Search squid archive

Re: Problem with transparent proxy using WCCP2 + GRE on Linux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Nicolas,

Maybe, the packets are getting dropped when they are trying to get back
into your system on port 3128, try redirecting to the port only using
--to-ports instead of --to-destination.  I also use the REDIRECT
function as opposed to DNAT.  Here is my rule:

iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j
REDIRECT --to-ports 3128

Finally, i use the IP of my cache server with a /32 mask for the gre0
interface.  Hope this helps.

Thanks,
 Bryan

On Fri, 2007-02-23 at 04:09 -0500, Nicolas Limage wrote:
> Hi squid-users,
> 
> I'm currently trying to replace an old netapp proxy with a squid+linux
> box.
> 
> I've some users behind a Cisco 7200 running IOS 12.4(12) using the
> proxy in
> transparent mode. The current proxy uses WCCP2+GRE to get the traffic
> from
> the router. The aim is to reproduce this behaviour with the squid box.
> 
> I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from
> debian
> and squid-2.6.STABLE8 compiled with the following options :
> 
> $ ./configure --prefix=/opt/package/squid-2.6.STABLE8
> --enable-storeio=aufs,coss,diskd,null,ufs
> --enable-removal-policies=heap,lru
> --enable-useragent-log --enable-referer-log --enable-wccp
> --enable-wccpv2
> --enable-snmp --enable-linux-netfilter --enable-large-cache-files
> --disable-ident-lookups --with-pthreads
> 
> my squid.conf file include these lines :
> 
> http_port 3128 transparent
> wccp2_router <ip_of_the_cisco_router>
> wccp2_rebuild_wait on
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service standard 0
> 
> I have set up an unnumbered GRE tunnel between the box and the
> router :
> 
> # iptunnel del gre0
> # iptunnel add gre0 mode gre remote <ip_of_the_cisco_router> local
> <ip_of_the_linux_box> dev eth0
> # ifconfig gre0 up
> 
> I've added these commands to enable routing and disable spoof
> protection.
> 
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> # for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 0 > $file
> done
> 
> To do the redirection, i'm using iptables, with all default policies
> set to
> ACCEPT, plus this rule :
> 
> # iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j
> DNAT --to-destination <ip_of_the_linux_box>:3128
> 
> The Cisco router has been doing the job for years, so I doubt the
> problem
> comes from it. The squid proxy is running, with no error messages.
> I've
> tested it by explicitely declaring it in my browser, and it works
> perfectly.
> 
> The router can see the proxy (it is in his WCCP list) and it sends the
> packets
> to the linux box. I can see the encapsulated packets coming to the
> linux box,
> i can see the packets coming out of the GRE tunnel (tcpdump -i gre0),
> they
> hit the iptable redirection rule (iptables -t nat -L -v (the couter is
> increasing)), but afterwards, they seem to disappear. No trace in the
> squid
> log. The tcp session is not established. I see no related traffic
> coming out
> of the box either.
> 
> Does someone has an idea of what could be happening ?
> 
> I'm also very interrested in knowing how (in therory) the answer is
> supposed
> to return to the client.
> 
> Thanks
> --
> Nicolas L.
> 


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux