Hello Ketua,

You can't use the REDIRECT target of iptables. You need to use DNAT --to-destination: IP_OF_ETHERNET:3128

If you redirect to localhost, the packets are silently dropped.

Regards

> On Mon, Jun 8, 2009 at 12:43 AM, ketua kampung <ketua@xxxxxxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> I have a problem getting wccp running on my squid.
>> I followed the guides from
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy and
>> http://www.digitalnerds.net/linux/transparent-squid-with-wccp/
>>
>> This is my system.
>>
>> I use Ubuntu 8.04 64bit.
>> squid 2.7stable6 (compiled by myself).
>>
>> root@box:~# squid -v
>> Squid Cache: Version 2.7.STABLE6
>> configure options: '--sysconfdir=/etc/squid' '--prefix=/usr' '--enable-async-io' '--enable-removal-policies=lru,heap' '--disable-delay-pools' '--enable-kill-parent-hack' '--enable-snmp'
>> '--enable-default-err-language=English' '--enable-err-languages=English' '--enable-cache-digests'
>> '--enable-linux-netfilter' '--enable-gnuregex' '--enable-wccp' '--disable-auth'
>>
>>
>> In squid.conf, I configured http_port 3128 transparent and enabled wccp.
>>
>>
>> ifconfig wccp0
>> wccp0 Link encap:UNSPEC HWaddr 77-5C-40-03-00-00-F9-A1-00-00-00-00-00-00-00-00
>> inet addr:1.2.3.4 P-t-P:1.2.3.4 Mask:255.255.255.255
>> UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>>
>> root@box:~# iptunnel
>> gre0: gre/ip remote any local any ttl inherit nopmtudisc
>> wccp0: gre/ip remote 110.92.64.255 local 119.92.64.3 dev eth0 ttl inherit
>>
>> root@box:~# cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>>
>> root@box:~# sysctl -a | grep rp_filter
>> error: permission denied on key 'net.ipv4.route.flush'
>> net.ipv4.conf.lo.rp_filter = 0
>> net.ipv4.conf.lo.arp_filter = 0
>> net.ipv4.conf.all.rp_filter = 0
>> net.ipv4.conf.all.arp_filter = 0
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.default.arp_filter = 0
>> net.ipv4.conf.eth0.rp_filter = 0
>> net.ipv4.conf.eth0.arp_filter = 0
>> net.ipv4.conf.eth1.rp_filter = 0
>> net.ipv4.conf.eth1.arp_filter = 0
>> net.ipv4.conf.gre0.rp_filter = 0
>> net.ipv4.conf.gre0.arp_filter = 0
>> net.ipv4.conf.wccp0.rp_filter = 0
>> net.ipv4.conf.wccp0.arp_filter = 0
>> error: permission denied on key 'net.ipv6.route.flush'
>>
>> From my cisco, I can see my squid can communicate wccp with cisco.
>> RTR-INT-2811#sh ip wccp
>> Global WCCP information:
>> Router information:
>> Router Identifier: 110.92.64.255
>> Protocol Version: 1.0
>>
>> Service Identifier: web-cache
>> Number of Service Group Clients: 1
>> Number of Service Group Routers: 1
>> Total Packets s/w Redirected: 89
>> Process: 0
>> Fast: 0
>> CEF: 89
>> Redirect access-list: -none-
>> Total Packets Denied Redirect: 0
>> Total Packets Unassigned: 0
>> Group access-list: -none-
>> Total Messages Denied to Group: 0
>> Total Authentication failures: 0
>>
>> terminal monitor
>> debug ip wccp even
>> *Jun 8 03:30:51.423: WCCP-PKT: Sending I_See_You packet to 110.92.64.3 w/ rcvd_id 00000296
>> *Jun 8 03:31:01.427: WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000B
>> *Jun 8 03:31:01.427: %WCCP-5-CACHEFOUND: Web Cache 110.92.64.3 acquired
>> *Jun 8 03:31:01.427: WCCP-PKT: Received valid Here_I_Am packet from 110.92.64.3 w/rcvd_id 00000296
>> *Jun 8 03:31:01.427: WCCP-PKT: Sending I_See_You packet to 110.92.64.3 w/ rcvd_id 00000297
>> *Jun 8 03:31:01.427: WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000C
>> *Jun 8 03:31:01.427: WCCP-PKT: Received valid Assign_Buckets packet from 110.92.64.3 w/rcvd_id 00000297
>> *Jun 8 03:31:11.431: WCCP-PKT: Received valid Here_I_Am packet from 110.92.64.3 w/rcvd_id 00000297
>> *Jun 8 03:31:11.431: WCCP-PKT: Sending I_See_You packet to 110.92.64.3 w/ rcvd_id 00000298
>>
>>
>> When I tcpdump on interface wccp0, I can see the packets flow from cisco to server.
>> root@box:~# tcpdump -i wccp0 -n
>> listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>> 10:34:42.461441 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240146036 0,nop,wscale 7>
>> 10:34:45.453372 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240146336 0,nop,wscale 7>
>> 10:34:51.453431 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240146936 0,nop,wscale 7>
>> 10:35:03.453562 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240148136 0,nop,wscale 7>
>> 10:35:27.453852 IP 110.92.65.5.41038 > 202.158.66.92.80: S 3717798278:3717798278(0) win 5840 <mss 1380,sackOK,timestamp 240150536 0,nop,wscale 7>
>>
>>
>>
>> And I can see the counter increase in iptables.
>> root@box:~# iptables -t nat -vnL
>> Chain PREROUTING (policy ACCEPT 34 packets, 2784 bytes)
>> pkts bytes target prot opt in out source destination
>> 5 300 REDIRECT tcp -- wccp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
>>
>>
>> The problem is, the squid doesn't work.
>> It looks like the packets from the redirect disappear and never touch the squid port (3128).
>>
>> Please help, what should I do?
>>
>> regards
>>
>> ketua@kampung
>
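
The rule change suggested in the reply, as an added example that is not part of the original thread: the function below reads an `iptables -t nat -vnL` listing and prints, for each REDIRECT rule on the given inbound interface, the DNAT command in the form the reply recommends. It only prints commands and changes nothing. The function names, the 192.0.2.10 address standing in for IP_OF_ETHERNET, and the eth1 row in the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rewrite REDIRECT rules from a nat-table listing as DNAT rules.

# redirect_to_dnat IFACE PROXY_IP
# Reads `iptables -t nat -vnL` output on stdin. For every REDIRECT rule whose
# inbound interface is IFACE, prints the DNAT rule that targets PROXY_IP on
# the same proxy port. Rules on other interfaces are left alone.
redirect_to_dnat() {
    iface=$1
    proxy_ip=$2
    awk -v iface="$iface" -v ip="$proxy_ip" '
        # Columns: pkts bytes target prot opt in out source destination match...
        $3 == "REDIRECT" && $6 == iface {
            dport = ""; rport = ""
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) dport = substr($i, 5)   # matched destination port
                if ($i == "ports") rport = $(i + 1)       # port the rule redirects to
            }
            if (dport == "" || rport == "") next          # not a simple port redirect
            printf "iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", iface, $4, dport, ip, rport
        }'
}

# Constructed sample: the wccp0 row is the one shown in the thread,
# the eth1 row is made up to show that other interfaces are ignored.
sample_nat_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 34 packets, 2784 bytes)
 pkts bytes target     prot opt in     out     source       destination
    5   300 REDIRECT   tcp  --  wccp0  *       0.0.0.0/0    0.0.0.0/0    tcp dpt:80 redir ports 3128
    0     0 REDIRECT   tcp  --  eth1   *       0.0.0.0/0    0.0.0.0/0    tcp dpt:80 redir ports 3128
EOF
}

# 192.0.2.10 is a placeholder for the proxy's Ethernet address.
sample_nat_listing | redirect_to_dnat wccp0 192.0.2.10
```

On a live host the listing would come from `iptables -t nat -vnL PREROUTING` run as root, and the printed command is reviewed before it is applied.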