Search squid archive

Re: AW: AW: squid-3.1.0.9 - error directory not created automatically

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Zeller, Jan wrote:
Sorry Henrik for my lack of knowledge here. But on the squid box I have done this :


The message occurs in three cases:

 * missing/broken NAT support on the box
 * packet did not arrive via NAT
 * packet src before NAT was the Squid receiving box (looping bounce!)


There are a few things to try, one at a time to see what happens. Squid doe not need to be changed at all during these so if cache.log simply stops reporting the message you have success...


$ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 8080
$ iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 885 packets, 49584 bytes)
pkts bytes target prot opt in out source destination 0 0 REDIRECT tcp -- eth0 any anywhere anywhere tcp dpt:www redir ports 8080


Anything change if you add " ! -s 192.168.1.10 " to that rule or add a "... -s 192.168.1.10 -j ACCEPT" above it?


Chain POSTROUTING (policy ACCEPT 59 packets, 3777 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 59 packets, 3777 bytes)
pkts bytes target     prot opt in     out     source               destination



The gw/router rule is done by :

# iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 2 -p tcp --dport 80
# iptables -t mangle -vL PREROUTING
 Chain PREROUTING (policy ACCEPT 122K packets, 49M bytes)
pkts bytes target prot opt in out source destination 553 61889 MARK tcp -- eth1 any anywhere anywhere tcp dpt:www MARK xset 0x2/0xffffffff


The policy routing config example has these rules here (it assumes Squid inside same router NIC as clients):

$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -s  $PROXYIP -j ACCEPT

# mark everything else on port 80 to be routed to the Squid box
$IPTABLES -t mangle -A PREROUTING -i $INPUTINTERFACE -p tcp --dport 80 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT


I assume that the squid box only has one NIC and the Squid box has zero ways to send packets _in_ the router eth1, right?


Amos


# ip rule add fwmark 2 table 2
# ip rule show
0: from all lookup local 32765: from all fwmark 0x2 lookup 2 32766: from all lookup main 32767: from all lookup default
# ip r a default via 192.168.1.10 dev eth2 table 2
# ip route sh table 2
 default via 192.168.1.10 dev eth2

Where 192.168.1.10 is the IP address of the squidbox. Anyway it works well despite of the warnings.

They are non-fatal from a client point of view. But you loose any hope of seeing or accounting for particular clients traffic at the IP level when it happens. Not to mention the log size :(

Amos

-----Ursprüngliche Nachricht-----
Von: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx] Gesendet: Mittwoch, 8. Juli 2009 02:22
An: Zeller, Jan
Cc: squid-users@xxxxxxxxxxxxxxx
Betreff: Re: AW:  squid-3.1.0.9 - error directory not created automatically

fre 2009-07-03 klockan 08:30 +0200 skrev Zeller, Jan:
Thank you Amos that works ! But now squid-3.1.0.9 produces nearly every second this message :

squid[6609]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available

This error indicates that your Squid is configured for
Netfilter/Iptables transparent interception, but there apparently is no
netfilter NAT rules installed on the server.. (NAT engine not loaded in
kernel).

How have you done your transparent interception?

Regards
Henrik



--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux