Hi squid-users,

I'm currently trying to replace an old netapp proxy with a squid+linux box.

I've some users behind a Cisco 7200 running IOS 12.4(12) using the proxy in 
transparent mode. The current proxy uses WCCP2+GRE to get the traffic from 
the router. The aim is to reproduce this behaviour with the squid box.

I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from Debian 
and squid-2.6.STABLE8 compiled with the following options:

$ ./configure --prefix=/opt/package/squid-2.6.STABLE8 \
    --enable-storeio=aufs,coss,diskd,null,ufs --enable-removal-policies=heap,lru \
    --enable-useragent-log --enable-referer-log --enable-wccp --enable-wccpv2 \
    --enable-snmp --enable-linux-netfilter --enable-large-cache-files \
    --disable-ident-lookups --with-pthreads

My squid.conf file includes these lines:

http_port 3128 transparent
wccp2_router <ip_of_the_cisco_router>
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0

I have set up an unnumbered GRE tunnel between the box and the router:

# iptunnel del gre0
# iptunnel add gre0 mode gre remote <ip_of_the_cisco_router> \
    local <ip_of_the_linux_box> dev eth0
# ifconfig gre0 up

I've added these commands to enable routing and disable spoof protection.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > $file
done

To do the redirection, I'm using iptables, with all default policies set to 
ACCEPT, plus this rule:

# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 \
    -j DNAT --to-destination <ip_of_the_linux_box>:3128

The Cisco router has been doing the job for years, so I doubt the problem 
comes from it. The squid proxy is running, with no error messages. I've 
tested it by explicitly declaring it in my browser, and it works perfectly.

The router can see the proxy (it is in its WCCP list) and it sends the packets 
to the linux box. I can see the encapsulated packets coming to the linux box, 
I can see the packets coming out of the GRE tunnel (tcpdump -i gre0), they 
hit the iptables redirection rule (iptables -t nat -L -v shows the counter 
increasing), but afterwards, they seem to disappear. No trace in the squid 
log. The TCP session is not established. I see no related traffic coming out 
of the box either.

Does someone have an idea of what could be happening?

I'm also very interested in knowing how (in theory) the answer is supposed 
to return to the client.

Thanks
-- 
Nicolas L.
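The post above lists four Linux-side settings that have to be right at the same time for WCCP+GRE interception to work (ip_forward, rp_filter on every interface, the gre0 device, and the nat PREROUTING DNAT rule). The script below is an added example, not from the original post or from the Squid project: it audits those settings the way one would when a redirected packet "disappears" after hitting the NAT rule. The `SYSROOT` prefix and the `run` argument are this example's own conventions so the checks can be exercised against a constructed fake /proc and /sys tree; the iptables output it parses is the standard `iptables -t nat -L PREROUTING -v -n -x` format, with `-x` so counters stay exact integers.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the Linux-side settings
# used for WCCP+GRE transparent interception: ip_forward, rp_filter on every
# interface, the gre0 device, and the DNAT rule counter in nat PREROUTING.
# SYSROOT (default empty = the real system) prefixes /proc and /sys so the
# checks can be run against a constructed fake tree.
SYSROOT="${SYSROOT:-}"

# Succeeds when IPv4 forwarding is on; a missing file counts as off.
check_ip_forward() {
    f="$SYSROOT/proc/sys/net/ipv4/ip_forward"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Succeeds only when rp_filter is 0 on every interface. With reverse path
# filtering on, packets decapsulated from gre0 carry client source addresses
# that are not routed back through gre0 and are silently dropped.
check_rp_filter() {
    for f in "$SYSROOT"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "rp_filter still enabled: $f" >&2
            return 1
        fi
    done
    return 0
}

# Succeeds when the named tunnel device exists (default gre0).
check_gre_device() {
    [ -d "$SYSROOT/sys/class/net/${1:-gre0}" ]
}

# Reads `iptables -t nat -L PREROUTING -v -n -x` output on stdin and prints
# the packet counter of the rule that DNATs tcp/80 to port 3128; fails when
# no such rule is present. Field 3 is the target column in that listing.
dnat_rule_packets() {
    awk '$3 == "DNAT" && $0 ~ /dpt:80( |$)/ && $0 ~ /to:[0-9.]+:3128/ {
             print $1; found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Runs every check against the live system and summarises; the return value
# is the number of failed checks, so it can drive a monitoring script.
audit() {
    failed=0
    if check_ip_forward; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward is not 1"; failed=$((failed + 1)); fi
    if check_rp_filter; then echo "ok   rp_filter=0 on every interface"
    else echo "FAIL rp_filter enabled somewhere"; failed=$((failed + 1)); fi
    if check_gre_device gre0; then echo "ok   gre0 present"
    else echo "FAIL gre0 missing"; failed=$((failed + 1)); fi
    if pkts=$(iptables -t nat -L PREROUTING -v -n -x 2>/dev/null | dnat_rule_packets); then
        echo "ok   DNAT tcp/80 -> :3128 rule present, $pkts packets matched"
    else
        echo "FAIL no DNAT tcp/80 -> :3128 rule in nat PREROUTING"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Usage on the proxy box: sudo sh wccp_audit.sh run
if [ "${1:-}" = "run" ]; then
    audit
fi
```

A rising DNAT counter together with a passing audit narrows the problem to what happens after NAT (the local routing decision and Squid's accept on port 3128), which is exactly the gap the post describes between the counter increasing and nothing appearing in the Squid log.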
