Nicolas,

Maybe the packets are getting dropped when they are trying to get back into your system on port 3128; try redirecting to the port only, using --to-ports instead of --to-destination. I also use the REDIRECT function as opposed to DNAT. Here is my rule:

iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Finally, I use the IP of my cache server with a /32 mask for the gre0 interface.

Hope this helps.

Thanks,
Bryan

On Fri, 2007-02-23 at 04:09 -0500, Nicolas Limage wrote:
> Hi squid-users,
>
> I'm currently trying to replace an old netapp proxy with a squid+linux box.
>
> I've some users behind a Cisco 7200 running IOS 12.4(12) using the proxy in transparent mode. The current proxy uses WCCP2+GRE to get the traffic from the router. The aim is to reproduce this behaviour with the squid box.
>
> I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from debian and squid-2.6.STABLE8 compiled with the following options:
>
> $ ./configure --prefix=/opt/package/squid-2.6.STABLE8 --enable-storeio=aufs,coss,diskd,null,ufs --enable-removal-policies=heap,lru --enable-useragent-log --enable-referer-log --enable-wccp --enable-wccpv2 --enable-snmp --enable-linux-netfilter --enable-large-cache-files --disable-ident-lookups --with-pthreads
>
> my squid.conf file includes these lines:
>
> http_port 3128 transparent
> wccp2_router <ip_of_the_cisco_router>
> wccp2_rebuild_wait on
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service standard 0
>
> I have set up an unnumbered GRE tunnel between the box and the router:
>
> # iptunnel del gre0
> # iptunnel add gre0 mode gre remote <ip_of_the_cisco_router> local <ip_of_the_linux_box> dev eth0
> # ifconfig gre0 up
>
> I've added these commands to enable routing and disable spoof protection.
>
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> # for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 0 > $file
> done
>
> To do the redirection, I'm using iptables, with all default policies set to ACCEPT, plus this rule:
>
> # iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination <ip_of_the_linux_box>:3128
>
> The Cisco router has been doing the job for years, so I doubt the problem comes from it. The squid proxy is running, with no error messages. I've tested it by explicitly declaring it in my browser, and it works perfectly.
>
> The router can see the proxy (it is in its WCCP list) and it sends the packets to the linux box. I can see the encapsulated packets coming to the linux box, I can see the packets coming out of the GRE tunnel (tcpdump -i gre0), they hit the iptables redirection rule (iptables -t nat -L -v: the counter is increasing), but afterwards they seem to disappear. No trace in the squid log. The TCP session is not established. I see no related traffic coming out of the box either.
>
> Does someone have an idea of what could be happening?
>
> I'm also very interested in knowing how (in theory) the answer is supposed to return to the client.
>
> Thanks
> --
> Nicolas L.
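A small checker for the three points this thread turns on (DNAT versus REDIRECT on the port-80 rule, a /32 on gre0, and rp_filter off), added here as an example and not code from either poster; the rule text, the `ip addr` output and the function names are my own constructed assumptions.

```python
"""Hypothetical checker for the WCCP/GRE interception setup in this thread.
Inputs are constructed samples; nothing here touches the running kernel."""
import re

SQUID_PORT = 3128  # Squid's http_port from Nicolas's squid.conf

def check_nat_rules(iptables_save):
    """Flag port-80 PREROUTING rules that DNAT to an address instead of
    REDIRECTing to a local port, the change Bryan suggests."""
    findings = []
    for line in iptables_save.splitlines():
        if not line.startswith("-A PREROUTING") or "--dport 80" not in line:
            continue
        if "-j DNAT" in line:
            findings.append("port-80 rule uses DNAT --to-destination; "
                            "prefer REDIRECT --to-ports %d" % SQUID_PORT)
        elif "-j REDIRECT" in line:
            m = re.search(r"--to-ports (\d+)", line)
            if not m or int(m.group(1)) != SQUID_PORT:
                findings.append("REDIRECT rule does not target Squid's http_port")
            if "-i gre0" not in line:
                findings.append("REDIRECT rule is not limited to -i gre0, so it "
                                "intercepts port 80 arriving on every interface")
    return findings

def check_gre_addr(ip_addr_out):
    """The cache IP on gre0 should carry a /32 mask (Bryan's last point)."""
    m = re.search(r"\binet (\d+\.\d+\.\d+\.\d+)/(\d+)", ip_addr_out)
    if not m:
        return ["gre0 has no IPv4 address configured"]
    if int(m.group(2)) != 32:
        return ["gre0 address %s/%s is not a /32" % (m.group(1), m.group(2))]
    return []

def check_rp_filter(value):
    """Reverse-path filtering must be 0, as in Nicolas's setup, or client packets emerging from gre0 are dropped as spoofed."""
    return [] if value.strip() == "0" else ["rp_filter is enabled on gre0"]

def diagnose(iptables_save, ip_addr_out, rp_filter):
    return (check_nat_rules(iptables_save) + check_gre_addr(ip_addr_out)
            + check_rp_filter(rp_filter))

# Constructed samples: Nicolas's DNAT rule versus Bryan's REDIRECT rule,
# and `ip -o -4 addr show gre0` output with a /24 and with a /32.
NICOLAS_NAT = "-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3128"
BRYAN_NAT = "-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128"
GRE_24 = "5: gre0    inet 192.0.2.10/24 scope global gre0\\       valid_lft forever"
GRE_32 = "5: gre0    inet 192.0.2.10/32 scope global gre0\\       valid_lft forever"
```

Feed it the real `iptables-save -t nat`, `ip -o -4 addr show gre0` and `cat /proc/sys/net/ipv4/conf/gre0/rp_filter` output and `diagnose()` returns an empty list when all three points match Bryan's working setup.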