Re: [squid-users] transparent proxy not working!! any advice?

2009-01-05 Thread R_O_L_A_N_D

Hello,
actually I have both of them set on the lan interface (am I mistaken to set the 
"redirect out" on the lan interface? should I be setting it on the interface 
facing the internet?)


ip wccp 80 redirect in
ip wccp 90 redirect out

as for the wiki provided, I fail to see what's missing!
obviously there is something, but I'm not detecting it!



--
From: "Regardt van de Vyver" 
Sent: Monday, January 05, 2009 12:46 AM
Cc: 
Subject: Re: [squid-users] transparent proxy not working!! any advice?


Roland Roland wrote:

Hello,
the output of the debugging is as such:



*Jan  4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
*Jan  4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active


what service is that?!



--
From: "Regardt van de Vyver" 
Sent: Sunday, January 04, 2009 9:33 PM
Cc: 
Subject: Re: [squid-users] transparent proxy not working!! any advice?


Roland Roland wrote:

i've just created a new box with the following options:
but wccp with router is still not working!
any advice?


using centos 5.2
and squid 2.6
firewall enabled
SElinux permissive
---
done the following:

yum update yum

yum install squid

squid -z
---
gedit /etc/rc.d/init.d/rc.local

#added:
modprobe ip_gre
ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
#this is the same ip as my eth0


gedit /etc/sysconfig/iptables

#added:
-A INPUT -i gre0 -j ACCEPT
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
#my routers lan interface 192.168.0.1
-A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT
---
service iptables condrestart

gedit /etc/squid/squid.conf

#edited/added the following:
http_port 80 transparent
http_access allow all
wccp2_router 192.168.0.1
wccp_version 4
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
--
Cisco router 2811 side:

conf t
ip wccp version 2
ip wccp web-cache

int f0/1 (Lan interface)
ip wccp 80 redirect in
ip wccp 90 redirect out
--
service squid restart

then sh ip wccp on router gave me all hits as 0 no hits from squid to
router!!
--

service iptables status

[r...@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target                prot opt source            destination
1    RH-Firewall-1-INPUT   all  --  0.0.0.0/0         0.0.0.0/0
2    ACCEPT                all  --  0.0.0.0/0         0.0.0.0/0
3    ACCEPT                all  --  0.0.0.0/0         0.0.0.0/0
4    ACCEPT                47   --  0.0.0.0/0         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target                prot opt source            destination
1    RH-Firewall-1-INPUT   all  --  0.0.0.0/0         0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target                prot opt source            destination

Chain RH-Firewall-1-INPUT (2 references)
num  target                prot opt source            destination
1    ACCEPT                all  --  0.0.0.0/0         0.0.0.0/0
2    ACCEPT                icmp --  0.0.0.0/0         0.0.0.0/0      icmp type 255
3    ACCEPT                esp  --  0.0.0.0/0         0.0.0.0/0
4    ACCEPT                ah   --  0.0.0.0/0         0.0.0.0/0
5    ACCEPT                udp  --  0.0.0.0/0         224.0.0.251    udp dpt:5353
6    ACCEPT                udp  --  0.0.0.0/0         0.0.0.0/0      udp dpt:631
7    ACCEPT                tcp  --  0.0.0.0/0         0.0.0.0/0      tcp dpt:631
8    ACCEPT                all  --  0.0.0.0/0         0.0.0.0/0      state RELATED,ESTABLISHED
9    ACCEPT                tcp  --  0.0.0.0/0         0.0.0.0/0      state NEW tcp dpt:22
10   ACCEPT                tcp  --  0.0.0.0/0         0.0.0.0/0      state NEW tcp dpt:80
11   ACCEPT                tcp  --  0.0.0.0/0         0.0.0.0/0      state NEW tcp dpt:5900
12   ACCEPT                udp  --  192.168.0.0/24    0.0.0.0/0      udp dpt:2048
13   REJECT                all  --  0.0.0.0/0         0.0.0.0/0      reject-with icmp-host-prohibited


---



lsmod:

Module                    Size  Used by
ip_conntrack_netbios_ns   6977  0
xt_state                  6209  4
ip_conntrack             53025  2 ip_conntrack_netbios_ns,xt_state
nfnetlink                10713  1 ip_conntrack
iptable_filter            7105  1
ip_tables                17029  1 iptabl

Re: [squid-users] transparent proxy not working!! any advice?

2009-01-08 Thread R_O_L_A_N_D

Nicholas

ports are open now, however I'm still not seeing traffic on the tunnel 
(tcpdump -i gre0). Also I'm not certain if the ip_gre module is enough. I'm 
seeing many configurations using ip_wccp, but I do not have that one on my 
centos.
What is the proper way to verify that tunnel is working properly? I tried to 
create 2 VMs, and setup a GRE tunnel between them, and it worked.



--
From: "Ritter, Nicholas" 
Sent: Tuesday, January 06, 2009 11:25 PM
To: "Roland Roland" 
Cc: 
Subject: RE: [squid-users] transparent proxy not working!! any advice?

Ok...so the squid server and the router are seeing each other 
initially...then it fails. On the squid box you need to make sure the 
firewall is allowing UDP port 2048 from the router and that the GRE 
tunnel is functioning properly, and is set up in iptables properly.


The other issue that may be needed is that access-list (access-list 
180, from my last email) should have the ip of the squid box in it as a 
deny entry. The reason for this is that you want to avoid traffic being 
'looped' from the router to the squid box.


You can set up WCCP where you are using no service groups and just the 
web-cache and web-cache redirect, etc. The two things that can break doing 
that are: multiple squid servers in a WCCP setup, and support for 
apps/ports other than port 80.


Nick



From: Roland Roland [mailto:r_o_l_a_...@hotmail.com]
Sent: Tue 1/6/2009 1:48 PM
To: Ritter, Nicholas; sq...@vdvyver.net
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?



Hello,

after adding the ACL below.
I've got the following result.
if I'm not mistaken, it has something to do with the "dynamic" issue? 
should I set it as standard 0
or ?!

*Jan  6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:39.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183 w/ rcv_id 001B
*Jan  6 20:22:04.298: WCCP-PKT:D80: Sending Removal_Query packet to 192.168.0.183 w/ rcv_id 001B
*Jan  6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
*Jan  6 20:22:09.298: %WCCP-1-SERVICELOST: Service 80 lost on WCCP client 192.168.0.183
*Jan  6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001C
*Jan  6 20:22:15.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001C

--
From: "Roland Roland" 
Sent: Monday, January 05, 2009 9:50 PM
To: "Ritter, Nicholas" ; 


Cc: 
Subject: Re: [squid-users] transparent proxy not working!! any advice?



Hello,
thanks for the advice, I'll proceed and add the new ACL.
in the meantime, to answer your question
yes Squid is on the same interface as all the other clients. what sort of
entries should I add to that access list?

PS: my IOS is Version 12.4(17b), RELEASE SOFTWARE (fc2) Cisco 2811
(revision 53.51)


--
From: "Ritter, Nicholas" 
Sent: Monday, January 05, 2009 9:23 PM
To: ; 
Cc: 
Subject: RE: [squid-users] transparent proxy not working!! any advice?


The error on the Cisco router is stating that the squid box is trying to
tell the router that it is able to service the wccp group 80 and 90, but
for some reason the router does not see those groups as ones it is
servicing.

This is odd. Try doing the following in the router:

ip access-list 180 permit any any
ip wccp web-cache redirect-list 180
ip wccp 80 redirect-list 180
ip wccp 90 redirect-list 180

Is the squid box on the same router interface as the rest of the 
clients?

If it is, you may need to add lines to the access-list 180, or put the
squid box on the secondary interface of the router and do a "ip wccp
redirect exclude in" statement on that interface.

Which IOS feature set and version is this?

WCCP is buggy in some IOS releases.





From: r_o_l_a_...@hotmail.com [mailto:r_o_l_a_...@hotmail.com]
Sent: Mon 1/5/2009 8:43 AM
To: sq...@vdvyver.net
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?



Hello,
actually I have both of them set on the lan interface (am I mistaken to set the
"redirect out" on the lan interface? should I be setting it on the interface
facing the internet?)

ip wccp 80 redirect in
ip wccp 90 redirect out

as for the wiki provided, I fail to see what's mi
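
Added example, not part of the original thread: a small Python triage script that groups the router's WCCP debug lines by service group and names the failure pattern discussed above ("service not active" versus a handshake that starts and then ends in SERVICELOST). The sample lines are copied from the debug output quoted in the thread (unwrapped, taken from the Jan 4 and Jan 6 captures); the function names and the wording of the hints are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the thread's router debug output, unwrapped onto one line each.
SAMPLE = """\
*Jan  4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active
*Jan  6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183 w/ rcv_id 001B
*Jan  6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
"""

EVENT = re.compile(r"WCCP-(?:PKT|EVNT):D(\d+): (.+)")
LOST = re.compile(r"%WCCP-1-SERVICELOST: Service (\d+) lost on WCCP client (\S+)")

def classify(text):
    """Return {service_id: Counter of event kinds} for router debug text."""
    stats = defaultdict(Counter)
    for line in text.splitlines():
        if m := LOST.search(line):
            stats[int(m.group(1))]["service_lost"] += 1
        elif m := EVENT.search(line):
            svc, msg = int(m.group(1)), m.group(2)
            if "service not active" in msg:
                kind = "not_active"
            elif "bad rcv_id" in msg:
                kind = "bad_rcv_id"
            elif msg.startswith("Sending I_See_You"):
                kind = "i_see_you"
            elif msg.startswith("Sending Removal_Query"):
                kind = "removal_query"
            else:
                kind = "other"
            stats[svc][kind] += 1
    return stats

def diagnose(counts):
    """Map one service group's counters to a hint based on the thread's advice."""
    if counts["not_active"]:
        return "router does not have this service group active"
    if counts["bad_rcv_id"] and counts["service_lost"]:
        return "handshake starts, then drops: check UDP 2048 path router -> cache"
    if counts["i_see_you"] and not counts["bad_rcv_id"] and not counts["service_lost"]:
        return "handshake looks healthy in this sample"
    return "inconclusive"

if __name__ == "__main__":
    for svc, counts in sorted(classify(SAMPLE).items()):
        print(f"service {svc}: {dict(counts)} -> {diagnose(counts)}")
```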