RE: [squid-users] Tproxy iptables rules issue

From: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
Date: Wed, 24 Sep 2008 08:42:43 -0500

As Amos said, we are close to a solution. I am in the middle of load
testing it to make sure things are ok.

Load testing it has been delayed a little more than planned because I
am having that same annoying GRE tunnel problem I noted back in May. It
appears that the GRE tunnel setup on the Linux server running Squid is
not the same when the WCCP router identifier is not on the same logical
IP subnet...either that or there is a screwy problem between IOS version
numbers.

As soon as I finish the load testing, I will update the wiki article,
because it is way off now.

Nick

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Tuesday, September 23, 2008 11:42 PM
> To: Dan Letkeman
> Cc: Ritter, Nicholas; squid-users
> Subject: Re: [squid-users] Tproxy iptables rules issue
>
> > Did you ever get this going? I have successfully setup a
> > squid2.6/tproxy/iptables server, and I have successfully setup a
> > squid2.6/wccp server and now I'm trying to combine both of them, but I
> > think the iptables commands I'm trying are wrong. Do you have any
> > suggestions?
>
> Squid 2.6 does not have Tproxy v4.1+ support. Nick was
> testing a 3-HEAD Squid server.
>
> We just got it going yesterday :-) the patch to Squid-3 is in
> HEAD now.
> Though a few alterations to the kernel side of TPROXY were
> also needed, which may not have been added to the Balabit
> side quite yet.
>
> The How-to about kernel patching is still awaiting a few
> adjustments due in shortly.
>
>
> Amos
>
> >
> > Thanks,
> > Dan.
> >
> > On Fri, May 30, 2008 at 3:58 PM, Ritter, Nicholas
> > <Nicholas.Ritter_at_americantv.com> wrote:
> >> What exactly do the redirection rules for wccp/iptables 1.4/squid
> >> 2.6/tproxy look like? I have browsed the Internet plus messed with it
> >> for a while now and found that the README rules don't fully work, and
> >> the examples on the Internet don't fully work.
> >>
> >> Symptomatically, I see the router redirecting via the GRE tunnel, the
> >> squid box sees the gre packets (2.6 kernel), but ifconfig does not
> >> show the GRE interface counters incrementing, and the squid service
> >> run in debug mode shows no transactions. Something is wrong with
> >> either my iptables rules or my GRE tunnel setup. I don't think it is
> >> the GRE tunnel because I set it up the same exact way as I did the
> >> non-tproxy squid boxes that I have in the same setup which are working.
> >>
> >> Any help would be appreciated. I can provide my rule setup, etc. if
> >> needed. My knowledge and direct interaction is limited with iptables,
> >> which is one more reason why I think the problem is there. BTW - my
> >> system log does show the tproxy module loading.
> >>
> >> Nick
> >>
> >
Received on Wed Sep 24 2008 - 13:42:54 MDT
