Re: transparent Proxy with WCCP


Regardt van de Vyver wrote:
Roland Roland wrote:
...

------------------added to Squid.conf:------------------

acl MyNet src 192.168.0.0/24
http_access allow MyNet  (this is set before the deny all rule)
wccp_router 192.168.0.1
http_port 3128 transparent


------------------connectivity------------------

ip tunnel add wccp0 mode gre remote 192.168.0.1 local 192.168.0.108 dev eth0
ip addr add 192.168.0.108/24 dev wccp0
ip link set wccp0 up

iptables -t nat -A PREROUTING -i wccp0 -j REDIRECT -p tcp --to-port 80 <<-- to direct from GRE to port 80



...
Hi Roland,

My experience is almost exclusively with wccp2 but off the bat the only thing that looks 'funky' to me is your iptables rule and a few /proc tweaks.

Try the following after doing the "ip link set wccp0 up":

echo 1 > /proc/sys/net/ipv4/ip_forward
I guess you don't need to set ip_forward = 1 when you aren't NATing your private to public IP in the proxy. (I mean, in your case, if the router is the default gw for the proxy.)
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

The GRE tunnel is only there to provide decapsulation of the WCCP traffic from the router. Once that is done the traffic is essentially still pointing towards port 80. Since you're running your squid on port 3128 your iptables rule NEEDS to redirect incoming port 80 traffic to that port, so it should read:

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128


regards,

Regardt vd Vyver

It is working with the following configuration in my case:

1. A script to set up GRE interface in proxy:

---------------->
#!/bin/bash

case "$1" in
up)
       echo -n "Setting gre1 UP: "
       /sbin/modprobe ip_gre
       /sbin/iptunnel add gre1 mode gre remote <router-loopbackIP> local <proxy-server-ip> dev eth0
       /sbin/ip addr add <proxy-server-ip>/32 dev gre1
       /sbin/ip link set gre1 up
       /sbin/sysctl -w net.ipv4.conf.gre1.rp_filter=0
       /sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0
       exit
       ;;
down)
       /sbin/ip link set gre1 down
       /sbin/ip tunnel del gre1
       exit
       ;;
esac

exit 0
------------------>


2. Configuration in my router:

conf t

!
ip wccp version 1
ip wccp web-cache redirect-list squid-acl

!
int fa 1/0
!
! The interface is facing towards my-LAN

ip wccp web-cache redirect in
!
! But you can apply redirection in either the IN or OUT direction and on more than one interface. This way is what I have preferred.

ip access-list extended squid-acl
deny   ip host <proxy-ip> any
deny   ip <your-LAN-net> <wild-card-mask> any
permit ip any any
!


Regards,

Pritam
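
Added example (not part of the original thread and not the posters' own code): an offline check that the NAT rule on the GRE interface redirects tcp/80 to the port Squid actually listens on, which is the mismatch diagnosed above. The function names are hypothetical and the sample squid.conf and iptables-save lines are constructed from the values quoted in the thread.

```bash
#!/bin/bash
# Added example: offline check that the NAT redirect matches Squid's port.
# Function names are hypothetical; sample inputs below are constructed.

# Read squid.conf text on stdin; print the port of the first
# "http_port ... transparent" line (handles "ip:port" too).
squid_transparent_port() {
    awk '$1 == "http_port" && /transparent/ {
             n = split($2, a, ":"); print a[n]; exit }'
}

# Read `iptables-save -t nat` text on stdin. Succeed only if a PREROUTING
# rule on interface $1 matches tcp dport 80 and REDIRECTs to port $2.
redirect_ok() {
    awk -v ifc="$1" -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            i = ""; d = ""; j = ""; p = ""
            for (k = 3; k < NF; k++) {
                if ($k == "-i") i = $(k + 1)
                if ($k == "--dport") d = $(k + 1)
                if ($k == "-j") j = $(k + 1)
                if ($k == "--to-ports") p = $(k + 1)
            }
            if (i == ifc && d == "80" && j == "REDIRECT" && p == port) ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# $1 = squid.conf text, $2 = iptables-save text, $3 = tunnel interface
check() {
    port=$(printf '%s\n' "$1" | squid_transparent_port)
    [ -n "$port" ] || { echo "no transparent http_port found"; return 2; }
    if printf '%s\n' "$2" | redirect_ok "$3" "$port"; then
        echo "OK: $3 tcp/80 is redirected to $port"
    else
        echo "MISMATCH: no $3 tcp/80 REDIRECT to $port"; return 1
    fi
}

# Constructed inputs mirroring the two rules discussed in the thread.
SQUID_CONF='acl MyNet src 192.168.0.0/24
http_port 3128 transparent'
RULE_BAD='-A PREROUTING -i wccp0 -p tcp -j REDIRECT --to-ports 80'
RULE_GOOD='-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

check "$SQUID_CONF" "$RULE_BAD" wccp0 || true
check "$SQUID_CONF" "$RULE_GOOD" wccp0 || true
```

On a live proxy the same functions can be fed from `iptables-save -t nat` and the real squid.conf instead of the constructed strings.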

