Ok. My iptables rule was not intercepting the packet as I had created the rule for eth0 not gre1. I created the rule for gre1 as shown below. Now the packets don't get forwarded to the router and loop as they were before, but still Squid does not reply via eth0 with a SYN ACK. A tcpdump on gre1 sees the incoming SYN packets while a tcpdump on eth0 only sees the GRE encrypted traffic. I have listed my squid.conf below also.

iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 139 packets, 7087 bytes)
 pkts bytes target     prot opt in     out     source               destination
  187  8976 REDIRECT   tcp  --  gre1   any     anywhere             anywhere            tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT 728 packets, 44476 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 608 packets, 38716 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables-save -t nat

# Generated by iptables-save v1.3.5 on Thu Jun 14 14:58:08 2007
*nat
:PREROUTING ACCEPT [139:7087]
:POSTROUTING ACCEPT [742:45345]
:OUTPUT ACCEPT [622:39585]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Thu Jun 14 14:58:08 2007

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 128 MB
cache_dir ufs /usr/local/squid/var/cache 1024 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl internal src MY_INTERNAL_IPS/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow internal
http_access allow all
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
visible_hostname HOSTNAME.DOMAIN.COM
always_direct allow all
wccp2_router ROUTER_IP_ADDRESS
wccp2_assignment_method 1
wccp2_address MY_IP_ADDRESS
coredump_dir /usr/local/squid/var/cache

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 12, 2007 3:49 PM
To: Van Der Hart, Kevin
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: RE: Red Hat 5 - Squid 2.6 Stable 13 WCCP V2 and GRE

Tue 2007-06-12 at 10:16 -0500, Van Der Hart, Kevin wrote:

> I have determined what is happening but am not sure what to do to fix
> the problem. I ran tcpdump on my client and it sent 3 SYN requests. I
> saw 378 SYN requests come in my GRE interface and saw 375 SYN requests
> go out my ETH interface with a source IP of the client address. Since
> the source address is not the Squid machine, WCCP is sending them back
> to me again. Is Linux forwarding these packets acting as a router or
> does Squid use the client IP address in its request to contact the
> real web server?

Then your iptables rule is not intercepting the packet. Triple check your nat rules again

iptables-save -t nat

remember that these SYNs are coming in on the gre interface, not eth.

Regards
Henrik
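
The check suggested in the quoted reply (compare the nat rules against the interface the SYNs actually arrive on) can be scripted. The following is an added example, not code from either poster or from the Squid project: it cross-checks `iptables-save -t nat` output against squid.conf. The function names, the `gre` interface prefix and the sample strings are assumptions constructed from the rule and `http_port` line posted above.

```python
# Constructed sample input mirroring the rule and http_port line in the thread.
SAMPLE_NAT = """*nat
:PREROUTING ACCEPT [139:7087]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""
SAMPLE_SQUID = "http_port 3128 transparent\n"


def intercept_ports(squid_conf):
    """Ports of http_port lines carrying the Squid 2.6 'transparent' flag."""
    ports = set()
    for line in squid_conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "http_port" and "transparent" in f[2:]:
            ports.add(f[1].rsplit(":", 1)[-1])  # accepts "3128" or "ip:3128"
    return ports


def redirect_rules(nat_dump):
    """(in-interface, dport, to-port) for each PREROUTING REDIRECT rule."""
    rules = []
    for line in nat_dump.splitlines():
        tok = line.split()
        opt = dict(zip(tok, tok[1:]))  # each token -> the token that follows it
        if tok[:2] == ["-A", "PREROUTING"] and opt.get("-j") == "REDIRECT":
            rules.append((opt.get("-i", "any"), opt.get("--dport"),
                          opt.get("--to-ports")))
    return rules


def check(nat_dump, squid_conf, tunnel_prefix="gre"):
    """Return a list of problems; an empty list means the rule fits the GRE path."""
    ports = intercept_ports(squid_conf)
    rules = redirect_rules(nat_dump)
    problems = []
    if not ports:
        problems.append("squid.conf has no transparent http_port")
    tunnel = [r for r in rules if r[0].startswith(tunnel_prefix)]
    if not tunnel:
        seen = ", ".join(sorted({r[0] for r in rules})) or "none"
        problems.append("no REDIRECT rule on a %s* interface (rules on: %s)"
                        % (tunnel_prefix, seen))
    for iface, dport, to_port in tunnel:
        if dport != "80":
            problems.append("%s: rule matches dport %s, not 80" % (iface, dport))
        if to_port not in ports:
            problems.append("%s: redirects to %s, Squid intercepts on %s"
                            % (iface, to_port, sorted(ports)))
    return problems


if __name__ == "__main__":
    print(check(SAMPLE_NAT, SAMPLE_SQUID) or "REDIRECT rule matches the GRE path")
```

An empty result only confirms that the rule and the `http_port` line agree on interface and ports; it says nothing about what happens to the packet after the redirect.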