ons 2010-09-15 klockan 17:09 -0400 skrev Chris Abel:
> I only have those 2 iptables rules set on my squid bos so I'm not sure how
> my iptables could be the problem. This is all of my active iptables
> printed out:
iptables-save is recommended for inspecting iptables rules.
but nothing obviously wrong in your iptables rules that I could see from
the -L outputs.
> wccp0 Link encap:UNSPEC HWaddr
> C0-A8-00-15-00-00-65-74-00-00-00-00-00-00-00-00
> inet addr:192.168.0.21 P-t-P:192.168.0.21 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
> RX packets:285 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:22823 (22.2 KiB) TX bytes:0 (0.0 B)
What does the following say about the wccp interface?
ip tunnel show wccp0
ip addr show dev wccp0
One thing about WCCP/GRE. Make sure that the router sends it's GRE
packets with the source & destination address you think it's using. The
gre tunnel definition must match this. Depending on router model and
version it's not always entirely obvious which address the router will
be using for the WCCP GRE traffic.
The GRE tunnel addresses used by the router is easily visible with
tcpdump -n -p -i eth0 proto gre
If you also see TCP packets on the wccp0 interface then the GRE tunnel
is defined correctly.
tcpdump -n -p -i wccp0
If you see GRE packets on eth0 but no TCP packets on wccp0 then the GRE
tunnel is not correctly defined.
Basic requirements for WCCP/GRE intercept mode operation (proxy mode
assumed to work already)
- WCCP configuration needs to be correct so that router & proxy agrees
on using WCCP, resulting in router sending any port 80 traffic to the
cache server using WCCP redirection (GRE or layer2 depending on config &
router capabilities)
- When using GRE redirection method the GRE tunnel defined to match the
GRE tunnel profile used by the router
- rp_filter must be disabled on the wccp0 GRE interface.
- A valid IP address needs to be assigned on the wccp0 GRE interface
- iptables nat table need to have a rule to redirect incoming port80
traffic on the wcccp0 interface to the Squid proxy port.
- Squid must be listening to the address of the wccp0 interface, or the
default wildcard address.
For TPROXY operation the requirements is similar, plus some more..
- iptables rule different.
- policy routing table requires (ip rule & ip route)
- wccp configuration more complex
all three detailed in the wiki pages relating to TPROXY.
in addition
- proxy preferably on a separate leg from the router (physical or vlan)
I recommend verifying intercept mode operation before trying tproxy.
Most of the concept is the same, just a bit more complex when doing
tproxy.
Regards
Henrik
Received on Wed Sep 15 2010 - 22:45:26 MDT
This archive was generated by hypermail 2.2.0 : Thu Sep 16 2010 - 12:00:03 MDT