/32 -i eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.0.20/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53 -j ACCEPT
-A FORWARD -s 192.168.0.21/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53 -j ACCEPT
-A FORWARD -s 192.168.0.22/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53 -j ACCEPT
-A FORWARD -s 192.168.0.23/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53 -j ACCEPT
-A FORWARD -s 192.168.0.24/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53 -j ACCEPT
-A FORWARD -s 192.168.0.19/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53,445 -j ACCEPT
-A FORWARD -s 192.168.0.18/32 -j ACCEPT
-A FORWARD -s 192.168.0.26/32 -j ACCEPT
-A FORWARD -s 192.168.0.27/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53 -j ACCEPT
-A FORWARD -s 192.168.0.28/32 -p tcp -m multiport --dports 3389,1723,4899,139,55                                              00,160,53 -j ACCEPT
-A FORWARD -s 192.168.0.29/32 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.75/32 -p tcp -m multiport --dports 3400:3800 -j ACCEPT
-A FORWARD -s 192.168.0.75/32 -p udp -m multiport --dports 3400:3800 -j ACCEPT
-A FORWARD -s 192.168.0.75/32 -j ACCEPT
-A FORWARD -s 192.168.0.248/32 -p tcp -m multiport --dports 80,443,1025:60000 -j                                               ACCEPT
-A FORWARD -s 192.168.0.248/32 -p udp -m multiport --dports 80,443,1025:60000 -j                                               ACCEPT
-A FORWARD -s 192.168.0.148/32 -j ACCEPT
-A FORWARD -s 192.168.0.222/32 -j ACCEPT
-A FORWARD -s 192.168.0.135/32 -p tcp -m multiport --dports 8585,9080,9443 -j AC                                              CEPT
-A FORWARD -s 192.168.0.67/32 -j ACCEPT
-A FORWARD -s 192.168.0.124/32 -j ACCEPT
-A FORWARD -s 192.168.0.160/32 -j ACCEPT
-A FORWARD -s 192.168.0.1/32 -j ACCEPT
-A FORWARD -s 192.168.0.33/32 -j ACCEPT
-A FORWARD -s 192.168.0.70/32 -p tcp -m multiport --dports 80,52500:52900 -j ACC                                              EPT
-A FORWARD -s 192.168.0.92/32 -j ACCEPT
-A FORWARD -s 192.168.0.195/32 -j ACCEPT
-A FORWARD -s 192.168.0.74/32 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m multiport --dports 5060:5061,87,53,1701 -                                              j ACCEPT
-A FORWARD -d 91.207.165.0/24 -p udp -m udp --dport 16384:32768 -j ACCEPT
-A FORWARD -s 192.168.0.51/32 -p udp -m udp --dport 16384:32768 -j ACCEPT
-A FORWARD -s 192.168.0.51/32 -p udp -m udp --sport 16384:32768 -j ACCEPT
-A FORWARD -s 192.168.0.25/32 -p udp -m udp --dport 4100:4200 -j ACCEPT
-A FORWARD -s 192.168.0.25/32 -p tcp -m tcp --dport 4100:4200 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p icmp -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 22,2222 -j ACCEPT
-A FORWARD -d 192.168.10.5/32 -p icmp -j ACCEPT
-A FORWARD -s 192.168.10.5/32 -p icmp -j ACCEPT
-A FORWARD -d 192.168.100.16/32 -i eth2 -p tcp -m tcp --dport 1313 -j ACCEPT
-A FORWARD -d 192.168.100.16/32 -p tcp -m multiport --dports 80 -j ACCEPT
-A FORWARD -d 192.168.100.16/32 -i eth2 -p tcp -m tcp --dport 1314 -j ACCEPT
-A FORWARD -d 192.168.100.16/32 -p tcp -m multiport --dports 554 -j ACCEPT
-A FORWARD -d 192.168.100.16/32 -i eth2 -p tcp -m tcp --dport 69 -j ACCEPT
-A FORWARD -d 192.168.100.16/32 -p tcp -m multiport --dports 69 -j ACCEPT
-A FORWARD -s 192.168.100.0/27 -j ACCEPT
-A FORWARD -s 198.168.10.0/28 -j ACCEPT
-A FORWARD -s 198.168.10.16/28 -j ACCEPT
-A FORWARD -s 198.168.10.32/28 -j ACCEPT
-A FORWARD -s 198.168.10.48/28 -j ACCEPT
-A FORWARD -s 192.168.10.52/32 -p tcp -m multiport --dports 80,26948 -j ACCEPT
-A FORWARD -s 192.168.10.52/32 -p udp -m multiport --dports 26948 -j ACCEPT
-A FORWARD -s 192.168.10.53/32 -p tcp -m multiport --dports 80,26948 -j ACCEPT
-A FORWARD -s 192.168.10.53/32 -p udp -m multiport --dports 26948 -j ACCEPT
-A FORWARD -s 192.168.10.54/32 -p tcp -m multiport --dports 80,26948 -j ACCEPT
-A FORWARD -s 192.168.10.54/32 -p udp -m multiport --dports 26948 -j ACCEPT
-A FORWARD -s 192.168.10.36/32 -p tcp -m multiport --dports 80,26948 -j ACCEPT
-A FORWARD -s 192.168.10.36/32 -p udp -m multiport --dports 26948 -j ACCEPT
-A FORWARD -s 192.168.10.20/32 -p tcp -m multiport --dports 80,26948 -j ACCEPT
-A FORWARD -s 192.168.10.20/32 -p udp -m multiport --dports 26948 -j ACCEPT
-A FORWARD -s 192.168.10.4/32 -p tcp -m multiport --dports 80,26948 -j ACCEPT
-A FORWARD -s 192.168.10.4/32 -p udp -m multiport --dports 26948 -j ACCEPT
-A FORWARD -s 192.168.10.5/32 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -s 192.168.0.111/32 -j ACCEPT
-A FORWARD -s 192.168.0.65/32 -p tcp -m multiport --dports 3389,139,160,53 -j AC                                              CEPT
-A FORWARD -s 192.168.0.66/32 -p tcp -m multiport --dports 3389,139,160,53 -j AC                                              CEPT
-A FORWARD -s 192.168.10.53/32 -j ACCEPT
-A FORWARD -s 192.168.10.53/32 -j ACCEPT
-A FORWARD -s 192.168.10.52/32 -j ACCEPT
-A FORWARD -s 192.168.10.54/32 -j ACCEPT
-A FORWARD -s 192.168.10.4/32 -j ACCEPT
-A FORWARD -s 192.168.10.36/32 -j ACCEPT
-A FORWARD -s 192.168.10.20/32 -j ACCEPT

-A FORWARD -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW -j DROP

-A FORWARD -s 192.168.0.124/32 -i eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW -j DROP
-A FORWARD -s 192.168.0.124/32 -i eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.0.84/32 -j ACCEPT
-A OUTPUT -s 192.168.100.0/27 -j ACCEPT
-A OUTPUT -s 198.168.10.0/28 -j ACCEPT
-A OUTPUT -s 198.168.10.16/28 -j ACCEPT
-A OUTPUT -s 198.168.10.32/28 -j ACCEPT
-A OUTPUT -s 198.168.10.48/28 -j ACCEPT
COMMIT

[ArcFi]

Вот это правило разрешает весь транзитный трафик из локалки:

Код: [Выделить]

-A FORWARD -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW -j ACCEPTПо сути, все нижележащие FORWARD-правила становятся до лампочки.