Re: [squid-users] CentOS/Squid/Tproxy but no transfer

From: Behnam B.Marandi <blixbox_at_gmail.com>
Date: Fri, 10 Jul 2009 10:49:07 +0430

Thanks for the quick reply.

I did set "ip wccp web-cache" in the router config but;

#sh ip wccp web-cache detail
        No information is available for the service.

In case of the access-list, what I got from step 35 is that the access-list is
just used for excluding specific web sites from being redirected to the cache.
Otherwise I don't know how and where (in the router config or the squid config)
to put an access-list.

Behnam.

Tom Penndorf wrote:

> Hi,
>
>
> On 10.07.2009 at 07:29, Behnam B.Marandi wrote:
>
>> I did set up a fully transparent caching machine based on Nicholas
>> Ritter's guide:
>> http://www.mail-archive.com/squid-users@squid-cache.org/msg65056.html
>> The cache machine is a CentOS 5.3.
>> The router is:
>> IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE
>> SOFTWARE (fc1)
>>
>> Squid config is;
>> http_port 194.225.241.40:5119 tproxy disable-pmtu-discovery=always
>> wccp2_router xx.xx.241.39
>> wccp_version 4
>> wccp2_rebuild_wait off
>> wccp2_forwarding_method 1
>> wccp2_return_method 1
>> wccp2_assignment_method 1
>> wccp2_service dynamic 80
>> wccp2_service dynamic 90
>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240
>> ports=80
>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
>> priority=240 ports=80
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src xx.xx.240.0/20
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access deny all
>> cache_dir ufs /var/spool/squid 4000 16 256
>> hierarchy_stoplist cgi-bin ?
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> coredump_dir /usr/local/squid/var/cache
>> visible_hostname tco53
>>
>> I'm not sure whether the IOS version is critical or not, and in the case of
>> "wccp2_rebuild_wait" I had to set it to "off" so the router can see the
>> cache machine:
>>
>> 6#sh ip wccp
>> Global WCCP information:
>> Router information:
>> Router Identifier: xx.xx.241.39
>> Protocol Version: 2.0
>>
>> Service Identifier: web-cache
>> Number of Cache Engines: 0
>> Number of routers: 0
>> Total Packets Redirected: 0
>> Redirect access-list: -none-
>> Total Packets Denied Redirect: 0
>> Total Packets Unassigned: 0
>> Group access-list: -none-
>> Total Messages Denied to Group: 0
>> Total Authentication failures: 0
>>
>> Service Identifier: 80
>> Number of Cache Engines: 1
>> Number of routers: 1
>> Total Packets Redirected: 0
>> Redirect access-list: -none-
>> Total Packets Denied Redirect: 0
>> Total Packets Unassigned: 0
>> Group access-list: -none-
>> Total Messages Denied to Group: 0
>> Total Authentication failures: 0
>>
>> Service Identifier: 90
>> Number of Cache Engines: 1
>> Number of routers: 1
>> Total Packets Redirected: 0
>> Redirect access-list: -none-
>> Total Packets Denied Redirect: 0
>> Total Packets Unassigned: 0
>> Group access-list: -none-
>> Total Messages Denied to Group: 0
>> Total Authentication failures: 0
>
>
> As you can see, the router isn't redirecting the traffic to the
> proxy. Please send the output of "show ip wccp detail". Also you
> haven't defined any access-list for redirecting, so the router
> doesn't know which traffic to redirect.
>
>
>
>>
>> Clients can browse web but there is no transfer between router and
>> cache machine:
>> [root_at_tco53 ~]# ifconfig
>> eth0 Link encap:Ethernet HWaddr 00:10:22:FE:6E:EC
>> inet addr:xx.xx.241.40 Bcast:194.225.241.63 Mask:255.255.255.192
>> inet6 addr: fe80::210:22ff:fefe:6eec/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:83610 errors:0 dropped:0 overruns:1 frame:0
>> TX packets:24135 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:7179021 (6.8 MiB) TX bytes:3493119 (3.3 MiB)
>> Interrupt:5
>>
>> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-AC-BF-F4-6F-00-00-00-00-00-00-00-00
>> inet addr:xx.xx.241.40 Mask:255.255.255.192
>> UP RUNNING NOARP MTU:1476 Metric:1
>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>>
>> lo Link encap:Local Loopback
>> inet addr:127.0.0.1 Mask:255.0.0.0
>> inet6 addr: ::1/128 Scope:Host
>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>> RX packets:10097 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:424456 (414.5 KiB) TX bytes:424456 (414.5 KiB)
>>
>> [root_at_tco53 ~]# cat /etc/rc.local
>> ifconfig gre0 194.225.241.40 netmask 255.255.255.192 up
>> touch /var/lock/subsys/local
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>> /usr/local/squid/sbin/squid
>>
>> I compiled gre into the kernel so there is no need to modprobe it:
>> CONFIG_NET_IPGRE=y
>> CONFIG_NET_IPGRE_BROADCAST=y
>>
>> [root_at_tco53 ~]# ip ru sh
>> 0: from all lookup 255
>> 32765: from all fwmark 0x1 lookup 100
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> [root_at_tco53 ~]# ip ro sh ta 100
>> local default dev lo scope host
>>
>> [root_at_tco53 ~]# cat /etc/sysconfig/iptables
>> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [26:3416]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -i gre0 -j ACCEPT
>> -A INPUT -p gre -j ACCEPT
>> -A INPUT -i eth0 -p gre -j ACCEPT
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 55936 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
>> COMMIT
>> # Completed on Sun Jul 5 17:04:57 2009
>> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
>> *mangle
>> :PREROUTING ACCEPT [10:1680]
>> :INPUT ACCEPT [38:3760]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [26:3416]
>> :POSTROUTING ACCEPT [26:3416]
>> :DIVERT - [0:0]
>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>> -A DIVERT -j ACCEPT
>> -A PREROUTING -p tcp -m socket -j DIVERT
>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 --on-ip xx.xx.241.40 --tproxy-mark 0x1/0x1
>> COMMIT
>> # Completed on Sun Jul 5 17:04:57 2009
>>
>> I don't know where this line came from; "-A RH-Firewall-1-INPUT -d
>> 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT"
>>
>> I guess that despite the router identifying the cache machine, it is
>> not qualified by the router to route web traffic through it.
>> I don't know how to debug this; any idea to help this out would be
>> greatly appreciated.
>> Behnam.
>
> Tom
>
>
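One check worth running on the quoted iptables dump, added here as an example and not code from the thread: the rule accepting WCCP control traffic (UDP 2048 from the router) is appended after the chain's unconditional REJECT, so it can never match. The script below parses iptables-save text and lists every rule shadowed by an earlier catch-all terminal rule in the same chain; the sample input is a constructed, shortened copy of the quoted filter table, keeping the page's placeholder router address.

```python
"""Flag iptables rules that can never match: anything placed after an
unconditional ACCEPT/DROP/REJECT (no match clause) in the same chain, read from
iptables-save text. Added example; SAMPLE is a constructed, shortened copy."""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, match_args, target, line) for every -A line."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header such as *filter
            table = line[1:]
        elif line.startswith("-A "):
            parts = line.split()
            chain = parts[1]
            if "-j" in parts:
                jump = parts.index("-j")
                target, match_args = parts[jump + 1], parts[2:jump]
            else:                          # no target: a counting-only rule
                target, match_args = None, parts[2:]
            yield table, chain, match_args, target, line

def shadowed_rules(text):
    """Return [(chain, rule)] for rules sitting behind a catch-all terminal rule."""
    sealed = set()      # (table, chain) pairs where every packet already ends
    shadowed = []
    for table, chain, match_args, target, line in parse_rules(text):
        key = (table, chain)
        if key in sealed:
            shadowed.append((chain, line))
        elif not match_args and target in TERMINAL_TARGETS:
            sealed.add(key)      # jumps to user chains are not terminal
    return shadowed

if __name__ == "__main__":
    for chain, rule in shadowed_rules(SAMPLE):
        print(f"unreachable in chain {chain}: {rule}")
```

Feed it the output of `iptables-save` on the cache box; a shadowed rule is a sign the listing order, not the rule text, is the problem.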
Received on Fri Jul 10 2009 - 06:19:37 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 10 2009 - 12:00:02 MDT