RE: [squid-users] squid + wccp

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 9 Feb 2009 09:53:57 +1300 (NZDT)

> Thanks David, still no luck.
>
> From: David Rodríguez Fernández [mailto:davidrf_at_gmail.com]
> Sent: Sunday, February 08, 2009 3:17 PM
> To: Amos Jeffries
> Cc: rabdallah_at_pobox.com; squid-users_at_squid-cache.org
> Subject: Re: [squid-users] squid + wccp
>
> Try this:
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128

Using 127.0.0.1 is not such a good idea here.
It uses NAT to break the kernel security layer around localhost preventing
public packets on localhost IP. Configuration assumptions that public
packets don't flow through localhost can cause a security breach.

Amos

>
> On Sun, Feb 8, 2009 at 1:39 PM, Amos Jeffries <squid3_at_treenet.co.nz>
> wrote:
> Ramzi Abdallah wrote:
> I am trying with no luck to setup squid Version 3.0.STABLE10 (Fedora core 9)
> with wccp2. The configuration seems to be ok at least this is what the debug
> logs are showing however squid does not receive any traffic. I tested squid
> by pointing the browser to its IP and it works fine.
>
> GRE tunnel and iptables configuration:
> --------------------------------------
> ip tunnel add wccp0 mode gre remote 192.168.114.250 local 192.168.114.15 dev eth0
> ip addr add 192.168.114.15/32 dev wccp0
> ip link set wccp0 up
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
>
>
> for some reason iptables -L is not showing anything
>
> iptables by default shows "-t filter"
>
> try: iptables -t nat -L
>
>
>
> squid configuration:
> -------------------
> http_port 192.168.114.15:3128 transparent
> wccp2_router 192.168.114.250
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_service standard 0
>
>
> GRE tunnel on the squid server
> -------------------------------
> wccp0 Link encap:UNSPEC HWaddr
> C0-A8-72-0F-62-00-F4-3F-00-00-00-00-00-00-00-00
> inet addr:192.168.114.15 P-t-P:192.168.114.15
> Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
> RX packets:898 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:36632 (35.7 KiB) TX bytes:0 (0.0 b)
>
> tcpdump output
> --------------
> [root_at_mail ~]# tcpdump -i wccp0
> tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to
> cooked socket
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96
> bytes
> 12:55:08.548572 IP 192.168.114.24.58324 > 216.239.59.99.http: S
> 1289957374:1289957374(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> 12:55:11.528111 IP 192.168.114.24.58324 > 216.239.59.99.http: S
> 1289957374:1289957374(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> 12:55:17.530878 IP 192.168.114.24.58324 > 216.239.59.99.http: S
> 1289957374:1289957374(0) win 8192 <mss 1460,nop,nop,sackOK>
> 12:55:29.537282 IP 192.168.114.24.58325 > 216.239.59.103.http: S
> 3738044508:3738044508(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> 12:55:32.530428 IP 192.168.114.24.58325 > 216.239.59.103.http: S
> 3738044508:3738044508(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> 12:55:38.535350 IP 192.168.114.24.58325 > 216.239.59.103.http: S
> 3738044508:3738044508(0) win 8192 <mss 1460,nop,nop,sackOK>
> 12:55:50.547796 IP 192.168.114.24.58326 > 216.239.59.104.http: S
> 1946578578:1946578578(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> 12:55:53.558196 IP 192.168.114.24.58326 > 216.239.59.104.http: S
> 1946578578:1946578578(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> 12:55:59.580059 IP 192.168.114.24.58326 > 216.239.59.104.http: S
> 1946578578:1946578578(0) win 8192 <mss 1460,nop,nop,sackOK>
> 12:56:11.576625 IP 192.168.114.24.58334 > gv-in-f147.google.com.http: S
> 2444367043:2444367043(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> 12:56:14.587049 IP 192.168.114.24.58334 > gv-in-f147.google.com.http: S
> 2444367043:2444367043(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
>
> Cisco Router configuration
> --------------------------
> gatekeeper#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE
> SOFTWARE (fc3)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2006 by cisco Systems, Inc.
> Compiled Wed 15-Mar-06 14:16 by dchih
> Image text-base: 0x80008098, data-base: 0x81A0888C
>
> ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
> ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE SOFTWARE
> (fc3)
>
> gatekeeper uptime is 10 hours, 43 minutes
> System returned to ROM by reload at 02:43:47 GMT Sun Feb 8 2009
> System restarted at 02:46:30 GMT Sun Feb 8 2009
> System image file is "flash:c2600-ik9o3s3-mz.123-18.bin"
>
>
> interface FastEthernet0/0
> description Office LAN
> ip address 192.168.114.250 255.255.255.0
> ip wccp web-cache redirect in
> ip nat inside
> ip nbar protocol-discovery
> ip route-cache flow
> duplex auto
> speed auto
>
>
> gatekeeper#sh ip wccp
> Global WCCP information:
> Router information:
> Router Identifier: 192.168.114.250
> Protocol Version: 2.0
>
> Service Identifier: web-cache
> Number of Cache Engines: 1
> Number of routers: 1
> Total Packets Redirected: 30
> Redirect access-list: -none-
> Total Packets Denied Redirect: 0
> Total Packets Unassigned: 0
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
>
> ----
> gatekeeper#sh ip wccp web-cache detail
> WCCP Cache-Engine information:
> Web Cache ID: 192.168.114.15
> Protocol Version: 2.0
> State: Usable
> Initial Hash Info: 00000000000000000000000000000000
> 00000000000000000000000000000000
> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> Hash Allotment: 256 (100.00%)
> Packets Redirected: 30
> Connect Time: 04:21:48
>
>
> Router wccp debug
>
> .Feb 7 21:11:09.541: WCCP-PKT:S00: Sending I_See_You packet to
> 192.168.114.15 w/ rcv_id 00000377
> .Feb 7 21:11:19.550: WCCP-PKT:S00: Received valid Here_I_Am packet from
> 192.168.114.15 w/rcv_id 00000377
> .Feb 7 21:11:19.550: WCCP-PKT:S00: Sending I_See_You packet to
> 192.168.114.15 w/ rcv_id 00000378
> .Feb 7 21:11:29.558: WCCP-PKT:S00: Received valid Here_I_Am packet from
> 192.168.114.15 w/rcv_id 00000378
> .Feb 7 21:11:29.558: WCCP-PKT:S00: Sending I_See_You packet to
> 192.168.114.15 w/ rcv_id 00000379
> .Feb 7 21:11:39.567: WCCP-PKT:S00: Received valid Here_I_Am packet from
> 192.168.114.15 w/rcv_id 00000379
>
> Does the squid cache.log show anything similar?
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> Current Beta Squid 3.1.0.5
>
>
>
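As an added illustration of Amos's point above (example code, not from the thread or the Squid project): a small Python audit for transparent-proxy NAT rules that flags a DNAT of traffic arriving on a non-loopback interface to a 127/8 address and rewrites it into the REDIRECT form used in Ramzi's original setup. The function names `parse_rule` and `audit_nat_rule` and the sample rule strings are my own constructions.

```python
import ipaddress
import shlex

# Constructed samples: the two PREROUTING rules quoted in the thread.
RULE_DNAT_LOOPBACK = ("iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 "
                      "-j DNAT --to-destination 127.0.0.1:3128")
RULE_REDIRECT = ("iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 "
                 "-j REDIRECT --to-port 3128")


def parse_rule(rule):
    """Map each iptables option to its value (bare flags map to True); also return tokens."""
    toks = shlex.split(rule)
    opts, i = {}, 0
    while i < len(toks):
        if toks[i].startswith("-"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 2
                continue
            opts[toks[i]] = True
        i += 1
    return opts, toks


def audit_nat_rule(rule):
    """Return (ok, findings, suggested_rule) for a transparent-proxy NAT rule."""
    opts, toks = parse_rule(rule)
    findings = []
    if opts.get("-t") != "nat":
        findings.append("not in the nat table (plain 'iptables -L' only shows the filter table)")
    suggestion = rule
    if opts.get("-j") == "DNAT":
        host, _, port = str(opts.get("--to-destination", "")).partition(":")
        try:
            loopback = ipaddress.ip_address(host.split("-")[0]).is_loopback
        except ValueError:
            loopback = False
        if loopback and opts.get("-i") != "lo":
            findings.append("DNAT of packets from %s to loopback %s lets non-local traffic "
                            "reach 127/8, which the kernel otherwise guarantees never happens"
                            % (opts.get("-i", "any interface"), host))
            if port:
                # REDIRECT rewrites the destination to the primary address of the incoming
                # interface (192.168.114.15 on wccp0 in the thread), which is also the
                # address the quoted http_port line listens on.
                toks[toks.index("-j") + 1] = "REDIRECT"
                d = toks.index("--to-destination")
                toks[d:d + 2] = ["--to-port", port]
                suggestion = " ".join(toks)
    return not findings, findings, suggestion
```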
Received on Sun Feb 08 2009 - 20:54:02 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 09 2009 - 12:00:02 MST