[tproxy] tproxy related error in squid?

Ritter, Nicholas Nicholas.Ritter at americantv.com
Tue Jul 22 20:19:18 CEST 2008


I want to add something to this....the setup is working, the client ip
is being seen on the remote webserver....would like to get rid of
those errors though. I checked the lists and there is a post about this
issue to the squid-devel listserv in June. I have not seen any solutions
yet.

________________________________

From: Ritter, Nicholas 
Sent: Tuesday, July 22, 2008 1:09 PM
To: 'tproxy at lists.balabit.hu'
Subject: tproxy related error in squid?


I see an error in my squid cache.log that I think is TProxy related, and
wanted to post it here to see if anyone had input before posting it to
the squid list.
 
The versions of everything I am using are listed below, followed by the
error.
 
Software versions:
 
squid-3.HEAD-20080721
iptables 1.4.0
kernel 2.6.25.11
 
This is part of a WCCP setup with a Cisco router.
 
My iptables setup is:
 
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           
5    LocalFW    all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    LocalFW    all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
 
Chain LocalFW (2 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     udp  --  10.48.33.2           0.0.0.0/0           udp dpt:2048
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    ACCEPT     tcp  --  10.9.7.206           0.0.0.0/0           tcp dpt:22 state NEW
6    ACCEPT     tcp  --  10.2.5.100           0.0.0.0/0           tcp dpt:22 state NEW
7    ACCEPT     tcp  --  10.9.7.206           0.0.0.0/0           tcp dpt:10000 state NEW
8    ACCEPT     udp  --  10.2.5.100           0.0.0.0/0           udp spt:161
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
10   ACCEPT     tcp  --  10.9.7.206           0.0.0.0/0           tcp dpt:10000
11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0           socket
2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1
 
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
 
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
 
Chain DIVERT (1 references)
num  target     prot opt source               destination         
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK set 0x1
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
 
 
The squid clients are in the 10.48.1.0/24 subnet, the router is in both
the 10.48.1.0/24 and the 10.48.33.0/24 subnet. The squid box is
10.48.33.2, the router is 10.48.33.1. Both IP subnets are separate layer
2 vlans.
 
In the errors below, 10.48.1.200 is my client test machine.
 
 
Error with "echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind":
 
2008/07/22 12:57:05| IPInterception.cc(137) NetfilterInterception:  NF
getsockopt(SO_ORIGINAL_DST) failed: (11) Resource temporarily
unavailable
2008/07/22 12:57:05| IPInterception.cc(171) NetfilterTransparent:  NF
getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
 
Error with "echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind":
 
2008/07/22 13:01:50| IPInterception.cc(137) NetfilterInterception:  NF
getsockopt(SO_ORIGINAL_DST) failed: (11) Resource temporarily
unavailable
2008/07/22 13:01:50| IPInterception.cc(171) NetfilterTransparent:  NF
getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/07/22 13:01:54| commBind: Cannot bind socket FD 30 to
10.48.1.200:5675: (98) Address already in use
2008/07/22 13:01:54| comm.cc(997) commResetFD: bind: (98) Address
already in use
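
Added example, not part of the original post and not Squid code: a small Python triage helper that rejoins hard-wrapped cache.log entries like the ones above and groups the failed calls by errno, so the getsockopt failures and the bind collisions on the client address can be counted separately. The function names (unwrap, parse, summarize) are hypothetical, and the errno table assumes the Linux numbering printed in the log.

```python
import re
from collections import Counter

# Assumption: Linux errno numbering, as Squid printed it in the post.
ERRNO_NAMES = {11: "EAGAIN", 92: "ENOPROTOOPT", 98: "EADDRINUSE"}
# Constructed input: the ip_nonlocal_bind=1 log lines from the post, hard-wrapped by the mailer.
SAMPLE = """\
2008/07/22 13:01:50| IPInterception.cc(137) NetfilterInterception:  NF
getsockopt(SO_ORIGINAL_DST) failed: (11) Resource temporarily
unavailable
2008/07/22 13:01:50| IPInterception.cc(171) NetfilterTransparent:  NF
getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/07/22 13:01:54| commBind: Cannot bind socket FD 30 to
10.48.1.200:5675: (98) Address already in use
2008/07/22 13:01:54| comm.cc(997) commResetFD: bind: (98) Address
already in use
"""

STAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*")
SOURCE = re.compile(r"(\w+\.cc)\((\d+)\)")
CALL = re.compile(r"getsockopt\(\w+\)|\bbind\b")
ERRNO = re.compile(r": \((\d+)\) ")  # matches ": (11) " but not "cc(137) "

def unwrap(text):
    """Rejoin wrapped entries; a new entry always starts with a timestamp."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def parse(text):
    """Return one (time, source, call, errno_name) tuple per failed call."""
    records = []
    for entry in unwrap(text):
        stamp, call, err = STAMP.match(entry), CALL.search(entry), ERRNO.search(entry)
        if not (stamp and call and err):
            continue  # not a syscall failure line
        src = SOURCE.search(entry)
        where = f"{src.group(1)}:{src.group(2)}" if src else None
        name = ERRNO_NAMES.get(int(err.group(1)), err.group(1))
        records.append((stamp.group(1), where, call.group(0), name))
    return records

def summarize(text):
    """Count failures per (call, errno) so repeated entries collapse to one row."""
    return Counter((call, name) for _, _, call, name in parse(text))
```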