RE: Updated CentOS/Squid/Tproxy Transparency steps.

I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated.

Here is the setup:
Router:
Cisco 7200 IOS 12.4(25)
ip wccp web-cache redirect-list 11
access-list 11 permits only selected IP addresses to use WCCP

Wan interface (Serial)
ip wccp web-cache redirect out

Global WCCP information:
Router information:
Router Identifier:			192.168.20.1
Protocol Version:			2.0

Service Identifier: web-cache
Number of Service Group Clients:	1
Number of Service Group Routers:	1
Total Packets s/w Redirected:	8797
Process:				4723
Fast:					0
CEF:					4074
Redirect access-list:			11
Total Packets Denied Redirect:	124925546
Total Packets Unassigned:		924514
Group access-list:			-none-
Total Messages Denied to Group:	0
Total Authentication failures:		0
Total Bypassed Packets Received:	0

WCCP Client information:
WCCP Client ID:	192.168.20.2
Protocol Version:	2.0
State:			Usable
Initial Hash Info:	00000000000000000000000000000000
			00000000000000000000000000000000
Assigned Hash Info:	FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
			FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment:	256 (100.00%)
Packets s/w Redirected:	306
Connect Time:		00:21:33
Bypassed Packets
Process:		0
Fast:			0
CEF:			0
Errors:			0

Clients are on FEthernet0/1
Squid server is the only device on FEthernet0/3
--------------------------------------------------------------------
Squid Server:
eth0      Link encap:Ethernet  HWaddr 00:14:22:21:A1:7D  
          inet addr:192.168.20.2  Bcast:192.168.20.7  Mask:255.255.255.248
          inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:335149 (327.2 KiB)  TX bytes:394943 (385.6 KiB)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00  
          inet addr:192.168.20.2  Mask:255.255.255.248
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:31760 (31.0 KiB)  TX bytes:0 (0.0 b)
--------------------------------------------------------------------
/etc/rc.d/rc.local file:
# Policy routing for TPROXY: packets marked 0x1 in the mangle table are looked up
# in table 100, which delivers every destination locally
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# GRE endpoint for the WCCP-redirected traffic from the router (192.168.20.1)
modprobe ip_gre
ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
# Let Squid bind outgoing connections to the (non-local) client address it spoofs
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
--------------------------------------------------------------------
/etc/sysconfig/iptables file:
# Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
*mangle
:PREROUTING ACCEPT [166:11172]
:INPUT ACCEPT [164:8718]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [130:12272]
:POSTROUTING ACCEPT [130:12272]
:DIVERT - [0:0]
# Packets that already belong to a local (TPROXY) socket: mark for table 100 and accept
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff 
-A DIVERT -j ACCEPT 
-A PREROUTING -p tcp -m socket -j DIVERT 
# New TCP/80 flows: hand to Squid's tproxy listener on 3128 and set the routing mark
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1 
COMMIT
# Completed on Wed Jul  1 03:32:55 2009
# Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [160:15168]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT 
-A INPUT -p gre -j ACCEPT 
-A INPUT -i eth0 -p gre -j ACCEPT 
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Wed Jul  1 03:32:55 2009

---------------------squid.conf------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl testing src 10.10.10.0/24
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8443        # Plesk
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow testing
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always   # tproxy: accept intercepted flows, spoof client IP outbound
hierarchy_stoplist cgi-bin ?
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
coredump_dir /var/spool/squid

logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,3

cache allow testing
cache deny all
cache_dir ufs /var/spool/squid 200000 256 256
cache_effective_user squid
cache_swap_high 100%
cache_swap_low 80%
cache_mem 2 GB
maximum_object_size  8192 KB
half_closed_clients on
client_db off

wccp2_router 192.168.20.1
wccp_version 2
wccp2_rebuild_wait on
wccp2_forwarding_method 1   # 1 = GRE encapsulation router -> Squid
wccp2_return_method 1       # 1 = GRE for packets Squid returns to the router
wccp2_assignment_method 1   # 1 = hash assignment
wccp2_service standard 0    # service group 0 = well-known "web-cache" (TCP dst port 80)

visible_hostname Server

forwarded_for off
---------------------------------end of squid.conf-------------------------------------
This is the timeout error when trying to go to www.google.com.

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.google.com/

	Connection to 74.125.45.100 failed.

The system returned: (110) Connection timed out

The remote host or network may be down. Please try the request again.

Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)


Thanks for your help,

Alex
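Added example, not part of Alex's post and not code from the Squid project: a small Python model of the Cisco IOS WCCPv2 redirection decision, used to trace the three legs of one intercepted request (the client's SYN, the SYN Squid sends with the client's spoofed source address, and the origin server's reply) through a router configured as in the post and through the two-service-group arrangement the Squid wiki documents for WCCPv2 with TPROXY. The interface names FastEthernet0/1, FastEthernet0/3 and Serial0/0, the client address 10.10.10.5 and the contents of access-list 11 are constructed assumptions; the origin address is the one from the error page. The model covers only what the trace needs (hook direction, port match, standard-ACL source match, `redirect exclude in`), not the full IOS feature set.

```python
"""Which WCCPv2 hook sees each leg of a TPROXY-spoofed HTTP connection.

Added example (not from the original post). Interface names, the client
address and the ACL contents below are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str   # interface the router received the packet on
    out_if: str  # interface the router would forward it out of


@dataclass
class Service:
    """One WCCP service group as configured on the router."""
    name: str
    ports_source: bool = False    # False: match TCP dst port (web-cache); True: match src port
    port: int = 80
    redirect_in: Set[str] = field(default_factory=set)   # 'ip wccp <svc> redirect in'
    redirect_out: Set[str] = field(default_factory=set)  # 'ip wccp <svc> redirect out'
    redirect_list: Optional[List[str]] = None            # standard ACL: permits by SOURCE; None = any


@dataclass
class Router:
    services: List[Service]
    exclude_in: Set[str] = field(default_factory=set)    # 'ip wccp redirect exclude in'

    def redirect(self, pkt: Packet) -> Optional[str]:
        """Return the name of the service group that intercepts pkt, or None."""
        # 'redirect exclude in' removes everything received on that interface
        # from redirection checks (the usual setting on the cache-facing port).
        if pkt.in_if in self.exclude_in:
            return None
        for svc in self.services:
            if pkt.in_if not in svc.redirect_in and pkt.out_if not in svc.redirect_out:
                continue
            port = pkt.sport if svc.ports_source else pkt.dport
            if port != svc.port:
                continue
            if svc.redirect_list is not None and not any(
                ip_address(pkt.src) in ip_network(net) for net in svc.redirect_list
            ):
                continue
            return svc.name
        return None


def trace(router: Router, client: str, origin: str,
          client_if: str, cache_if: str, wan_if: str) -> Dict[str, Optional[str]]:
    """Trace one request: client SYN, Squid's spoofed SYN, and the origin's reply.

    The tproxy listener spoofs the client's address outbound, so leg 2 carries
    the client's source IP although it enters from the cache-facing interface;
    by source address alone the router cannot tell it apart from leg 1.
    """
    legs = {
        "client SYN -> origin": Packet(client, origin, 40000, 80, client_if, wan_if),
        "spoofed SYN (Squid) -> origin": Packet(client, origin, 40001, 80, cache_if, wan_if),
        "origin reply -> client": Packet(origin, client, 80, 40001, wan_if, client_if),
    }
    return {leg: router.redirect(pkt) for leg, pkt in legs.items()}


# Constructed topology mirroring the post: clients on Fa0/1, Squid alone on Fa0/3,
# WAN on a serial interface; 10.10.10.0/24 assumed to be what access-list 11 permits.
CLIENT_IF, CACHE_IF, WAN_IF = "FastEthernet0/1", "FastEthernet0/3", "Serial0/0"
CLIENT, ORIGIN = "10.10.10.5", "74.125.45.100"


def posted_router() -> Router:
    """'ip wccp web-cache redirect-list 11' plus 'ip wccp web-cache redirect out' on the WAN."""
    return Router([Service("web-cache", redirect_out={WAN_IF}, redirect_list=["10.10.10.0/24"])])


def two_group_router() -> Router:
    """Squid wiki arrangement for WCCPv2 + TPROXY: dynamic group 80 (dst port 80)
    'redirect in' on the client interface, dynamic group 90 (ports_source, src
    port 80) 'redirect in' on the WAN, and 'redirect exclude in' on the cache port."""
    return Router(
        services=[
            Service("80", redirect_in={CLIENT_IF}, redirect_list=["10.10.10.0/24"]),
            Service("90", ports_source=True, redirect_in={WAN_IF}),
        ],
        exclude_in={CACHE_IF},
    )


if __name__ == "__main__":
    for label, rtr in (("as posted", posted_router()), ("two service groups", two_group_router())):
        print(f"--- {label}")
        for leg, svc in trace(rtr, CLIENT, ORIGIN, CLIENT_IF, CACHE_IF, WAN_IF).items():
            print(f"{leg:32s} -> {svc or 'forwarded normally'}")
```

Run it to see, for each arrangement, which leg is handed to the cache and which is forwarded normally; the second service group is the only element in the model that ever matches the origin's reply, because it matches on the TCP source port and is hooked inbound on the WAN, and the exclude on the cache-facing interface is what keeps the spoofed outbound SYN from being matched by a dst-port-80 group.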



