[squid-users] Transparent proxy (Tproxy4)
Hello,

I've configured a transparent proxy as TProxy4
(http://wiki.squid-cache.org/Features/Tproxy4). But I don't see anything
in the squid access log.

* OS = Linux Fedora 20.

* Cache log says at start-up :

2014/02/19 12:23:53 kid1| Accepting WCCPv2 messages on port 2048, FD 11.
2014/02/19 12:23:53 kid1| Initialising all WCCPv2 lists
2014/02/19 12:23:53 kid1| HTCP Disabled.
2014/02/19 12:23:53 kid1| Squid plugin modules loaded: 0
2014/02/19 12:23:53 kid1| Adaptation support is off.
2014/02/19 12:23:53 kid1| Accepting HTTP Socket connections at local=0.0.0.0:8080 remote=[::] FD 12 flags=9
2014/02/19 12:23:53 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 13 flags=9
2014/02/19 12:23:53 kid1| Accepting TPROXY spoofing HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 14 flags=25
...

* The router is connected to the wccp port :

udp        0      0 194.214.158.189:2048    194.214.158.165:2048    ESTABLISHED

* iptables seems OK

# iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0x
-A DIVERT -j ACCEPT
#

* kernel routing seems OK :

# ip -s -f inet rule
0:      from all lookup local
32764:  from all fwmark 0x1 lookup 100
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default
# ip -s -f inet route
default via 194.214.158.165 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
194.214.158.0/24 dev eth0 proto kernel scope link src 194.214.158.189
#

* squid.conf :

wccp2_router 194.214.158.165
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_assignment_method hash
wccp2_service standard 0

I shall change wccp2_service to dynamic later, but for start-up it should work, I guess.

* On the router (switch/router) we have this :

ip wccp web-cache redirect-list 120

interface Vlan16
 description Vlan Users
 ip address a.b.c.d v.w.x.y
 no ip redirects
 ip wccp web-cache redirect in

access-list 120 remark le proxy SQUID bypasse la redirection
access-list 120 deny ip host 194.214.158.207 any
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq www
access-list 120 deny ip any any

* What more shall I look at? Is there something wrong? Any hint?

Thanks for your help.

--
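The post above lists the ip rule, mangle-table and routing output but not the routing table that the fwmark rule points at. The script below is an added example, not code from the thread or the Squid wiki: it checks the TPROXY prerequisites from the Tproxy4 page (fwmark rule to table 100, a local route for everything in table 100, socket match ahead of the TPROXY rule, a full 0x1/0x1 mark mask, rp_filter not strict). Each check takes command output as its argument so it can be run against pasted text as well as live output; the live runner, the PASS/FAIL wording and the TPROXY_CHECK_LIVE variable are my own choices.

```shell
#!/bin/sh
# Added example: offline checks of TPROXY plumbing. Every check takes the
# text of a command's output as $1 and returns 0 (ok) or 1 (problem).

# 'ip -f inet rule' must send fwmark 0x1 packets to table 100.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq 'from all fwmark 0x1(/0x1)? lookup 100'
}

# 'ip -f inet route show table 100' must deliver everything locally on lo;
# the main table alone (as shown in the post) does not tell you this.
has_local_table_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# 'iptables -t mangle -S': the socket match must come before the TPROXY
# rule, and DIVERT must mark with the full mask (0x1/0x1) and then ACCEPT.
has_divert_chain() {
    sock=$(printf '%s\n' "$1" | grep -n -- '-m socket -j DIVERT' | cut -d: -f1 | head -n1)
    tproxy=$(printf '%s\n' "$1" | grep -n -- '-j TPROXY' | cut -d: -f1 | head -n1)
    [ -n "$sock" ] && [ -n "$tproxy" ] && [ "$sock" -lt "$tproxy" ] || return 1
    printf '%s\n' "$1" | grep -Fq -- '-A DIVERT -j MARK --set-xmark 0x1/0x1' || return 1
    printf '%s\n' "$1" | grep -Fq -- '-A DIVERT -j ACCEPT'
}

# Strict reverse-path filtering (1) discards GRE-decapsulated packets whose
# source is not routable back out the receiving interface; 0 or loose (2)
# is what a WCCP/TPROXY box needs on the interfaces involved.
rp_filter_ok() {
    case "$1" in 0|2) return 0 ;; *) return 1 ;; esac
}

# Live run (needs root). Prints one PASS/FAIL line per check.
run_live_checks() {
    has_fwmark_rule "$(ip -f inet rule)" && echo "PASS fwmark rule" || echo "FAIL fwmark rule"
    has_local_table_route "$(ip -f inet route show table 100)" && echo "PASS table 100" || echo "FAIL table 100"
    has_divert_chain "$(iptables -t mangle -S)" && echo "PASS mangle/DIVERT" || echo "FAIL mangle/DIVERT"
    rp_filter_ok "$(sysctl -n net.ipv4.conf.all.rp_filter)" && echo "PASS rp_filter" || echo "FAIL rp_filter"
}

# Only touch the live system when explicitly asked (TPROXY_CHECK_LIVE=1).
if [ "${TPROXY_CHECK_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Run it as `TPROXY_CHECK_LIVE=1 sh tproxy-check.sh` on the proxy host; a FAIL on "table 100" is the most common reason TPROXY accepts the socket but nothing reaches access.log.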
Re: [squid-users] Transparent proxy (Tproxy4)
Hey,

I did not read the whole setup, so sorry, but I have written this article in the past:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
which is very likely to help you to understand.

First disable SELinux, then make sure with tcpdump at what level the issue is.

Hope it helps,
Eliezer

On 02/19/2014 02:31 PM, Jose-Marcio Martins wrote:
> [...]
Re: [squid-users] Transparent proxy (Tproxy4)
Hey Eliezer,

Thanks for the pointer... SELinux is disabled, no problem on this side.

Cisco sees it :

cata6#sh ip wccp web-cache view
    WCCP Routers Informed of:
        192.168.201.165

    WCCP Cache Engines Visible:
        194.214.158.207
        194.214.158.189

    WCCP Cache Engines NOT Visible:
        -none-

My doubt, at this moment, is about the gre interface. You explicitly defined it and created a tunnel for it :

iptunnel add wccp0 mode gre remote $CISCOIPID local $LOCALIP dev eth1
ifconfig wccp0 127.0.1.1/32 up

Is this necessary ? This doesn't appear in the doc by Amos Jeffries.

Regards

On 02/19/2014 03:47 PM, Eliezer Croitoru wrote:
> [...]