Solving squid's pinger error: IcmpSquid.cc(155) Recv: recv: (111) Connection refused

I've installed latest squid (3.2.0.3) recently from source. I configured it with --with-icmp to enable incoming icmp request. After compiling and installing it, it's time to run it. From the log I noticed that the pinger program produced an error like this:

IcmpSquid.cc(155) Recv: recv: (111) Connection refused

and filtering the log of the word pinger (using grep) :

pinger: Initialising ICMP pinger ...

2010/12/18 10:57:16| pinger: Unable to start ICMP pinger.

2010/12/18 10:57:16| pinger: Unable to start ICMPv6 pinger.

2010/12/18 10:57:16| FATAL: pinger: Unable to open any ICMP sockets.

From the errors above, I knew that they were related to permission problem (connection refused, unable to open socket). It solved when I setuid the pinger program to enable it to open the required socket :

chmod 4755 pinger (run this as root of course)

This pinger program is usually located in the bin directory of squid path e.g /usr/local/squid/bin (this is the default if you compile from source). Please consult your distro if you install it using package manager.

After restarting squid, I could see in the log as below:

pinger: Initialising ICMP pinger ...

2010/12/18 16:58:48| pinger: ICMP socket opened.

2010/12/18 16:58:48| pinger: ICMPv6 socket opened

That I think solved the problem. Have fun.

Transparent proxy with squid 2.6

I have upgraded my squid from 2.5 STABLE13 to 2.6 STABLE18. Transparent proxy is setup differently in this version. You need this directives in squid.conf (usually in /etc or /usr/local/etc or /usr/local/squid/etc, check with your distro).

acl our_networks src 192.168.2.0/24 127.0.0.1
http_access allow our_networks
http_port 192.168.2.1:3128 transparent
always_direct allow all

where 192.168.2.1 is your proxy server IP address.


If you have flushed your iptables, create new rule:

iptables -t nat -A PREROUTING -i  eth0 -p tcp –dport  80 -j REDIRECT –to-port 3128

where 3128 is the port where squid is running.

References:
http://www.deckle.co.za/squid-users-guide/Transparent_Caching/Proxy

Squid - File size limit exceeded

Yesterday (15th Feb 2008) my squid died unexpectedly. I tried to restart it several times but to no avail. So I tried to see what went wrong by debugging and ran it in foreground. So,

squid -NCd3

N = put it in foreground
C = don't catch fatal signals
d = set debug level (3 is the level)

It threw a bunch of messages with the last line was File size limit exceeded. Just like this but I got no core dumped!. With no clue how to solve it, I recompiled squid (2.6-stable17) with extra parameters (with-max-fd=8192 and --with-large-files):

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-icmp --enable-kill-parent-hack --enable-ssl --enable-linux-netfilter --enable-large-cache-files --enable-follow-x-forwarded-for --with-large-files

It solved it. Shane reported here that this happens when file store.log is bigger that 2 GB. Disabling the use of store.log (or other relevant files for that matter) will get rid of this problem.

An encounter with VLAN

2 days ago, I helped my friend setting up internet connection for his office's LAN. As he showed me the network diagram, I realised that there are 6 VLAN that I need to cover to make them connect to the internet.

6 VLANS-->CORE SWITCH-->ROUTER+PROXY+DNS-->GATEWAY-->INTERNET

The problem was to get the clients in each VLAN to communicate each other and to communicate with router. All clients should also be able to access dhcp server located in one of the VLANS. After struggling about two days, I managed to get all clients in different VLANS talking to each other and the router. The problem was that I didn't understand how each VLAN talk to each other. The solution was located on coe switch. The commands below did the job:

route add -net 172.20.10.0 netmask 255.255.255.0 gw 172.20.30.254 eth0
route add -net 172.20.20.0 netmask 255.255.255.0 gw 172.20.30.254 eth0
route add -net 172.20.30.0 netmask 255.255.255.0 gw 172.20.30.254 eth0
route add -net 172.20.40.0 netmask 255.255.255.0 gw 172.20.30.254 eth0
route add -net 172.20.50.0 netmask 255.255.255.0 gw 172.20.30.254 eth0
route add -net 172.20.60.0 netmask 255.255.255.0 gw 172.20.30.254 eth0

