With current versions of TPROXY you should not do REDIRECTs. You should
do something like this:
    -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
    -A DIVERT -j ACCEPT
    -A PREROUTING -p tcp -m socket -j DIVERT
    -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip <proxy server IP> --tproxy-mark 0x1/0x1
Redirects will work in some cases, but should not be used with WCCP and
recent versions of TPROXY.
My experience has been that doing a redirect alone will not always work
depending on the version of TPROXY/IPTABLES, and Cisco IOS.
YMMV,
Nick
-----Original Message-----
From: Horacio H. [mailto:pokehorace_at_gmail.com]
Sent: Wednesday, October 05, 2011 9:12 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] WCCP transparent proxy
Hi,
You're missing a few things. Please review the FAQ again; here are some
hints:
1) Make sure there are no firewalls between your Squid and router
(WCCP).
2) Make sure the GRE module is loaded:
    modprobe ip_gre
    echo ip_gre >> /etc/modules
3) Create a GRE interface:
    ip tunnel add gre1 mode gre local <squid-ip-address>
    ip addr add <squid-ip-address>/32 dev gre1
    ip link set gre1 up
4) Add a redirect rule in iptables:
    iptables -t nat -A PREROUTING -i gre1 -j REDIRECT --to-ports <squid-listening-port>
5) Make sure Squid was compiled with WCCP-v2 support.
6) WCCP-v2 squid's configuration:
    wccp2_router <router-ip-address>
7) WCCP-v2 router's configuration:
    access-list 160 deny ip host <squid-ip-address> any
    access-list 160 permit tcp <net> <wildcard> any eq 80
    ip wccp version 2
    ip wccp web-cache redirect-list 160
    interface FastEthernet0/0
     ip wccp web-cache redirect in
Regards,
Horacio.
Received on Wed Oct 05 2011 - 14:28:46 MDT
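
Added example, not part of either message: a shell check that reads an iptables-save dump and verifies the layout recommended in the reply (socket match to DIVERT ahead of the TPROXY rule, a mark set in the DIVERT chain, no leftover nat REDIRECT). The function name audit_tproxy, both sample dumps and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the TPROXY layout above.
# Prints one finding per line; returns 0 only when nothing FAILs.
audit_tproxy() {  # usage: audit_tproxy [proxy-port] < dump
    awk -v port="${1:-3129}" '
        /^\*/ { table = substr($0, 2); next }      # "*nat", "*mangle", ...
        table == "nat" && /-j REDIRECT/ {
            print "FAIL nat REDIRECT present: " $0; bad = 1 }
        table != "mangle" { next }
        /^-A DIVERT / && /-j MARK / { marked = 1 }
        /-m socket/ && /-j DIVERT/ { if (!divert) divert = NR }
        /-j TPROXY / {
            if (!tproxy) tproxy = NR
            if ($0 !~ ("--on-port " port "( |$)")) {
                print "FAIL TPROXY not on port " port; bad = 1 }
        }
        END {
            if (!tproxy) { print "FAIL no TPROXY rule in mangle"; bad = 1 }
            if (!marked) { print "FAIL DIVERT chain never sets a mark"; bad = 1 }
            if (!divert || (tproxy && divert > tproxy)) {
                print "FAIL socket match to DIVERT must precede TPROXY"; bad = 1 }
            if (!bad) print "OK"
            exit bad + 0
        }'
}

# Constructed dumps: GOOD mirrors the rules in the reply (placeholder IP),
# BAD mirrors the REDIRECT-only setup from the quoted message.
GOOD='*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 192.0.2.10 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
BAD='*nat
-A PREROUTING -i gre1 -p tcp -j REDIRECT --to-ports 3129
COMMIT'

printf '%s\n' "$GOOD" | audit_tproxy 3129
printf '%s\n' "$BAD" | audit_tproxy 3129 || echo "(second dump fails the audit)"
```

On a live host, pipe the output of iptables-save (run as root) into the function. The dump does not show policy routing, which TPROXY also depends on for the marked packets, so check `ip rule` and `ip route` separately.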