On Wed, 12 May 2010 07:03:59 -0700 (PDT), Jiffy 1111 <jiffy1111@xxxxxxxxx> wrote:

> --- On Sun, 5/9/10, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> Subject: Re: squid in load balanced wccpv2 configuration
>> To: squid-users@xxxxxxxxxxxxxxx
>> Date: Sunday, May 9, 2010, 6:55 AM
>>
>> Jiffy 1111 wrote:
>> > Hi, all,
>> >
>> > In a nutshell, I am trying to install squid as a third proxy to alleviate some pressure from our two Bluecoat proxies into a currently working wccpv2 configuration.
>> > We now have 5000+ users.
>> >
>> > My current squid configuration works perfectly fine in explicit mode.
>> > The problem I am having is that squid can't seem to join the wccp service groups.
>> > I've tried the configuration examples from http://wiki.squid-cache.org/ConfigExamples/ to no avail.
>> >
>> > We have two Cisco 6513's in our core and we are using wccp to load balance between the proxies.
>> >
>> > I'm posting my sanitized configs hoping someone can shed some light on this and show me what my squid.conf, iptables and network interfaces should look like.
>> > I would also appreciate any recommended settings for memory and disk use based on the hardware spec I am posting. This server will be dedicated to squid.
>> >
>> > Server:
>> > cat /etc/redhat-release
>> > Fedora release 12 (Constantine)
>> >
>> > rpm -qa squid
>> > squid-3.1.1-1.fc12.i686
>> >
>> > 4 x Intel(R) Xeon(R) CPU 5160 @ 3.00GHz
>> >
>> > free -m
>> >       total
>> > Mem:  7991
>> >
>> > 600 Gig on /var
>> >
>> > ip tunnel add wccp1 mode gre remote x.x.0.1 local x.x.1.77 dev eth0
>> > ifconfig wccp1 inet x.x.1.76 netmask 255.255.255.192 up
>> >
>> > ifconfig
>> > eth0
>> >   inet addr:x.x.1.77  Bcast:x.x.1.127  Mask:255.255.255.192
>> >
>> > wccp1
>> >   inet addr:x.x.1.76  P-t-P:x.x.1.76  Mask:255.255.255.192
>> >
>> > iptables:
>> > echo 1 > /proc/sys/net/ipv4/ip_forward
>> > echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
>> > iptables -F -t nat
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 20 -j DNAT --to-destination x.x.1.77:20
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 21 -j DNAT --to-destination x.x.1.77:21
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 1755 -j DNAT --to-destination x.x.1.77:1755
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 7070 -j DNAT --to-destination x.x.1.77:7070
>> >
>>
>> DNAT used on TCP links (only) with no sign of a matching source fix-up (MASQUERADE or SNAT).
>>
>> Everything else looks good at a quick glance.
>>
>> Amos
>> --
>> Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.3
>
> Hi, Amos,
>
> Thank you for the hint, but I guess you are speaking about iptables. I am not overly familiar with that. Would you be so kind as to provide an example or an explanation for this setup?
>
> I am in training this week and will be back in the office on Monday, ready and willing to try this and, if it works, provide a working config for others to reference.
>
> Thanks again,
> Jeff

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Your use of "-i wccp1" effectively implements lines 1 and 2 of the iptables config in one entry.

You seem to be missing line 3 for the nat POSTROUTING part.

Amos
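A check for the gap Amos describes, as an added example that is not part of the thread or the Squid wiki: it reads an iptables-save dump and reports DNAT rules in nat/PREROUTING that have no POSTROUTING SNAT or MASQUERADE behind them. The two dumps are constructed from the rules posted above; the MASQUERADE rule in the corrected dump is an assumption for this example, not the exact line from the wiki page.

```shell
#!/bin/sh
# Added example; not from the squid-users thread or the Squid wiki.
# Audits an iptables-save dump for the gap Amos points out: DNAT rules in
# nat/PREROUTING with no nat/POSTROUTING SNAT or MASQUERADE behind them.
# Both dumps below are constructed from the rules posted in the thread;
# x.x.1.77 is the poster's sanitized proxy address.

# Constructed dump of the posted configuration (two of its DNAT rules).
POSTED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
COMMIT'

# Same dump with a source fix-up in POSTROUTING. The rule used here
# (MASQUERADE on the outbound interface) is an assumption for this example;
# the wiki page linked in the reply shows the line Amos refers to.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# check_nat_fixup: reads an iptables-save dump on stdin. Returns 0 when there
# is no DNAT rule or a POSTROUTING SNAT/MASQUERADE is present, 1 when DNAT
# rules exist without any source fix-up ("|| true" stops grep's exit status
# of 1 on zero matches from being mistaken for an error).
check_nat_fixup() {
    dump=$(cat)
    dnat=$(printf '%s\n' "$dump" | grep -c -- '^-A PREROUTING.* -j DNAT' || true)
    fixup=$(printf '%s\n' "$dump" | grep -c -E -- '^-A POSTROUTING.* -j (SNAT|MASQUERADE)' || true)
    if [ "$dnat" -gt 0 ] && [ "$fixup" -eq 0 ]; then
        echo "$dnat DNAT rule(s) with no POSTROUTING SNAT/MASQUERADE" >&2
        return 1
    fi
    return 0
}

# On a live box:  iptables-save | check_nat_fixup
printf '%s\n' "$POSTED_RULES" | check_nat_fixup && echo "posted: ok" || echo "posted: fix-up missing"
printf '%s\n' "$FIXED_RULES" | check_nat_fixup && echo "fixed: ok" || echo "fixed: fix-up missing"
```

The check only covers the IPv4 nat table; run ip6tables-save through it separately if IPv6 interception is in play.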