On Wed 2010-09-15 at 17:09 -0400, Chris Abel wrote:

> I only have those 2 iptables rules set on my squid box so I'm not sure how
> my iptables could be the problem. This is all of my active iptables
> printed out:

iptables-save is recommended for inspecting iptables rules. But nothing obviously wrong in your iptables rules that I could see from the -L outputs.

> wccp0 Link encap:UNSPEC HWaddr
> C0-A8-00-15-00-00-65-74-00-00-00-00-00-00-00-00
> inet addr:192.168.0.21 P-t-P:192.168.0.21 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
> RX packets:285 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:22823 (22.2 KiB) TX bytes:0 (0.0 B)

What does the following say about the wccp interface?

    ip tunnel show wccp0
    ip addr show dev wccp0

One thing about WCCP/GRE. Make sure that the router sends its GRE packets with the source & destination address you think it's using. The GRE tunnel definition must match this. Depending on router model and version it's not always entirely obvious which address the router will be using for the WCCP GRE traffic.

The GRE tunnel addresses used by the router are easily visible with

    tcpdump -n -p -i eth0 proto gre

If you also see TCP packets on the wccp0 interface then the GRE tunnel is defined correctly.

    tcpdump -n -p -i wccp0

If you see GRE packets on eth0 but no TCP packets on wccp0 then the GRE tunnel is not correctly defined.

Basic requirements for WCCP/GRE intercept mode operation (proxy mode assumed to work already)

- WCCP configuration needs to be correct so that router & proxy agree on using WCCP, resulting in the router sending any port 80 traffic to the cache server using WCCP redirection (GRE or layer2 depending on config & router capabilities)
- When using the GRE redirection method, the GRE tunnel must be defined to match the GRE tunnel profile used by the router
- rp_filter must be disabled on the wccp0 GRE interface.
- A valid IP address needs to be assigned on the wccp0 GRE interface
- The iptables nat table needs to have a rule to redirect incoming port 80 traffic on the wccp0 interface to the Squid proxy port.
- Squid must be listening on the address of the wccp0 interface, or the default wildcard address.

For TPROXY operation the requirements are similar, plus some more:

- iptables rule different.
- policy routing table required (ip rule & ip route)
- wccp configuration more complex

All three are detailed in the wiki pages relating to TPROXY.

In addition

- proxy preferably on a separate leg from the router (physical or vlan)

I recommend verifying intercept mode operation before trying tproxy. Most of the concept is the same, just a bit more complex when doing tproxy.

Regards
Henrik
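
Added example, not part of the message above: a shell sketch that compares the GRE endpoints seen by `tcpdump -n -p -i eth0 proto gre` with the `ip tunnel show wccp0` definition and looks for the port 80 redirect rule in `iptables-save` output. It works on saved command output; the sample text, the router address 192.168.0.1 and Squid port 3128 are constructed assumptions.

```shell
#!/bin/sh
# Offline version of the GRE endpoint check. All sample text is constructed;
# 192.168.0.1 as the router address is an assumption.

# Constructed sample of: tcpdump -n -p -i eth0 proto gre
SAMPLE_TCPDUMP='17:09:01.000001 IP 192.168.0.1 > 192.168.0.21: GREv0, length 72: gre-proto-0x883e
17:09:01.000213 IP 192.168.0.1 > 192.168.0.21: GREv0, length 60: gre-proto-0x883e'
# Constructed sample of: ip tunnel show wccp0
SAMPLE_TUNNEL='wccp0: gre/ip  remote 192.168.0.1  local 192.168.0.21  dev eth0  ttl inherit'
# Constructed sample of: iptables-save -t nat (3128 as Squid port is an assumption)
SAMPLE_NAT='*nat
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# Print the unique "src dst" pairs of the GRE packets in tcpdump text output.
gre_endpoints() {
    printf '%s\n' "$1" |
        awk '/ GREv[0-9]/ { d = $5; sub(/:$/, "", d); print $3, d }' | sort -u
}

# Print "remote local" as configured on the tunnel.
tunnel_endpoints() {
    printf '%s\n' "$1" | awk '{ r = ""; l = ""
        for (i = 1; i < NF; i++) { if ($i == "remote") r = $(i+1); if ($i == "local") l = $(i+1) }
        if (r != "" && l != "") print r, l }'
}

# 0: every GRE packet matches the tunnel; 1: mismatch; 2: no GRE traffic seen.
# "any" in the tunnel definition is a wildcard endpoint.
tunnel_matches() {
    seen=$(gre_endpoints "$1")
    [ -n "$seen" ] || return 2
    tun=$(tunnel_endpoints "$2")
    [ -n "$tun" ] || return 1
    printf '%s\n' "$seen" | awk -v tun="$tun" '
        BEGIN { split(tun, t, " ") }    # t[1] = remote, t[2] = local
        (t[1] != "any" && $1 != t[1]) || (t[2] != "any" && $2 != t[2]) { bad = 1 }
        END { exit bad + 0 }'
}

# Succeeds when the nat table redirects port 80 traffic arriving on wccp0.
has_redirect() {
    printf '%s\n' "$1" | grep -Eq -- '^-A PREROUTING .*-i wccp0 .*--dport 80 .*-j REDIRECT'
}

if tunnel_matches "$SAMPLE_TCPDUMP" "$SAMPLE_TUNNEL"; then echo "tunnel: matches router"; else echo "tunnel: MISMATCH"; fi
if has_redirect "$SAMPLE_NAT"; then echo "nat: redirect present"; else echo "nat: redirect MISSING"; fi
```

On a live cache, pass the real command output in place of the samples, for example `tunnel_matches "$(timeout 10 tcpdump -n -p -i eth0 proto gre 2>/dev/null)" "$(ip tunnel show wccp0)"`.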