Please ignore this post. I found I need to add more configuration, as in
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

On Wed, Feb 6, 2013 at 9:27 AM, Roman Gelfand <rgelfand2@xxxxxxxxx> wrote:
> I have configured the tproxy as follows, but it appears packets are
> not hitting squid. Please note, the wccp configuration on the router
> is already working with squid http_port transparent configuration and,
> obviously, different iptables configuration. Any help is appreciated.
>
> Thanks in advance.
>
> squid.conf
> ---------------
>
> http_port 3228 tproxy
> https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key
>
> # FortiGate interface of wccp
> wccp2_router 192.168.5.1
>
> wccp2_service dynamic 90
> wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443
>
> wccp2_service dynamic 95
> wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80,443
>
> # tunneling method GRE for forward traffic
> wccp2_forwarding_method 1
>
> # tunneling method GRE for return traffic
> wccp2_return_method 1
>
> # Assignment method (default), only relevant if multiple caches used
> wccp2_assignment_method 1
>
> # wccp weight (default), only relevant if multiple caches used
> wccp2_weight 10000
>
> # which interface to use for WCCP (0.0.0.0 determines the interface from routing)
> wccp2_address 0.0.0.0
>
> rc.local
> -----------
>
> modprobe ip_gre
> modprobe ip_tables
> modprobe x_tables
> ip tunnel add wccp0 mode gre remote 192.168.5.1 local 192.168.5.21 dev eth0
> ip addr add 192.168.5.21/32 dev wccp0
> ip link set wccp0 up
>
> # Route to send the content back to the GRE tunnel
> route add -net {wan interface ip} netmask 255.255.255.255 dev wccp0
>
> # Disable reverse path filtering and enable routing in the kernel
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Set up the redirection of traffic from the GRE tunnel to squid port 3128
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
> iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
>
> exit 0