If you can see above, the gateway is the same to be able all VLANs talking to each other and .30.254 is the gateway of the router.

route add default gw xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx is the gateway public IP (usually a modem). Don't forget that the router should enable ip forwarding. change it in /etc/sysctl.conf and run sysctl -p to make it effective. NAT and forward table really depends on it.

iptables and squid

I setup squid for faster internet access and save internet bandwidth. For each VLAN, we have to make rules.

iptables -t nat -A PREROUTING -s 172.20.10.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -s 172.20.20.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -s 172.20.30.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -s 172.20.40.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -s 172.20.50.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -s 172.20.60.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Note that 3128 is the squid port.

That's it. Now the clients on every VLAN can access to the internet and communicate with each other.

squid and iptables - revisited

One of best combinations for internet connected LAN is squid, a proxy server and iptables, a packet filtering ruleset. To make it useful, this combination is used to configure transparent proxy for a LAN or more.

iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

Above command is for LAN (192.168.0.0/24) connecting to the internet via proxy server running on port 3128.

To make https proxied( it is not actually because we can't proxied encrypted packets but they are just forwarded), the command is as below :

iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3128

You can NOT do the same for ftp (port 21). For ftp, you have manually inserted the proxy address for ftp protocol in your browser connection setting.

By above command executed on a proxy server (a.k.a firewall), the PCs in the LAN need not be configured one by one to use the proxy server. Less work for system/network administrator :). They are said to be connected to the internet using proxy server transparently. Now you got it? :)

There's one more way to handle https connection. Instead of going through squid, you can also NAT it. Drop the above https command and use this :

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j SNAT --to 111.222.333.444

where 111.222.333.444 is your proxy server public IP address.

It is up to you which way you want to use. I can say that from my experience, there's no noticeable difference in terms of performance. If you do not agree, please do not hesitate to write comment and state your experience.

Setting up transparent proxy server

Hi all,

Today, while setting up ip for my internal network, i found out that i have run out of IPs and the internet access was very slow. I ran into a situation called "bottleneck". A situation where a road becomes narrow with heavy traffic. How to speed up this? The answer is proxy server.

On with the theory

Proxy server is a server that can cache visited web pages. Dynamic web pages are not cached. When a client access a website, the proxy server , on behalf of the client access the website and cache it. the next the client or other client wants to connect to the site, the proxy server just give the cached site to the client. Thus reducing the response time from the actual site.

Transparent proxy

In a normal proxy case, you have to set manually for each client to connect to outside. It is not a practical solution if you have a lot of workstations + many apps to connect to the internet. What is more practical solution? The answer is "transparent proxy" and now iptables comes into play.

What you have to do first?
1. Setup a server
OS : Linux (whatever flavor you want)
proxy server : Squid (install the latest one)
utilities : netfilter packages (for iptables)

Squid.conf

Your squid.conf location is dependent on how you install squid package. If u use source code and compile it without tweaking ./configure options, meaning it is in /usr/local/squid/etc. If you use your package manager, it is in /etc. Wherever it is, you have to edit it before you can use it as a transparent proxy.

What to edit
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan


Please change "lan" to suit your network environment. This file is heavily documented. Please read the comments before you change anything unless you know what you're doing.

I don't want to explain in detail on how to setup linux for your server. Please consult your spesific Linux distribution HOWTOs and FAQs. After you have complete setting up Linux, you should setup SQUID. More information on squid, pls visit http://www.squid-cache.org. squid usually readily packaged for your distro. You should check that first whether you can just install it from CD. If not, you have to download from the link above.

After you have edited squid.conf, this is the iptables command you should run on the proxy server.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

provided that your proxy server is using port 3128. If not, change it accordingly.