RE: [squid-users] WCCP transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 06 Oct 2011 11:24:34 +1300

 On Wed, 5 Oct 2011 09:29:01 -0500, Ritter, Nicholas wrote:
> With current versions of TPROXY you should not do REDIRECTs. You should
> do something like this:
>
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip <proxy server IP> --tproxy-mark 0x1/0x1
>
> Redirects will work in some cases, but should not be used with WCCP and
> recent versions of TPROXY.
>
> My experience has been that doing a redirect alone will not always work
> depending on the version of TPROXY/IPTABLES, and Cisco IOS.
>
> YMMV,
>
> Nick

 Right. Redirect is NAT. Which may not even be built into the kernel and
 can cause strange packet handling in TPROXY.

 TPROXY operates before NAT, so in the best case it will have no effect.
 Possibly it just erased the client IP address. That would cause traffic
 to return to Squid, but erase all benefits of TPROXY. There is no point
 in Squid spoofing itself as the source. Worst-case it just erased the
 destination address and Squid output packets silently drop down a black
 hole.

 Step (7) access-lists rely on the REDIRECT happening. As mentioned
 repeatedly in the TPROXY troubleshooting section, you MUST NOT rely on
 the Squid IP address value in WCCP and routing ACL rules. It won't exist
 on any TPROXY traffic.

 Amos

> -----Original Message-----
> From: Horacio H.

 <snip>
> 4) Add a redirect rule in iptables:
>
> iptables -t nat -A PREROUTING -i gre1 -p tcp -j REDIRECT --to-ports <squid-listening-port>
>
> 5) Make sure Squid was compiled with WCCP-v2 support.
>
> 6) WCCP-v2 squid's configuration:
>
> wccp2_router <router-ip-address>
>
> 7) WCCP-v2 router's configuration:
>
> access-list 160 deny ip host <squid-ip-address> any
> access-list 160 permit tcp <net> <wildcard> any eq 80
>
> ip wccp version 2
> ip wccp web-cache redirect-list 160
>
> interface FastEthernet0/0
> ip wccp web-cache redirect in
>
> Regards,
> Horacio.
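Added example, not code from the thread: a small audit that takes an `iptables-save` dump and flags the mix Amos warns about, TPROXY rules in the mangle table alongside a REDIRECT/DNAT rule in nat PREROUTING. The sample dump below is constructed (step (4) REDIRECT left in place next to Nick's TPROXY rules); the proxy address 192.0.2.10 is a placeholder.

```shell
#!/bin/sh
# Audit an iptables-save dump for REDIRECT (NAT) rules coexisting with
# TPROXY rules. Constructed sample: Nick's mangle rules plus the step (4)
# nat REDIRECT on gre1 that should have been removed.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 192.0.2.10 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -j REDIRECT --to-ports 3129
COMMIT'

# count_tproxy_rules DUMP -> number of TPROXY target rules in the mangle table
count_tproxy_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "mangle" && /-j TPROXY/ { n++ }
        END { print n + 0 }'
}

# count_nat_rules DUMP -> number of REDIRECT/DNAT rules in nat PREROUTING
count_nat_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING/ && /-j (REDIRECT|DNAT)/ { n++ }
        END { print n + 0 }'
}

# audit_dump DUMP -> prints a verdict; exit status 1 when both mechanisms
# are present, which is the configuration to fix before touching WCCP ACLs.
audit_dump() {
    tp=$(count_tproxy_rules "$1")
    nat=$(count_nat_rules "$1")
    if [ "$tp" -gt 0 ] && [ "$nat" -gt 0 ]; then
        echo "CONFLICT: $tp TPROXY rule(s) in mangle, $nat NAT rule(s) in nat PREROUTING"
        return 1
    fi
    echo "OK: tproxy=$tp nat=$nat"
    return 0
}

# Against a live box (needs root): audit_dump "$(iptables-save)"
```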
Received on Wed Oct 05 2011 - 22:24:38 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 12 2011 - 12:00:02 MDT