Re: [squid-users] Problem with transparent proxy using WCCP2 + GRE on Linux

From: Nicolas Limage <squid@dont-contact.us>
Date: Fri, 23 Feb 2007 19:03:39 +0100

Bryan,

First, thanks a lot for your answer, as it permitted me to solve my problem,
at least partially.

The problem came from the tunnel, which had no ip address.
Putting the primary ip address of the box on it was the solution.

(I also simplified my iptable rule, as both are somehow equivalent, but yours
is less error-prone)

Something remains strange: on my current (now working) configuration, if I
try to replace "gre0" by "gre1", it stops working. Another interesting point
is that I cannot delete gre0:

# iptunnel del gre0
ioctl: Operation not permitted

The problem is that I need to enable this proxy on another router also, so
another gre tunnel is required. This may belong more to a kernel list but
maybe someone here experienced the same thing.

I can see ICMP error packets from the squid box to the router:

18:58:12.635157 IP <squidbox ip> > <router ip>: ICMP <squidbox ip> protocol 47
port 34878 unreachable, length 88

I'll post again if I can find anything interesting on this.

Thanks,
Nicolas

On Friday 23 February 2007 13:50, Bryan Shoebottom wrote:
> Nicolas,
>
> Maybe, the packets are getting dropped when they are trying to get back
> into your system on port 3128, try redirecting to the port only using
> --to-ports instead of --to-destination. I also use the REDIRECT
> function as opposed to DNAT. Here is my rule:
>
> iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 \
>     -j REDIRECT --to-ports 3128
>
> Finally, I use the IP of my cache server with a /32 mask for the gre0
> interface. Hope this helps.
>
> Thanks,
> Bryan
>
> On Fri, 2007-02-23 at 04:09 -0500, Nicolas Limage wrote:
> > Hi squid-users,
> >
> > I'm currently trying to replace an old netapp proxy with a squid+linux box.
> >
> > I've some users behind a Cisco 7200 running IOS 12.4(12) using the proxy in
> > transparent mode. The current proxy uses WCCP2+GRE to get the traffic from
> > the router. The aim is to reproduce this behaviour with the squid box.
> >
> > I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from debian
> > and squid-2.6.STABLE8 compiled with the following options:
> >
> > $ ./configure --prefix=/opt/package/squid-2.6.STABLE8 \
> >     --enable-storeio=aufs,coss,diskd,null,ufs \
> >     --enable-removal-policies=heap,lru \
> >     --enable-useragent-log --enable-referer-log --enable-wccp \
> >     --enable-wccpv2 \
> >     --enable-snmp --enable-linux-netfilter --enable-large-cache-files \
> >     --disable-ident-lookups --with-pthreads
> >
> > my squid.conf file includes these lines:
> >
> > http_port 3128 transparent
> > wccp2_router <ip_of_the_cisco_router>
> > wccp2_rebuild_wait on
> > wccp2_forwarding_method 1
> > wccp2_return_method 1
> > wccp2_assignment_method 1
> > wccp2_service standard 0
> >
> > I have set up an unnumbered GRE tunnel between the box and the router:
> >
> > # iptunnel del gre0
> > # iptunnel add gre0 mode gre remote <ip_of_the_cisco_router> local <ip_of_the_linux_box> dev eth0
> > # ifconfig gre0 up
> >
> > I've added these commands to enable routing and disable spoof protection.
> >
> > # echo 1 > /proc/sys/net/ipv4/ip_forward
> > # for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >     echo 0 > $file
> > done
> >
> > To do the redirection, I'm using iptables, with all default policies set to
> > ACCEPT, plus this rule:
> >
> > # iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 \
> >     -j DNAT --to-destination <ip_of_the_linux_box>:3128
> >
> > The Cisco router has been doing the job for years, so I doubt the problem
> > comes from it. The squid proxy is running, with no error messages. I've
> > tested it by explicitly declaring it in my browser, and it works perfectly.
> >
> > The router can see the proxy (it is in its WCCP list) and it sends the packets
> > to the linux box. I can see the encapsulated packets coming to the linux box,
> > I can see the packets coming out of the GRE tunnel (tcpdump -i gre0), they
> > hit the iptable redirection rule (iptables -t nat -L -v; the counter is
> > increasing), but afterwards, they seem to disappear. No trace in the squid
> > log. The tcp session is not established. I see no related traffic coming out
> > of the box either.
> >
> > Does someone have an idea of what could be happening?
> >
> > I'm also very interested in knowing how (in theory) the answer is supposed
> > to return to the client.
> >
> > Thanks
> > --
> > Nicolas L.

-- 
Nicolas L.
Received on Fri Feb 23 2007 - 11:03:53 MST
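As an added illustration, not code from this thread or from Squid: a small Python parser that decapsulates a WCCPv2 GRE frame the way the Linux gre receiver does (GRE protocol type 0x883E, then the 4-byte WCCP redirect header skipped when the payload does not start with an IPv4 version nibble), so you can see what actually lands on gre0 and whether it would match the `-i gre0 -p tcp --dport 80` REDIRECT rule. The sample frame, its addresses and the zeroed redirect header are constructed for the example.

```python
import socket
import struct

GRE_PROTO_WCCP = 0x883E  # GRE protocol type on WCCP redirect frames
GRE_PROTO_IP = 0x0800
IPPROTO_GRE = 47

def _ipv4(buf, off):
    """Return (header_len, proto, src, dst) for the IPv4 header at buf[off:]."""
    if buf[off] >> 4 != 4:
        raise ValueError("not an IPv4 header at offset %d" % off)
    src, dst = socket.inet_ntoa(buf[off + 12:off + 16]), socket.inet_ntoa(buf[off + 16:off + 20])
    return (buf[off] & 0x0F) * 4, buf[off + 9], src, dst

def decapsulate_wccp_gre(pkt):
    """Peel outer IP -> GRE -> optional WCCPv2 redirect header -> inner IP/TCP and
    report whether the inner packet would match `-i gre0 -p tcp --dport 80`."""
    ihl, proto, outer_src, outer_dst = _ipv4(pkt, 0)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    flags, gre_proto = struct.unpack_from("!HH", pkt, ihl)
    off = ihl + 4
    if flags & 0xB000:  # C/K/S bits add fields WCCP never sends; not handled here
        raise ValueError("optional GRE fields present")
    if gre_proto == GRE_PROTO_WCCP:
        # Same heuristic as the Linux gre receiver: if the payload does not start
        # with an IPv4 version nibble, a 4-byte WCCPv2 redirect header precedes it.
        if pkt[off] >> 4 != 4:
            off += 4
    elif gre_proto != GRE_PROTO_IP:
        raise ValueError("unexpected GRE payload type 0x%04x" % gre_proto)
    inner_ihl, inner_proto, src, dst = _ipv4(pkt, off)
    dport = struct.unpack_from("!HH", pkt, off + inner_ihl)[1] if inner_proto == socket.IPPROTO_TCP else None
    return {"outer_src": outer_src, "outer_dst": outer_dst, "src": src, "dst": dst,
            "proto": inner_proto, "dport": dport,
            "hits_redirect_rule": inner_proto == socket.IPPROTO_TCP and dport == 80}

def build_sample(with_wccp_header=True):
    """Constructed frame: router 192.0.2.1 -> squid 192.0.2.10 carrying a client SYN
    198.51.100.7:34878 -> 203.0.113.5:80 (all addresses made up for the example)."""
    tcp = struct.pack("!HHIIBBHHH", 34878, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, socket.IPPROTO_TCP,
                        0, socket.inet_aton("198.51.100.7"), socket.inet_aton("203.0.113.5")) + tcp
    if with_wccp_header:  # zeroed 4-byte redirect header stands in for real service/bucket fields
        gre = struct.pack("!HH", 0, GRE_PROTO_WCCP) + b"\x00\x00\x00\x00" + inner
    else:  # plain GRE (protocol type 0x0800) with no WCCP header
        gre = struct.pack("!HH", 0, GRE_PROTO_IP) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, IPPROTO_GRE,
                        0, socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.10"))
    return outer + gre
```

Feeding it bytes captured with tcpdump on eth0 (outer IP header included) shows the inner addresses and port that the nat PREROUTING rule on gre0 actually evaluates.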

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST