Re: AW: AW: [squid-users] squid-3.1.0.9 - error directory not created automatically

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 09 Jul 2009 20:03:33 +1200

Zeller, Jan wrote:
> Sorry Henrik for my lack of knowledge here. But on the squid box I have done this :
>

The message occurs in three cases:

  * missing/broken NAT support on the box
  * packet did not arrive via NAT
  * packet src before NAT was the Squid receiving box (looping bounce!)

There are a few things to try, one at a time to see what happens. Squid
doe not need to be changed at all during these so if cache.log simply
stops reporting the message you have success...

> $ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 8080
> $ iptables -t nat -vL
> Chain PREROUTING (policy ACCEPT 885 packets, 49584 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 REDIRECT tcp -- eth0 any anywhere anywhere tcp dpt:www redir ports 8080
>

Anything change if you add " ! -s 192.168.1.10 " to that rule or add a
"... -s 192.168.1.10 -j ACCEPT" above it?

> Chain POSTROUTING (policy ACCEPT 59 packets, 3777 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 59 packets, 3777 bytes)
> pkts bytes target prot opt in out source destination
>
>
>
> The gw/router rule is done by :
>
> # iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 2 -p tcp --dport 80
> # iptables -t mangle -vL PREROUTING
> Chain PREROUTING (policy ACCEPT 122K packets, 49M bytes)
> pkts bytes target prot opt in out source destination
> 553 61889 MARK tcp -- eth1 any anywhere anywhere tcp dpt:www MARK xset 0x2/0xffffffff
>

The policy routing config example has these rules here (it assumes Squid
inside same router NIC as clients):

$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -s $PROXYIP -j ACCEPT

# mark everything else on port 80 to be routed to the Squid box
$IPTABLES -t mangle -A PREROUTING -i $INPUTINTERFACE -p tcp --dport 80
-j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT

I assume that the squid box only has one NIC and the Squid box has zero
ways to send packets _in_ the router eth1, right?

Amos

> # ip rule add fwmark 2 table 2
> # ip rule show
> 0: from all lookup local
> 32765: from all fwmark 0x2 lookup 2
> 32766: from all lookup main
> 32767: from all lookup default
>
> # ip r a default via 192.168.1.10 dev eth2 table 2
> # ip route sh table 2
> default via 192.168.1.10 dev eth2
>
> Where 192.168.1.10 is the IP address of the squidbox. Anyway it works well despite of the warnings.

They are non-fatal from a client point of view. But you loose any hope
of seeing or accounting for particular clients traffic at the IP level
when it happens. Not to mention the log size :(

Amos

> -----Ursprüngliche Nachricht-----
> Von: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Gesendet: Mittwoch, 8. Juli 2009 02:22
> An: Zeller, Jan
> Cc: squid-users_at_squid-cache.org
> Betreff: Re: AW: [squid-users] squid-3.1.0.9 - error directory not created automatically
>
> fre 2009-07-03 klockan 08:30 +0200 skrev Zeller, Jan:
>> Thank you Amos that works !
>> But now squid-3.1.0.9 produces nearly every second this message :
>>
>> squid[6609]: IpIntercept.cc(137) NetfilterInterception:
>> NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available
>
> This error indicates that your Squid is configured for
> Netfilter/Iptables transparent interception, but there apparently is no
> netfilter NAT rules installed on the server.. (NAT engine not loaded in
> kernel).
>
> How have you done your transparent interception?
>
> Regards
> Henrik
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
Received on Thu Jul 09 2009 - 08:03:41 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 09 2009 - 12:00:03 MDT