Re: [squid-users] Re: WARNING! Your cache is running out of filedescriptors

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 20 Jun 2014 18:44:45 +1200

On 17/06/2014 1:11 a.m., MrErr wrote:
> Yes this is a gateway machine. Here is my long iptables. Thanks for helping.
>

snipping away a great many empty chains ... you do realise that
calculating all those jumps and goto for each packet through the box is
slowing it down?

> -A POSTROUTING -o p2p1 ! -i lo -j MASQUERADE
> -A POSTROUTING ! -i lo -j MASQUERADE

Er, only need the second MASQUERADE rule here.

> -A PREROUTING -i p6p1 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.13.1:3129
> -A PREROUTING -i p6p1 -p tcp -m tcp --dport 443 -j DNAT
> --to-destination 192.168.13.1:3130
> -A PREROUTING -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT
> --to-ports 3130
> -A PREROUTING -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports
> 3129
> COMMIT

What I see these rules doing is NATing new connections from LAN *or* WAN
port 80 / 443 to Squid port 3129 and 3130 respectively.

Do you actually want the WAN traffic directed to the proxy?
Why do you bother having the -i limitations if all interfaces are
redirected to the proxy anyway?

If you are operating a reverse-proxy then DNAT is the wrong way.
Instead:
 * configure the DNS with proxy IP for the hosted domains, and
 * squid.conf add "http_port 80 accel" and "http_port 443 accel", and
 * in iptables filter table add:
 -A INPUT -i p2p1 -p tcp -d 192.168.13.1 --dport 80 -j ACCEPT
 -A INPUT -i p2p1 -p tcp -d 192.168.13.1 --dport 443 -j ACCEPT

> # Completed on Mon Jun 16 08:10:44 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
> *mangle
> :PREROUTING ACCEPT [7079916:4367281964]
> :INPUT ACCEPT [6413821:4248905726]
> :FORWARD ACCEPT [666095:118376238]
> :OUTPUT ACCEPT [5547690:4295572741]
> :POSTROUTING ACCEPT [6213726:4413950361]
> :PRE_external - [0:0]
> :PRE_external_allow - [0:0]
> -A PREROUTING -i p2p1 -g PRE_external
> -A PRE_external -j PRE_external_allow
> -A PRE_external_allow -p tcp -m tcp --dport 2082 -j MARK --set-xmark
> 0x64/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2072 -j MARK --set-xmark
> 0x65/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 5000:5020 -j MARK --set-xmark
> 0x66/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2052 -j MARK --set-xmark
> 0x67/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2092 -j MARK --set-xmark
> 0x68/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2042 -j MARK --set-xmark
> 0x69/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2062 -j MARK --set-xmark
> 0x6a/0xffffffff
> -A PRE_external_allow -p udp -m udp --dport 5000:5020 -j MARK --set-xmark
> 0x6b/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2022 -j MARK --set-xmark
> 0x6c/0xffffffff
> COMMIT

You are missing the Squid NAT port protection in mangle table:

  iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP

  iptables -t mangle -A PREROUTING -p tcp --dport 3130 -j DROP

> # Completed on Mon Jun 16 08:10:44 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 16 08:10:44 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [5547690:4295572741]
...
> -A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
> -A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT

Wrong. Input directly from _anywhere_ to the NAT ports is *bad*. This is
a loop.

On any connections (using 1 socket and 1 FD) made to port 3129 or 3130
directly (as permitted by the above rules) the OS will tell Squid the
destination IP was itself. On a MISS Squid fetches from the destination
server (using +1 socket and +2 FD) - that was apparently itself on port
3129 or 3130 ...
  which will still be a MISS, so Squid fetches from the destination
server (using +1 socket and +2 FD) - that was apparently itself on port
3129 or 3130 ...
  which will still be a MISS, so Squid fetches from the destination
server (using +1 socket and +2 FD) - that was apparently itself on port
3129 or 3130 ...

  ... and so on until one of TCP sockets, filedescriptors, or RAM
available on the machine run out. Whichever runs out first produces the
error message:
 - TCP sockets: the request fails with "Unable to connect"
 - FD: Squid logs "WARNING! Your cache is running out of filedescriptors"
 - RAM is a syslog message from the kernel about low RAM, possibly the
"oom killer" terminating Squid.

Amos
Received on Fri Jun 20 2014 - 06:45:09 MDT
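The checks Amos walks through above (the redundant MASQUERADE, the missing mangle protection for the NAT ports, and the filter INPUT rules that let anything connect to the NAT ports directly and start the loop) can be run mechanically over an iptables-save dump. The following audit script is an added example written for this page; it is not code from the thread or from the Squid project. The sample dump is constructed from the rules quoted in the thread (interfaces p2p1/p6p1, the 192.168.13.0/24 LAN and the Squid ports 3129/3130); the function names, the finding texts and the choice to count only DROP as valid port protection (REJECT is not a permitted target in PREROUTING) are this example's own.

```python
"""Audit an iptables-save dump for the Squid NAT interception mistakes
discussed in the thread: redundant MASQUERADE, no mangle-table protection
of the NAT ports, and filter INPUT rules that accept direct connections
to those ports (the looping MISS chain that exhausts filedescriptors).

Added example; the sample dump is constructed from the rules quoted in
the thread and is not a real capture.
"""
import re
from collections import defaultdict

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p2p1 ! -i lo -j MASQUERADE
-A POSTROUTING ! -i lo -j MASQUERADE
-A PREROUTING -i p6p1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3129
-A PREROUTING -i p6p1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.13.1:3130
-A PREROUTING -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A PREROUTING -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i p2p1 -g PRE_external
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return {table_name: [rule, ...]} from the -A lines of an iptables-save dump."""
    tables = defaultdict(list)
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A") and table:
            tables[table].append(line)
    return tables


def intercept_ports(nat_rules):
    """Local ports that REDIRECT / DNAT rules in the nat table hand traffic to."""
    ports = set()
    for rule in nat_rules:
        m = re.search(r"-j REDIRECT --to-ports (\d+)", rule)
        if m:
            ports.add(int(m.group(1)))
        m = re.search(r"-j DNAT --to-destination \S+:(\d+)", rule)
        if m:
            ports.add(int(m.group(1)))
    return ports


def dport_of(rule):
    """Single destination port of a rule, or None (port ranges are ignored)."""
    m = re.search(r"--dport (\d+)(?=\s|$)", rule)
    return int(m.group(1)) if m else None


def audit(text):
    """Return a list of human-readable findings for the dump."""
    tables = parse_dump(text)
    findings = []
    nat = tables.get("nat", [])
    ports = intercept_ports(nat)

    # 1. An unconditional MASQUERADE makes any narrower (-o iface) one redundant.
    masq = [r for r in nat if r.endswith("-j MASQUERADE")]
    if len(masq) > 1 and any(" -o " not in r for r in masq):
        findings.append("nat: redundant MASQUERADE rules; one unconditional rule suffices")

    # 2. Direct connections to the NAT ports must be dropped in mangle PREROUTING,
    #    otherwise the OS reports Squid's own address as the original destination.
    #    Only DROP counts: REJECT is not a permitted target in PREROUTING.
    protected = {dport_of(r) for r in tables.get("mangle", [])
                 if r.startswith("-A PREROUTING") and r.endswith("-j DROP")}
    for port in sorted(ports - protected):
        findings.append(f"mangle: no PREROUTING DROP for direct traffic to NAT port {port}")

    # 3. filter INPUT rules that ACCEPT traffic to the NAT ports enable the loop.
    for rule in tables.get("filter", []):
        if rule.startswith("-A INPUT") and rule.endswith("-j ACCEPT") and dport_of(rule) in ports:
            findings.append(f"filter: INPUT accepts direct connections to NAT port {dport_of(rule)}: {rule}")
    return findings


def fix_rules(ports):
    """The mangle-table protection rules to add for the given NAT ports."""
    return [f"iptables -t mangle -A PREROUTING -p tcp --dport {p} -j DROP" for p in sorted(ports)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
    for rule in fix_rules(intercept_ports(parse_dump(SAMPLE_DUMP)["nat"])):
        print(rule)
```

Run it against `iptables-save` output (`iptables-save | python3 audit.py`-style piping is a one-line change to read stdin instead of SAMPLE_DUMP). On the constructed dump it reports the redundant MASQUERADE, a missing DROP for each of 3129 and 3130, and the two INPUT ACCEPT rules; once the two DROP rules it prints are loaded into the mangle table, the mangle findings disappear, and the INPUT ACCEPT rules should simply be deleted.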

This archive was generated by hypermail 2.2.0 : Fri Jun 20 2014 - 12:00:05 MDT