I think that the router's okay and your squid needs adjustment.
My system only has one GRE device, not two.
iptables -t nat -nvL has
3499K 197M DNAT tcp -- wccp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:203.15.226.132:3128
95 4592 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
ifconfig:
wccp0 Link encap:UNSPEC HWaddr CB-0F-E2-84-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:203.15.226.132 P-t-P:203.15.226.132 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
RX packets:90371077 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18107130326 (16.8 GiB) TX bytes:0 (0.0 b)
Anyway, before squid starts this code gets run:
CISCO_IP=<IP ADDRESS>
HOST_IP=<IP ADDRESS>
SQUID_PORT=3128
# load the kernel module needed (give up quietly if it is unavailable)
/sbin/modprobe ip_gre || exit 0
# destroy any existing tunnel with our name
if /sbin/ifconfig | grep -q wccp0; then
    /sbin/iptunnel del wccp0 > /dev/null
fi
# make a new tunnel
/sbin/iptunnel add wccp0 mode gre remote $CISCO_IP local $HOST_IP dev eth0
/sbin/ifconfig wccp0 $HOST_IP netmask 255.255.255.255 up
# Remove all iptables rules (disabled ATM) -- Don't clobber a production FW!
#/sbin/iptables -F
#/sbin/iptables -t nat -F
# Add redirection rules from port 80 to $SQUID_PORT
/sbin/iptables -I PREROUTING -i eth0 -t nat -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
/sbin/iptables -I PREROUTING -i wccp0 -t nat -p tcp --dport 80 -j DNAT --to-destination $HOST_IP:$SQUID_PORT
# Accept the UDP packets used for WCCP communication with the Cisco gear
# (iptables has no "any" interface keyword; leaving out -i matches every interface)
/sbin/iptables -I INPUT -p udp --dport 2048 -j ACCEPT
# Accept all port 80 packets
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
and gets killed when it stops:
/sbin/iptunnel del wccp0 > /dev/null
# Remove all iptables changes
/sbin/iptables -D PREROUTING -i eth0 -t nat -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
/sbin/iptables -D PREROUTING -i wccp0 -t nat -p tcp --dport 80 -j DNAT --to-destination $HOST_IP:$SQUID_PORT
/sbin/iptables -D INPUT -p udp --dport 2048 -j ACCEPT
/sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
I'm not an expert, so don't assume that this is all perfect, but I hope it helps.
Received on Wed Dec 09 2009 - 22:58:33 MST
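As an added example (not the poster's script), a health check for the setup described in the message above: it verifies the wccp0 tunnel, the two NAT rules and whether the router is actually sending traffic into the tunnel, assuming the interface names from the post and that squid listens on port 3128.

```shell
#!/bin/sh
# Added health check for the WCCP/GRE setup in the post above (not the poster's
# script). Checks take command output as a string, so they work on captured text
# or on live output: gre_tunnel_ok "$(/sbin/ifconfig)" etc., run as root.
SQUID_PORT=3128   # assumption: squid listens where the post's script sends traffic

# Pull the value after "key" from the wccp0 block of ifconfig output.
wccp0_field() {
    printf '%s\n' "$2" |
        awk -v key="$1" '/^[^ ]/ {f = /^wccp0/} f && index($0, key) {sub(".*" key, ""); print $1; exit}'
}

# GRE adds 24 bytes of headers, so wccp0 needs an MTU of at most 1476 or the
# router's redirected full-size frames need fragmenting. TX packets:0 is normal:
# only the router-to-cache direction uses the tunnel; replies leave via eth0.
gre_tunnel_ok() {
    mtu=$(wccp0_field "MTU:" "$1")
    [ -n "$mtu" ] && [ "$mtu" -le 1476 ] &&
        printf '%s\n' "$1" | awk '/^[^ ]/ {f = /^wccp0/} f && /POINTOPOINT/ {p=1} END {exit !p}'
}

# Both rules must target the squid port: DNAT for packets arriving over the
# tunnel, REDIRECT for clients routed straight through eth0.
nat_rules_ok() {
    printf '%s\n' "$1" | grep -q 'DNAT .*wccp0.*dpt:80 .*to:[0-9.]*:'"$SQUID_PORT"' *$' &&
    printf '%s\n' "$1" | grep -q 'REDIRECT .*eth0.*dpt:80 .*redir ports '"$SQUID_PORT"' *$'
}

# RX packets on wccp0 rising between two ifconfig samples taken a few seconds
# apart means the router really is redirecting traffic into the tunnel.
router_redirecting() {
    a=$(wccp0_field "RX packets:" "$1"); b=$(wccp0_field "RX packets:" "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$b" -gt "$a" ]
}

# Constructed samples, copied from the output quoted in the post.
SAMPLE_IFCONFIG=$(cat <<'EOF'
wccp0     Link encap:UNSPEC  HWaddr CB-0F-E2-84-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:203.15.226.132  P-t-P:203.15.226.132  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:90371077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
EOF
)
SAMPLE_NAT=$(cat <<'EOF'
3499K 197M DNAT     tcp -- wccp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:203.15.226.132:3128
   95 4592 REDIRECT tcp -- eth0  * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
EOF
)
```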