Re: [squid-users] transparent Proxy with WCCP

From: pritam <pritam_at_subisu.net.np>
Date: Fri, 19 Dec 2008 02:12:59 +0545

Regardt van de Vyver wrote:
> Roland Roland wrote:
>> ...
>>
>> ------------------added to Squid.conf:------------------
>>
>> acl MyNet src 192.168.0.0/24
>> http_access allow MyNet (this is set before the deny all rule)
>> wccp_router 192.168.0.1
>> http_port 3128 transparent
>>
>>
>> ------------------connectivity------------------
>>
>> ip tunnel add wccp0 mode gre remote 192.168.0.1 local 192.168.0.108 dev eth0
>> ip addr add 192.168.0.108/24 dev wccp0
>> ip link set wccp0 up
>>
>> iptables -t nat -A PREROUTING -i wccp0 -j REDIRECT -p tcp --to-port 80 <<-- to direct from GRE to port 80
>>
>>
>>
>> ...
> Hi Roland,
>
> My experience is almost exclusively with wccp2 but off the bat the
> only thing that looks 'funky' to me is your iptables rule and a few
> /proc tweaks.
>
> Try the following after doing the "ip link set wccp0 up":
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
I guess you don't need to set ip_forward = 1 when you aren't NATing your
private to public IP in the proxy (I mean, in your case, if the router is
the default gw for the proxy).
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
>
> The GRE tunnel is only there to provide decapsulation of the WCCP
> traffic from the router. Once that is done the traffic is essentially
> still pointing towards port 80. Since you're running your squid on
> port 3128 your iptables rule NEEDS to redirect incoming port 80
> traffic to that port, so it should read:
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
>
> regards,
>
> Regardt vd Vyver
It is working with the following configuration in my case:

1. A script to set up GRE interface in proxy:

---------------->
#!/bin/bash
# Bring the GRE tunnel that receives the WCCP-redirected traffic up or down.
# Fill in the two placeholders with the router's loopback address and the
# proxy's own address before use.
ROUTER_LOOPBACK_IP="<router-loopbackIP>"
PROXY_IP="<proxy-server-ip>"

case "$1" in
up)
        echo -n "Setting gre1 UP: "
        /sbin/modprobe ip_gre
        /sbin/ip tunnel add gre1 mode gre remote "$ROUTER_LOOPBACK_IP" local "$PROXY_IP" dev eth0
        /sbin/ip addr add "$PROXY_IP"/32 dev gre1
        /sbin/ip link set gre1 up
        # Disable reverse-path filtering: packets arrive on gre1 from source
        # addresses that the routing table expects to see on eth0.
        /sbin/sysctl -w net.ipv4.conf.gre1.rp_filter=0
        /sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0
        ;;
down)
        /sbin/ip link set gre1 down
        /sbin/ip tunnel del gre1
        ;;
*)
        echo "Usage: $0 {up|down}" >&2
        exit 1
        ;;
esac

exit 0
------------------>

2. Configuration in my router:

conf t
!
ip wccp version 1
ip wccp web-cache redirect-list squid-acl
!
! This interface faces my LAN. You can apply redirection in either the IN
! or OUT direction and on more than one interface; this is the way I have
! preferred.
int fa 1/0
 ip wccp web-cache redirect in
!
! The first deny keeps the proxy's own outbound requests from being
! redirected back to itself.
ip access-list extended squid-acl
 deny ip host <proxy-ip> any
 deny ip <your-LAN-net> <wild-card-mask> any
 permit ip any any
!

Regards,

Pritam
Received on Thu Dec 18 2008 - 20:28:29 MST
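An added check for the two host-side settings this thread turns on (the REDIRECT rule shape Regardt gives and the rp_filter=0 Pritam's script sets); it is example code written for this thread, not code from either poster. It reads saved `iptables -t nat -S PREROUTING` and `sysctl` output so it runs offline, and the interface name, Squid port and sample rule lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit the host-side settings a WCCP/GRE transparent Squid needs.

# audit_redirect RULES SQUID_PORT GRE_IF
# RULES is `iptables -t nat -S PREROUTING` output, one rule per line.
# Returns 0 if the correct rule is present, 1 if a REDIRECT rule exists on
# GRE_IF but has the wrong shape, 2 if GRE_IF has no REDIRECT rule at all.
audit_redirect() {
    rules=$1; port=$2; gre=$3
    if printf '%s\n' "$rules" | grep -qE \
        "^-A PREROUTING -i ${gre} -p tcp (-m tcp )?--dport 80 -j REDIRECT --to-ports ${port}$"; then
        echo "ok: TCP/80 arriving on ${gre} is redirected to Squid on ${port}"
        return 0
    fi
    if printf '%s\n' "$rules" | grep -qE "^-A PREROUTING .*-i ${gre} .*-j REDIRECT"; then
        # Typical mistakes: no --dport 80 (every TCP flow is grabbed) or
        # --to-ports 80 (a port Squid is not listening on).
        echo "wrong: REDIRECT rule on ${gre} does not send --dport 80 to ${port}"
        return 1
    fi
    echo "missing: no REDIRECT rule on ${gre}; decapsulated traffic still targets port 80"
    return 2
}

# audit_rp_filter SYSCTLS GRE_IF
# SYSCTLS is `sysctl net.ipv4.conf` output. Returns 0 only when reverse-path
# filtering is off on GRE_IF, since WCCP packets arrive from addresses the
# routing table expects on another interface.
audit_rp_filter() {
    sysctls=$1; gre=$2
    if printf '%s\n' "$sysctls" | grep -qE "^net\.ipv4\.conf\.${gre}\.rp_filter *= *0$"; then
        return 0
    fi
    echo "rp_filter is not 0 on ${gre}; the kernel may drop GRE-delivered packets"
    return 1
}

# Constructed samples: the rule from the start of the thread and the corrected one.
BAD_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i wccp0 -p tcp -j REDIRECT --to-ports 80'
GOOD_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
SYSCTLS_OK='net.ipv4.conf.wccp0.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0'

# Live use on the proxy host (needs root):
#   audit_redirect "$(iptables -t nat -S PREROUTING)" 3128 wccp0
#   audit_rp_filter "$(sysctl net.ipv4.conf)" wccp0
```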