Hold on, I lack the compile option for connection tracking NAT. Let me compile first.

On Tue, Jul 7, 2009 at 9:15 PM, Ritter, Nicholas <Nicholas.Ritter@xxxxxxxxxxxxxx> wrote:
> Bridging is a completely different beast...I have not done a bridging
> solution, so I can't help as much...with bridging I think you don't use
> iptables, but the bridging netfilter tables. That is probably the issue.
>
>
> -----Original Message-----
> From: johan firdianto [mailto:johanfirdi@xxxxxxxxx]
> Sent: Tuesday, July 07, 2009 1:50 AM
> To: Ritter, Nicholas
> Cc: Adrian Chadd; Alexandre DeAraujo; squid-users
> Subject: Re: Updated CentOS/Squid/Tproxy Transparency steps.
>
> Hi Nick,
>
> I already tried your example above, with the exception that I'm using a bridge
> with 2 ethernets, not wccp.
> But I don't see anything in access_log when I try to browse some sites.
> But I still could open the sites.
>
> 2009/07/07 21:44:17| Reconfiguring Squid Cache (version 3.1.0.9)...
> 2009/07/07 21:44:17| FD 10 Closing HTTP connection
> 2009/07/07 21:44:17| FD 13 Closing HTTP connection
> 2009/07/07 21:44:17| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
> 2009/07/07 21:44:17| Starting IP Spoofing on port [::]:3129
> 2009/07/07 21:44:17| Disabling Authentication on port [::]:3129 (Ip spoofing enabled)
> 2009/07/07 21:44:17| Disabling IPv6 on port [::]:3129 (interception enabled)
> 2009/07/07 21:44:17| Initializing https proxy context
> 2009/07/07 21:44:17| DNS Socket created at [::], FD 10
> 2009/07/07 21:44:17| Adding domain edgestream.com from /etc/resolv.conf
> 2009/07/07 21:44:17| Adding nameserver 202.169.224.44 from /etc/resolv.conf
> 2009/07/07 21:44:17| Accepting HTTP connections at [::]:3128, FD 11.
> 2009/07/07 21:44:17| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 13.
> 2009/07/07 21:44:17| HTCP Disabled.
> 2009/07/07 21:44:17| Loaded Icons.
> 2009/07/07 21:44:17| Ready to serve requests.
>
> iptables -t mangle -L -xvn
> Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>     7326     946003 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
>     3661     949270 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 192.168.1.205:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 10693 packets, 1269475 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 13049 packets, 5011079 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 6481 packets, 2011014 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 19530 packets, 7022093 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>
> Chain DIVERT (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>     7326     946003 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0xffffffff
>     7326     946003 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> ip rule
> 0:      from all lookup 255
> 32764:  from all fwmark 0x1 lookup tproxy
> 32765:  from all fwmark 0x1 lookup tproxy
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> ip route show table 100
> local default dev lo  scope host
>
>
> On Thu, Jul 2, 2009 at 11:31 AM, Ritter, Nicholas <Nicholas.Ritter@xxxxxxxxxxxxxx> wrote:
>> I have not finished updating the wiki article for the CentOS example, BTW.
>>
>> I will do this by tomorrow or possibly tonight yet.
>>
>> Nick
>>
>>
>> -----Original Message-----
>> From: adrian.chadd@xxxxxxxxx [mailto:adrian.chadd@xxxxxxxxx] On Behalf Of Adrian Chadd
>> Sent: Wednesday, July 01, 2009 11:10 PM
>> To: Alexandre DeAraujo
>> Cc: Ritter, Nicholas; squid-users
>> Subject: Re: Updated CentOS/Squid/Tproxy Transparency steps.
>>
>> This won't work. You're only redirecting half of the traffic flow with
>> the wccp web-cache service group. The tproxy code is probably
>> correctly trying to originate packets -from- the client IP address to
>> the upstream server but because you're only redirecting half of the
>> packets (ie, packets from original client to upstream, and not also
>> the packets from the upstream to the client <- and this is the flow
>> that needs to be hijacked!) things will "hang".
>>
>> You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
>> setup. There are two service groups configured - 80 and 90 - which
>> redirect client -> server and server->client respectively. They have
>> the right bits set in the service group definitions to redirect the
>> traffic correctly.
>>
>> The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
>> find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
>> then combine that with the TPROXY4 rules. That is fine for me (I know
>> a thing or two about this) but it should all be made much, much
>> clearer for people trying to set this up.
>>
>> As I suggested earlier, you may wish to consider fleshing out an
>> interception section in the Wiki complete with explanations about how
>> all of the various parts of the puzzle hold together.
>>
>> 2c,
>>
>>
>> adrian
>>
>> 2009/7/2 Alexandre DeAraujo <alexd@xxxxxxx>:
>>> I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated.
>>>
>>> Here is the setup:
>>> Router:
>>> Cisco 7200 IOS 12.4(25)
>>> ip wccp web-cache redirect-list 11
>>> access-list 11 permits only selective ip addresses to use wccp
>>>
>>> Wan interface (Serial)
>>> ip wccp web-cache redirect out
>>>
>>> Global WCCP information:
>>> Router information:
>>> Router Identifier: 192.168.20.1
>>> Protocol Version: 2.0
>>>
>>> Service Identifier: web-cache
>>> Number of Service Group Clients: 1
>>> Number of Service Group Routers: 1
>>> Total Packets s/w Redirected: 8797
>>> Process: 4723
>>> Fast: 0
>>> CEF: 4074
>>> Redirect access-list: 11
>>> Total Packets Denied Redirect: 124925546
>>> Total Packets Unassigned: 924514
>>> Group access-list: -none-
>>> Total Messages Denied to Group: 0
>>> Total Authentication failures: 0
>>> Total Bypassed Packets Received: 0
>>>
>>> WCCP Client information:
>>> WCCP Client ID: 192.168.20.2
>>> Protocol Version: 2.0
>>> State: Usable
>>> Initial Hash Info: 00000000000000000000000000000000
>>>                    00000000000000000000000000000000
>>> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>                     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>> Hash Allotment: 256 (100.00%)
>>> Packets s/w Redirected: 306
>>> Connect Time: 00:21:33
>>> Bypassed Packets
>>> Process: 0
>>> Fast: 0
>>> CEF: 0
>>> Errors: 0
>>>
>>> Clients are on FEthernet0/1
>>> Squid server is the only device on FEthernet0/3
>>> --------------------------------------------------------------------
>>> Squid Server:
>>> eth0      Link encap:Ethernet  HWaddr 00:14:22:21:A1:7D
>>>           inet addr:192.168.20.2  Bcast:192.168.20.7  Mask:255.255.255.248
>>>           inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1000
>>>           RX bytes:335149 (327.2 KiB)  TX bytes:394943 (385.6 KiB)
>>>
>>> gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
>>>           inet addr:192.168.20.2  Mask:255.255.255.248
>>>           UP RUNNING NOARP  MTU:1476  Metric:1
>>>           RX packets:400 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:0
>>>           RX bytes:31760 (31.0 KiB)  TX bytes:0 (0.0 b)
>>> --------------------------------------------------------------------
>>> /etc/rc.d/rc.local file:
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>> modprobe ip_gre
>>> ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
>>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>>> --------------------------------------------------------------------
>>> /etc/sysconfig/iptables file:
>>> # Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
>>> *mangle
>>> :PREROUTING ACCEPT [166:11172]
>>> :INPUT ACCEPT [164:8718]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [130:12272]
>>> :POSTROUTING ACCEPT [130:12272]
>>> :DIVERT - [0:0]
>>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>>> -A DIVERT -j ACCEPT
>>> -A PREROUTING -p tcp -m socket -j DIVERT
>>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
>>> COMMIT
>>> # Completed on Wed Jul  1 03:32:55 2009
>>> # Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [160:15168]
>>> :RH-Firewall-1-INPUT - [0:0]
>>> -A INPUT -i gre0 -j ACCEPT
>>> -A INPUT -p gre -j ACCEPT
>>> -A INPUT -i eth0 -p gre -j ACCEPT
>>> -A INPUT -j RH-Firewall-1-INPUT
>>> -A FORWARD -j RH-Firewall-1-INPUT
>>> -A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>> # Completed on Wed Jul  1 03:32:55 2009
>>>
>>> ---------------------squid.conf------------------------------------
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl testing src 10.10.10.0/24
>>> acl SSL_ports port 443
>>> acl SSL_ports port 8443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl Safe_ports port 8443        # Plesk
>>> acl CONNECT method CONNECT
>>> http_access allow manager localhost
>>> http_access allow testing
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localnet
>>> http_access deny all
>>> http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
>>> hierarchy_stoplist cgi-bin ?
>>> hosts_file /etc/hosts
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern .               0       20%     4320
>>> coredump_dir /var/spool/squid
>>>
>>> logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
>>> access_log /var/log/squid/access.log squid
>>> cache_access_log /var/log/squid/access.log
>>> cache_log /var/log/squid/cache.log
>>> cache_store_log /var/log/squid/store.log
>>> debug_options ALL,3
>>>
>>> cache allow testing
>>> cache deny all
>>> cache_dir ufs /var/spool/squid 200000 256 256
>>> cache_effective_user squid
>>> cache_swap_high 100%
>>> cache_swap_low 80%
>>> cache_mem 2 GB
>>> maximum_object_size 8192 KB
>>> half_closed_clients on
>>> client_db off
>>>
>>> wccp2_router 192.168.20.1
>>> wccp_version 2
>>> wccp2_rebuild_wait on
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_assignment_method 1
>>> wccp2_service standard 0
>>>
>>> visible_hostname Server
>>>
>>> forwarded_for off
>>> ---------------------------------end of squid.conf-------------------------------------
>>> This is the timeout error when trying to go to www.google.com
>>>
>>> ERROR
>>> The requested URL could not be retrieved
>>>
>>> The following error was encountered while trying to retrieve the URL: http://www.google.com/
>>>
>>> Connection to 74.125.45.100 failed.
>>>
>>> The system returned: (110) Connection timed out
>>>
>>> The remote host or network may be down. Please try the request again.
>>>
>>> Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)
>>>
>>>
>>> Thanks for your help,
>>>
>>> Alex
>>>
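The TPROXY plumbing in this thread has to agree across three tools: the `-m socket -j DIVERT` rule and the TPROXY mark in the mangle table, the `ip rule` that sends that fwmark to a table, and the `local default dev lo` route in that table (and Adrian's point is that the return flow from upstream must land on Squid's socket too). The following checker is an added example, not code from any poster; it parses constructed copies of the pasted `iptables -t mangle -L -xvn`, `ip rule` and `ip route show table` output and reports the usual mismatches. The `rt_tables` name-to-number map (the named `tproxy` table) is assumed to be supplied by the caller.

```python
import re

# Constructed sample input, modelled on the command output pasted in the thread.
MANGLE = """Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
    7326     946003 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
    3661     949270 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 192.168.1.205:3129 mark 0x1/0x1

Chain DIVERT (1 references)
    7326     946003 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0xffffffff
    7326     946003 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
IP_RULE = "0:\tfrom all lookup 255\n32764:\tfrom all fwmark 0x1 lookup tproxy\n32766:\tfrom all lookup main\n"
ROUTE_TABLES = {"100": "local default dev lo  scope host\n"}  # keyed by table number

# Rule row columns: pkts bytes target prot opt in out source destination [match text]
RULE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)(?:\s+\S+){6}\s*(.*)$")

def parse_mangle(text):
    """Map chain name -> [(target, match text), ...] in rule order."""
    chains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif cur and (m := RULE.match(line)):
            chains[cur].append((m.group(1), m.group(2)))
    return chains

def check_tproxy(mangle, ip_rule, route_tables, squid_port, rt_tables=None):
    """Return a list of findings; [] means the plumbing is consistent. rt_tables: assumed name->number map."""
    found, ch = [], parse_mangle(mangle)
    by_target = dict(ch.get("PREROUTING", []))
    if "socket" not in by_target.get("DIVERT", ""):
        found.append("no '-m socket -j DIVERT' rule: upstream replies to the spoofed client address bypass Squid")
    tp = re.search(r"TPROXY redirect \S+:(\d+) mark (0x[0-9a-f]+)/", by_target.get("TPROXY", ""))
    if not tp:
        return found + ["no TPROXY rule in PREROUTING"]
    port, mark = int(tp.group(1)), int(tp.group(2), 16)
    if port != squid_port:
        found.append(f"TPROXY --on-port {port} differs from Squid's tproxy http_port {squid_port}")
    xset = re.search(r"MARK xset (0x[0-9a-f]+)/", " ".join(x for _, x in ch.get("DIVERT", [])))
    if not xset or (int(xset.group(1), 16) & mark) != mark:
        found.append("DIVERT chain does not set the mark the TPROXY rule uses")
    rule = re.search(r"fwmark (0x[0-9a-f]+|\d+)(?:/\S+)? lookup (\S+)", ip_rule)
    if not rule or (int(rule.group(1), 0) & mark) != mark:
        return found + [f"no 'ip rule' sending fwmark {mark:#x} to a routing table"]
    table = (rt_tables or {}).get(rule.group(2), rule.group(2))  # resolve a named table
    if not re.search(r"local (default|0\.0\.0\.0/0) dev lo", route_tables.get(table, "")):
        found.append(f"table '{rule.group(2)}' lacks the 'local default dev lo' route")
    return found
```

Run it against your own captured output; without a mapping for the named `tproxy` table it reports the table as unresolved, which is the first thing to verify in /etc/iproute2/rt_tables.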