RE: [squid-users] Squid + Cisco 4500 + WCCP2
Very sorry for bothering you again. Although I get the redirection from the router to squid, as seen with tcpdump (10.72.192.61 is a test internal address):

11:38:37.956330 IP 199.47.218.151.80 > 10.72.192.61.50690: Flags [S.], seq 1048613649, ack 1347334415, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:38.399796 IP 10.72.192.61.50697 > 199.47.218.151.80: Flags [S], seq 3043000771, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:38:38.399880 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.], seq 3389808826, ack 3043000772, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:39.756353 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.], seq 3389808826, ack 3043000772, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:41.356350 IP 176.9.44.80.80 > 10.72.192.61.50693: Flags [S.], seq 326259738, ack 1299448389, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:41.409101 IP 10.72.192.61.50697 > 199.47.218.151.80: Flags [S], seq 3043000771, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:38:41.409164 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.], seq 3389808826, ack 3043000772, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:41.556343 IP 176.9.44.80.80 > 10.72.192.61.50694: Flags [S.], seq 2634200113, ack 3423797704, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:41.756336 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.], seq 3389808826, ack 3043000772, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:41.756362 IP 209.85.148.139.80 > 10.72.192.61.50695: Flags [S.], seq 2040290141, ack 953271924, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:42.356340 IP 209.85.148.139.80 > 10.72.192.61.50696: Flags [S.], seq 69242255, ack 3941278742, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0

I still can't get linux to redirect to squid (port 8080); access.log is empty. I use the following iptables:

# Generated by iptables-save v1.4.12.1 on Wed Jul 25 11:36:37 2012
*filter
:INPUT ACCEPT [105007:140596865]
:FORWARD ACCEPT [3:120]
:OUTPUT ACCEPT [212743:136992211]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed Jul 25 11:36:37 2012
# Generated by iptables-save v1.4.12.1 on Wed Jul 25 11:36:37 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [1254:65132]
:OUTPUT ACCEPT [118:7345]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $SQUID_IP -i eth0 -p tcp -j ACCEPT
-A PREROUTING -s $NETWORK_SPACE -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Wed Jul 25 11:36:37 2012
---

The catch is that I use L2 redirection, so source and destination is eth0, no GRE tunnel. Can it be done, or should I create a virtual device and redirect input from there?

Thank you in advance
John
Re: [squid-users] Squid + Cisco 4500 + WCCP2
On Wed, Jul 25, 2012 at 3:04 PM, Indunil Jayasooriya <induni...@gmail.com> wrote:
> Can your squid box go to the internet? (Pls check the /etc/resolv.conf file.)
>
> How many interfaces does your squid box have? 1 or 2?
>
> In the /etc/sysctl.conf file, pls check the net.ipv4.ip_forward parameter. Try to set it to one in the following manner:
>
> net.ipv4.ip_forward = 1
>
> On Wed, Jul 25, 2012 at 2:13 PM, Ioannis Pliatsikas <gpli...@ee.duth.gr> wrote:
>> Very sorry for bothering you again. Although I get the redirection from the router to squid, as seen with tcpdump (10.72.192.61 is a test internal address):
>> [...]
>> I still can't get linux to redirect to squid (port 8080); access.log is empty. I use the following iptables:
>> [...]
>> The catch is that I use L2 redirection, so source and destination is eth0, no GRE tunnel. Can it be done, or should I create a virtual device and redirect input from there?
>>
>> Thank you in advance
>> John

--
Thank you
Indunil Jayasooriya
Re: [squid-users] Squid + Cisco 4500 + WCCP2
Only 1 interface is available.

Sorry, forgot to add that I have also configured this:

echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

Thank you
John

On Wed, 25 Jul 2012 15:05:33 +0530, Indunil Jayasooriya wrote:
> On Wed, Jul 25, 2012 at 3:04 PM, Indunil Jayasooriya <induni...@gmail.com> wrote:
>> Can your squid box go to the internet? (Pls check the /etc/resolv.conf file.)
>>
>> How many interfaces does your squid box have? 1 or 2?
>>
>> In the /etc/sysctl.conf file, pls check the net.ipv4.ip_forward parameter. Try to set it to one in the following manner:
>>
>> net.ipv4.ip_forward = 1
>>
>> On Wed, Jul 25, 2012 at 2:13 PM, Ioannis Pliatsikas <gpli...@ee.duth.gr> wrote:
>>> [...]
Re: [squid-users] Squid + Cisco 4500 + WCCP2
On 25/07/2012 10:29 p.m., Ioannis Pliatsikas wrote:
> Only 1 interface is available.
>
> Sorry, forgot to add that I have also configured this:
>
> echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward

There is another rp_filter setting which can get in the way:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Amos
RE: [squid-users] Squid + Cisco 4500 + WCCP2
Thanks all, managed to get it partially working. Cisco is redirecting traffic to squid, but squid is not accepting it.

Used

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

to redirect all incoming traffic to the squid port, but access.log shows no activity.

tcpdump:

10:03:27.428145 IP (tos 0x0, ttl 127, id 31964, offset 0, flags [DF], proto TCP (6), length 52)
    10.72.192.61.59817 > 209.85.148.138.80: Flags [S], cksum 0xd6dd (correct), seq 3440021710, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
10:03:27.428232 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    209.85.148.138.80 > 10.72.192.61.59817: Flags [S.], cksum 0x308c (incorrect -> 0x96db), seq 3493353134, ack 3440021711, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
10:03:27.480245 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    176.9.44.80.80 > 10.72.192.61.59806: Flags [S.], cksum 0xa705 (incorrect -> 0xa05d), seq 3110682159, ack 1547219199, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
10:03:27.655208 IP (tos 0x0, ttl 127, id 31966, offset 0, flags [DF], proto TCP (6), length 52)
    10.72.192.61.59818 > 209.85.148.138.80: Flags [S], cksum 0x09ce (correct), seq 2337382294, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
10:03:27.655289 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    209.85.148.138.80 > 10.72.192.61.59818: Flags [S.], cksum 0x308c (incorrect -> 0xd8b2), seq 3393736119, ack 2337382295, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0

Any ideas why the checksum is incorrect and why it is not redirecting to port 8080?

Thank you in advance.
John
Re: [squid-users] Squid + Cisco 4500 + WCCP2
On 24/07/2012 7:13 p.m., Ioannis Pliatsikas wrote:
> Thanks all, managed to get it partially working. Cisco is redirecting traffic to squid, but squid is not accepting it.
>
> Used
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> to redirect all incoming traffic to the squid port, but access.log shows no activity.
>
> tcpdump:
> [...]
>
> Any ideas why the checksum is incorrect and why it is not redirecting to port 8080?

iptables NAT or NIC problem.

Are you missing the MASQUERADE rule for the return traffic?

Amos
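A small triage script for captures like the two John posted (the plain tcpdump output in his later message and the -v output quoted above), added here as an example; it is not code from the Squid project or from anyone in this thread. It parses both tcpdump text formats, groups packets into flows keyed by client and server endpoint, and reports per flow whether the three-way handshake completed, how many SYNs and SYN-ACKs were retransmitted, and whether the server-side replies carry the two markers visible in John's -v capture. The sample capture is a constructed copy of a few lines from both captures plus one made-up completed handshake to 192.0.2.10 (a documentation address). Two heuristics are mine, not from the thread: a reply with TTL 64 and IP ID 0 is what a Linux host generates itself rather than forwards (a forwarded reply keeps the origin's decremented TTL), and an "incorrect" checksum on packets the capturing host itself sends is usually TX checksum offload, because tcpdump sees the frame before the NIC fills the checksum in.

```python
import re
from collections import defaultdict, namedtuple

# One regex for both tcpdump text formats in the thread: plain output, and -v
# output, which inserts "(tos ..., ttl N, id N, ..., length N)" after "IP".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?:\(tos \S+, ttl (?P<ttl>\d+), id (?P<ipid>\d+), .*?length \d+\) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],"
    r"(?: cksum \S+ \((?P<ckstate>[^)]*)\),)?"
    r"(?: seq (?P<seq>\d+)(?::\d+)?,)?"
    r"(?: ack (?P<ack>\d+),)?"
)

# ttl/ipid exist only in -v output; ckstate is "correct", "incorrect -> 0x..." or None.
Packet = namedtuple("Packet", "ts src sport dst dport flags seq ack ttl ipid ckstate")

def parse_capture(text):
    # tcpdump -v wraps the TCP part onto an indented second line; join it back first.
    pkts = []
    for rec in re.sub(r"\n[ \t]+", " ", text).splitlines():
        m = LINE_RE.match(rec)
        if not m:
            continue  # ARP, ICMP, blank lines: not part of the handshake triage
        g = m.groupdict()
        n = {k: (None if g[k] is None else int(g[k]))
             for k in ("sport", "dport", "seq", "ack", "ttl", "ipid")}
        pkts.append(Packet(g["ts"], g["src"], n["sport"], g["dst"], n["dport"], g["flags"],
                           n["seq"], n["ack"], n["ttl"], n["ipid"], g["ckstate"]))
    return pkts

def _verdict(f):
    if f["client_ack"]:
        return "handshake completed"
    if len(f["synack"]) > len(set(f["synack"])):
        return "SYN-ACK retransmitted and never ACKed: reply not reaching client"
    if f["synack"]:
        return "SYN-ACK sent, no client ACK in capture"
    if f["syn"]:
        return "SYN seen, no SYN-ACK: nothing answering on this host"
    return "no handshake packets"

def analyze(pkts, server_port=80):
    """Per flow keyed (client ip, client port, server ip, server port): handshake state."""
    flows = defaultdict(lambda: {"syn": [], "synack": [], "client_ack": False,
                                 "local_reply": False, "bad_cksum": 0})
    for p in pkts:
        if p.dport == server_port:  # client -> server
            f = flows[(p.src, p.sport, p.dst, p.dport)]
            if p.flags == "S":
                f["syn"].append(p.seq)
            elif "S" not in p.flags and "." in p.flags:
                f["client_ack"] = True  # third packet of the handshake, or later
        elif p.sport == server_port:  # server -> client
            f = flows[(p.dst, p.dport, p.src, p.sport)]
            if p.flags == "S.":
                f["synack"].append(p.seq)
            # Heuristic (mine): TTL 64 + IP ID 0 is a reply this Linux host built itself.
            if p.ttl == 64 and p.ipid == 0:
                f["local_reply"] = True
            # "incorrect" on frames this host sends is usually TX checksum offload.
            if p.ckstate and p.ckstate.startswith("incorrect"):
                f["bad_cksum"] += 1
    return {k: {"syn_retransmits": len(f["syn"]) - len(set(f["syn"])),
                "synack_retransmits": len(f["synack"]) - len(set(f["synack"])),
                "local_reply": f["local_reply"], "bad_cksum": f["bad_cksum"],
                "verdict": _verdict(f)} for k, f in flows.items()}

# Constructed sample: lines copied from the two captures in the thread, plus one
# made-up completed handshake to 192.0.2.10 (a documentation address).
SAMPLE_CAPTURE = """\
11:38:38.399796 IP 10.72.192.61.50697 > 199.47.218.151.80: Flags [S], seq 3043000771, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:38:38.399880 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.], seq 3389808826, ack 3043000772, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:39.756353 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.], seq 3389808826, ack 3043000772, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:38:41.409101 IP 10.72.192.61.50697 > 199.47.218.151.80: Flags [S], seq 3043000771, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:38:41.409164 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.], seq 3389808826, ack 3043000772, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
10:03:27.428145 IP (tos 0x0, ttl 127, id 31964, offset 0, flags [DF], proto TCP (6), length 52)
    10.72.192.61.59817 > 209.85.148.138.80: Flags [S], cksum 0xd6dd (correct), seq 3440021710, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
10:03:27.428232 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    209.85.148.138.80 > 10.72.192.61.59817: Flags [S.], cksum 0x308c (incorrect -> 0x96db), seq 3493353134, ack 3440021711, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
12:00:00.000001 IP 10.72.192.61.50700 > 192.0.2.10.80: Flags [S], seq 1000, win 8192, length 0
12:00:00.000002 IP 192.0.2.10.80 > 10.72.192.61.50700: Flags [S.], seq 2000, ack 1001, win 14600, length 0
12:00:00.000003 IP 10.72.192.61.50700 > 192.0.2.10.80: Flags [.], ack 2001, win 8192, length 0
"""

if __name__ == "__main__":
    for key, r in analyze(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {r}")
```

On the sample this reports the 50697 flow as "SYN-ACK retransmitted and never ACKed" (the interception answered, but the reply never came back from the client), the 59817 flow as a locally generated reply with one offload-style checksum, and the constructed 50700 flow as completed. To apply it to a live box, save the output of tcpdump -nn -v on the interface into a file and pass its contents to parse_capture; the -K flag to tcpdump skips checksum verification if the "incorrect" noise gets in the way.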
Re: [squid-users] Squid + Cisco 4500 + WCCP2
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> to redirect all incoming traffic to the squid port, but access.log shows no activity.

Have you added the rule below (if squid listens on port 8080)?

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

--
Thank you
Indunil Jayasooriya
Re: [squid-users] Squid + Cisco 4500 + WCCP2
On 20/07/2012 10:53 p.m., Ioannis Pliatsikas wrote:
> Unknown capability type in WCCPv2 Packet

Your cisco is advertising two capability types (4 and 5) which are not defined in the WCCPv2 protocol document. It is not a major problem. Squid ignores them.

You can silence them with this (when the Squid mirrors pick it up):
http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-1.patch

Amos
Re: [squid-users] Squid + Cisco 4500 + WCCP2
On 7/20/2012 1:53 PM, Ioannis Pliatsikas wrote:
> I'm trying to set up a transparent proxy with squid using wccpv2 and a 4507 (ios v15.1) Cisco switch.
> Tried using the out-of-the-box rpm package, 3.1.20 on Opensuse 12.1, with no luck.
> My cache.log kept filling with "Unknown capability type in WCCPv2 Packet" messages.
> Compiled the same version from source with the --enable-wccpv2 option but I keep getting the same errors.
> Cisco can see the proxy because I get
> SNIP
> No tunnel defined anywhere cause I assume it's not necessary on L2 redirection.
> Any ideas?

Other than the error, is it redirecting the traffic?
I have tested wccp2 on a router and GRE but not on a switch and L2 yet.
On the cisco you also need to apply extended ACLs based on the www port to match the specific traffic you want to redirect into squid.
If you won't do that, the web-cache won't redirect anything.

Regards,
Elizer

> Thank you in advance
> John

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
RE: [squid-users] Squid + Cisco 4500 + WCCP2
-----Original Message-----
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Saturday, July 21, 2012 5:58 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid + Cisco 4500 + WCCP2

On 7/20/2012 1:53 PM, Ioannis Pliatsikas wrote:
[...]

Other than the error, is it redirecting the traffic?
I have tested wccp2 on a router and GRE but not on a switch and L2 yet.
On the cisco you also need to apply extended ACLs based on the www port to match the specific traffic you want to redirect into squid.
If you won't do that, the web-cache won't redirect anything.

Regards,
Elizer

[...]
-----

Switch is not redirecting anything. access.log is empty. Have to look at the extended ACLs, cause Cisco is not saying anything about them. Assumed that the line

ip wccp web-cache redirect in

on vlan1 will redirect all http traffic.

Thank you
John