Re: [squid-users] Transparent proxy (Tproxy4)

From: Jose-Marcio Martins <Jose-Marcio.Martins_at_mines-paristech.fr>
Date: Wed, 19 Feb 2014 16:42:10 +0100

Hey Eliezer,

Thanks for the pointer...

SELinux is disabled. No problem on this side.

Cisco sees it:

cata6#sh ip wccp web-cache view
     WCCP Routers Informed of:
     192.168.201.165

     WCCP Cache Engines Visible:
     194.214.158.207
     194.214.158.189 <-----------

     WCCP Cache Engines NOT Visible:
     -none-

My doubt, at this moment, is about the gre interface. You explicitly defined it and created a tunnel
for it:

    iptunnel add wccp0 mode gre remote $CISCOIPID local $LOCALIP dev eth1
    ifconfig wccp0 127.0.1.1/32 up

Is this necessary? This doesn't appear in the doc by Amos Jeffries.

Regards

On 02/19/2014 03:47 PM, Eliezer Croitoru wrote:
> Hey,
>
> I did not read the whole setup so sorry but I have written this article:
> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
> in the past which is very likely to help you to understand.
> first disable SELINUX then make sure with tcpdump in what level is the issue.
>
> Hope it Helps,
> Eliezer
>
> On 02/19/2014 02:31 PM, Jose-Marcio Martins wrote:
>>
>> Hello,
>>
>> I've configured a transparent proxy as TProxy4
>> (http://wiki.squid-cache.org/Features/Tproxy4).
>>
>> But I don't see anything in squid access log.
>>
>> * OS = Linux Fedora 20.
>>
>> * Cache log says at start-up:
>>
>> ....
>> 2014/02/19 12:23:53 kid1| Accepting WCCPv2 messages on port 2048, FD 11.
>> 2014/02/19 12:23:53 kid1| Initialising all WCCPv2 lists
>> 2014/02/19 12:23:53 kid1| HTCP Disabled.
>> 2014/02/19 12:23:53 kid1| Squid plugin modules loaded: 0
>> 2014/02/19 12:23:53 kid1| Adaptation support is off.
>> 2014/02/19 12:23:53 kid1| Accepting HTTP Socket connections at local=0.0.0.0:8080 remote=[::] FD 12 flags=9
>> 2014/02/19 12:23:53 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 13 flags=9
>> 2014/02/19 12:23:53 kid1| Accepting TPROXY spoofing HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 14 flags=25
>> ...
>>
>> ********************************
>>
>> * The router is connected to the wccp port:
>>
>> udp 0 0 194.214.158.189:2048 194.214.158.165:2048
>> ESTABLISHED
>>
>> ********************************
>>
>> * iptables seems OK
>>
>> # iptables -t mangle -S
>> -P PREROUTING ACCEPT
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>> -P POSTROUTING ACCEPT
>> -N DIVERT
>> -A PREROUTING -p tcp -m socket -j DIVERT
>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>> -A DIVERT -j ACCEPT
>> #
>>
>> ********************************
>> * kernel routing seems OK:
>>
>> # ip -s -f inet rule
>> 0: from all lookup local
>> 32764: from all fwmark 0x1 lookup 100
>> 32765: from all fwmark 0x1 lookup 100
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> # ip -s -f inet route
>> default via 194.214.158.165 dev eth0
>> 169.254.0.0/16 dev eth0 scope link metric 1002
>> 194.214.158.0/24 dev eth0 proto kernel scope link src 194.214.158.189
>> #
>>
>> ********************************
>> * squid.conf:
>>
>> wccp2_router 194.214.158.165
>> wccp2_forwarding_method gre
>> wccp2_return_method gre
>> wccp2_assignment_method hash
>> wccp2_service standard 0
>>
>> I shall change wccp2_service to dynamic after, but for start-up, it
>> should work, I guess.
>>
>> ********************************
>> * On the router (switch/router) we have this:
>>
>> ip wccp web-cache redirect-list 120
>>
>> interface Vlan16
>> description Vlan Users
>> ip address a.b.c.d v.w.x.y
>> no ip redirects
>> ip wccp web-cache redirect in
>>
>>
>> access-list 120 remark le proxy SQUID bypasse la redirection
>> access-list 120 deny ip host 194.214.158.207 any
>> access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq www
>> access-list 120 deny ip any any
>>
>> *********************************
>>
>>
>>
>> What more should I look at? Is there something wrong? Any hint?
>>
>> Thanks for your help.
>>
>

-- 
  Sent from my typewriter.
  ---------------------------------------------------------------
   Spam : Classement statistique de messages électroniques -
          Une approche pragmatique
   At Amazon.fr: http://amzn.to/LEscRu or http://bit.ly/SpamJM
  ---------------------------------------------------------------
  Jose Marcio MARTINS DA CRUZ            http://www.j-chkmail.org
  Ecole des Mines de Paris                   http://bit.ly/SpamJM
  60, bd Saint Michel                      75272 - PARIS CEDEX 06
  mailto:Jose-Marcio.Martins_at_mines-paristech.fr
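The thread above boils down to checking that four pieces of host plumbing line up: the mangle-table DIVERT/TPROXY rules, the fwmark policy rule, the local route in the marked table, and a GRE tunnel to receive the router's WCCP redirects. The script below is an added example (not code from the thread, from Squid or from the wiki pages it cites) that parses captured `iptables -t mangle -S`, `ip rule`, `ip route show table <N>` and `ip tunnel show` output and reports what is missing or inconsistent. The iptables and `ip rule` samples are the ones Jose-Marcio posted; the table-100 route and the tunnel listing are constructed, the former following the `ip route add local 0.0.0.0/0 dev lo table 100` step of the Tproxy4 feature page the thread references, the latter following the `iptunnel add wccp0 mode gre ...` command in Eliezer's reply. Requiring a gre/ip tunnel interface is this example's assumption, not a statement from the thread.

```python
import re

# Sample input 1: the `iptables -t mangle -S` output posted in the thread.
MANGLE_OK = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
"""

# Sample input 2: the `ip -s -f inet rule` output posted in the thread (note the duplicate rule).
RULES_OK = """\
0: from all lookup local
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
"""

# Constructed: `ip route show table 100` after `ip route add local 0.0.0.0/0 dev lo table 100`
# (the Tproxy4 recipe step the thread does not show).
TABLE100_OK = "local default dev lo scope host\n"

# Constructed: `ip tunnel show` with a wccp0 tunnel as created by the iptunnel command in the reply.
TUNNELS_OK = """\
gre0: gre/ip remote any local any ttl inherit nopmtudisc
wccp0: gre/ip remote 194.214.158.165 local 194.214.158.189 ttl inherit
"""


def _to_int(s):
    """Accept 0x1, 0x1/0xffffffff or plain 1 and return the mark value."""
    return int(s.split("/")[0], 0)


def parse_mangle(text):
    """Extract the Tproxy4 pieces from `iptables -t mangle -S` output."""
    info = {"divert_chain": False, "socket_divert": False, "tproxy": None, "divert_mark": None}
    for line in (l.strip() for l in text.splitlines()):
        if line == "-N DIVERT":
            info["divert_chain"] = True
        elif line.startswith("-A PREROUTING") and "-m socket" in line and "-j DIVERT" in line:
            info["socket_divert"] = True
        elif line.startswith("-A PREROUTING") and "-j TPROXY" in line:
            dport = re.search(r"--dport (\d+)", line)
            port = re.search(r"--on-port (\d+)", line)
            mark = re.search(r"--tproxy-mark (\S+)", line)
            if dport and port and mark:
                info["tproxy"] = {"dport": int(dport.group(1)), "on_port": int(port.group(1)),
                                  "mark": _to_int(mark.group(1))}
        elif line.startswith("-A DIVERT") and "-j MARK" in line:
            mark = re.search(r"--set-x?mark (\S+)", line)
            if mark:
                info["divert_mark"] = _to_int(mark.group(1))
    return info


def parse_rules(text):
    """Map fwmark -> routing table from `ip rule` output and count exact duplicates."""
    rules, dups = {}, 0
    for line in text.splitlines():
        m = re.search(r"fwmark (\S+) lookup (\S+)", line)
        if not m:
            continue
        mark, table = _to_int(m.group(1)), m.group(2)
        if rules.get(mark) == table:
            dups += 1
        rules[mark] = table
    return rules, dups


def has_local_lo_route(text):
    """True if the table output contains the `local 0.0.0.0/0 dev lo` catch-all."""
    return any(re.match(r"local (default|0\.0\.0\.0/0) dev lo\b", l.strip()) for l in text.splitlines())


def gre_tunnels(text):
    """Names of gre/ip tunnel interfaces in `ip tunnel show` output."""
    return [m.group(1) for m in (re.match(r"(\S+): gre/ip\b", l) for l in text.splitlines()) if m]


def check_tproxy(mangle_out, rule_out, table_out, tunnel_out):
    """Return {'problems': [...], 'notes': [...]} for one host's captured command output.
    table_out must be the `ip route show table <N>` output for the table the fwmark rule selects."""
    problems, notes = [], []
    m = parse_mangle(mangle_out)
    if not m["divert_chain"]:
        problems.append("mangle table has no DIVERT chain")
    if not m["socket_divert"]:
        problems.append("PREROUTING lacks '-p tcp -m socket -j DIVERT' (packets of established spoofed sessions are not marked)")
    if m["tproxy"] is None:
        problems.append("PREROUTING has no TPROXY rule with --on-port and --tproxy-mark")
        return {"problems": problems, "notes": notes}
    mark = m["tproxy"]["mark"]
    if m["divert_mark"] != mark:
        problems.append(f"DIVERT sets mark {m['divert_mark']!r} but TPROXY uses {mark!r}")
    rules, dups = parse_rules(rule_out)
    table = rules.get(mark)
    if table is None:
        problems.append(f"no 'ip rule ... fwmark {hex(mark)} lookup <table>' entry")
    elif not has_local_lo_route(table_out):
        problems.append(f"table {table} lacks 'local default dev lo' (marked packets will not be delivered locally)")
    if dups:
        notes.append(f"{dups} duplicate fwmark rule(s); harmless but worth cleaning up")
    if not gre_tunnels(tunnel_out):
        problems.append("no gre/ip tunnel interface to decapsulate WCCP GRE redirects (assumed requirement)")
    return {"problems": problems, "notes": notes}


if __name__ == "__main__":
    result = check_tproxy(MANGLE_OK, RULES_OK, TABLE100_OK, TUNNELS_OK)
    for p in result["problems"]:
        print("PROBLEM:", p)
    for n in result["notes"]:
        print("note:", n)
    if not result["problems"]:
        print("TPROXY/WCCP host plumbing looks complete")
```

Run it against the output of the same four commands on the proxy host; it deliberately only checks the host side, so an empty problem list still leaves the router-side redirect-list and the GRE traffic itself to be confirmed with tcpdump, as Eliezer suggested.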
Received on Wed Feb 19 2014 - 15:42:32 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 19 2014 - 12:00:06 MST