[squid-users] CentOS/Squid/Tproxy but no transfer

I did setup a full transparent caching machine based on Nicholas
Ritter's guide:
http://www.mail-archive.com/squid-users@squid-cache.org/msg65056.html
Cache machine is a Cent OS 5.3
Router is;
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE
SOFTWARE (fc1)

Squid config is;
http_port 194.225.241.40:5119 tproxy disable-pmtu-discovery=always
wccp2_router xx.xx.241.39
wccp_version 4
wccp2_rebuild_wait off
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
priority=240 ports=80
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src xx.xx.240.0/20
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
cache_dir ufs /var/spool/squid 4000 16 256
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /usr/local/squid/var/cache
visible_hostname tco53

I'm not sure IOS version is critical or not, and in case of
"wccp2_rebuild_wait" I had to set it "off" so the router can see the
cache machine;

6#sh ip wccp
Global WCCP information:
    Router information:
    Router Identifier: xx.xx.241.39
    Protocol Version: 2.0

    Service Identifier: web-cache
    Number of Cache Engines: 0
    Number of routers: 0
    Total Packets Redirected: 0
    Redirect access-list: -none-
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 0
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

    Service Identifier: 80
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 0
    Redirect access-list: -none-
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 0
        Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

    Service Identifier: 90
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 0
    Redirect access-list: -none-
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 0
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

Clients can browse web but there is no transfer between router and cache
machine:
[root_at_tco53 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:22:FE:6E:EC
          inet addr:xx.xx.241.40 Bcast:194.225.241.63 Mask:255.255.255.192
          inet6 addr: fe80::210:22ff:fefe:6eec/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:83610 errors:0 dropped:0 overruns:1 frame:0
          TX packets:24135 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7179021 (6.8 MiB) TX bytes:3493119 (3.3 MiB)
          Interrupt:5

gre0 Link encap:UNSPEC HWaddr
00-00-00-00-AC-BF-F4-6F-00-00-00-00-00-00-00-00
          inet addr:xx.xx.241.40 Mask:255.255.255.192
          UP RUNNING NOARP MTU:1476 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:10097 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:424456 (414.5 KiB) TX bytes:424456 (414.5 KiB)

[root_at_tco53 ~]# cat /etc/rc.local
ifconfig gre0 194.225.241.40 netmask 255.255.255.192 up
touch /var/lock/subsys/local
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
/usr/local/squid/sbin/squid

I compiled gre in the kernel so there is no need to modprobe it;
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y

[root_at_tco53 ~]# ip ru sh
0: from all lookup 255
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default

[root_at_tco53 ~]# ip ro sh ta 100
local default dev lo scope host

[root_at_tco53 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3416]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j
ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 55936
-j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j
ACCEPT
COMMIT
# Completed on Sun Jul 5 17:04:57 2009
# Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
*mangle
:PREROUTING ACCEPT [10:1680]
:INPUT ACCEPT [38:3760]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3416]
:POSTROUTING ACCEPT [26:3416]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 --on-ip
xx.xx.241.40 --tproxy-mark 0x1/0x1
COMMIT
# Completed on Sun Jul 5 17:04:57 2009

I don't know where this line came from; "-A RH-Firewall-1-INPUT -d
224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT"

I guess despite identification of cache machine by router, it does not
qualified by the router to route web traffic trough it.
Don't know how to debug this, any idea to help this out would be greatly
appreciated.
Behnam.
Received on Fri Jul 10 2009 - 05:30:26 MDT