Squid with WCCP help!

By R_O_L_A_N_D ·
Hi All,
I've been wrestling with my transparent proxy for the last 3 days..
I hope someone could give me a hint on what I'm doing wrong..
I've installed squid and set the following but it's still not connecting to my cisco router!!!

PS: as a non-transparent proxy it's working perfectly, but when it comes to being transparent and doing the iptables/interface (GRE tunnel) issue.. it's failing big time!

http_port 3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
maximum_object_size 100 KB
cache_dir aufs /var/spool/squid 25000 16 256
access_log /var/spool/squid/squid_access.log squid
cache_log /var/log/squid_cache.log
cache_store_log none
debug_options ALL,1
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl purge method PURGE
acl the_network src
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow the_network
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access deny !the_network
cache_effective_user proxy
cache_effective_group proxy
visible_hostname silent
logfile_rotate 7
store_avg_object_size 14444 KB
client_db off
always_direct allow the_network
error_directory /usr/share/squid/errors/Spanish
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
uri_whitespace encode
strip_query_terms on
coredump_dir /home/proxy
ie_refresh on

iface eth0 inet static
pre-up ( \
/sbin/modprobe ip_conntrack ; \
/sbin/modprobe iptable_nat ; \
/sbin/iptables-restore < /etc/default/iptables ; \
post-up ( \
/sbin/ip link set eth0 mtu 1476 ; \
/sbin/ip tunnel add wccp1 mode gre remote \
local dev eth0 ; \
/sbin/ip addr add dev wccp1 ; \
/sbin/ip link set wccp1 up ; \
/sbin/sysctl -w net.ipv4.conf.wccp1.rp_filter=0 ; \
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ; \
pre-down ( \
/sbin/ip link set wccp1 down ; \
/sbin/ip tunnel del wccp1 ; \
# Established connections

-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# GRE tunnel traffic

-A INPUT -s -d -p gre -j ACCEPT

# HTTP rerouted requests

-A INPUT -s -p tcp -m tcp --dport 3128 -j ACCEPT

# UDP DNS replies

-A INPUT -p udp -m udp --sport 53 -j ACCEPT

# Accept some ICMP echo request / 10 request per second

-A INPUT -p icmp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT

# WCCP traffic

-A INPUT -s -p udp -m udp --sport 2048 --dport 2048 -j ACCEPT

# Incoming HTTP traffic from origin servers

-A INPUT -s ! -p tcp -m tcp --sport 80 -j ACCEPT

-A INPUT -s ! -p tcp -m tcp --sport 8000 -j ACCEPT

-A INPUT -s ! -p tcp -m tcp --sport 8080 -j ACCEPT

# TCP DNS replies. Just in case

-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT

# SSH connection from admin server

-A INPUT -s -p tcp -m tcp --dport 22 -j ACCEPT

# Accept some traceroute. 3 per second

-A INPUT -p udp -m udp --dport 33434:33445 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT

# Log everything else, maybe add explicit rules to block certain traffic.

# Unnecessary but useful monitoring


# Accept forwarded requests.

# Totally unnecessary, but allows for basic monitoring.

-A FORWARD -s -d ! -p tcp -m tcp --dport 80 -j ACCEPT

-A FORWARD -s -d ! -p tcp -m tcp --dport 3128 -j ACCEPT

-A FORWARD -s -d ! -p tcp -m tcp --dport 8000 -j ACCEPT

-A FORWARD -s -d ! -p tcp -m tcp --dport 8080 -j ACCEPT

# Reroute HTTP requests to the proxy server

-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 3128

-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
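A small configuration lint, added here as an example (not part of the thread and not Squid's own code), that checks a squid.conf for the conditions a WCCPv2/GRE setup like the one above depends on; the sample config is constructed to mirror the post and leaves the addresses blank exactly as the post does.

```python
# Constructed sample mirroring the WCCPv2 directives from the post above;
# the ACL and router addresses are left blank exactly as in the post.
SAMPLE_CONF = """\
http_port 3128 transparent
acl all src
acl the_network src
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
"""

def parse_squid_conf(text):
    """Return {directive: [[args], ...]}, skipping comments and blank lines."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def lint_wccp(text):
    """Return findings that explain why a WCCPv2/GRE Squid may never register with the router."""
    d = parse_squid_conf(text)
    findings = []
    # Without a router address Squid never sends a HERE_I_AM, so the router lists no cache.
    if "wccp2_router" not in d:
        findings.append("wccp2_router missing: no HERE_I_AM is sent, the router never sees this cache")
    # wccp_version only applies to the WCCPv1 code path (wccp_router); it does nothing for wccp2_*.
    if "wccp_version" in d and "wccp_router" not in d:
        findings.append("wccp_version set but no wccp_router: the directive is ignored by WCCPv2")
    # Intercepted requests carry a relative URL; the receiving port must be transparent/intercept.
    if not any({"transparent", "intercept"} & set(a) for a in d.get("http_port", [])):
        findings.append("http_port lacks transparent/intercept: redirected requests are rejected")
    # Forwarding method 1 (Squid's default) is GRE: the host must terminate the tunnel and relax rp_filter.
    if d.get("wccp2_forwarding_method", [["1"]])[0][:1] == ["1"]:
        findings.append("GRE forwarding: a gre tunnel to the router and rp_filter=0 are required")
    # An acl with no value matches nothing, so http_access rules built on it silently fail.
    for args in d.get("acl", []):
        if len(args) < 3:
            findings.append("acl %s has no value: rules using it never match" % (args[0] if args else "?"))
    return findings

if __name__ == "__main__":
    for f in lint_wccp(SAMPLE_CONF):
        print("-", f)
```

Run it against the real squid.conf before looking at the router side; an empty result means the Squid-side prerequisites are at least declared, after which the router's WCCP debug output is the next place to look.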

I could be wrong, but....

by robo_dev In reply to Squid with WCCP help!

Sometimes it works better to terminate the GRE tunnel in a loopback address,

see this thread:

see this link:

and this wiki:


Debug in the routers

by cjesus4 In reply to Squid with WCCP help!

Run these commands on the router:
sh version,
debug ip wccp events
and debug ip wccp packets
and send the output for us to check...

I configured that on 2 Catalyst 3560 + Squid 2.7 and it works well...
