#!/bin/bash
# Firewall Mestre
#
################ Carregar Modulos ##################
#
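# Load the netfilter modules the rules below depend on.
# The names are the pre-2.6.20 ones (ip_conntrack*, ip_nat_*); on kernels that ship
# nf_conntrack/nf_nat these modprobe calls print an error, which the script does not treat
# as fatal (no error checking anywhere in this file).
# FIX: ip_conntrack_irc was listed twice in the original; the duplicate is dropped.
# Not every module here is used by a rule in this file (no rule uses -j REJECT, -m tos,
# -m ttl or GRE); they are kept to preserve what the original loaded. Conversely the
# tcpmss match / TCPMSS target used later is not pre-loaded and relies on autoload.
for mod in \
    ip_tables iptable_filter iptable_nat iptable_mangle \
    ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
    ip_nat_ftp ip_nat_irc \
    ipt_limit ipt_LOG ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_state \
    ipt_tos ipt_TOS ipt_ttl ip_gre; do
  /sbin/modprobe "$mod"
done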
#
################# Variaveis #########################
#
# Packet-filter binary and the network identities every rule below refers to.
IPT='/sbin/iptables'        # iptables binary
IFEXT='eth2'                # Internet-facing interface
IFLAN1='eth1'               # LAN1 interface
IPIFLAN1='192.168.0.1'      # this host's address on LAN1
LAN1='192.168.0.0/24'       # LAN1 network
readonly IPT IFEXT IFLAN1 IPIFLAN1 LAN1
#
################# Zerar Chains #####################
#
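# Reset all three tables so the script can be re-run cleanly.
# FIX: the original only flushed the built-in chains and zeroed the filter counters.
# User-defined chains left over from a previous run were never deleted (-X) and the nat
# and mangle counters were never reset; all three tables are now treated the same way.
# NOTE(review): because the default policies are ACCEPT, the host is unfiltered between
# this flush and the last rule of the script; with DROP policies this window would be closed
# by setting the policies before flushing.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
  "$IPT" -t "$table" -Z
done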
#
############# Politicas Default das Chains ##########
#
# Default policies for every built-in chain: ACCEPT across the board, exactly as in the
# original. This makes the rule set a deny-list: a packet is only blocked if it hits an
# explicit DROP, and anything that reaches the end of a chain is accepted.
# NOTE(review): two consequences worth knowing before touching the rules below.
#  - Every "-m limit ... -j ACCEPT" rule in this file limits nothing: packets above the
#    rate fall through to the policy and are accepted anyway.
#  - The OUTPUT chain is unfiltered apart from a single INVALID-ICMP drop.
# Switching INPUT/FORWARD to DROP would also require explicit ACCEPTs for everything the
# file currently relies on the policy for (DNAT'd RDP/VNC, ICMP other than echo-request),
# so the policies are left unchanged here.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT POSTROUTING; do
  "$IPT" -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
  "$IPT" -t mangle -P "$chain" ACCEPT
done
#---------------------------------#
# Ativar Filtros TCP/IP no Kernel #
#---------------------------------#
# Kernel-side hardening through /proc/sys (values unchanged from the original).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts          # do not answer broadcast pings
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses    # keep bogus ICMP errors out of the log
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                       # SYN-flood mitigation
for conf in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$conf/accept_redirects"
  echo 0 > "$conf/accept_source_route"
  echo 1 > "$conf/log_martians"
  # NOTE(review): reverse-path filtering is switched OFF on every interface, so the kernel
  # does no source-address sanity check at all; the only anti-spoofing this host has is the
  # short list of explicit "-s ... -i $IFEXT -j DROP" rules further down. Unless asymmetric
  # routing genuinely requires 0, 1 (strict) is the safer value — left as in the original.
  echo 0 > "$conf/rp_filter"
done
# NOTE(review): forwarding is enabled here, before a single FORWARD rule exists; with ACCEPT
# policies that window is wide open on every reload. Enabling it as the last step of the
# script would be the usual order.
echo "1" > /proc/sys/net/ipv4/ip_forward
#
##################### Filtros para todas as chains ###################
#
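# --- Anti-spoofing: packets arriving from the Internet must not claim LAN or loopback
#     source addresses.
"$IPT" -A INPUT   -s "$LAN1" -i "$IFEXT" -j DROP
"$IPT" -A FORWARD -s "$LAN1" -i "$IFEXT" -j DROP
"$IPT" -A INPUT   -s 127.0.0.0/8 -i "$IFEXT" -j DROP
"$IPT" -A FORWARD -s 127.0.0.0/8 -i "$IFEXT" -j DROP
"$IPT" -A INPUT   -s 172.16.0.0/12 -i "$IFEXT" -j DROP
# NOTE(review): coverage is incomplete — 172.16/12 is dropped on INPUT only, and 10/8 and the
# rest of 192.168/16 are not listed at all (rp_filter is disabled above, so nothing else
# catches them). Not extended here: if the uplink sits behind a modem/router with a private
# address, dropping those ranges on $IFEXT would cut it off. Verify the uplink addressing
# before adding them.
#$IPT -A INPUT -s 224.0.0.0/4 -i $IFEXT -j DROP
#$IPT -A INPUT -s 240.0.0.0/5 -i $IFEXT -j DROP
"$IPT" -t mangle -A PREROUTING -s "$LAN1" -i "$IFEXT" -j DROP
# --- ICMP echo-request rate limiting. (The original labelled this "Ping of Death"
#     protection; it is not — PoD is an oversized-fragment bug handled by the kernel.)
# FIX: the original had only the limited ACCEPT. Packets above 1/s fell through the chain
# and were accepted by the policy (ICMP is excluded from every later DROP), so the limit
# was a no-op. For INPUT a DROP now follows the limited ACCEPT, so the host really does
# answer at most 1 echo-request per second (aggregate, default burst 5).
"$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
# The FORWARD rule has the same flaw and is still a no-op. It is left as in the original
# because a matching DROP would cap *all* LAN and DNAT ping traffic at 1/s aggregate, which
# is a policy decision (and probably a higher limit) for the administrator to make.
"$IPT" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# --- Drop inbound traceroute probes from the Internet.
"$IPT" -A INPUT -p udp -i "$IFEXT" --dport 33435:33525 -j DROP
# --- MSS clamping for a PPPoE uplink ("Velox").
# The original hard-coded both the iptables binary and "ppp0". The binary is now $IPT for
# consistency; the interface is deliberately kept as ppp0 rather than $IFEXT, because
# clamping on an Ethernet uplink would change MSS values the original left untouched.
# With IFEXT=eth2 this rule only has an effect if a ppp0 interface exists.
"$IPT" -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
# --- Stateful inspection: replies and related packets of tracked TCP/UDP flows.
#     Only tcp and udp are covered; RELATED ICMP errors reach the ACCEPT policy instead.
for proto in tcp udp; do
  "$IPT" -A INPUT   -p "$proto" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -p "$proto" -m state --state ESTABLISHED,RELATED -j ACCEPT
done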
#
##################### Regras para VPN ##########################
#
# CHAIN INPUT
#
# OpenVPN on 5000 (udp and tcp) and SSH on 4022.
# None of these rules carries an -i, so the ports are open on every interface (Internet,
# LAN and tunnels) — as in the original. 4022 is opened a second time, restricted to
# $IFEXT, in the external-interface section; that later rule is redundant given this one.
for proto in udp tcp; do
  "$IPT" -A INPUT -p "$proto" --dport 5000 -j ACCEPT
done
"$IPT" -A INPUT -i tun+ -j ACCEPT                  # any VPN peer may reach any service on this host
"$IPT" -A INPUT -p tcp --dport 4022 -j ACCEPT
# VPN peers are forwarded without restriction in both directions: a peer reaches the whole
# LAN, and anything routable towards a tunnel is let through. These ACCEPTs sit before the
# LAN catch-all DROP, so nothing below applies to tunnel traffic.
"$IPT" -A FORWARD -i tun+ -j ACCEPT
"$IPT" -A FORWARD -o tun+ -j ACCEPT
#
#-----------------------------------------------------------------------------------------
#
##################### Regras Tabela Filter ##########################
#
# CHAIN INPUT
#
# Interface Externa (Internet)
#-----------------------------
#
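# Services reachable from the Internet: FTP (20/21) and SSH on 4022.
# NOTE(review): FTP exposed to the Internet means plaintext credentials on the wire and an
# active-mode data channel (ip_nat_ftp/ip_conntrack_ftp are loaded for it); consider SFTP
# over the already-open 4022 instead. The 4022 entry here is redundant — the VPN section
# accepted 4022 on every interface already.
"$IPT" -A INPUT -i "$IFEXT" -p tcp -m multiport --dport 20,21,4022 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -s 200.10.10.10 -p tcp -m multiport --dport 8000,3306,5432 -j ACCEPT
# Log, then drop, every other new/invalid non-ICMP packet from the Internet.
# FIX: the LOG rule now carries a limit so a flood from the Internet cannot fill the logs;
# the DROP itself is unchanged and unlimited.
# ICMP is excluded from both rules, so ICMP types other than echo-request (limited above)
# are accepted by the policy unfiltered.
# "-p ! icmp" is the old intrapositioned negation; newer iptables warns and prefers
# "! -p icmp". Kept as written for compatibility with the iptables this file targets.
"$IPT" -A INPUT -i "$IFEXT" -p ! icmp -m state --state NEW,INVALID -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level 6 --log-prefix "INPUT: NEGADO-IFEXT"
"$IPT" -A INPUT -i "$IFEXT" -p ! icmp -m state --state NEW,INVALID -j DROP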
#
# Interface Interna (LAN )
#-----------------------------
#
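# Loopback.
"$IPT" -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
# The AD server may reach any service on this host's LAN address.
"$IPT" -A INPUT -s 192.168.0.100 -i "$IFLAN1" -d "$IPIFLAN1" -j ACCEPT
# DNS offered by this host to LAN1 (udp and tcp port 53).
# FIX: the original also ACCEPTed anything from LAN1 whose *source* port was 53 (udp and
# tcp). That is a classic bypass: a LAN host binds its client socket to port 53 and can then
# reach any port on this firewall. Replies to this host's own DNS queries are already
# covered by the ESTABLISHED,RELATED rules above (and replies from the AD server by the rule
# just before), so the --sport 53 rules are simply removed.
for proto in udp tcp; do
  "$IPT" -A INPUT -s "$LAN1" -i "$IFLAN1" -p "$proto" --dport 53 -d "$IPIFLAN1" -j ACCEPT
done
# TCP services for LAN1: Squid (3128/8080), SSH (2022), FTP (20/21), HTTP/HTTPS.
"$IPT" -A INPUT -s "$LAN1" -i "$IFLAN1" -p tcp -m multiport --dport 3128,2022,20,21,8080,443,80 -d "$IPIFLAN1" -j ACCEPT
#$IPT -A INPUT -s 192.168.10.0/24 -i $IFLAN1 -p tcp -m multiport --dport 3128,2124,8080 -d $IPIFLAN1 -j ACCEPT
# UDP: only 5432. (The original comment also named Samba, but no Samba port is opened here.)
"$IPT" -A INPUT -s "$LAN1" -i "$IFLAN1" -p udp -m multiport --dport 5432 -d "$IPIFLAN1" -j ACCEPT
# Everything else new/invalid (non-ICMP) arriving on LAN1: log (rate-limited) and drop.
# FIX: the original restricted both rules with "-d $IPIFLAN1". INPUT only sees packets for
# this host, so that restriction exempted packets from LAN1 addressed to any *other* local
# address (for example the Internet-side address of $IFEXT); those reached the ACCEPT
# policy, which let a LAN host reach every listening port by targeting that address. The
# -d is dropped so the catch-all covers every local address; a limit is added to the LOG.
"$IPT" -A INPUT -i "$IFLAN1" -p ! icmp -m state --state NEW,INVALID -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level 6 --log-prefix "[NEGADO-INPUT-IFLAN1]:"
"$IPT" -A INPUT -i "$IFLAN1" -p ! icmp -m state --state NEW,INVALID -j DROP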
# Protecao contra SynFlood & Port scanners
#-----------------------------------------
#
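# TCP flag sanity checks.
# FIX: the original expressed all of these as "-m limit ... -j ACCEPT". With an ACCEPT policy
# and nothing after them in the chain, a limited ACCEPT limits nothing — packets above the
# rate fall through and are accepted anyway — so neither the SYN/UDP "flood" rules nor the
# scanner rules ever blocked a packet. The flag combinations below do not occur in
# legitimate TCP (NULL, XMAS, SYN+FIN, SYN+RST, ...) and are now dropped outright. The SYN
# and UDP rate rules are removed rather than turned into DROPs: a 2/s cap on all new
# connections to this host would throttle LAN clients of the proxy, and tcp_syncookies
# (enabled above) already covers SYN floods.
# NOTE: these rules sit after the per-interface DROPs, so they only see traffic the
# sections above did not already decide on.
while read -r mask comp; do
  "$IPT" -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j DROP
done <<'EOF'
ALL FIN,URG,PSH
ALL NONE
ALL ALL
ALL FIN,SYN
ALL SYN,RST,ACK,FIN,URG
SYN,RST SYN,RST
SYN,FIN SYN,FIN
EOF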
#--------------------------------------------------------------------------------------------------
#
# CHAIN FORWARD
#
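# AD server -> Internet, unrestricted.
"$IPT" -A FORWARD -s 192.168.0.100 -i "$IFLAN1" -o "$IFEXT" -j ACCEPT
# P2P / instant-messaging blocks by destination network or port (applied to all forwarded
# traffic, any interface).
# NOTE(review): the address lists date from the early-2000s networks of these services and
# are almost certainly stale. The host-name rules (login.icq.com, scsa.yahoo.com,
# login.oscar.aol.com, www.orkut.com, orkut.com, gateway.messenger.hotmail.com) are resolved
# once, when this script runs: each covers only the A records returned at that moment, and if
# DNS is unreachable at boot the rule fails and is silently skipped — the script has no
# error checking.
# FIX: ports 1214, 6346 and 5190 were each appended twice; the duplicates are removed
# (behaviour unchanged, one rule evaluation less per packet).
# Napster
"$IPT" -A FORWARD -d 64.124.41.0/24 -j DROP
# iMesh
"$IPT" -A FORWARD -d 216.35.208.0/24 -j DROP
# Bearshare / Limewire (Gnutella)
"$IPT" -A FORWARD -p tcp --dport 6346 -j DROP
# WinMX
"$IPT" -A FORWARD -d 209.61.186.0/24 -j DROP
"$IPT" -A FORWARD -d 64.49.201.0/24 -j DROP
# Napigator
"$IPT" -A FORWARD -d 209.25.178.0/24 -j DROP
# Morpheus / KaZaa (FastTrack)
"$IPT" -A FORWARD -d 206.142.53.0/24 -j DROP
"$IPT" -A FORWARD -d 213.248.112.0/24 -j DROP
"$IPT" -A FORWARD -p tcp --dport 1214 -j DROP
# Audiogalaxy
"$IPT" -A FORWARD -d 64.245.58.0/23 -j DROP
# ICQ / AIM (OSCAR) and IRC ports
"$IPT" -A FORWARD -p tcp --dport 5190 -j DROP
"$IPT" -A FORWARD -d login.icq.com -j DROP
"$IPT" -A FORWARD -d login.oscar.aol.com -j DROP
"$IPT" -A FORWARD -p tcp --dport 6667 -j DROP
"$IPT" -A FORWARD -p tcp --dport 6668 -j DROP
# Yahoo Messenger
"$IPT" -A FORWARD -d scsa.yahoo.com -j DROP
# MSN Messenger is allowed.
# NOTE(review): the third rule accepts TCP to port 1863 from any source to any destination
# on any interface, and it sits before the LAN catch-all DROP — it is an open channel
# through this filter to any Internet host that listens on 1863.
"$IPT" -A FORWARD -d gateway.messenger.hotmail.com -j ACCEPT
"$IPT" -A FORWARD -d 64.4.13.0/24 -j ACCEPT
"$IPT" -A FORWARD -p tcp --dport 1863 -j ACCEPT
# Orkut
"$IPT" -A FORWARD -d www.orkut.com -j DROP
"$IPT" -A FORWARD -d orkut.com -j DROP
# Locally generated ICMP that conntrack classifies as INVALID is dropped (the original's
# "protect NAT"); this is the only rule in the OUTPUT chain.
"$IPT" -A OUTPUT -m state -p icmp --state INVALID -j DROP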
#
# Liberar LAN FORWARD (ADMINISTRATIVO)
#-------------------------------------
#
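# AD server -> Internet, unrestricted (the same rule is already at the top of the FORWARD
# chain; kept so this section stands on its own).
"$IPT" -A FORWARD -s 192.168.0.100 -i "$IFLAN1" -o "$IFEXT" -j ACCEPT
# LAN1 -> Internet: DNS.
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -o "$IFEXT" -p udp --dport 53 -j ACCEPT
# LAN1 -> Internet: FTP, SMTP, POP3, IMAPS, AUTH, POP3S, submission, HTTP, HTTPS, 8080.
# FIX: port 25 appeared twice in the original multiport list; harmless, removed.
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -o "$IFEXT" -p tcp -m multiport --dport 20,21,25,110,993,113,995,587,80,443,8080 -j ACCEPT
# Brazilian government applications. These rules carry no -o and, except for the
# 200.201.174.0/24 rule, no destination: the ports are open from LAN1 towards any
# destination on any outbound interface, not only the Internet.
# Conectividade Social
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -p tcp --dport 2631 -j ACCEPT
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -p tcp --dport 8301 -j ACCEPT
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -d 200.201.174.0/24 -j ACCEPT
# Receitanet
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -p tcp --dport 3456 -j ACCEPT
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -p tcp --dport 8800 -j ACCEPT
# CEF
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -p tcp --dport 2004 -j ACCEPT
# RAIS (disabled in the original)
#$IPT -A FORWARD -s 192.168.0.59 -i $IFLAN1 -p tcp --dport 3007 -j ACCEPT
# High ports (disabled in the original)
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 1024: -j ACCEPT
# Everything else new/invalid (non-ICMP) from LAN1: log (rate-limited) and drop.
# FIX: a limit is added to the LOG rule so a single LAN host cannot flood the logs; the
# DROP is unchanged.
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -p ! icmp -m state --state NEW,INVALID -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level 6 --log-prefix "FORWARD: NEGADO-IFLAN1"
"$IPT" -A FORWARD -s "$LAN1" -i "$IFLAN1" -p ! icmp -m state --state NEW,INVALID -j DROP
# NOTE(review): this is the only catch-all in FORWARD and it matches LAN1 sources only.
# Nothing drops new connections arriving on $IFEXT, so with the ACCEPT policy every packet
# the NAT section DNATs from the Internet (VNC 5900 and RDP 3389 to 192.168.0.100) is
# forwarded unconditionally. A "-i $IFEXT -m state --state NEW,INVALID" LOG/DROP pair here
# would close that, but it has to be preceded by explicit ACCEPTs for whichever DNAT targets
# are meant to stay reachable — a policy decision, so not added.
# The original ended this chain with four "-m limit ... -j ACCEPT" rules labelled SYN-flood
# and port-scan protection. With an ACCEPT policy and nothing after them they could never
# drop a packet; they have been removed as dead rules.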
#--------------------------------------------------------------------------------------------------
#
######################## Regras Tabela NAT ###########################
#
# CHAIN POSTROUTING
#
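# --- POSTROUTING: source NAT for LAN1 behind the Internet interface.
# FIX: the original placed three more MASQUERADE rules ahead of this one (for
# 192.168.0.100, for -d cmt.caixa.gov.br and for -d 200.201.174.0/24). Each is a strict
# subset of "-s $LAN1 -o $IFEXT" with the same target, so they changed nothing, and the
# cmt.caixa.gov.br rule additionally required a DNS lookup while the firewall was being
# loaded. Removed.
"$IPT" -t nat -A POSTROUTING -s "$LAN1" -o "$IFEXT" -j MASQUERADE
# Disabled in the original: log/drop of direct HTTP that bypasses the proxy.
#$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -p tcp --dport 80 -j LOG --log-prefix "POSTROUTING: HTTP-NEGADO"
#$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -p tcp --dport 80 -j DROP
# Disabled in the original: masquerade a VPN subnet towards the LAN.
#iptables -t nat -s 172.16.10.0/24 -A POSTROUTING -o eth1 -j MASQUERADE
# --- PREROUTING
# Conectividade Social must not go through the transparent proxy: RETURN before the REDIRECT.
"$IPT" -t nat -A PREROUTING -s "$LAN1" -i "$IFLAN1" -d 200.201.174.0/24 -p tcp --dport 80 -j RETURN
# Transparent proxy: HTTP from LAN1 is redirected to Squid on local port 8080 (8080 is
# accepted from LAN1 in the INPUT chain).
"$IPT" -t nat -A PREROUTING -s "$LAN1" -i "$IFLAN1" -p tcp --dport 80 -j REDIRECT --to-port 8080
# Port forwards into the LAN.
# NOTE(review): both forwards are open to every source address on the Internet (the
# original spelled that out as "-s 0/0", which is the default and is omitted here), and the
# FORWARD chain has no rule restricting inbound traffic on $IFEXT, so VNC and RDP on the AD
# server are reachable — and brute-forceable — from anywhere. Either add "-s <admin
# network>" to each DNAT or remove them and use the VPN (tun+ is already forwarded into
# the LAN) for remote administration.
"$IPT" -t nat -A PREROUTING -i "$IFEXT" -p tcp --dport 5900 -j DNAT --to 192.168.0.100:5900
"$IPT" -t nat -A PREROUTING -i "$IFEXT" -p tcp --dport 3389 -j DNAT --to 192.168.0.100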
#
######################## Regras Tabela Mangle #########################
#
# CHAIN OUTPUT
#
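# TOS marking of this host's own outbound traffic (legacy IPv4 TOS bits; most networks
# now honour DSCP instead, so the effect of these rules is uncertain).
# Minimize-Delay (0x10): FTP control channel, HTTP, DNS.
"$IPT" -t mangle -A OUTPUT -o "$IFEXT" -p tcp --dport 21 -j TOS --set-tos 0x10
"$IPT" -t mangle -A OUTPUT -o "$IFEXT" -p tcp --dport 80 -j TOS --set-tos 0x10
"$IPT" -t mangle -A OUTPUT -o "$IFEXT" -p udp --dport 53 -j TOS --set-tos 0x10
# Maximize-Throughput (0x08): FTP data channel.
# FIX: the original used "--dport 20:21" here, so port 21 matched both rules and the later
# one won — the control channel ended up marked Maximize-Throughput, contradicting the
# Minimize-Delay rule and its own comment. Only the data port is marked now.
"$IPT" -t mangle -A OUTPUT -o "$IFEXT" -p tcp --dport 20 -j TOS --set-tos 0x8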
#------------------------------------------------------------------------
# FIM