Search squid archive

Problem with transparent proxy using WCCP2 + GRE on Linux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi squid-users,

I'm currently trying to replace an old netapp proxy with a squid+linux box.

I've some users behind a Cisco 7200 running IOS 12.4(12) using the proxy in 
transparent mode. The current proxy uses WCCP2+GRE to get the traffic from 
the router. The aim is to reproduce this behaviour with the squid box.

I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from debian 
and squid-2.6.STABLE8 compiled with the following options :

$ ./configure --prefix=/opt/package/squid-2.6.STABLE8
--enable-storeio=aufs,coss,diskd,null,ufs --enable-removal-policies=heap,lru
--enable-useragent-log --enable-referer-log --enable-wccp --enable-wccpv2
--enable-snmp --enable-linux-netfilter --enable-large-cache-files
--disable-ident-lookups --with-pthreads

my squid.conf file include these lines :

http_port 3128 transparent
wccp2_router <ip_of_the_cisco_router>
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0

I have set up an unnumbered GRE tunnel between the box and the router :

# iptunnel del gre0
# iptunnel add gre0 mode gre remote <ip_of_the_cisco_router> local 
<ip_of_the_linux_box> dev eth0
# ifconfig gre0 up

I've added these commands to enable routing and disable spoof protection.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > $file
done

To do the redirection, i'm using iptables, with all default policies set to 
ACCEPT, plus this rule :

# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j 
DNAT --to-destination <ip_of_the_linux_box>:3128

The Cisco router has been doing the job for years, so I doubt the problem 
comes from it. The squid proxy is running, with no error messages. I've 
tested it by explicitely declaring it in my browser, and it works perfectly.

The router can see the proxy (it is in his WCCP list) and it sends the packets 
to the linux box. I can see the encapsulated packets coming to the linux box, 
i can see the packets coming out of the GRE tunnel (tcpdump -i gre0), they 
hit the iptable redirection rule (iptables -t nat -L -v (the couter is 
increasing)), but afterwards, they seem to disappear. No trace in the squid 
log. The tcp session is not established. I see no related traffic coming out 
of the box either.

Does someone has an idea of what could be happening ?

I'm also very interrested in knowing how (in therory) the answer is supposed 
to return to the client.

Thanks
-- 
Nicolas L.
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux