Добрый день!
Имеем Fedora 17 i386 + SQUID 3.2.0.16 + NTLM. В качестве шлюза используется Cisco 800 series с внутренним IPv4-адресом 10.110.100.255.
При обращении к сайтам, имеющим IPv6-адрес, получаю:
При получении URL http://vk.com/ произошла следующая ошибка
Соединение с 2a00:bdc0:3:103:1:0:403:908 не удалось
Система вернула: (107) Transport endpoint is not connected
Удаленный узел или сеть недоступен. Повторите запрос позднее
Почему запрос идет по IPv6, хотя я вырубил его вот так:
# echo "install ipv6 /bin/true
blacklist ipv6" > /etc/modprobe.d/blacklist-ipv6.conf
# service ip6tables stop && chkconfig ip6tables off
SELinux вырублен, Firewall тоже отключен:
-SELINUX=disabled
-Setup->Firewall configuration......
В iptables ничего не настраивал
Вот информация о сквиде:
# squid -v
Squid Cache: Version 3.2.0.16
configure options: '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -fpie' 
'PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig'
Вот squid.conf
# squid.conf as posted. Authentication is NTLM with a Basic fallback, both through
# the ntlm_auth helper; access is granted by domain group via an external ACL helper.
# NOTE(review): nothing in this listing tells Squid to prefer or restrict itself to
# IPv4. The ifconfig and "ip -6 addr" output posted alongside still shows inet6
# addresses, so the modprobe blacklist does not appear to have taken effect.
# Squid 3.2 has a dns_v4_first directive for this case — confirm it is available
# in this build.
cache_mgr admin@domain.local
# NTLM scheme handled by ntlm_auth, with 25 helper children and keep_alive off.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 25
auth_param ntlm keep_alive off
# Basic scheme, validated by the same ntlm_auth binary (15 children, credentials
# cached for 2 hours, user names compared case-insensitively).
# NOTE(review): Basic sends the user name and password only base64-encoded, and
# http_port below is a plain listener, so these credentials cross the LAN in
# recoverable form — confirm the Basic fallback is actually needed.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Proxy Autentification Required
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# Perl helper used to sort users by group.
# %LOGIN hands the authenticated user name to the helper, so a request has to
# authenticate before an ACL of this type can be evaluated.
external_acl_type nt_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
# Group declarations that refer to groups in the domain
acl inet_users_full external nt_group inet_full # Full Internet access
# Access to the cache manager
acl manager_crystal proto cache_object
# Access by subnet
# NOTE(review): `crystal` is defined here but no access rule in this listing uses it.
acl crystal src 10.110.100.0/24
# Ports that may be reached
# NOTE(review): besides 443, this lets CONNECT tunnels reach 5190, 5222 and 2042.
# 5190 and 5222 are labelled icq and jabber below; 2042 is not explained anywhere
# in this listing.
acl SSL_ports port 443 5190 5222 2042
# 5190, 5222 and 5060 already fall inside the 1025-65535 range declared below.
acl Safe_ports port 5190 # icq
acl Safe_ports port 5222 # jabber, qip
acl Safe_ports port 5060 # sip
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Access list
# NOTE(review): the proxy_auth ACL `domain.local` is not referenced by any
# http_access line below; authentication is driven by inet_users_full instead.
acl domain.local proxy_auth REQUIRED
# Single host that snmp_access below allows to query the SNMP agent.
acl monitor src 10.110.100.1/32
visible_hostname proxy.domain.local
# Cache-manager requests are accepted from localhost only. `localhost` is not
# defined in this listing — presumably Squid's predefined ACL; verify.
http_access allow manager_crystal localhost
http_access deny manager_crystal
# Full Internet access
# NOTE(review): http_access rules are checked top-down and the first match decides.
# Members of inet_users_full are allowed here, before the Safe_ports / SSL_ports
# denies are reached, so those port limits never apply to them; everyone else is
# refused by the final `deny all` anyway. Moving the two deny lines above this
# allow would make the port restrictions effective for authenticated users.
http_access allow inet_users_full all
# Deny requests to ports outside Safe_ports, and CONNECT to ports outside SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Allow SNMP (from the `monitor` host only)
snmp_access allow monitor
snmp_access deny all
# And finally deny all other access to this proxy
http_access deny all
# Pull entire files from the start when a range is requested; for Windows Updates
range_offset_limit -1
# Original author's note: related to Windows Updates, left unexplained.
# -1 makes Squid finish fetching an object even after the client aborts, so a
# cancelled download can still consume upstream bandwidth up to
# maximum_object_size.
quick_abort_min -1
# Squid normally listens to port 3128
http_port 3128
# SNMP port; 3401 is the official port
snmp_port 3401
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Store large objects
maximum_object_size 200 MB
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 4096 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Long freshness lifetimes for Microsoft update payloads; reload-into-ims turns a
# client reload into an If-Modified-Since revalidation.
# The patterns are unanchored and the dots in the host names are unescaped, so
# they match any URL that contains these strings, not only the named hosts.
# Inside [...] the '|' is a literal character: ms[i|u|f] also matches "ms|".
refresh_pattern -i download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i download.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i ntservicepack.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i wustat.windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Вот что выдает ifconfig:
em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.110.100.1 netmask 255.255.255.0 broadcast 10.110.100.255
inet6 fe80::216:76ff:fe79:d4de prefixlen 64 scopeid 0x20<link>
ether 00:16:76:79:d4:de txqueuelen 1000 (Ethernet)
RX packets 328081 bytes 163247059 (155.6 MiB)
RX errors 0 dropped 3700 overruns 0 frame 0
TX packets 361682 bytes 250914245 (239.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 16436
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 121 bytes 9379 (9.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 121 bytes 9379 (9.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# ip -6 addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::216:76ff:fe79:d4de/64 scope link
valid_lft forever preferred_lft forever
# ip -6 route
unreachable ::/96 dev lo metric 1024 error -101
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -101
unreachable 2002:a00::/24 dev lo metric 1024 error -101
unreachable 2002:7f00::/24 dev lo metric 1024 error -101
unreachable 2002:a9fe::/32 dev lo metric 1024 error -101
unreachable 2002:ac10::/28 dev lo metric 1024 error -101
unreachable 2002:c0a8::/32 dev lo metric 1024 error -101
unreachable 2002:e000::/19 dev lo metric 1024 error -101
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -101
unreachable fe80::/64 dev lo proto kernel metric 256 error -101
fe80::/64 dev em1 proto kernel metric 256
При всём при этом на сайты google.com, youtube.com, yandex.ru и прочие заходит спокойно. Почему именно на vk.com лезет по IPv6?
Помогите разобраться, почему идет обращение к некоторым сайтам не по ipv4, а по ipv6?