[squid-users] Problem with transparent proxy using WCCP2 + GRE on Linux

From: Nicolas Limage <[email protected]>
Date: Fri, 23 Feb 2007 10:09:25 +0100

Hi squid-users,

I'm currently trying to replace an old netapp proxy with a squid+linux box.

I've some users behind a Cisco 7200 running IOS 12.4(12) using the proxy in
transparent mode. The current proxy uses WCCP2+GRE to get the traffic from
the router. The aim is to reproduce this behaviour with the squid box.

I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from debian
and squid-2.6.STABLE8 compiled with the following options:

$ ./configure --prefix=/opt/package/squid-2.6.STABLE8 \
    --enable-storeio=aufs,coss,diskd,null,ufs --enable-removal-policies=heap,lru \
    --enable-useragent-log --enable-referer-log --enable-wccp --enable-wccpv2 \
    --enable-snmp --enable-linux-netfilter --enable-large-cache-files \
    --disable-ident-lookups --with-pthreads

my squid.conf file includes these lines:

http_port 3128 transparent
wccp2_router <ip_of_the_cisco_router>
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0

I have set up an unnumbered GRE tunnel between the box and the router:

# iptunnel del gre0
# iptunnel add gre0 mode gre remote <ip_of_the_cisco_router> \
    local <ip_of_the_linux_box> dev eth0
# ifconfig gre0 up

I've added these commands to enable routing and disable spoof protection.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > $file
done

To do the redirection, I'm using iptables, with all default policies set to
ACCEPT, plus this rule:

# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 \
    -j DNAT --to-destination <ip_of_the_linux_box>:3128

The Cisco router has been doing the job for years, so I doubt the problem
comes from it. The squid proxy is running, with no error messages. I've
tested it by explicitly declaring it in my browser, and it works perfectly.

The router can see the proxy (it is in its WCCP list) and it sends the packets
to the linux box. I can see the encapsulated packets coming to the linux box,
I can see the packets coming out of the GRE tunnel (tcpdump -i gre0), and they
hit the iptables redirection rule (the counter in iptables -t nat -L -v is
increasing), but afterwards they seem to disappear. No trace in the squid
log. The TCP session is not established. I see no related traffic coming out
of the box either.

Does anyone have an idea of what could be happening?

I'm also very interested in knowing how (in theory) the answer is supposed
to return to the client.

Thanks

-- 
Nicolas L.
Received on Fri Feb 23 2007 - 02:09:39 MST
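The two mechanics the post relies on, as an added example that is not part of the original message and not Squid's code: how a WCCP/GRE-redirected packet is decapsulated before it reaches the PREROUTING rule (mirroring what the Linux gre receive path does with the 0x883E protocol type and the 4-byte WCCP redirect header), and what the DNAT rule plus conntrack do to the forward and reply 4-tuples. All addresses (ROUTER_IP, BOX_IP, CLIENT_IP, ORIGIN_IP, drawn from documentation ranges), the service id and the packet bytes are constructed stand-ins for the <ip_of_...> placeholders above; the ConntrackNat class is a deliberately small model of the kernel's behaviour, not the kernel's API.

```python
"""Decapsulate one WCCP/GRE-redirected packet and model the DNAT round trip.

Added example, not code from the original post or from Squid.  Addresses and
packet bytes are constructed; the NAT class is a model of conntrack, not the
real thing."""
import ipaddress
import struct

ETH_P_WCCP = 0x883E          # GRE protocol type used by WCCP redirection
IPPROTO_TCP, IPPROTO_GRE = 6, 47

# Hypothetical addresses standing in for the post's <ip_of_...> placeholders.
ROUTER_IP, BOX_IP = "192.0.2.1", "192.0.2.2"
CLIENT_IP, ORIGIN_IP = "198.51.100.10", "203.0.113.80"
SQUID_PORT = 3128


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    fields = (0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(buf: bytes) -> dict:
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": buf[ihl:total]}


def build_tcp_syn(sport: int, dport: int) -> bytes:
    # 20-byte TCP header with only SYN set; checksum left zero (not needed here).
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_wccp_gre(inner: bytes, service_id: int = 0) -> bytes:
    # GRE flags/version = 0, protocol = 0x883E, then the 4-byte WCCP redirect
    # header (version 0, service id, alt bucket, primary bucket).
    return struct.pack("!HH", 0, ETH_P_WCCP) + bytes([0, service_id, 0, 0]) + inner


def strip_gre(buf: bytes) -> tuple:
    """Return (protocol, inner packet).  Like the Linux gre receive path: skip
    optional C/K/S fields, and for 0x883E skip the 4-byte WCCP header unless
    the next byte already looks like an IPv4 version nibble."""
    flags, proto = struct.unpack("!HH", buf[:4])
    off = 4
    for bit in (0x8000, 0x2000, 0x1000):      # checksum, key, sequence present
        if flags & bit:
            off += 4
    if proto == ETH_P_WCCP and (buf[off] & 0xF0) != 0x40:
        off += 4
    return proto, buf[off:]


def decapsulate(outer: bytes, tunnel_remote: str = ROUTER_IP) -> tuple:
    """The 4-tuple tcpdump -i gre0 shows: the client's original connection."""
    ip = parse_ipv4(outer)
    if ip["proto"] != IPPROTO_GRE or ip["src"] != tunnel_remote:
        raise ValueError("not a GRE packet from the tunnel's remote end")
    proto, inner = strip_gre(ip["payload"])
    if proto != ETH_P_WCCP:
        raise ValueError("unexpected GRE protocol 0x%04x" % proto)
    inner_ip = parse_ipv4(inner)
    sport, dport = struct.unpack("!HH", inner_ip["payload"][:4])
    return inner_ip["src"], sport, inner_ip["dst"], dport


class ConntrackNat:
    """Model of the PREROUTING DNAT rule plus conntrack's reverse mapping."""

    def __init__(self):
        self.by_reply = {}    # reply 4-tuple -> original (dst, dport)

    def prerouting(self, flow: tuple) -> tuple:
        src, sport, dst, dport = flow
        if dport != 80:
            return flow
        self.by_reply[(BOX_IP, SQUID_PORT, src, sport)] = (dst, dport)
        return src, sport, BOX_IP, SQUID_PORT     # what Squid accept()s

    def reply(self, flow: tuple) -> tuple:
        # Squid answers from BOX_IP:3128; conntrack restores the origin server
        # as source, so the client sees a reply from ORIGIN_IP:80.  It leaves
        # by the box's normal route to the client, not through gre0.
        src, sport, dst, dport = flow
        orig_dst, orig_dport = self.by_reply.get(flow, (src, sport))
        return orig_dst, orig_dport, dst, dport


def constructed_redirected_syn(client_port: int = 40000) -> bytes:
    inner = build_ipv4(CLIENT_IP, ORIGIN_IP, IPPROTO_TCP, build_tcp_syn(client_port, 80))
    return build_ipv4(ROUTER_IP, BOX_IP, IPPROTO_GRE, build_wccp_gre(inner))


def round_trip(client_port: int = 40000) -> dict:
    nat = ConntrackNat()
    on_gre0 = decapsulate(constructed_redirected_syn(client_port))
    at_squid = nat.prerouting(on_gre0)
    reply_from_squid = (BOX_IP, SQUID_PORT, CLIENT_IP, client_port)
    return {"gre0": on_gre0, "squid": at_squid, "client_sees": nat.reply(reply_from_squid)}


if __name__ == "__main__":
    for stage, flow in round_trip().items():
        print("%-12s %s:%d -> %s:%d" % ((stage,) + flow))
```

Two things the model makes visible. First, the packet the DNAT rule counts is the already-decapsulated inner packet (client -> origin:80), so the counter going up says nothing about whether the rewritten packet then reaches a listening socket on BOX_IP:3128; checking that is a separate step. Second, the reply is generated locally by Squid and un-DNATed by conntrack on the way out, so it travels straight to the client with the origin server's address and port 80 as source, never back through the GRE tunnel, and it does not match a port-80 destination criterion, so the router's web-cache service has no reason to redirect it again.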

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST