Re: [squid-users] CentOS/Squid/Tproxy but no transfer

From: Tom Penndorf <tpenndorf_at_seibert-media.net>
Date: Fri, 10 Jul 2009 07:57:55 +0200

Hello,

On 10.07.2009 at 07:29, Behnam B.Marandi wrote:

> I did set up a full transparent caching machine based on Nicholas
> Ritter's guide:
> http://www.mail-archive.com/squid-users@squid-cache.org/msg65056.html
> The cache machine is a CentOS 5.3
> Router is;
> IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE
> SOFTWARE (fc1)
>
> Squid config is;
> http_port 194.225.241.40:5119 tproxy disable-pmtu-discovery=always
> wccp2_router xx.xx.241.39
> wccp_version 4
> wccp2_rebuild_wait off
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service dynamic 80
> wccp2_service dynamic 90
> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240
> ports=80
> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
> priority=240 ports=80
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src xx.xx.240.0/20
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access deny all
> cache_dir ufs /var/spool/squid 4000 16 256
> hierarchy_stoplist cgi-bin ?
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> coredump_dir /usr/local/squid/var/cache
> visible_hostname tco53
>
> I'm not sure whether the IOS version is critical or not, and in the case of
> "wccp2_rebuild_wait" I had to set it to "off" so the router can see the
> cache machine;
>
> 6#sh ip wccp
> Global WCCP information:
> Router information:
> Router Identifier: xx.xx.241.39
> Protocol Version: 2.0
>
> Service Identifier: web-cache
> Number of Cache Engines: 0
> Number of routers: 0
> Total Packets Redirected: 0
> Redirect access-list: -none-
> Total Packets Denied Redirect: 0
> Total Packets Unassigned: 0
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
>
> Service Identifier: 80
> Number of Cache Engines: 1
> Number of routers: 1
> Total Packets Redirected: 0
> Redirect access-list: -none-
> Total Packets Denied Redirect: 0
> Total Packets Unassigned: 0
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
>
> Service Identifier: 90
> Number of Cache Engines: 1
> Number of routers: 1
> Total Packets Redirected: 0
> Redirect access-list: -none-
> Total Packets Denied Redirect: 0
> Total Packets Unassigned: 0
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0

As you can see, the router isn't redirecting the traffic to the
proxy. Please send the output of "show ip wccp detail". Also, you
haven't defined any access-list for redirecting, so the router
doesn't know which traffic to redirect.

>
> Clients can browse web but there is no transfer between router and
> cache machine:
> [root_at_tco53 ~]# ifconfig
> eth0 Link encap:Ethernet HWaddr 00:10:22:FE:6E:EC
> inet addr:xx.xx.241.40 Bcast:194.225.241.63 Mask:255.255.255.192
> inet6 addr: fe80::210:22ff:fefe:6eec/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:83610 errors:0 dropped:0 overruns:1 frame:0
> TX packets:24135 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:7179021 (6.8 MiB) TX bytes:3493119 (3.3 MiB)
> Interrupt:5
>
> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-AC-BF-F4-6F-00-00-00-00-00-00-00-00
> inet addr:xx.xx.241.40 Mask:255.255.255.192
> UP RUNNING NOARP MTU:1476 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:10097 errors:0 dropped:0 overruns:0 frame:0
> TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:424456 (414.5 KiB) TX bytes:424456 (414.5 KiB)
>
> [root_at_tco53 ~]# cat /etc/rc.local
> ifconfig gre0 194.225.241.40 netmask 255.255.255.192 up
> touch /var/lock/subsys/local
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
> /usr/local/squid/sbin/squid
>
> I compiled GRE into the kernel, so there is no need to modprobe it;
> CONFIG_NET_IPGRE=y
> CONFIG_NET_IPGRE_BROADCAST=y
>
> [root_at_tco53 ~]# ip ru sh
> 0: from all lookup 255
> 32765: from all fwmark 0x1 lookup 100
> 32766: from all lookup main
> 32767: from all lookup default
>
> [root_at_tco53 ~]# ip ro sh ta 100
> local default dev lo scope host
>
> [root_at_tco53 ~]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [26:3416]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -i gre0 -j ACCEPT
> -A INPUT -p gre -j ACCEPT
> -A INPUT -i eth0 -p gre -j ACCEPT
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 55936 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> -A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
> COMMIT
> # Completed on Sun Jul 5 17:04:57 2009
> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
> *mangle
> :PREROUTING ACCEPT [10:1680]
> :INPUT ACCEPT [38:3760]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [26:3416]
> :POSTROUTING ACCEPT [26:3416]
> :DIVERT - [0:0]
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 --on-ip xx.xx.241.40 --tproxy-mark 0x1/0x1
> COMMIT
> # Completed on Sun Jul 5 17:04:57 2009
>
> I don't know where this line came from: "-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT"
>
> I guess that despite the identification of the cache machine by the router, it
> is not qualified by the router to route web traffic through it.
> I don't know how to debug this; any idea to help with this would be
> greatly appreciated.
> Behnam.

Tom
Received on Fri Jul 10 2009 - 05:57:58 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 10 2009 - 12:00:02 MDT
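An added checker for the host side of this setup, written for this page and not part of the thread, of Squid or of any WCCP tool. It parses an iptables-save dump and `ip rule` output, reports rules that can never match because an unconditional ACCEPT/DROP/REJECT/RETURN precedes them in the same chain, and confirms that the mark bits stamped by the TPROXY and DIVERT rules are the ones the fwmark policy rule sends to the local table, that a TPROXY rule exists in mangle/PREROUTING, and that filter/INPUT accepts GRE (the forwarding method configured above). The embedded samples are the ruleset and `ip rule` output posted in the thread, with wrapped lines rejoined, a few unrelated service rules dropped and addresses left redacted as on the page; all function names are my own.

```python
import re

# Constructed sample: the iptables-save dump posted in the thread (wrapped lines
# rejoined, a few unrelated service rules dropped, addresses left redacted).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 55936 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [10:1680]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 --on-ip xx.xx.241.40 --tproxy-mark 0x1/0x1
COMMIT
"""
# Constructed sample: the `ip rule show` output from the post.
IP_RULE = """\
0: from all lookup 255
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}  # targets that end traversal of a chain

def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}}; a rule is the text after '-A <chain> '."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                    # chain declaration (policy, counters)
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, rule = line.split(" ", 2)
            tables[table].setdefault(chain, []).append(rule)
    return tables

def unreachable_rules(tables):
    """Rules behind an unconditional terminal target in the same chain; they never match."""
    found = []
    for table, chains in tables.items():
        for chain, rules in chains.items():
            for i, rule in enumerate(rules):
                tokens = rule.split()                 # no match options before -j => unconditional
                if len(tokens) > 1 and tokens[0] == "-j" and tokens[1] in TERMINAL:
                    found += [(table, chain, r) for r in rules[i + 1:]]
                    break
    return found

def _mark(token):
    """'0x1/0x1' or '0x1' -> integer mark bits after applying the mask."""
    value, _, mask = token.partition("/")
    return int(value, 0) & (int(mask, 0) if mask else 0xFFFFFFFF)

def tproxy_marks(tables):
    """Marks stamped by the mangle table's TPROXY and MARK rules."""
    marks = set()
    for rules in tables.get("mangle", {}).values():
        for rule in rules:
            m = re.search(r"--(?:tproxy-mark|set-xmark) (\S+)", rule)
            if m:
                marks.add(_mark(m.group(1)))
    return marks

def fwmark_rules(ip_rule_text):
    """fwmark values that `ip rule` sends to a policy routing table."""
    return {_mark(m) for m in re.findall(r"fwmark (\S+) lookup", ip_rule_text)}

def check(iptables_text, ip_rule_text):
    """Cross-check firewall and policy routing; returns a list of findings (empty = clean)."""
    tables = parse_iptables_save(iptables_text)
    findings = [f"unreachable rule in {t}/{c}: {r}" for t, c, r in unreachable_rules(tables)]
    orphan = tproxy_marks(tables) - fwmark_rules(ip_rule_text)
    if orphan:
        findings.append(f"marks {sorted(orphan)} are stamped but no ip rule routes them")
    if not any("-j TPROXY" in r for r in tables.get("mangle", {}).get("PREROUTING", [])):
        findings.append("no TPROXY rule in mangle/PREROUTING")
    if not any("-p gre" in r for r in tables.get("filter", {}).get("INPUT", [])):
        findings.append("filter/INPUT does not accept GRE, so GRE-forwarded WCCP traffic is dropped")
    return findings

if __name__ == "__main__":
    for finding in check(IPTABLES_SAVE, IP_RULE) or ["no findings"]:
        print(finding)
```

On the posted ruleset the checker reports exactly one finding: the ACCEPT for UDP 2048 from the router is appended after the unconditional REJECT in RH-Firewall-1-INPUT, so it is never evaluated. The router's WCCP replies can still get in through the RELATED,ESTABLISHED rule above it, which is consistent with the registration succeeding in the "show ip wccp" output; the dead rule would only bite if state tracking were removed. The mark check passes, because both the TPROXY rule (0x1/0x1) and the DIVERT MARK rule (0x1) stamp the same bit that "fwmark 0x1 lookup 100" routes through the local table.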