RE: [squid-users] TProxy setup

From: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
Date: Mon, 22 Dec 2008 09:00:37 -0600

The docs are accurate for rules and marking. Exactly what you need to do varies depending on whether you need to do NAT or not.
 
Generally, in a Cisco environment where WCCP is used, and NAT is done on the outside egress interface of the router, a Squid/WCCP/TProxy setup can be done with no NAT being taken into consideration because all of the redirection, etc. happens behind the NAT point for the network as a whole.
 
You should open up a port for the WCCP control traffic though. The doc on the squid wiki mentions the port number. Although not always needed, I have found from experience that depending on the IOS code level, the port is sometimes needed and sometimes not... but logically it is needed, so it is safe to always open it up.
 
Here is what I have for iptables rules:
 
# (iptables-save format; the *filter/*mangle table headers, the :LocalFW and
#  :DIVERT chain declarations and the COMMIT lines are added here so the listing
#  loads with iptables-restore; LocalFW is assumed to be jumped to from INPUT)
*filter
:LocalFW - [0:0]
# Allow all incoming traffic on the GRE interface
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
# Allow GRE Protocol on physical interface which the GRE is expected on
-A INPUT -i eth0 -p gre -j ACCEPT
-A LocalFW -p icmp -m icmp --icmp-type any -j ACCEPT
# Allow WCCP "control" traffic to UDP port 2048
-A LocalFW -s <address of router>/32 -p udp -m udp --dport 2048 -j ACCEPT
COMMIT
*mangle
:DIVERT - [0:0]
# divert, mangling, etc. of inbound HTTP request traffic redirected by WCCP on the router to the squid box
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip <IP of GRE0 interface of squid box> --tproxy-mark 0x1/0x1
# DIVERT chain: mark packets that already belong to a local socket and accept them
-A DIVERT -j MARK --set-mark 0x1
-A DIVERT -j ACCEPT
COMMIT

 
The rules above are not exactly optimal. The "-A PREROUTING -p tcp -m socket -j DIVERT" line can break some other functionality on the linux box hosting squid, but for a dedicated cache box, this is ok.
 
I am going to start working on an updated CentOS 5.2/TProxy/Squid setup and HOWTO because the one I put up on the Squid wiki is a little incorrect and the new version of TProxy has ICMP support that is important.
 
Nicholas
________________________________

From: rihad [mailto:rihad_at_mail.ru]
Sent: Mon 12/22/2008 12:28 AM
To: Squid Users
Subject: [squid-users] TProxy setup

Hello there,

How should TProxy/Cisco be configured in iptables/netfilter:
0) as outlined in SquidFaq with just two lines
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b):
iptables -t nat -A PREROUTING -i wccp0 -j REDIRECT --redirect-to 3128
iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80

1) As described in the official TProxy docs
(http://www.balabit.com/downloads/files/tproxy/README.txt):
       ip rule add fwmark 1 lookup 100
       ip route add local 0.0.0.0/0 dev lo table 100

       iptables -t mangle -N DIVERT
       iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

       # DIVERT chain: mark packets and accept
       iptables -t mangle -A DIVERT -j MARK --set-mark 1
       iptables -t mangle -A DIVERT -j ACCEPT

       iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
               --tproxy-mark 0x1/0x1 --on-port 50080

2) Both :-/
3) Something else.

I'm totally confused...
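For reference, here is one complete bring-up that puts option 1 from the question above (the balabit README rules) together with the GRE and WCCP-control allowances from Nicholas's reply. It is an added example, not code from this thread, the Squid wiki or the balabit README. The addresses, the tunnel device name wccp0 (Nicholas's rules use the catch-all gre0 device instead), the port numbers, the `ip tunnel`/`ip addr` tunnel setup and the rp_filter sysctl are all assumptions; it needs root, iproute2, ip_gre and an iptables/kernel that have the socket match and the TPROXY target.

```shell
#!/bin/sh
# Added example (not from the thread, Squid or balabit): TPROXY v4 + WCCP/GRE
# bring-up. Every value below is an assumed placeholder; override via the environment.
set -u

ROUTER_IP="${ROUTER_IP:-192.0.2.1}"    # WCCP router (placeholder)
SQUID_IP="${SQUID_IP:-192.0.2.10}"     # address of the squid box on PHYS_IF (placeholder)
PHYS_IF="${PHYS_IF:-eth0}"             # interface the GRE-encapsulated traffic arrives on
GRE_IF="${GRE_IF:-wccp0}"              # tunnel device (assumed name; Nicholas uses gre0)
SQUID_PORT="${SQUID_PORT:-3128}"       # TPROXY-aware Squid listener
FWMARK="${FWMARK:-0x1}"                # mark that selects the "deliver locally" table
RT_TABLE="${RT_TABLE:-100}"
WCCP_PORT=2048                         # WCCP control protocol, UDP
DRY_RUN="${DRY_RUN:-0}"                # DRY_RUN=1 prints the commands instead of running them

# Every privileged command goes through run(), so the result can be reviewed with DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# GRE tunnel that terminates the router's WCCP redirection (assumed typical setup).
# The tunnel carries the squid box's address so that --on-ip has something to bind to.
gre_tunnel_up() {
    run modprobe ip_gre
    run ip tunnel add "$GRE_IF" mode gre remote "$ROUTER_IP" local "$SQUID_IP" dev "$PHYS_IF"
    run ip addr add "$SQUID_IP/32" dev "$GRE_IF"
    run ip link set "$GRE_IF" up
    # Assumed necessary: decapsulated packets carry client source addresses whose
    # return route points at PHYS_IF, so strict reverse-path filtering would drop them.
    run sysctl -w "net.ipv4.conf.$GRE_IF.rp_filter=0"
    run sysctl -w net.ipv4.conf.all.rp_filter=0
}

# Filter table: only the router may send GRE and WCCP control traffic; what arrives
# decapsulated on the tunnel is redirected client traffic and is let in.
filter_rules() {
    run iptables -A INPUT -i "$PHYS_IF" -s "$ROUTER_IP" -p gre -j ACCEPT
    run iptables -A INPUT -i "$PHYS_IF" -s "$ROUTER_IP" -p udp --dport "$WCCP_PORT" -j ACCEPT
    run iptables -A INPUT -i "$GRE_IF" -p tcp -j ACCEPT
    run iptables -A INPUT -i "$GRE_IF" -p icmp -j ACCEPT
}

# Mangle table and policy routing: the README's rules, with both PREROUTING rules
# restricted to the tunnel so the socket match cannot catch packets meant for other
# local services (the breakage Nicholas warns about).
tproxy_rules() {
    # Marked packets use a table whose only route delivers everything locally, so a
    # SYN addressed to an arbitrary web server ends up at the local listener.
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE"
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # Order matters: packets that already belong to a local (transparent) socket are
    # marked by the socket match and never reach TPROXY; the rest of the port-80
    # traffic, i.e. new connections, is handed to the TPROXY target.
    run iptables -t mangle -A PREROUTING -i "$GRE_IF" -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -i "$GRE_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$FWMARK/$FWMARK" --on-port "$SQUID_PORT" --on-ip "$SQUID_IP"
}

# Undo exactly what tproxy_rules added, without flushing unrelated PREROUTING rules.
tproxy_rules_down() {
    run iptables -t mangle -D PREROUTING -i "$GRE_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$FWMARK/$FWMARK" --on-port "$SQUID_PORT" --on-ip "$SQUID_IP"
    run iptables -t mangle -D PREROUTING -i "$GRE_IF" -p tcp -m socket -j DIVERT
    run iptables -t mangle -F DIVERT
    run iptables -t mangle -X DIVERT
    run ip route flush table "$RT_TABLE"
    run ip rule del fwmark "$FWMARK" lookup "$RT_TABLE"
}

case "${1:-}" in
    up)   gre_tunnel_up; filter_rules; tproxy_rules ;;
    down) tproxy_rules_down ;;
    show) DRY_RUN=1; gre_tunnel_up; filter_rules; tproxy_rules ;;
    *)    : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

`sh tproxy-wccp.sh show` prints the exact commands for review, `up` applies them and `down` removes the mangle and routing part again. Squid itself still has to open a TPROXY-aware listener on SQUID_PORT (the Squid 3.1-style `http_port 3128 tproxy` line is the assumed counterpart). Restricting the two PREROUTING rules to the tunnel assumes the router redirects both directions of each intercepted flow through the tunnel, which a WCCP TPROXY deployment needs anyway because the replies are addressed to the spoofed client; drop the `-i "$GRE_IF"` to get the README's interface-agnostic form.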
Received on Mon Dec 22 2008 - 15:00:48 MST