----- "Tom Eastep" <[email protected]> wrote:
> I have a Cisco Cat 6500 MSFC which redirects all port 80 traffic from a
> subnet (10.3.5.0/24) to the squid box using WCCP2. Here is a tcpdump of
> the traffic:
Sorry -- don't know what WCCPv2 is and really don't have the time or
interest to read the Cisco docs and/or RFCs. What does it do (at the IP
and link layers)?
In my case, it does this:
WCCP L2 redirect rewrites packet MAC address to that of the local Engine
(squid/shorewall box)
Also, I see that http://wiki.squid-cache.org/Features/Wccp2 seems to
have quite a bit of information about configuring Squid to support this
feature.
I am fairly certain squid is configured correctly, as it passes the test of
using the proxy directly, which means traffic directed at the FW on port 80 is
redirected to port 3128. The problem is catching traffic meant for other hosts
on port 80 (regular www traffic) which arrives at the shorewall box by means of
the L2 redirect of WCCP2.
>
> 17:06:01.519659 IP 10.3.5.23.4011 > 74.125.155.104.80: S
> 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
> 17:06:01.519905 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack
> 3903948434 win 0
> 17:06:04.536350 IP 10.3.5.23.4011 > 74.125.155.104.80: S
> 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
> 17:06:04.536408 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 1 win 0
Sigh -- tcpdump output and no clue about which system the output was
captured on. Client? Shorewall box? ??? Note that the connection
requests are being rejected, wherever this was captured...
Sorry, this was done on the squid/shorewall box.
>
> I have tried using the rules shown in the Shorewall docs for squid trans
> proxy, but it does not work - squid does not see the traffic. Squid does
> work fine when used as manual proxy from same test client.
>
> I have tried:
>
> ACCEPT $FW net tcp www
> REDIRECT net 3128 tcp 80 -
The dump that you supplied shows that traffic is matching this rule.
It is possible this traffic is not from the test client, as there are other
clients on the subnet that may generate regular proxy requests. I will move to
an isolated subnet for a better test.
>
> The squid/shorewall box has a single NIC only; it is NOT the gateway.
> The gateway to the net is on the same subnet as the squid/shorewall box.
>
> The client box is 10.3.5.23, and the squid/shorewall box is 72.2.0.4.
> Attached is a shorewall dump.
Also, I see this in the conntrack table:
tcp 6 56 SYN_RECV src=10.3.5.23 dst=74.125.155.105 sport=4039
dport=80 packets=1 bytes=48 src=72.2.0.4 dst=10.3.5.23 sport=3128
dport=4039 packets=5 bytes=240 mark=0 secmark=0 use=1
So the SYN from the client seems to be redirected to port 3128 as you
expect.
That's odd. I see no evidence of requests in the squid log, so this needs more
investigation.
Thanks for the reply.
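As an added example that is not part of the original thread (not Shorewall or Squid code), the script below parses a conntrack entry and tcpdump lines of the shape posted above and reports the two facts the discussion turns on: whether the reply tuple shows the kernel answering from the local proxy port (i.e. the REDIRECT matched), and whether the captured SYNs were answered with a RST on the reverse 4-tuple. The sample lines are constructed copies of the posted output; the local address 72.2.0.4 and proxy port 3128 are taken from the thread and are assumptions for any other setup.

```python
"""Sanity-check a REDIRECT'd transparent-proxy flow from conntrack and tcpdump output.

Added example, not code from the thread or from Shorewall/Squid.
"""
import re

# Constructed sample input, modelled on the lines posted in the thread.
CONNTRACK_LINE = (
    "tcp 6 56 SYN_RECV src=10.3.5.23 dst=74.125.155.105 sport=4039 "
    "dport=80 packets=1 bytes=48 src=72.2.0.4 dst=10.3.5.23 sport=3128 "
    "dport=4039 packets=5 bytes=240 mark=0 secmark=0 use=1"
)
TCPDUMP_LINES = [
    "17:06:01.519659 IP 10.3.5.23.4011 > 74.125.155.104.80: S "
    "3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "17:06:01.519905 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack "
    "3903948434 win 0",
    "17:06:04.536350 IP 10.3.5.23.4011 > 74.125.155.104.80: S "
    "3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "17:06:04.536408 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 1 win 0",
]

# Assumed values for the squid/shorewall box in the thread; adjust for your own.
LOCAL_IP = "72.2.0.4"
PROXY_PORT = 3128

# Old-style tcpdump line: "<ts> IP a.b.c.d.sport > e.f.g.h.dport: <flags> ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_conntrack(line):
    """Split one ip_conntrack-style TCP entry into original and reply tuples.

    The first src/dst/sport/dport/packets/bytes tokens describe the original
    direction; the second set describes the reply direction (post-NAT).
    """
    fields = line.split()
    if fields[0] != "tcp":
        raise ValueError("only tcp entries are handled")
    orig, reply, meta = {}, {}, {}
    for tok in fields[4:]:
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key in ("src", "dst", "sport", "dport", "packets", "bytes"):
            side = orig if key not in orig else reply
            side[key] = int(val) if val.isdigit() else val
        else:
            meta[key] = val
    return {"state": fields[3], "orig": orig, "reply": reply, "meta": meta}


def redirected_to_local(entry, local_ip, proxy_port, orig_port=80):
    """True when the reply side answers from the local proxy port instead of
    from the host the client addressed, i.e. a REDIRECT/DNAT rule matched."""
    o, r = entry["orig"], entry["reply"]
    return (o["dport"] == orig_port and r["src"] == local_ip
            and r["sport"] == proxy_port and r["src"] != o["dst"])


def parse_tcpdump(lines):
    """Extract 4-tuple, TCP flags and window from each tcpdump line."""
    out = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        win = re.search(r"win (\d+)", line)
        out.append({**m.groupdict(), "win": int(win.group(1)) if win else None})
    return out


def rejected_syn_flows(packets):
    """Count distinct SYN 4-tuples that received a RST on the reverse tuple."""
    syns = {(p["src"], p["sport"], p["dst"], p["dport"])
            for p in packets if p["flags"] == "S"}
    rsts = {(p["dst"], p["dport"], p["src"], p["sport"])
            for p in packets if p["flags"].startswith("R")}
    return len(syns & rsts)


def diagnose(conntrack_line, tcpdump_lines, local_ip=LOCAL_IP, proxy_port=PROXY_PORT):
    """Summarise what the two captures say about one redirected flow."""
    entry = parse_conntrack(conntrack_line)
    pkts = parse_tcpdump(tcpdump_lines)
    return {
        "state": entry["state"],
        "redirected": redirected_to_local(entry, local_ip, proxy_port),
        "orig_packets": entry["orig"]["packets"],
        "reply_packets": entry["reply"]["packets"],
        "rejected_syn_flows": rejected_syn_flows(pkts),
    }


if __name__ == "__main__":
    for k, v in diagnose(CONNTRACK_LINE, TCPDUMP_LINES).items():
        print(f"{k}: {v}")
```

Run on the posted data it reports `redirected: True` and `rejected_syn_flows: 1`, and puts the original-direction and reply-direction packet counters side by side so the asymmetry between the two directions of a SYN_RECV entry is visible at a glance. Feed it `conntrack -L` or `/proc/net/ip_conntrack` lines and a `tcpdump -n` capture taken on the proxy box; it deliberately does not guess at why a flow is being reset.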
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users