RE: [squid-users] Squid + RHEL4 + ip_gre issue

From: Arnold Wang <arnold.wang@dont-contact.us>
Date: Thu, 3 Aug 2006 17:25:43 -0700

1. Can you explain to me your concern about the WCCP chat you saw on the wccp0
interface? I thought they belong there.
2. The iptables rules look like this.
 [root@rcarhlp02 ~]# iptables-save
# Generated by iptables-save v1.2.11 on Thu Aug 3 17:17:18 2006
*filter
:INPUT ACCEPT [312:26614]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [226:28523]
COMMIT
# Completed on Thu Aug 3 17:17:18 2006
# Generated by iptables-save v1.2.11 on Thu Aug 3 17:17:18 2006
*nat
:PREROUTING ACCEPT [59:6147]
:POSTROUTING ACCEPT [4:352]
:OUTPUT ACCEPT [4:352]
-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.17.2.146:3128
COMMIT
# Completed on Thu Aug 3 17:17:18 2006
3. Take a look at the following. If I read it correctly (I'm not familiar
with iptables/netfilter), it doesn't look like the DNAT rule has ever
been triggered, which makes me further believe the encapsulated WCCP
packets were decapsulated properly.
[root@rcarhlp02 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT       tcp  --  10.0.0.0/8           !10.0.0.0/8          tcp dpt:http to:10.17.2.146:3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@rcarhlp02 ~]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 182 packets, 20521 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  wccp0  any     10.0.0.0/8           !10.0.0.0/8          tcp dpt:http to:10.17.2.146:3128

Chain POSTROUTING (policy ACCEPT 19 packets, 1291 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1291 bytes)
 pkts bytes target     prot opt in     out     source               destination

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Sent: Thursday, August 03, 2006 3:22 PM
To: Arnold Wang
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid + RHEL4 + ip_gre issue

Thu 2006-08-03 at 14:40 -0700, Arnold Wang wrote:
> I'm sorry I forgot it's from the eth0 packet. I do see traffic on wccp0
> as well.
>
> [root@rcarhlp02 local]# tethereal -i wccp0
> tethereal: WARNING: arptype 778 not supported by libpcap - falling back
> to cooked socket.
> Capturing on wccp0
> 0.000000 192.168.1.6 -> 192.168.1.7 WCCP 1.0 Here I am
> 0.000967 192.168.1.7 -> 192.168.1.6 WCCP 1.0 I see you
> 10.435223 192.168.1.6 -> 192.168.1.7 WCCP 1.0 Here I am
> 10.436387 192.168.1.7 -> 192.168.1.6 WCCP 1.0 I see you

Odd.. I would not expect the WCCP chatter to be seen here...

> 14.871173 10.17.11.20 -> 209.131.36.158 TCP 33340 > http [SYN] Seq=0
> Ack=0 Win=5840 Len=0 MSS=1460 TSV=77188263 TSER=0 WS=2

This looks like an intercepted packet. So the GRE probably works..
(maybe... the WCCP stuff above worries me..)

For now assuming the GRE does work. What do your iptables rules look
like?

  iptables-save

Regards
Henrik
Received on Thu Aug 03 2006 - 18:24:24 MDT
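Added example, not part of the thread and not code from Squid or iptables: a small Python check that reads an `iptables -t nat -L -v -n` style chain listing and, for one observed packet, reports whether each rule's match criteria select that packet and whether the rule's packet counter says it has ever been hit. This is the comparison Arnold does by eye in point 3. The listing and the captured SYN below are constructed from the output posted in the thread; the parser and the field names of the packet and rule dictionaries are the example's own.

```python
import ipaddress
import re

# Constructed sample in the shape of `iptables -t nat -L PREROUTING -v -n`,
# reproducing the DNAT rule and the zero counter reported in the thread.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 182 packets, 20521 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  wccp0  *       10.0.0.0/8          !10.0.0.0/8           tcp dpt:80 to:10.17.2.146:3128
"""

# The intercepted SYN seen on wccp0 in the posted tethereal capture.
CAPTURED_SYN = {"iface": "wccp0", "proto": "tcp",
                "src": "10.17.11.20", "dst": "209.131.36.158", "dport": 80}


def parse_listing(text):
    """Parse the rule lines of an `iptables -L -v -n` chain listing into dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the chain header and the column header; rule lines start with a counter.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        pkts, nbytes, target, prot, _opt, iface_in, iface_out, src, dst = parts[:9]
        extra = " ".join(parts[9:])
        m = re.search(r"\bdpt:(\d+)", extra)
        rules.append({
            "pkts": int(pkts), "bytes": int(nbytes), "target": target,
            "prot": prot, "in": iface_in, "out": iface_out,
            "src": src, "dst": dst,
            "dport": int(m.group(1)) if m else None,
            "extra": extra,
        })
    return rules


def net_matches(spec, addr):
    """Match an address against a source/destination column, honouring '!' negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec in ("anywhere", "0.0.0.0/0"):
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def rule_matches(rule, pkt):
    """Decide whether the rule's match criteria (in-iface, proto, dport, src, dst) select pkt."""
    # '*' is printed with -n, 'any' without it; both mean any interface.
    if rule["in"] not in ("*", "any") and rule["in"] != pkt["iface"]:
        return False
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    return net_matches(rule["src"], pkt["src"]) and net_matches(rule["dst"], pkt["dst"])


def diagnose(listing, pkt):
    """Return one (target, should_match, pkts, verdict) tuple per rule for the packet."""
    report = []
    for rule in parse_listing(listing):
        should = rule_matches(rule, pkt)
        if should and rule["pkts"] == 0:
            verdict = ("rule selects this packet but its counter is zero: the packet "
                       "never reached nat/PREROUTING as a decapsulated TCP segment")
        elif should:
            verdict = "rule selects this packet and has been hit"
        else:
            verdict = "rule does not select this packet"
        report.append((rule["target"], should, rule["pkts"], verdict))
    return report


if __name__ == "__main__":
    for target, should, pkts, verdict in diagnose(SAMPLE_LISTING, CAPTURED_SYN):
        print(f"{target}: match={should} pkts={pkts}: {verdict}")
```

Run against the posted data, the DNAT rule does select the captured SYN (source in 10/8, destination outside it, TCP port 80, arriving on wccp0), yet its counter is 0, so the SYN that tethereal showed on the cooked socket was never presented to the nat table as a plain TCP packet on that interface. Two caveats when reading such counters on a live box: the nat table only sees the first packet of each connection (later packets are handled by conntrack), and a capture on a GRE tunnel interface can show frames that the IP stack subsequently drops, so a packet in the capture is not proof that netfilter saw it.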
