Thanks Antony.
Yes, new, established and related. The first rule in the INPUT chain
is --state RELATED,ESTABLISHED with all the --state NEW rules below
that.
With this configuration the vast majority of connections went through
fine but occasionally one timed out. If I remove the state analysis in
iptables everything works fine.
On 26 February 2014 10:46, Antony Stone
<Antony.Stone_at_squid.open.source.it> wrote:
> On Wednesday 26 February 2014 at 11:40:59, Paul Carew wrote:
>
>> Thanks Amos.
>>
>> This is now resolved and appears to have been related to iptables on
>> the upstream Squid server.
>>
>> Originally I was accepting --state NEW connections only on the
>> upstream Squid server's iptables configuration. By removing the
>> --state NEW component and just accepting all tcp connections between
>> the relevant IP addresses and ports all of the connection failed error
>> messages have vanished from Squid's cache logs.
>
> I assume you mean you were accepting both NEW and ESTABLISHED?
>
>> I'll look into iptables as I'm puzzled why it would block a SYN packet
>> on a --state NEW rule match.
>
> --state NEW would not block SYN, but it would block ACK and SYN,ACK
>
> You'd need --state ESTABLISHED to allow those through.
>
>
> Hope that helps,
>
>
> Antony.
>
> --
> All matter in the Universe can be placed into one of two categories:
>
> 1. Things which need to be fixed.
> 2. Things which need to be fixed once you've had a few minutes to play with
> them.
>
> Please reply to the list;
> please don't CC me.
Received on Wed Feb 26 2014 - 11:12:27 MST
This archive was generated by hypermail 2.2.0 : Wed Feb 26 2014 - 12:00:06 MST
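The exchange above turns on one detail: a `--state NEW` rule admits only the first packet of a connection, so the SYN,ACK and ACK of an already-tracked TCP connection are only accepted if a `RELATED,ESTABLISHED` rule exists, and the convention Paul describes puts that rule first in INPUT. The script below is an added example, not code from the thread or from Squid; it audits an `iptables-save` style dump for exactly that. Both dumps are constructed samples: the proxy port 3128 and the client address 192.0.2.10 are assumed, not taken from the messages.

```shell
#!/bin/sh
# Added example (not from the thread): check an iptables-save style dump for the
# conntrack state rules discussed above. Both dumps are constructed samples;
# port 3128 and 192.0.2.10 are assumed values.

# Constructed sample 1: the layout described as broken. Only --state NEW is
# accepted on the proxy port, so the reply packets of a tracked connection
# (SYN,ACK and ACK) have no rule that admits them.
RULES_NEW_ONLY='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
COMMIT'

# Constructed sample 2: the working layout. RELATED,ESTABLISHED is the first
# state rule in INPUT and the per-service --state NEW rules follow it.
RULES_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
COMMIT'

# accept_rule_pos DUMP STATE
# Prints the 1-based position, among the INPUT chain's rules, of the first
# ACCEPT rule whose --state / --ctstate list contains STATE; prints 0 if none.
# Both the legacy "state" match and the "conntrack" match spellings are handled.
accept_rule_pos() {
    printf '%s\n' "$1" | grep '^-A INPUT ' | awk -v st="$2" '
        BEGIN { p = 0 }
        {
            hit = 0; tgt = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--state" || $i == "--ctstate") {
                    n = split($(i + 1), parts, ",")
                    for (j = 1; j <= n; j++) if (parts[j] == st) hit = 1
                }
                if ($i == "-j") tgt = $(i + 1)
            }
            if (hit && tgt == "ACCEPT" && p == 0) p = NR
        }
        END { print p }'
}

# accepts_established DUMP
# True when some INPUT rule accepts ESTABLISHED traffic at all. Without this,
# a --state NEW rule lets the SYN in and nothing lets the rest of the handshake in.
accepts_established() {
    [ "$(accept_rule_pos "$1" ESTABLISHED)" -gt 0 ]
}

# established_first DUMP
# True when the ESTABLISHED accept rule precedes the first NEW accept rule,
# i.e. the ordering Paul describes (state rule first, NEW rules below it).
established_first() {
    est=$(accept_rule_pos "$1" ESTABLISHED)
    new=$(accept_rule_pos "$1" NEW)
    [ "$est" -gt 0 ] && { [ "$new" -eq 0 ] || [ "$est" -lt "$new" ]; }
}

# report NAME DUMP: one-line verdict for a dump, for use on a real
# `iptables-save` capture: report live "$(iptables-save)"
report() {
    if established_first "$2"; then
        printf '%s: ok (ESTABLISHED accepted before NEW rules)\n' "$1"
    elif accepts_established "$2"; then
        printf '%s: warning (ESTABLISHED accepted, but after a NEW rule)\n' "$1"
    else
        printf '%s: broken (no rule accepts ESTABLISHED; handshake replies will be dropped)\n' "$1"
    fi
}

report new-only "$RULES_NEW_ONLY"
report fixed "$RULES_FIXED"
```

The position check deliberately ignores non-state rules such as the loopback accept, so a dump that has the ESTABLISHED rule anywhere before the first NEW rule passes, and a dump that accepts ESTABLISHED only after NEW rules is reported as a warning rather than a failure: packets still reach it, it just costs an extra rule evaluation on every established packet.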