Squid with WCCP help! - TechRepublic
Question
December 11, 2008 at 06:47 AM
r_o_l_a_n_d

Squid with WCCP help!

by r_o_l_a_n_d . Updated 17 years, 3 months ago

Hi All,
i’m wrestling with my transparent proxy for the last 3 days..
i hope someone could give me a hint on wht im doing wrong..
i’ve installed squid and set the following but its still not connecting to my cisco router!!!

PS: as a none transparent proxy its working perfectly, but when it comes to being transparent and doing the iptables/interface(GRE tunnel) issue.. its failing big time!

==============squid.conf:======================
http_port 3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
maximum_object_size 100 KB
cache_dir aufs /var/spool/squid 25000 16 256
access_log /var/spool/squid/squid_access.log squid
cache_log /var/log/squid_cache.log
cache_store_log none
debug_options ALL,1
#client_netmask 255.255.255.0
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl the_network src 192.168.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow the_network
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access deny !the_network
cache_mgr roland.abihanna@gotocme.com
cache_effective_user proxy
cache_effective_group proxy
visible_hostname silent
logfile_rotate 7
store_avg_object_size 14444 KB
client_db off
always_direct allow the_network
error_directory /usr/share/squid/errors/Spanish
wccp2_router 192.168.0.1
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
uri_whitespace encode
strip_query_terms on
coredump_dir /home/proxy
ie_refresh on

============/etc/network/interfaces============
iface eth0 inet static
address 192.168.0.14
netmask 255.255.255.0
gateway 192.168.0.1
pre-up ( \
/sbin/modprobe ip_conntrack ; \
/sbin/modprobe iptable_nat ; \
/sbin/iptables-restore < /etc/default/iptables ; \ ) post-up ( \ /sbin/ip link set eth0 mtu 1476 ; \ /sbin/ip tunnel add wccp1 mode gre remote 192.168.10.3 \ local 192.168.0.14 dev eth0 ; \ /sbin/ip addr add 192.168.0.14 dev wccp1 ; \ /sbin/ip link set wccp1 up ; \ /sbin/sysctl -w net.ipv4.conf.wccp1.rp_filter=0 ; \ /sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ; \ ) pre-down ( \ /sbin/ip link set wccp1 down ; \ /sbin/ip tunnel del wccp1 ; \ ) ===================/etc/default/iptables======= *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Established connections -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT # GRE tunnel traffic -A INPUT -s 192.168.10.3 -d 192.168.0.14 -p gre -j ACCEPT # HTTP rerouted requests -A INPUT -s 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 3128 -j ACCEPT # UDP DNS replies -A INPUT -p udp -m udp --sport 53 -j ACCEPT # Accept some ICMP echo request / 10 request per second -A INPUT -p icmp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT # WCCP traffic -A INPUT -s 192.168.0.1 -p udp -m udp --sport 2048 --dport 2048 -j ACCEPT # Incoming HTTP traffic from origin servers -A INPUT -s ! 192.168.0.1/255.255.255.0 -p tcp -m tcp --sport 80 -j ACCEPT -A INPUT -s ! 192.168.0.1/255.255.255.0 -p tcp -m tcp --sport 8000 -j ACCEPT -A INPUT -s ! 192.168.0.1/255.255.255.0 -p tcp -m tcp --sport 8080 -j ACCEPT # TCP DNS replies. Just in case -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT # SSH conection from admin server -A INPUT -s 192.168.0.2 -p tcp -m tcp --dport 22 -j ACCEPT # Accept some traceroute. 3 per second -A INPUT -p udp -m udp --dport 33434:33445 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT # Log everything else, maybe add explicit rules to block certain traffic. # Unnecesary but useful monitoring -A INPUT -j LOG # Accept forwarded requests. # Totally unnecesary, but allows for basic monitoring. -A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT -A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3128 -j ACCEPT -A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8000 -j ACCEPT -A FORWARD -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 8080 -j ACCEPT COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Reroute HTTP requests to the proxy server -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 -A PREROUTING -i wccp1 -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 3128 -A PREROUTING -i wccp1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128

This discussion is locked

All Comments