Re: [squid-users] transparent proxy not working!! any advice?

From: <R_O_L_A_N_D_at_hotmail.com>
Date: Thu, 8 Jan 2009 17:44:49 +0200

Nicholas

Ports are open now, however I'm still not seeing traffic on the tunnel
(tcpdump -i gre0). Also I'm not certain if the ip_gre module is enough. I'm
seeing many configurations using ip_wccp, but I do not have that one on my
CentOS. What is the proper way to verify that the tunnel is working properly? I
tried to create 2 VMs, and set up a GRE tunnel between them, and it worked.

--------------------------------------------------
From: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>
Sent: Tuesday, January 06, 2009 11:25 PM
To: "Roland Roland" <R_O_L_A_N_D_at_hotmail.com>
Cc: <squid-users_at_squid-cache.org>
Subject: RE: [squid-users] transparent proxy not working!! any advice?

> Ok...so the squid server and the router are seeing each other
> initially....then it fails. On the squid box you need to make sure the
> firewall is allowing UDP port 2048 from the router and that the GRE
> tunnel is functioning properly, and is set up in iptables properly.
>
> The other thing that may be needed is that the access-list (access-list
> 180, from my last email) should have the IP of the squid box in it as a
> deny entry. The reason for this is that you want to avoid traffic being
> 'looped' from the router to the squid box.
>
> You can set up WCCP where you are using no service groups and just the
> web-cache and web-cache redirect, etc. The two things that can break doing
> that are: multiple squid servers in a WCCP setup, and support for
> apps/ports other than port 80.
>
> Nick
>
> ________________________________
>
> From: Roland Roland [mailto:R_O_L_A_N_D_at_hotmail.com]
> Sent: Tue 1/6/2009 1:48 PM
> To: Ritter, Nicholas; squid_at_vdvyver.net
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>
>
>
> Hello,
>
> After adding the ACL below, I've got the following result.
> If I'm not mistaken, it has something to do with the "dynamic" issue?
> Should I set it as standard 0, or ?!
>
> *Jan 6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 00000019
> *Jan 6 20:21:39.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 00000019
> *Jan 6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id 00000000
> *Jan 6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001A
> *Jan 6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183 w/bad rcv_id 00000000
> *Jan 6 20:21:57.290: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001A
> *Jan 6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183 w/ rcv_id 0000001B
> *Jan 6 20:22:04.298: WCCP-PKT:D80: Sending Removal_Query packet to 192.168.0.183 w/ rcv_id 0000001B
> *Jan 6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
> *Jan 6 20:22:09.298: %WCCP-1-SERVICELOST: Service 80 lost on WCCP client 192.168.0.183
> *Jan 6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001C
> *Jan 6 20:22:15.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0000001C
>
> --------------------------------------------------
> From: "Roland Roland" <R_O_L_A_N_D_at_hotmail.com>
> Sent: Monday, January 05, 2009 9:50 PM
> To: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>;
> <squid_at_vdvyver.net>
> Cc: <squid-users_at_squid-cache.org>
> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>
>>
>> Hello,
>> Thanks for the advice, I'll proceed and add the new ACL.
>> In the meantime, to answer your question:
>> yes, Squid is on the same interface as all the other clients. What sort of
>> entries should I add to that access list?
>>
>> PS: my IOS is Version 12.4(17b), RELEASE SOFTWARE (fc2) Cisco 2811
>> (revision 53.51)
>>
>>
>> --------------------------------------------------
>> From: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>
>> Sent: Monday, January 05, 2009 9:23 PM
>> To: <R_O_L_A_N_D_at_hotmail.com>; <squid_at_vdvyver.net>
>> Cc: <squid-users_at_squid-cache.org>
>> Subject: RE: [squid-users] transparent proxy not working!! any advice?
>>
>>> The error on the Cisco router is stating that the squid box is trying to
>>> tell the router that it is able to service the wccp group 80 and 90, but
>>> for some reason the router does not see those groups as ones it is
>>> servicing.
>>>
>>> This is odd. Try doing the following in the router:
>>>
>>> ip access-list 180 permit any any
>>> ip wccp web-cache redirect-list 180
>>> ip wccp 80 redirect-list 180
>>> ip wccp 90 redirect-list 180
>>>
>>> Is the squid box on the same router interface as the rest of the clients?
>>> If it is, you may need to add lines to the access-list 180, or put the
>>> squid box on the secondary interface of the router and do an "ip wccp
>>> redirect exclude in" statement on that interface.
>>>
>>> Which IOS feature set and version is this?
>>>
>>> WCCP is buggy in some IOS releases.
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: R_O_L_A_N_D_at_hotmail.com [mailto:R_O_L_A_N_D_at_hotmail.com]
>>> Sent: Mon 1/5/2009 8:43 AM
>>> To: squid_at_vdvyver.net
>>> Cc: squid-users_at_squid-cache.org
>>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>>
>>>
>>>
>>> Hello,
>>> Actually I have both of them set on the LAN interface (am I mistaken to set
>>> the "redirect out" on the LAN interface? Should I be setting it on the
>>> interface facing the internet?)
>>>
>>> ip wccp 80 redirect in
>>> ip wccp 90 redirect out
>>>
>>> as for the wiki provided, I fail to see what's missing!
>>> obviously there is something, but I'm not detecting it!
>>>
>>>
>>>
>>> --------------------------------------------------
>>> From: "Regardt van de Vyver" <squid_at_vdvyver.net>
>>> Sent: Monday, January 05, 2009 12:46 AM
>>> Cc: <squid-users_at_squid-cache.org>
>>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>>
>>>> Roland Roland wrote:
>>>>> Hello,
>>>>> the output of the debugging is as such:
>>>>>
>>>>>
>>>>>
>>>>> *Jan 4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
>>>>> *Jan 4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active
>>>>>
>>>>> what service is that?!
>>>>>
>>>>>
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "Regardt van de Vyver" <squid_at_vdvyver.net>
>>>>> Sent: Sunday, January 04, 2009 9:33 PM
>>>>> Cc: <squid-users_at_squid-cache.org>
>>>>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>>>>
>>>>>> Roland Roland wrote:
>>>>>>> I've just created a new box with the following options,
>>>>>>> but WCCP with the router is still not working!
>>>>>>> Any advice?
>>>>>>>
>>>>>>>
>>>>>>> using centos 5.2
>>>>>>> and squid 2.6
>>>>>>> firewall enabled
>>>>>>> SElinux permissive
>>>>>>> -------------------------------------------------------
>>>>>>> done the following:
>>>>>>>
>>>>>>> yum update yum
>>>>>>>
>>>>>>> yum install squid
>>>>>>>
>>>>>>> squid -z
>>>>>>> -------------------------------------------------------
>>>>>>> gedit /etc/rc.d/init.d/rc.local
>>>>>>>
>>>>>>> #added:
>>>>>>> modprobe ip_gre
>>>>>>> ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
>>>>>>> #this is the same ip as my eth0
>>>>>>>
>>>>>>> ----------------------------------------------------
>>>>>>> gedit /etc/sysconfig/iptables
>>>>>>>
>>>>>>> #added:
>>>>>>> -A INPUT -i gre0 -j ACCEPT
>>>>>>> -A INPUT -i gre0 -j ACCEPT
>>>>>>> -A INPUT -p gre -j ACCEPT
>>>>>>> #my routers lan interface 192.168.0.1
>>>>>>> -A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT
>>>>>>> -------------------------------------------------------
>>>>>>> service iptables condrestart
>>>>>>> --------------------------------------------------------
>>>>>>> gedit /etc/squid/squid.conf
>>>>>>>
>>>>>>> #edited/added the following:
>>>>>>> http_port 80 transparent
>>>>>>> http_access allow all
>>>>>>> wccp2_router 192.168.0.1
>>>>>>> wccp_version 4
>>>>>>> wccp2_rebuild_wait on
>>>>>>> wccp2_forwarding_method 1
>>>>>>> wccp2_return_method 1
>>>>>>> wccp2_assignment_method 1
>>>>>>> wccp2_service dynamic 80
>>>>>>> wccp2_service dynamic 90
>>>>>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>>>>>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>>>>>> ----------------------------------------------------------
>>>>>>> Cisco router 2811 side:
>>>>>>>
>>>>>>> conf t
>>>>>>> ip wccp version 2
>>>>>>> ip wccp web-cache
>>>>>>>
>>>>>>> int f0/1 (Lan interface)
>>>>>>> ip wccp 80 redirect in
>>>>>>> ip wccp 90 redirect out
>>>>>>> ----------------------------------------------------------
>>>>>>> service squid restart
>>>>>>>
>>>>>>> then sh ip wccp on router gave me all hits as 0, no hits from squid to
>>>>>>> router!!
>>>>>>> ----------------------------------------------------------
>>>>>>>
>>>>>>> service iptables status
>>>>>>>
>>>>>>> [root_at_localhost ~]# service iptables status
>>>>>>> Table: filter
>>>>>>> Chain INPUT (policy ACCEPT)
>>>>>>> num target prot opt source destination
>>>>>>> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>>> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>>> 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>>> 4 ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
>>>>>>>
>>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>>> num target prot opt source destination
>>>>>>> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>>>
>>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>>> num target prot opt source destination
>>>>>>>
>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>>> num target prot opt source destination
>>>>>>> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>>>>>> 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
>>>>>>> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>>>>>>> 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
>>>>>>> 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
>>>>>>> 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
>>>>>>> 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
>>>>>>> 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>>>>>> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
>>>>>>> 10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
>>>>>>> 11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5900
>>>>>>> 12 ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:2048
>>>>>>> 13 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> lsmod:
>>>>>>>
>>>>>>> Module Size Used by
>>>>>>> ip_conntrack_netbios_ns 6977 0
>>>>>>> xt_state 6209 4
>>>>>>> ip_conntrack 53025 2 ip_conntrack_netbios_ns,xt_state
>>>>>>> nfnetlink 10713 1 ip_conntrack
>>>>>>> iptable_filter 7105 1
>>>>>>> ip_tables 17029 1 iptable_filter
>>>>>>> ip6table_filter 6849 1
>>>>>>> ip6_tables 18053 1 ip6table_filter
>>>>>>> nls_utf8 6208 1
>>>>>>> ip_gre 16737 0
>>>>>>> autofs4 24517 2
>>>>>>> hidp 23105 2
>>>>>>> rfcomm 42457 0
>>>>>>> l2cap 29505 10 hidp,rfcomm
>>>>>>> bluetooth 53797 5 hidp,rfcomm,l2cap
>>>>>>> sunrpc 144893 1
>>>>>>> ipt_REJECT 9537 1
>>>>>>> ip6t_REJECT 9409 1
>>>>>>> xt_tcpudp 7105 15
>>>>>>> x_tables 17349 6 xt_state,ip_tables,ip6_tables,ipt_REJECT,ip6t_REJECT,xt_tcpudp
>>>>>>> dm_multipath 22089 0
>>>>>>> video 21193 0
>>>>>>> sbs 18533 0
>>>>>>> backlight 10049 1 video
>>>>>>> i2c_ec 9025 1 sbs
>>>>>>> button 10705 0
>>>>>>> battery 13637 0
>>>>>>> asus_acpi 19289 0
>>>>>>> ac 9157 0
>>>>>>> ipv6 258273 17 ip6t_REJECT
>>>>>>> xfrm_nalgo 13765 1 ipv6
>>>>>>> crypto_api 11969 1 xfrm_nalgo
>>>>>>> lp 15849 0
>>>>>>> floppy 57125 0
>>>>>>> i2c_piix4 12237 0
>>>>>>> pcnet32 35141 0
>>>>>>> pcspkr 7105 0
>>>>>>> i2c_core 23745 2 i2c_ec,i2c_piix4
>>>>>>> mii 9409 1 pcnet32
>>>>>>> ide_cd 40033 1
>>>>>>> cdrom 36705 1 ide_cd
>>>>>>> parport_pc 29157 1
>>>>>>> serio_raw 10693 0
>>>>>>> parport 37513 2 lp,parport_pc
>>>>>>> dm_snapshot 21477 0
>>>>>>> dm_zero 6209 0
>>>>>>> dm_mirror 29125 0
>>>>>>> dm_mod 61405 9 dm_multipath,dm_snapshot,dm_zero,dm_mirror
>>>>>>> ata_piix 22341 0
>>>>>>> libata 143997 1 ata_piix
>>>>>>> sd_mod 24897 0
>>>>>>> scsi_mod 134605 2 libata,sd_mod
>>>>>>> ext3 123593 2
>>>>>>> jbd 56553 1 ext3
>>>>>>> uhci_hcd 25421 0
>>>>>>> ohci_hcd 23261 0
>>>>>>> ehci_hcd 33357 0
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> ifconfig:
>>>>>>>
>>>>>>> [root_at_localhost ~]# ifconfig
>>>>>>> eth0 Link encap:Ethernet HWaddr 00:0C:29:F8:D0:AF
>>>>>>> inet addr:192.168.0.183 Bcast:192.168.0.255 Mask:255.255.255.0
>>>>>>> inet6 addr: fe80::20c:29ff:fef8:d0af/64 Scope:Link
>>>>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>>>>>> RX packets:29956 errors:0 dropped:0 overruns:0 frame:0
>>>>>>> TX packets:11948 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>> collisions:0 txqueuelen:1000
>>>>>>> RX bytes:3673892 (3.5 MiB) TX bytes:7234153 (6.8 MiB)
>>>>>>> Interrupt:169 Base address:0x2000
>>>>>>>
>>>>>>> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-B2-BF-68-33-00-00-00-00-00-00-00-00
>>>>>>> inet addr:192.168.0.183 Mask:255.255.255.0
>>>>>>> UP RUNNING NOARP MTU:1476 Metric:1
>>>>>>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>> collisions:0 txqueuelen:0
>>>>>>> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>>>>>>>
>>>>>>> lo Link encap:Local Loopback
>>>>>>> inet addr:127.0.0.1 Mask:255.0.0.0
>>>>>>> inet6 addr: ::1/128 Scope:Host
>>>>>>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>>>>>>> RX packets:2926 errors:0 dropped:0 overruns:0 frame:0
>>>>>>> TX packets:2926 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>> collisions:0 txqueuelen:0
>>>>>>> RX bytes:3257748 (3.1 MiB) TX bytes:3257748 (3.1 MiB)
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hi Roland,
>>>>>>
>>>>>> Have you had a look at the WCCP debugging messages on the Cisco?
>>>>>> e.g. on the Cisco:
>>>>>> debug ip wccp events
>>>>>> debug ip wccp packets
>>>>>> terminal monitor
>>>>>>
>>>>>> That should give you some indication of wccp activity, also what does
>>>>>> "sh ip wccp web-cache detail" show?
>>>>>>
>>>>>> Regardt
>>>>>>
>>>>>>
>>>>>
>>>> Hi Roland,
>>>>
>>>> Off the bat I'd guess it's a missing
>>>> "ip wccp 80" and an "ip wccp 90" on the Cisco.
>>>>
>>>> Also, just rechecking your config, I'm wondering about missing /proc
>>>> bits as per:
>>>> http://wiki.squid-cache.org/ConfigExamples/MultiplePortsWithWccp2
>>>>
>>>> Regardt
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
>
>
>
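The two diagnoses in this thread (Regardt's: the router never enabled groups 80 and 90, so it answered Squid's Here_I_Am with "service not active"; Nick's: a Here_I_Am carrying rcv_id 00000000 and the later SERVICELOST point at UDP 2048 and the GRE path being blocked on the Squid box) can be turned into a small pre-flight check. This is an added example, not code from the thread, from Squid or from Cisco; the squid.conf fragment, router config and debug lines are constructed after the ones posted above, and the hint strings paraphrase the thread's advice.

```python
import re
# Constructed inputs modelled on the thread: Squid announces dynamic groups
# 80 and 90 while the router only enabled the standard web-cache group (0).
SQUID_CONF = """\
wccp2_service dynamic 80
wccp2_service dynamic 90
"""
ROUTER_CONF = """\
ip wccp version 2
ip wccp web-cache
interface FastEthernet0/1
 ip wccp 80 redirect in
 ip wccp 90 redirect out
"""
# Constructed debug lines in the format the router printed in the thread.
DEBUG_LOG = """\
*Jan 4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
*Jan 6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183 w/bad rcv_id 00000000
*Jan 6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
"""
HINTS = [  # router debug symptom -> the check the thread arrived at for it
    ("service not active", "group not enabled on the router: add a global 'ip wccp <id>'"),
    ("bad rcv_id 00000000", "Squid is not receiving the router's I_See_You: allow UDP 2048 from the router"),
    ("SERVICELOST", "router stopped hearing Here_I_Am: check Squid is up and UDP 2048 / GRE pass its firewall"),
]

def squid_services(conf: str) -> set:
    """Service groups Squid will announce in its Here_I_Am packets."""
    pat = r"^wccp2_service\s+(?:standard|dynamic)\s+(\d+)"
    return {int(m.group(1)) for m in re.finditer(pat, conf, re.M)}

def router_services(conf: str) -> set:
    """Globally enabled groups ('web-cache' is 0); indented per-interface 'redirect' lines enable none."""
    pat = r"^ip wccp\s+(web-cache|\d+)(?:\s|$)"
    return {0 if m.group(1) == "web-cache" else int(m.group(1))
            for m in re.finditer(pat, conf, re.M)}

def missing_on_router(squid_conf: str, router_conf: str) -> list:
    """Groups Squid offers that the router will log as 'service not active'."""
    return sorted(squid_services(squid_conf) - router_services(router_conf))
def triage(log: str) -> list:
    """(service id, hint) for each debug line that shows a known symptom."""
    found = []
    for line in log.splitlines():
        sid = re.search(r":D(\d+):|Service (\d+) lost", line)
        hint = next((h for sym, h in HINTS if sym in line), None)
        if sid and hint:
            found.append((int(sid.group(1) or sid.group(2)), hint))
    return found
```

Run `missing_on_router(SQUID_CONF, ROUTER_CONF)` against the thread's configs and it returns [80, 90], the same two groups the router reported as not active; `triage(DEBUG_LOG)` then pairs each later symptom with the firewall check Nick asked for.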
Received on Thu Jan 08 2009 - 15:53:26 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 08 2009 - 12:00:02 MST