Hi,
At 02:14 p.m. 25/02/2005, Jesse Guardiani wrote:
Henrik Nordstrom wrote:
> On Thu, 24 Feb 2005, Jesse Guardiani wrote:
>
>> I don't think it is anymore. It seems like the packets are just
>> disappearing after they hit my iptables rule. I tried placing OUTPUT and
>> POSTROUTING LOG rules around the NAT table, and their hit counters
>> increment if I hit the cache directly from a web browser, but if I hit it
>> transparently the packet just disappears after the REDIRECT to port
>> 3128.
>
> Try using DNAT instead of REDIRECT.
I thought you might say that, so I tried it with DNAT earlier in the day. I tried destination addresses 192.168.10.2 (my ip alias on eth0:22) and 192.168.1.2 (my "real" eth0 ip). Neither worked. Here's an example of the latter:
# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 425 packets, 61769 bytes)
pkts bytes target prot opt in out source destination
43 2580 DNAT tcp -- gre1 any anywhere anywhere tcp dpt:www to:192.168.1.2:3128
Do you see anything wrong with the above?
I'm starting to think that something is wrong with linux's gre WCCP decapsulation. That's why I keep asking if anyone actually has this working on my kernel and my squid. But I guess, judging from the silence, that nobody has it working yet.
Is there a better alternative to WCCP? I'm particularly interested in the fail-over feature. I'd hate for my users' internet access to go down just because my squid server rebooted.
No need. I can confirm it does work, but it does need to be set up in a specific way.
I have been using 2.6 series right the way through, now running 2.6.11-rc5, and switched to using the gre tunnel method when it became supported by the Linux kernel. ip_wccp is good, but it is not in the kernel and it's a lot easier to just use a GRE tunnel built into the kernel instead.
If you wish to use ip_wccp, I suggest you start by getting this config below to work properly first, and then change to ip_wccp and then take down the GRE interface, start from a position of it working before you start experimenting ;) The router config and squid config would be the same, the iptables config is slightly different though.
Router config:
--------------
* My router is running 12.3(11)T3. BE CAREFUL, some versions of IOS do NOT work without also turning off CEF and/or fast switching, although most recent ones do work OK. Stick to a stable (non T or branch) release if you can, such as latest 12.2 or 12.3.
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip wccp web-cache redirect in
interface Loopback0
 ip address 172.16.1.5 255.255.255.252
end
(Note the loopback IP range matches that on the GRE tunnel on my linux box)
Linux box core config:
----------------------
/etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
iptables config:
----------------
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.0.3:3128
This makes sure that traffic from 192.168.0.0/255.255.0.0 destined for 192.168.0.0/255.255.0.0 is not redirected to the cache.
Squid config:
-------------
wccp_router 192.168.0.1
wccp_version 4
wccp_outgoing_address 192.168.0.3   <<---- I have two IP addresses on this box
I'm not sure if it is optimal or not, but it works with every squid version I have ever tried. If I remember correctly, some of these instructions came from a page by Joe Cooper @ Swelltech, but I can't put my hands on it right now.
Hope this helps.
reuben
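Added example, not from anyone in this thread: a small checker that reads an `iptables -t nat -L -v` listing (the kind Jesse pasted above) and compares the port-80 DNAT rule against the intended WCCP setup (in-interface gre0, redirect to the cache on 3128). The listing embedded below is constructed, modelled on Jesse's output, so that the interface and target mismatches it reports are visible; the expected values are those from Reuben's config.

```python
import re

# Constructed sample of `iptables -t nat -L -v` output, modelled on the listing in the
# thread (in-interface gre1, DNAT to 192.168.1.2:3128, 43 packets matched so far).
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 425 packets, 61769 bytes)
 pkts bytes target     prot opt in     out     source               destination
   43  2580 DNAT       tcp  --  gre1   any     anywhere            !192.168.0.0/16      tcp dpt:www to:192.168.1.2:3128
"""

def parse_nat_rules(listing):
    """Yield one dict per rule line; chain headers and column headers are skipped."""
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue
        rule = {"pkts": int(f[0]), "bytes": int(f[1]), "target": f[2], "proto": f[3],
                "in": f[5], "out": f[6], "src": f[7], "dst": f[8], "extra": " ".join(f[9:])}
        m = re.search(r"dpt:(\S+)", rule["extra"])
        rule["dport"] = m.group(1) if m else None
        m = re.search(r"to:(\S+)", rule["extra"])
        rule["to"] = m.group(1) if m else None
        yield rule

def check_redirect(listing, gre_dev="gre0", cache="192.168.0.3", port=3128):
    """Find the DNAT rule for tcp dport 80 and return (rule, list of problems).

    gre_dev/cache/port are the values the setup is supposed to use; the defaults
    are the ones from the working configuration in the thread.
    """
    problems = []
    rules = [r for r in parse_nat_rules(listing)
             if r["target"] == "DNAT" and r["dport"] in ("80", "www")]
    if not rules:
        return None, ["no DNAT rule for tcp dport 80 in the nat table"]
    r = rules[0]
    if r["in"] != gre_dev:
        problems.append(f"rule matches in-interface {r['in']}, expected {gre_dev}")
    if r["to"] != f"{cache}:{port}":
        problems.append(f"rule redirects to {r['to']}, expected {cache}:{port}")
    if r["pkts"] == 0:
        problems.append("rule has matched no packets: nothing is arriving on the GRE interface")
    return r, problems

if __name__ == "__main__":
    rule, issues = check_redirect(SAMPLE_LISTING)
    print(rule)
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it against the real listing with `check_redirect(subprocess.check_output(["iptables", "-t", "nat", "-L", "-v"], text=True))` and pass your own interface and cache address if they differ from Reuben's.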