Squid with WCCP help!

By R_O_L_A_N_D
Hi All,
I've been wrestling with my transparent proxy for the last 3 days.
I hope someone could give me a hint on what I'm doing wrong.
I've installed Squid and set the following, but it's still not connecting to my Cisco router!

PS: as a non-transparent proxy it's working perfectly, but when it comes to being transparent and doing the iptables/interface (GRE tunnel) part, it's failing big time!


==============squid.conf:======================
http_port 3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
maximum_object_size 100 KB
cache_dir aufs /var/spool/squid 25000 16 256
access_log /var/spool/squid/squid_access.log squid
cache_log /var/log/squid_cache.log
cache_store_log none
debug_options ALL,1
#client_netmask 255.255.255.0
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl the_network src 192.168.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow the_network
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access deny !the_network
cache_mgr roland.abihanna@gotocme.com
cache_effective_user proxy
cache_effective_group proxy
visible_hostname silent
logfile_rotate 7
store_avg_object_size 14444 KB
client_db off
always_direct allow the_network
error_directory /usr/share/squid/errors/Spanish
wccp2_router 192.168.0.1
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
uri_whitespace encode
strip_query_terms on
coredump_dir /home/proxy
ie_refresh on


============/etc/network/interfaces============
iface eth0 inet static
address 192.168.0.14
netmask 255.255.255.0
gateway 192.168.0.1
pre-up ( \
/sbin/modprobe ip_conntrack ; \
/sbin/modprobe iptable_nat ; \
/sbin/iptables-restore < /etc/default/iptables ; \
)
post-up ( \
/sbin/ip link set eth0 mtu 1476 ; \
/sbin/ip tunnel add wccp1 mode gre remote 192.168.10.3 \
local 192.168.0.14 dev eth0 ; \
/sbin/ip addr add 192.168.0.14 dev wccp1 ; \
/sbin/ip link set wccp1 up ; \
/sbin/sysctl -w net.ipv4.conf.wccp1.rp_filter=0 ; \
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ; \
)
pre-down ( \
/sbin/ip link set wccp1 down ; \
/sbin/ip tunnel del wccp1 ; \
)

===================/etc/default/iptables=======
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Established connections
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# GRE tunnel traffic
-A INPUT -s 192.168.10.3 -d 192.168.0.14 -p gre -j ACCEPT
# HTTP rerouted requests
-A INPUT -s 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 3128 -j ACCEPT
# UDP DNS replies
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# Accept some ICMP echo requests / 10 requests per second
-A INPUT -p icmp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
# WCCP traffic
-A INPUT -s 192.168.0.1 -p udp -m udp --sport 2048 --dport 2048 -j ACCEPT
# Incoming HTTP traffic from origin servers
-A INPUT -s ! 192.168.0.1/255.255.255.0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -s ! 192.168.0.1/255.255.255.0 -p tcp -m tcp --sport 8000 -j ACCEPT
-A INPUT -s ! 192.168.0.1/255.255.255.0 -p tcp -m tcp --sport 8080 -j ACCEPT
# TCP DNS replies. Just in case
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
# SSH connection from admin server
-A INPUT -s 192.168.0.2 -p tcp -m tcp --dport 22 -j ACCEPT
# Accept some traceroute. 3 per second
-A INPUT -p udp -m udp --dport 33434:33445 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT
# Log everything else, maybe add explicit rules to block certain traffic.
# Unnecessary but useful monitoring
-A INPUT -j LOG
# Accept forwarded requests.
# Totally unnecessary, but allows for basic monitoring.
-A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reroute HTTP requests to the proxy server
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
# iptables-restore requires a COMMIT to close the nat table as well
COMMIT
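A WCCPv2 + GRE interception setup only works when the three files above agree with each other: the address Squid registers with (wccp2_router), the peer the GRE tunnel is built to, the firewall rules that let GRE and UDP 2048 in, the REDIRECT off the tunnel interface, and rp_filter on that interface. The checker below is an added example, not code from the original post or from the Squid project; it parses constructed excerpts modelled on the post's squid.conf, interfaces stanza and iptables-restore file (the addresses are the ones shown in the thread) and reports each missing piece. The expectation that the GRE remote should match the wccp2_router address is an assumption I added as a "verify" finding; on the post's values it reports exactly that mismatch (192.168.10.3 vs 192.168.0.1).

```python
import re

# Constructed excerpts modelled on the post's three files (not the poster's
# verbatim text); the addresses are the ones that appear in the thread.
SQUID_CONF = """\
http_port 3128 transparent
acl the_network src 192.168.0.0/24
wccp2_router 192.168.0.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
"""

INTERFACES = """\
iface eth0 inet static
address 192.168.0.14
netmask 255.255.255.0
post-up ( \\
/sbin/ip tunnel add wccp1 mode gre remote 192.168.10.3 \\
local 192.168.0.14 dev eth0 ; \\
/sbin/ip link set wccp1 up ; \\
/sbin/sysctl -w net.ipv4.conf.wccp1.rp_filter=0 ; \\
)
"""

IPTABLES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.168.10.3 -d 192.168.0.14 -p gre -j ACCEPT
-A INPUT -s 192.168.0.1 -p udp -m udp --sport 2048 --dport 2048 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""


def squid_settings(text):
    """Map each squid.conf directive to the list of argument strings it was given."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, []).append(value.strip())
    return settings


def gre_tunnel(text):
    """Return (tunnel_name, remote_ip) from an 'ip tunnel add ... mode gre remote X' line."""
    m = re.search(r"ip tunnel add (\S+) mode gre remote (\S+)", text)
    return (m.group(1), m.group(2)) if m else (None, None)


def iptables_rules(text):
    """Return (table, rule) pairs for every -A line of an iptables-restore file."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            rules.append((table, line))
    return rules


def has_rule(rules, table, *fragments):
    """True if some rule in `table` contains every fragment (order-insensitive)."""
    return any(t == table and all(f in r for f in fragments) for t, r in rules)


def check_wccp_setup(squid_text, interfaces_text, iptables_text):
    """Return a list of findings; an empty list means every expected piece is present."""
    findings = []
    s = squid_settings(squid_text)
    rules = iptables_rules(iptables_text)

    ports = [p.split() for p in s.get("http_port", [])]
    if not any(len(p) > 1 and p[1] in ("transparent", "intercept") for p in ports):
        findings.append("http_port lacks the transparent/intercept flag")
    squid_port = ports[0][0] if ports else "3128"

    router = s.get("wccp2_router", [None])[0]
    if router is None:
        findings.append("wccp2_router not set")
    elif not has_rule(rules, "filter", "-A INPUT", "-s %s " % router, "--dport 2048", "-j ACCEPT"):
        findings.append("no INPUT rule accepting UDP 2048 (WCCP) from %s" % router)

    tunnel, remote = gre_tunnel(interfaces_text)
    if s.get("wccp2_forwarding_method", ["1"])[0] == "1":  # 1 = GRE forwarding in squid.conf
        if tunnel is None:
            findings.append("GRE forwarding selected but no 'ip tunnel add ... mode gre' line")
        else:
            if not has_rule(rules, "filter", "-A INPUT", "-s %s " % remote, "-p gre", "-j ACCEPT"):
                findings.append("no INPUT rule accepting GRE from %s" % remote)
            if router and remote != router:  # assumption: tunnel peer should be the WCCP router
                findings.append("GRE remote %s differs from wccp2_router %s: verify which "
                                "address the router encapsulates from" % (remote, router))
            if "net.ipv4.conf.%s.rp_filter=0" % tunnel not in interfaces_text:
                findings.append("rp_filter not disabled on %s" % tunnel)
            if not has_rule(rules, "nat", "-A PREROUTING", "-i %s " % tunnel, "--dport 80",
                            "--to-ports %s" % squid_port):
                findings.append("no nat PREROUTING REDIRECT from %s port 80 to %s" % (tunnel, squid_port))
    return findings


if __name__ == "__main__":
    for finding in check_wccp_setup(SQUID_CONF, INTERFACES, IPTABLES) or ["no gaps found"]:
        print("-", finding)
```

Point the three constants at the real files to run it against a live box; the matching is deliberately plain substring work on `-A` lines, so it catches a missing rule or a wrong interface name but will not understand rules written with `!` negation or `-m multiport`.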

All Answers

I could be wrong, but....

by robo_dev In reply to Squid with WCCP help!

Sometimes it works better to terminate the GRE tunnel in a loopback address,

see this thread:
http://www.gossamer-threads.com/lists/cisco/nsp/80648

see this link:
http://www.sublime.com.au/squid-wccp/

and this wiki:
http://wiki.squid-cache.org/ConfigExamples/SquidAndWccp2

Debug in the routers

by cjesus4 In reply to Squid with WCCP help!

Run these commands in the router:
sh version,
debug ip wccp events
and debug ip wccp packets
and send the output for us to check...

I configured that on 2 Catalyst 3560 + Squid 2.7 and it's good...
