Re: [squid-users] tproxy configuration

From: Wayne Lee <linkconnect_at_googlemail.com>
Date: Tue, 17 Jul 2012 16:01:28 +0100

< SNIP >
>
> squid config:
> ##start wccp2.sh
> #!/usr/bin/bash
>
> echo "Loading modules.."
> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre
>
> LOCALIP="10.80.2.2"
> CISCODIRIP="10.80.2.1"
> #you must connect the gre tunnel to the cisco router IP identifier.
> CISCOIPID="192.168.10.127"
>
> echo "changing routing and reverse path stuff.."
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> echo "creating tunnel..."
> iptunnel add wccp0 mode gre remote $CISCOIPID local $LOCALIP dev eth1
> ifconfig wccp0 127.0.1.1/32 up
>
> echo "creating routing table for tproxy..."
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> echo "creating iptables tproxy rules..."
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> iptables -A FORWARD -i lo -j ACCEPT
> iptables -A INPUT -s $CISCODIRIP -p udp -m udp --dport 2048 -j ACCEPT
> iptables -A INPUT -i wccp0 -j ACCEPT
> iptables -A INPUT -p gre -j ACCEPT
>
> iptables -t mangle -F
> iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> ##end
>
> ##start add to squid.conf
> wccp2_router 10.80.2.1
> wccp_version 2
> wccp2_rebuild_wait on
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
> wccp2_service dynamic 80
> wccp2_service dynamic 90
> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
> ##end
>
> ##cisco config
> conf t
> ip access-list extended wccp
> permit ip 10.80.3.0 0.0.0.255 any
> ip access-list extended wccp_to_inside
> permit ip any 10.80.3.0 0.0.0.255
> exit
> ip wccp 80 redirect-list wccp
> ip wccp 90 redirect-list wccp_to_inside
> !gw interface
> interface FastEthernet0/0.1
> encapsulation dot1Q 1 native
> ip address 192.168.10.127 255.255.255.0
> ip wccp 80 redirect out
> ip wccp 90 redirect in
> exit
> !proxy interface
> interface FastEthernet0/0.100
> encapsulation dot1Q 100
> ip address 10.80.2.1 255.255.255.0
> ip wccp redirect exclude in
> exit
> !clients interface
> interface FastEthernet0/0.200
> encapsulation dot1Q 200
> ip address 10.80.3.1 255.255.255.0
> exit
> !route to internet gw
> ip route 0.0.0.0 0.0.0.0 192.168.10.201
> end
> ##cisco config end

Many thanks Eliezer.

I still have the same issue in that once the packets arrive on the
squid box they are not actually diverted into the squid daemon and
thus fail.

I have managed to find a working solution, which is to not use wccp
and just build a proper gre tunnel between the squid and cisco router;
the DNAT/Redirect methods then work as expected.

Thanks again

Wayne
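The symptom in this thread (packets reach the Squid box but never enter the Squid process) is usually one of a handful of missing pieces in the state that the quoted wccp2.sh sets up: the fwmark rule, the "local" route in table 100, the TPROXY rule's mark and port, the ordering of the `-m socket` rule, rp_filter on lo, and a listener on the `--on-port` value. The script below is an added example, not something posted in the thread; it checks each piece from command output read on stdin, so it can be run offline against the constructed samples embedded here (which mirror the quoted script's values) or against live output such as `ip rule show | check_fwmark_rule`. The `ss` and `sysctl` sample lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: offline checks for the state
# the quoted wccp2.sh must leave behind before TPROXY can hand port-80 flows
# to Squid on 3129. Each check reads one command's output from stdin and
# returns 0 when the expected entry is present, 1 otherwise.

# Constructed sample of `ip rule show`; "fwmark 1" is printed back as 0x1.
RULES_OK='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main
32767:	from all lookup default'

# Constructed sample of `ip route show table 100`.
ROUTE_OK='local default dev lo scope host'

# Constructed sample of `iptables -t mangle -S PREROUTING`.
MANGLE_OK='-P PREROUTING ACCEPT
-A PREROUTING -d 10.80.2.2/32 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1'

# Constructed sample of `sysctl net.ipv4.conf.lo.rp_filter`.
RPF_OK='net.ipv4.conf.lo.rp_filter = 0'

# Constructed sample of `ss -ltn`; Squid's tproxy port is 3129 in the script.
SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:3129       0.0.0.0:*
LISTEN 0      128    0.0.0.0:3128       0.0.0.0:*'

# Marked packets must be routed via table 100 ("ip rule add fwmark 1 lookup 100").
check_fwmark_rule() {
    grep -Eq '^[0-9]+:[[:space:]]+from all fwmark 0x1(/0x1)?[[:space:]]+lookup 100[[:space:]]*$'
}

# Table 100 must say "local" for every destination, so a marked packet addressed
# to a remote web server is delivered to the local stack (and the TPROXY socket)
# instead of being forwarded out again.
check_local_route() {
    grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# The TPROXY rule must set the same mark bit the ip rule matches (0x1) and
# point at the port Squid binds with the tproxy option (3129).
check_tproxy_rule() {
    awk '/-j TPROXY/ && /--on-port 3129/ && /--tproxy-mark 0x1\/0x1/ { found = 1 }
         END { exit !found }'
}

# "-m socket -j DIVERT" must precede the TPROXY rule so that packets of a
# connection Squid already owns are marked and delivered without a new lookup.
check_socket_before_tproxy() {
    awk '/-m socket -j DIVERT/ && !s { s = NR }
         /-j TPROXY/ && !t { t = NR }
         END { exit !(s && t && s < t) }'
}

# The script sets lo rp_filter to 0; a value of 1 drops the looped-back
# marked packets as spoofed.
check_rp_filter_lo() {
    grep -Eq '^net\.ipv4\.conf\.lo\.rp_filter = 0$'
}

# Nothing is diverted if no socket is listening on the --on-port value.
check_squid_listening() {
    grep -Eq '^LISTEN[[:space:]].*[:.]3129[[:space:]]'
}

# Helper for the report: $1 = label, $2 = input text, $3 = check function.
fails=0
run_check() {
    if printf '%s\n' "$2" | "$3"; then
        echo "ok    $1"
    else
        echo "FAIL  $1"
        fails=$((fails + 1))
    fi
}

# Run all checks; arguments are the five command outputs in the order above.
# Prints one line per check and returns the number of failed checks.
tproxy_report() {
    fails=0
    run_check "ip rule: fwmark 0x1 lookup 100"         "$1" check_fwmark_rule
    run_check "table 100: local default dev lo"        "$2" check_local_route
    run_check "mangle: TPROXY mark 0x1 -> port 3129"   "$3" check_tproxy_rule
    run_check "mangle: -m socket DIVERT before TPROXY" "$3" check_socket_before_tproxy
    run_check "sysctl: lo rp_filter = 0"               "$4" check_rp_filter_lo
    run_check "socket: Squid listening on 3129"        "$5" check_squid_listening
    return "$fails"
}

tproxy_report "$RULES_OK" "$ROUTE_OK" "$MANGLE_OK" "$RPF_OK" "$SS_OK"
```

On a live box, feed the real outputs to `tproxy_report` (for example via `"$(ip rule show)"`, `"$(ip route show table 100)"`, `"$(iptables -t mangle -S PREROUTING)"`, `"$(sysctl net.ipv4.conf.lo.rp_filter)"`, `"$(ss -ltn)"`). The last check assumes Squid has an `http_port 3129 tproxy` line, which the quoted squid.conf fragment does not show; if the listener is missing, the TPROXY rule matches but the kernel has no socket to hand the packet to, which is exactly the "arrives but is never diverted" symptom.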
Received on Tue Jul 17 2012 - 15:01:35 MDT
