Re: [squid-users] Problem with transparent proxy using WCCP2 + GRE on Linux

From: Bryan Shoebottom <bshoebottom@dont-contact.us>
Date: Fri, 23 Feb 2007 07:50:38 -0500

Nicolas,

Maybe the packets are getting dropped when they are trying to get back
into your system on port 3128; try redirecting to the port only, using
--to-ports instead of --to-destination. I also use the REDIRECT
function as opposed to DNAT. Here is my rule:

iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Finally, I use the IP of my cache server with a /32 mask for the gre0
interface. Hope this helps.

Thanks,
 Bryan

On Fri, 2007-02-23 at 04:09 -0500, Nicolas Limage wrote:
> Hi squid-users,
>
> I'm currently trying to replace an old netapp proxy with a squid+linux box.
>
> I've some users behind a Cisco 7200 running IOS 12.4(12) using the proxy in
> transparent mode. The current proxy uses WCCP2+GRE to get the traffic from
> the router. The aim is to reproduce this behaviour with the squid box.
>
> I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from debian
> and squid-2.6.STABLE8 compiled with the following options:
>
> $ ./configure --prefix=/opt/package/squid-2.6.STABLE8 \
>     --enable-storeio=aufs,coss,diskd,null,ufs \
>     --enable-removal-policies=heap,lru \
>     --enable-useragent-log --enable-referer-log --enable-wccp --enable-wccpv2 \
>     --enable-snmp --enable-linux-netfilter --enable-large-cache-files \
>     --disable-ident-lookups --with-pthreads
>
> My squid.conf file includes these lines:
>
> http_port 3128 transparent
> wccp2_router <ip_of_the_cisco_router>
> wccp2_rebuild_wait on
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service standard 0
>
> I have set up an unnumbered GRE tunnel between the box and the router:
>
> # iptunnel del gre0
> # iptunnel add gre0 mode gre remote <ip_of_the_cisco_router> local <ip_of_the_linux_box> dev eth0
> # ifconfig gre0 up
>
> I've added these commands to enable routing and disable spoof protection.
>
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> # for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 0 > $file
> done
>
> To do the redirection, I'm using iptables, with all default policies set to
> ACCEPT, plus this rule:
>
> # iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination <ip_of_the_linux_box>:3128
>
> The Cisco router has been doing the job for years, so I doubt the problem
> comes from it. The squid proxy is running, with no error messages. I've
> tested it by explicitly declaring it in my browser, and it works perfectly.
>
> The router can see the proxy (it is in its WCCP list) and it sends the
> packets to the linux box. I can see the encapsulated packets coming to the
> linux box, I can see the packets coming out of the GRE tunnel (tcpdump -i gre0),
> they hit the iptables redirection rule (iptables -t nat -L -v; the counter is
> increasing), but afterwards, they seem to disappear. No trace in the squid
> log. The tcp session is not established. I see no related traffic coming out
> of the box either.
>
> Does someone have an idea of what could be happening?
>
> I'm also very interested in knowing how (in theory) the answer is supposed
> to return to the client.
>
> Thanks
> --
> Nicolas L.
>
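Putting Nicolas's setup together with Bryan's two changes (a /32 address on gre0, and a REDIRECT rule bound to the gre0 input interface), as an added example that is not code from either poster: a dry-run shell script that emits the tunnel, sysctl and NAT commands. The addresses are placeholders, and the `ip`/`sysctl` forms stand in for the older iptunnel/ifconfig/echo commands in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: bring up a Linux box as a WCCPv2/GRE
# target for a transparent Squid. Run as root with DRY_RUN=0 to apply for real.
set -eu

ROUTER_IP="${ROUTER_IP:-192.0.2.1}"   # the Cisco WCCP router (placeholder)
BOX_IP="${BOX_IP:-192.0.2.10}"        # eth0 address of the Squid box (placeholder)
SQUID_PORT="${SQUID_PORT:-3128}"      # must match "http_port ... transparent"
GRE_IF="${GRE_IF:-gre0}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = execute them

# Print a command in dry-run mode, otherwise execute it (eval keeps redirects working).
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi; }

# The GRE tunnel that receives the WCCP-encapsulated client packets; the box's own
# address is put on gre0 as /32, as Bryan does, so the tunnel has a local endpoint.
tunnel_cmds() {
  printf '%s\n' "ip tunnel del $GRE_IF 2>/dev/null || true" \
    "ip tunnel add $GRE_IF mode gre remote $ROUTER_IP local $BOX_IP dev eth0" \
    "ip addr add $BOX_IP/32 dev $GRE_IF" \
    "ip link set $GRE_IF up"
}

# Forwarding on, reverse-path filtering off: decapsulated packets carry the clients'
# source addresses, which rp_filter would otherwise drop as spoofed on gre0.
# Both "all" and the interface entry are cleared so either kernel semantics applies.
sysctl_cmds() {
  printf '%s\n' "sysctl -w net.ipv4.ip_forward=1" \
    "sysctl -w net.ipv4.conf.all.rp_filter=0" \
    "sysctl -w net.ipv4.conf.$GRE_IF.rp_filter=0"
}

# Intercept only traffic that arrived through the tunnel, and rewrite only the
# port: REDIRECT delivers to a local address of the receiving interface, so no
# separate DNAT destination is needed. Squid's replies reach the client over the
# box's normal route, not the tunnel.
redirect_rule() {
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp -m tcp --dport 80 -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Emit (or execute) everything in order. Afterwards, check with
# "iptables -t nat -L PREROUTING -v -n" (rule counter) and Squid's access.log.
apply_all() {
  { tunnel_cmds; sysctl_cmds; redirect_rule "$GRE_IF" "$SQUID_PORT"; } |
    while IFS= read -r cmd; do run "$cmd"; done
}

apply_all
```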
Received on Fri Feb 23 2007 - 05:49:02 MST
