RE: [squid-users] FW: Re[2]: squid with tproxy

From: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
Date: Mon, 8 Jun 2009 12:06:22 -0500

No troubles....getting it working the first time is tricky...

Let's break it down and see if we can figure out where the problem is happening.

1) The acl for the wccp on the router should really be empty unless there are specific hosts (either destination web sites, or source clients) that should not go through the squid server. I do find it useful to have it there though because it will show a counter.

2) Do a "show ip wccp" on the router to see if the squid box has registered with the router as a usable server. In this output you should see three main sections, referred to as service identifiers: web-cache, 80, and 90.

- The "Number of Service Group Clients:" should say 0 for web-cache
- The "Number of Service Group Clients:" should say 1 for Service Identifier: 80
- The "Number of Service Group Clients:" should say 1 for Service Identifier: 90
- The "Number of Service Group Routers:" should say 0 for web-cache
- The "Number of Service Group Routers:" should say 1 for Service Identifier: 80
- The "Number of Service Group Routers:" should say 1 for Service Identifier: 90

3) Look at the "Total Packets s/w redirected" counters for service identifiers 80 and 90 and see what the packet counts are.

4) Look at the "Total Packets Denied Redirect:" and "Total Packets Unassigned:".

5) Do you have CEF enabled, or are you using flow-based switching? (sh run | include ip cef)

6) Another thing that is useful is to enable ip wccp events debugging on the router; this will let the here_i_am and I_see_you events be seen. I have run into situations where the squid cache does not stay registered long enough to do anything useful.

7) If you are using a gre tunnel interface on the squid, do an ifconfig to see if "RX packets" for the gre interface is incrementing.

8) tail -f the squid access.log to see if the squid server is seeing access attempts and just can't get the data back to the client, or can't fetch the content.

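An added example for the router-side checks in items 2 to 4 above; it is not part of Nick's message or of Squid. It is a POSIX shell script that reads a saved "show ip wccp" transcript and applies exactly those expectations (no client on web-cache, one client and one router on 80 and 90, redirect counters moving, nothing unassigned). Both transcripts inside it are constructed in the IOS 12.4 layout, not output from the router in this thread; the service numbers 80 and 90 and redirect-list 150 are the thread's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a saved "show ip wccp"
# transcript against the conditions listed in the checklist above.
# Both transcripts are CONSTRUCTED samples in the IOS 12.4 layout.

SAMPLE_GOOD='Global WCCP information:
    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0

    Service Identifier: 80
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        48213
        Redirect access-list:                150
        Total Packets Denied Redirect:       120
        Total Packets Unassigned:            0

    Service Identifier: 90
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        47990
        Redirect access-list:                150
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0'

# Same router before Squid registered: no group formed, nothing redirected.
SAMPLE_UNREGISTERED='Global WCCP information:
    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
        Total Packets Unassigned:            0

    Service Identifier: 80
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
        Total Packets Unassigned:            3301

    Service Identifier: 90
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
        Total Packets Unassigned:            3287'

# Print the number on one counter line of one service block.
# $1 transcript, $2 service identifier (web-cache|80|90), $3 counter name
wccp_field() {
    printf '%s\n' "$1" | awk -v svc="$2" -v key="$3" '
        tolower($0) ~ /^ *service identifier:/ { inblk = ($NF == svc); next }
        inblk {
            line = tolower($0); sub(/^ +/, "", line)
            if (index(line, tolower(key)) == 1) { print $NF; exit }
        }'
}

# Apply the checklist to one transcript. Prints every finding; the exit
# status is the number of findings that mean redirection cannot be working.
check_wccp() {
    problems=0
    if [ "$(wccp_field "$1" web-cache 'Number of Service Group Clients')" != 0 ]; then
        echo "web-cache: a cache is registered, but Squid is configured for 80/90 only"
        problems=$((problems + 1))
    fi
    for svc in 80 90; do
        clients=$(wccp_field "$1" "$svc" 'Number of Service Group Clients')
        routers=$(wccp_field "$1" "$svc" 'Number of Service Group Routers')
        redirected=$(wccp_field "$1" "$svc" 'Total Packets s/w Redirected')
        denied=$(wccp_field "$1" "$svc" 'Total Packets Denied Redirect')
        unassigned=$(wccp_field "$1" "$svc" 'Total Packets Unassigned')
        [ "${clients:-0}" -eq 1 ] || { echo "service $svc: ${clients:-?} clients (Squid not registered: check wccp2_router, GRE, 'debug ip wccp events')"; problems=$((problems + 1)); }
        [ "${routers:-0}" -eq 1 ] || { echo "service $svc: ${routers:-?} routers (service group has not formed)"; problems=$((problems + 1)); }
        [ "${redirected:-0}" -gt 0 ] || { echo "service $svc: nothing redirected (check redirect-list, 'redirect in/out' interface, CEF)"; problems=$((problems + 1)); }
        [ "${unassigned:-0}" -eq 0 ] || { echo "service $svc: $unassigned packets unassigned (no cache was assigned when they arrived)"; problems=$((problems + 1)); }
        # Denied packets are what the bypass ACL is for: report, do not count.
        [ "${denied:-0}" -eq 0 ] || echo "service $svc: $denied packets denied by the redirect-list (expected for bypassed hosts)"
    done
    return "$problems"
}

echo "== healthy router =="
check_wccp "$SAMPLE_GOOD" || echo "$? problem(s)"
echo "== before Squid registered =="
check_wccp "$SAMPLE_UNREGISTERED" || echo "$? problem(s)"
```

Paste the router's real output into a file and run check_wccp "$(cat wccp.txt)"; a non-zero exit status is the number of conditions that stop redirection from working, and each message says which side (Squid registration, router ACL/interface placement, or assignment) to look at next.
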
-----Original Message-----
From: 7441122 [mailto:7441122_at_gmail.com]
Sent: Monday, June 08, 2009 11:03 AM
To: Ritter, Nicholas
Subject: Re: [squid-users] FW: Re[2]: squid with tproxy

Sorry, I found out the problem: I had not put redirect on this
command, ip wccp 80 (that's why all traffic was routed via the box).

But my problem is still the same: squid does not reroute traffic to the tproxy port.

I am sorry for all this trouble, but do you have a working example of
squid / iptables and kernel which works as tproxy? As the latest
versions do not (on 4.1), I want to try older working versions. I tried
to follow http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS
but as the versions have changed I did not get anywhere!

I am not sure if the iptables rules are doing the correct job here, or
whether there is something I do not understand completely; I tried on Ubuntu
jaunty and CentOS 5.3, but all are giving me a hard time!

Thanks for your time.

On Mon, Jun 8, 2009 at 6:47 PM, Ritter, Nicholas
<Nicholas.Ritter_at_americantv.com> wrote:
> Don't reverse the ip wccp 80 and 90 statements. What is the output of the two commands: "sh ip wccp" and "sh access-list 150" ?
>
> Nick
>
> -----Original Message-----
> From: 7441122 [mailto:7441122_at_gmail.com]
> Sent: Saturday, June 06, 2009 1:23 AM
> To: Ritter, Nicholas
> Subject: Re: [squid-users] FW: Re[2]: squid with tproxy
>
> Some progress: it seems the initial wccp config I was doing was doing nothing,
>
> ip wccp web-cache redirect-list 150
> with the list of IPs I need to redirect
>
> and then on interface fast0/0
> ip wccp web-cache redirect in
>
> I was getting timeouts from squid, and no counters going.
>
> With this one, it looks like something is happening, but the rules are not
> right for my setup; it is directing traffic I do not want to be
> directed, the 196 IPs are going via the squid box.
>
> Can I reverse them?
>
> ip wccp 80 redirect out
> ip wccp 90 redirect in
>
> ?
>
> Many thanks.
>
>
>
>
> On Fri, Jun 5, 2009 at 10:23 PM, Ritter, Nicholas
> <Nicholas.Ritter_at_americantv.com> wrote:
>> If traffic to/from 192.41.62.0 and 196.41.45.0 are traffic you don't want to be redirected/cached, the acl should look like this:
>>
>> access-list 150 deny ip 196.41.62.0 0.0.0.255 any
>> access-list 150 deny ip 196.41.45.0 0.0.0.255 any
>> access-list 150 permit ip any any
>>
>>
>>
>>
>> -----Original Message-----
>> From: 7441122 [mailto:7441122_at_gmail.com]
>> Sent: Friday, June 05, 2009 12:37 PM
>> To: Ritter, Nicholas
>> Subject: Re: [squid-users] FW: Re[2]: squid with tproxy
>>
>> Thank you for all the details.
>>
>>
>> My router has the following interfaces
>>
>> fa0/0 - local interface
>> fa0/1 - incoming traffic ( internet ) satellite
>> fa/0/1/0 - squid box
>> serial 0/0 - outgoing traffic ( internet ) to modem satellite
>>
>> these addresses i want to bypass:-
>> access-list 150 permit ip 196.41.62.0 0.0.0.255 any
>> access-list 150 permit ip 196.41.45.0 0.0.0.255 any
>> access-list 150 permit ip any any
>>
>> applied the below rules to fa0/0
>>> ip wccp 80 redirect in
>>> ip wccp 90 redirect out
>>
>>
>> hope that's ok?
>> rgds,
>>
>> manish.
>>
>> On Fri, Jun 5, 2009 at 6:28 PM, Ritter, Nicholas
>> <Nicholas.Ritter_at_americantv.com> wrote:
>>> In squid.conf:
>>>
>>> wccp2_router <router ip of cisco router>
>>> # wccp_version only applies to WCCPv1; the wccp2_* directives below use WCCPv2
>>> wccp_version 4
>>> wccp2_rebuild_wait on
>>> # method 1 = GRE for forwarding and return, hash-based assignment
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_assignment_method 1
>>> wccp2_service dynamic 80
>>> wccp2_service dynamic 90
>>> # 80: client->server traffic, hashed on the client (source) IP
>>> # 90: server->client traffic, matched on source port 80, hashed on the client (destination) IP
>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>>
>>> In Cisco router:
>>>
>>> Global commands:
>>> ip wccp web-cache redirect-list 122
>>> ip wccp 80 redirect-list 122
>>> ip wccp 90 redirect-list 122
>>>
>>> Access-list 122 should be a list of denies for selective things you do not want redirected to the squid cache, with a permit any any at the end of the ACL to permit all other HTTP traffic to be redirected. The ACL number does not need to be 122, and it can be a standard ACL, or an extended ACL.
>>>
>>>
>>> On interfaces where you want WCCP redirection to the squid cache server:
>>> ip wccp 80 redirect in
>>> ip wccp 90 redirect out
>>>
>>> On Interfaces where you want no redirection:
>>> ip wccp redirect exclude in
>>>
>>>
>>> SOME IMPORTANT NOTES:
>>>
>>> 1) If the squid box itself is connected via the same interface as the client devices being served by the squid box, you will need to create subinterfaces so that the squid box itself is treated separately.
>>>
>>> 2) This setup does not touch any protocol other than HTTP. This means that only HTTP, and not even HTTPS, will be redirected. To support HTTPS redirection, you would need to change the service group settings.
>>>
>>> Nick
>>>
>>>
>>> -----Original Message-----
>>> From: 7441122 [mailto:7441122_at_gmail.com]
>>> Sent: Friday, June 05, 2009 1:00 AM
>>> To: Ritter, Nicholas
>>> Subject: Re: [squid-users] FW: Re[2]: squid with tproxy
>>>
>>> hello Nick,
>>>
>>> Still no joy here, can you share your wccp configs ? on router and on
>>> squid. I think the problem might be cisco IOS or the wccp config.
>>>
>>>
>>> Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
>>> Technical Support: http://www.cisco.com/techsupport
>>> Copyright (c) 1986-2008 by Cisco Systems, Inc.
>>> Compiled Thu 10-Jul-08 22:00 by prod_rel_team
>>>
>>> ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
>>>
>>> Router uptime is 1 day, 15 hours, 30 minutes
>>> System returned to ROM by reload at 17:26:54 GMT Wed Jun 3 2009
>>> System restarted at 17:28:32 GMT Wed Jun 3 2009
>>> System image file is "flash:c2800nm-advipservicesk9-mz.124-20.T.bin"
>>>
>>>
>>> This product contains cryptographic features and is subject to United
>>> States and local country laws governing import, export, transfer and
>>> use. Delivery of Cisco cryptographic products does not imply
>>> third-party authority to import, export, distribute or use encryption.
>>> Importers, exporters, distributors and users are responsible for
>>> compliance with U.S. and local country laws. By using this product you
>>> agree to comply with applicable laws and regulations. If you are unable
>>> to comply with U.S. and local laws, return this product immediately.
>>>
>>> A summary of U.S. laws governing Cisco cryptographic products may be found at:
>>> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>>>
>>> If you require further assistance please contact us by sending email to
>>> export_at_cisco.com.
>>>
>>> Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
>>> Processor board ID FCZ1127703D
>>> 3 FastEthernet interfaces
>>> 2 Serial(sync/async) interfaces
>>> 2 Virtual Private Network (VPN) Modules
>>> DRAM configuration is 64 bits wide with parity enabled.
>>> 239K bytes of non-volatile configuration memory.
>>> 62720K bytes of ATA CompactFlash (Read/Write)
>>>
>>> Configuration register is 0x2102
>>>
>>>
>>>
>>> On Wed, May 27, 2009 at 8:06 PM, Ritter, Nicholas
>>> <Nicholas.Ritter_at_americantv.com> wrote:
>>>>
>>>>
>>>> ________________________________________
>>>> From: Ritter, Nicholas
>>>> Sent: Wednesday, May 27, 2009 12:04 PM
>>>> To: 'Manish P. Govindji'
>>>> Subject: RE: Re[2]: squid with tproxy
>>>>
>>>> I remember something important....if you are using a more recent version of TPROXY than what is stated in the squid wiki article....I think the method by which TPROXY is configured in iptables changed a bit to make it more to the liking of the netfilter and kernel developers in an effort to get the TPROXY code included into the netfilter and kernel release code.
>>>>
>>>> My setup and the wiki article I wrote are from before these changes, and I have not worked with TPROXY since, so that could be the issue here. I have not downloaded the latest TPROXY code to be sure though. And I think I might have actually seen TPROXY as included in the most recent (ie: 2.6.29) kernel as experimental.
>>>>
>>>> I have been meaning to setup a new squid/tproxy system, and update the wiki article...just have not gotten to it yet. I suggest taking a look at the readme with the latest tproxy source code, or even looking at your kernel config to see which tproxy version is being used. If you do a dmesg command and look for the TProxy module loading, I think it tells you what version it is.
>>>>
>>>> Nick
>>>>
>>>> ________________________________________
>>>> From: Manish P. Govindji [mailto:manish_at_mcc.co.tz]
>>>> Sent: Wednesday, May 27, 2009 11:43 AM
>>>> To: Ritter, Nicholas
>>>> Cc: squid-users
>>>> Subject: Re[2]: squid with tproxy
>>>>
>>>>
>>>> Thanks a lot for the reply, I am already tired of pulling my hair out over this one.
>>>>
>>>> Sorry, typo its 3128.
>>>>
>>>> I do not have the file /etc/sysconfig/iptables; I use iptables in rc.local
>>>>
>>>> #####################
>>>>
>>>> # Increase Squid file descriptors
>>>> ulimit -HSn 30720
>>>>
>>>> # Start caches
>>>> /usr/sbin/squid
>>>>
>>>> # Enable forwarding
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> # Disable rp_filter on lo only (TPROXY'd packets carry non-local addresses)
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>>
>>>> # DIVERT: mark packets that already belong to a local socket, then stop mangling them
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>
>>>> # Packets matching an existing (TPROXY) socket go to DIVERT; new port-80 connections
>>>> # are handed to the tproxy listener on 3129 and marked 0x1
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> # Mark 1 selects table 100, which delivers everything to the local stack
>>>> ip rule add fwmark 1 lookup 100
>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>
>>>> # defences
>>>> # (the two rules without -j have no target: they only count matching packets)
>>>> iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
>>>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
>>>> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit
>>>>
>>>> # Allow established sessions to continue
>>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>
>>>>
>>>> ########################
>>>>
>>>> I am using squid as gateway; all the PCs are on public IPs and Squid is also on a public IP as the gateway PC (it was working as a transparent cache, but I wanted to use TPROXY).
>>>>
>>>> Rgds,
>>>>
>>>> ________________________________________
>>>> -----Original Message-----
>>>> From: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>
>>>> To: "Manish govindji" <manish_at_mcc.co.tz>
>>>> Cc: "squid-users" <squid-users_at_squid-cache.org>
>>>> Date: 27-05-2009 18:47
>>>> Subject: RE: squid with tproxy
>>>> Port 3128, or 1328? The default port is 3128, but is configurable.
>>>>
>>>>
>>>> Your rules are not right...you are marking, as you should, but not redirecting to the squid port. In addition to sending the output of the raw iptables command, send the contents of /etc/sysconfig/iptables.
>>>>
>>>> I think the problem is partly in the rules setup. Are you using wccp as well, and/or a gre interface?
>>>>
>>>> Also, make sure you have Full NAT enabled in the kernel. Looks like that is ok though.
>>>>
>>>>
>>>> ________________________________________
>>>> From:Manish govindji [mailto:manish_at_mcc.co.tz]
>>>> Sent: Wednesday, May 27, 2009 6:06 AM
>>>> To: Nicholas.Ritter_at_americantv.com
>>>> Subject: squid with tproxy
>>>>
>>>> Hello Nicholas,
>>>>
>>>> I have been trying to compile squid with tproxy but am failing, have searched all over google but nothing of help.
>>>>
>>>> I have CentOS 5.3, installed custom kernel 2.6.28, iptables 1.4.3 and squid 3.1
>>>>
>>>> In compiling the custom kernel, i copied the old config and added the below :-
>>>>
>>>> NF_CONNTRACK
>>>> NETFILTER_TPROXY
>>>> NETFILTER_XT_MATCH_SOCKET
>>>> NETFILTER_XT_TARGET_TPROXY
>>>>
>>>> When i do iptables stat :-
>>>>
>>>> [root_at_gateway ~]# iptables -t mangle -L -v -n
>>>> Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>
>>>> Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>
>>>> Chain FORWARD (policy ACCEPT 4234K packets, 638M bytes)
>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT 2398K packets, 1027M bytes)
>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>
>>>> Chain POSTROUTING (policy ACCEPT 6632K packets, 1665M bytes)
>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>
>>>> Chain DIVERT (0 references)
>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>     0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
>>>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>
>>>> The packets do not get to squid on port 1328; even if I kill squid the PCs can still browse.
>>>>
>>>> Can you help? If I am missing a step or something is not right... I have followed the latest steps in the wiki.
>>>>
>>>>
>>>> Rgds,
>>>>
>>>> Manish.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> $=========================$
>>>> Manish P. Govindji.
>>>> Modern Computer Centre Ltd.
>>>> P. O. Box 4225, Zanzibar, Tanzania.
>>>> tel: +255.24.2235928 / 9, fax: +255.24.2230343
>>>> manish_at_mcc.co.tz
>>>> ................................
>>>> "Every man dies. Not every man lives."
>>>>
>>>
>>>
>>
>>
>
>
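
An added example, not from the thread: a shell audit of a saved "iptables -t mangle -L -v -n" listing on the Squid box, checking the three things the TPROXY rules posted on May 27 must produce once they are loaded: a user chain that is actually referenced, a "-m socket" jump into it from PREROUTING, and a TPROXY rule for port 80 redirecting to Squid's tproxy port. Both listings are constructed; the first copies the shape of the listing posted on May 27 (DIVERT defined, PREROUTING empty, hence "0 references"), the second is what a working box prints with iptables 1.4.x formatting. Port 3129 is assumed from the posted rules.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a saved
# "iptables -t mangle -L -v -n" listing for the TPROXY wiring discussed
# above. Both listings below are CONSTRUCTED; the first reproduces the shape
# of the listing posted on May 27, the second a working box (iptables 1.4.x).

LISTING_BROKEN='Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

LISTING_WORKING='Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination
 8123  612K DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
 2210  132K TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8123  612K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
 8123  612K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# $1 listing text, $2 port that Squid's "http_port ... tproxy" listens on.
# Prints findings; the exit status is the number of findings that block redirection.
audit_mangle() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^Chain / {
            chain = $2
            if ($3 ~ /^\(/ && $4 == "references)") {      # user-defined chain header
                refs = $3; sub(/^\(/, "", refs)
                if (refs + 0 == 0) {
                    print "chain " chain " has 0 references: nothing in PREROUTING jumps to it"
                    problems++
                }
            }
            next
        }
        $1 == "pkts" || NF == 0 { next }                      # column header / blank line
        chain == "PREROUTING" && $3 == "DIVERT" && /socket/ { divert = 1 }
        chain == "PREROUTING" && $3 == "TPROXY" && /dpt:80/ &&
            $0 ~ ("redirect [0-9.]+:" port " ") { tproxy = 1; tproxy_pkts = $1 + 0 }
        END {
            if (!divert) { print "PREROUTING: no \"-m socket -j DIVERT\" rule; packets of established TPROXY sockets will not be marked"; problems++ }
            if (!tproxy) { print "PREROUTING: no TPROXY rule for dpt:80 redirecting to port " port; problems++ }
            else if (tproxy_pkts == 0) { print "TPROXY rule present but has matched 0 packets: traffic is not reaching this box (check WCCP/GRE), not an iptables problem"; problems++ }
            exit problems
        }'
}

echo "== listing from a box where PREROUTING was never populated =="
audit_mangle "$LISTING_BROKEN" 3129 || echo "$? blocking problem(s)"
echo "== working box =="
audit_mangle "$LISTING_WORKING" 3129 && echo "no problems found"
```

Run it against the live box with audit_mangle "$(iptables -t mangle -L -v -n)" 3129. A chain with "0 references" and an empty PREROUTING, as in the May 27 listing, means the two PREROUTING rules were never added (rc.local did not run or aborted before them), which is a different fault from a TPROXY rule that exists but counts zero packets; the latter points back at WCCP/GRE delivery rather than at iptables.
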
Received on Mon Jun 08 2009 - 17:06:32 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 08 2009 - 12:00:02 MDT