[squid-users] NAT/TPROXY lookup failed to locate original IPs

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 6 12:18:27 UTC 2016


On 7/01/2016 1:08 a.m., Ben Barker wrote:
> Thanks Amos - good points - thanks. Both now fixed - though I still seem
> to be getting errors...sorry to be a bit inept here!
> 
> squid -v
> Squid Cache: Version 3.5.12
> Service Name: squid
> configure options:
>  '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
> '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
> '--enable-icap-client' '--enable-linux-netfilter' '--enable-ssl-crtd'
> '--with-default-user=squid' '--with-openssl'
> 
> cctv at bridgebox ~/squid-3.5.12 $ 2016/01/06 11:56:58 kid1| Current Directory
> is /home/cctv/squid-3.5.12
> 2016/01/06 11:56:58 kid1| Starting Squid Cache version 3.5.12 for
> i686-pc-linux-gnu...
<snip>
> 2016/01/06 11:58:57 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
> local=10.163.17.250:13129 remote=xxxxx:48616 FD 16 flags=33: (92) Protocol
> not available

The first error means the kernel NAT tables do not have any record of
the connection that arrived on the Squid intercept port.

* Do not make test connections directly to the intercept port. Test it
*exactly* as if you are a client going straight to the Internet.

* Do not perform the NAT on any other machine.

Compare your NAT rules with these to ensure you have them all right
(notice how there are 4 rules):
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat>

Amos
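The check the reply above implies, as an added example that is not part of the thread: does the kernel's connection-tracking table hold a DNAT record for the connection Squid complained about, or did the client hit the intercept port directly? The Squid log line and the `/proc/net/nf_conntrack` dump below are constructed (the remote address in the original post was masked; documentation addresses are used instead).

```python
import re

# Constructed cache.log line in the shape of the one quoted in the thread.
SQUID_ERROR = ("2016/01/06 11:58:57 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on "
               "local=10.163.17.250:13129 remote=192.0.2.20:48616 FD 16 flags=33: "
               "(92) Protocol not available")

# Constructed /proc/net/nf_conntrack lines: the first is a client flow that was
# DNATed to the intercept port; the second is a client that connected straight
# to the intercept port, so no NAT was applied (original dst == Squid itself).
CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.20 dst=198.51.100.7 sport=48616 dport=80 src=10.163.17.250 dst=192.0.2.20 sport=13129 dport=48616 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.21 dst=10.163.17.250 sport=50000 dport=13129 src=10.163.17.250 dst=192.0.2.21 sport=13129 dport=50000 [ASSURED] mark=0 use=1
"""

ERR_RE = re.compile(r"local=(\S+):(\d+) remote=(\S+):(\d+)")
CT_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_squid_error(line):
    """Return ((local_ip, local_port), (remote_ip, remote_port)) from the error line."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("not a NAT lookup error line")
    return (m.group(1), int(m.group(2))), (m.group(3), int(m.group(4)))

def find_original_dst(conntrack_text, local, remote):
    """Find the conntrack entry whose reply tuple matches Squid's accepted socket
    and report its original destination, i.e. what the ORIGINAL_DST lookup needs.
    Returns ("dnat", (ip, port)) for an intercepted flow, ("direct", (ip, port))
    when the client connected to the intercept port itself, or None when the
    kernel has no record of the connection at all."""
    for line in conntrack_text.splitlines():
        tuples = CT_RE.findall(line)          # original tuple, then reply tuple
        if len(tuples) != 2:
            continue
        orig, reply = tuples
        if (reply[0], int(reply[2])) != local or (orig[0], int(orig[2])) != remote:
            continue
        orig_dst = (orig[1], int(orig[3]))
        return ("direct" if orig_dst == local else "dnat", orig_dst)
    return None

def diagnose(error_line, conntrack_text):
    """One-line verdict for the operator, following the advice in the reply."""
    local, remote = parse_squid_error(error_line)
    hit = find_original_dst(conntrack_text, local, remote)
    if hit is None:
        return "no conntrack record: NAT rules never saw this connection (NAT done elsewhere or rules missing)"
    kind, (ip, port) = hit
    if kind == "direct":
        return "client connected straight to the intercept port; test as a normal client going to the Internet"
    return f"DNAT record found, original destination {ip}:{port}"
```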
