Zeller, Jan wrote:
Sorry Henrik for my lack of knowledge here. But on the squid box I have done this:
The message occurs in three cases:
* missing/broken NAT support on the box
* packet did not arrive via NAT
* packet src before NAT was the Squid receiving box (looping bounce!)
There are a few things to try, one at a time to see what happens. Squid
does not need to be changed at all during these so if cache.log simply
stops reporting the message you have success...
$ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 8080
$ iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 885 packets, 49584 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 any anywhere anywhere tcp dpt:www redir ports 8080
Anything change if you add " ! -s 192.168.1.10 " to that rule or add a
"... -s 192.168.1.10 -j ACCEPT" above it?
Chain POSTROUTING (policy ACCEPT 59 packets, 3777 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 59 packets, 3777 bytes)
pkts bytes target prot opt in out source destination
The gw/router rule is done by:
# iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 2 -p tcp --dport 80
# iptables -t mangle -vL PREROUTING
Chain PREROUTING (policy ACCEPT 122K packets, 49M bytes)
pkts bytes target prot opt in out source destination
553 61889 MARK tcp -- eth1 any anywhere anywhere tcp dpt:www MARK xset 0x2/0xffffffff
The policy routing config example has these rules here (it assumes Squid
inside same router NIC as clients):
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -s $PROXYIP -j ACCEPT
# mark everything else on port 80 to be routed to the Squid box
$IPTABLES -t mangle -A PREROUTING -i $INPUTINTERFACE -p tcp --dport 80 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
I assume that the squid box only has one NIC and the Squid box has zero
ways to send packets _in_ the router eth1, right?
Amos
# ip rule add fwmark 2 table 2
# ip rule show
0: from all lookup local
32765: from all fwmark 0x2 lookup 2
32766: from all lookup main
32767: from all lookup default
# ip r a default via 192.168.1.10 dev eth2 table 2
# ip route sh table 2
default via 192.168.1.10 dev eth2
Where 192.168.1.10 is the IP address of the squid box. Anyway it works well despite the warnings.
They are non-fatal from a client point of view. But you lose any hope
of seeing or accounting for particular clients' traffic at the IP level
when it happens. Not to mention the log size :(
Amos
-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, 8 July 2009 02:22
To: Zeller, Jan
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: AW: squid-3.1.0.9 - error directory not created automatically
Fri 2009-07-03 at 08:30 +0200, Zeller, Jan wrote:
Thank you Amos that works !
But now squid-3.1.0.9 produces this message nearly every second:
squid[6609]: IpIntercept.cc(137) NetfilterInterception:
NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available
This error indicates that your Squid is configured for
Netfilter/Iptables transparent interception, but there apparently are no
netfilter NAT rules installed on the server (NAT engine not loaded in
kernel).
How have you done your transparent interception?
Regards
Henrik
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
Current Beta Squid 3.1.0.9
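The checks Amos walks through above (does the REDIRECT rule on the Squid box ever see a packet, and does the router exempt the proxy's own address before marking port-80 traffic) can be run mechanically over `iptables -vL` output. The script below is an added example written for this thread; it is not Squid's code and not anything the posters ran. The sample listings are constructed from the values quoted in the thread, the "fixed" router chain and its counters are illustrative, and it assumes iptables prints a negated source as `!a.b.c.d` in the source column.

```python
"""Flag the two interception failure modes discussed in the thread from
`iptables -t nat -vL` and `iptables -t mangle -vL PREROUTING` listings:
a REDIRECT rule whose packet counter stays at 0 (traffic is not arriving via
NAT, so Squid's SO_ORIGINAL_DST lookup has nothing to return) and a router
MARK rule with no exclusion for the proxy's own address (looping bounce).
Added example, not project code; sample listings are constructed."""
import re
from dataclasses import dataclass

# Constructed sample: the Squid box's nat table as quoted in the thread.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 885 packets, 49584 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere             tcp dpt:www redir ports 8080

Chain POSTROUTING (policy ACCEPT 59 packets, 3777 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 59 packets, 3777 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample: the router's mangle PREROUTING chain as quoted.
MANGLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 122K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
  553 61889 MARK       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:www MARK xset 0x2/0xffffffff
"""

# Same chain with the policy-routing example's proxy exclusion ahead of the
# MARK rule (constructed; the ACCEPT counters are illustrative).
MANGLE_LISTING_FIXED = """\
Chain PREROUTING (policy ACCEPT 122K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 ACCEPT     tcp  --  any    any     192.168.1.10         anywhere             tcp dpt:www
  553 61889 MARK       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:www MARK xset 0x2/0xffffffff
"""

PROXY_IP = "192.168.1.10"  # the Squid box's address, as stated in the thread


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    in_if: str
    source: str
    extra: str  # match details printed after the destination column


_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_counter(token: str) -> int:
    """-vL abbreviates large counters (122K, 49M); expand them to integers."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text: str) -> list:
    """Turn `iptables -t <table> -vL` output into Rule objects, in chain order."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("pkts"):  # column header
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if len(f) < 9:
            continue  # not a rule line
        extra = f[9] if len(f) > 9 else ""
        rules.append(Rule(chain, parse_counter(f[0]), f[2], f[5], f[7], extra))
    return rules


def redirect_hits(nat_rules, to_port="8080"):
    """Packet count on the PREROUTING REDIRECT rule feeding Squid, None if absent."""
    for r in nat_rules:
        if r.chain == "PREROUTING" and r.target == "REDIRECT" and f"redir ports {to_port}" in r.extra:
            return r.pkts
    return None


def proxy_excluded_before_mark(mangle_rules, proxy_ip):
    """True if the router exempts the proxy's own traffic from marking, either by
    an ACCEPT on the proxy source ahead of MARK or a negated source on MARK."""
    for r in mangle_rules:
        if r.chain != "PREROUTING":
            continue
        if r.target == "ACCEPT" and r.source == proxy_ip:
            return True
        if r.target == "MARK":
            return r.source == "!" + proxy_ip
    return False


def diagnose(nat_text, mangle_text, proxy_ip):
    """Return human-readable findings for the two failure modes."""
    findings = []
    hits = redirect_hits(parse_listing(nat_text))
    if hits is None:
        findings.append("no REDIRECT rule to Squid in nat PREROUTING")
    elif hits == 0:
        findings.append("REDIRECT rule matched 0 packets: traffic is not arriving via NAT, "
                        "so SO_ORIGINAL_DST has no entry to return")
    if not proxy_excluded_before_mark(parse_listing(mangle_text), proxy_ip):
        findings.append(f"MARK rule has no exclusion for {proxy_ip}: the proxy's own "
                        "port-80 traffic can be marked and bounced back to it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NAT_LISTING, MANGLE_LISTING, PROXY_IP):
        print("-", finding)
```

Run against the thread's own listings it reports both findings; with the exclusion rule in front of MARK only the zero-counter finding remains, which matches Amos's point that the REDIRECT counter, not Squid's config, is where to look first.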