On Wed, 5 Oct 2011 09:29:01 -0500, Ritter, Nicholas wrote:
With current versions of TPROXY you should not do REDIRECTs. You should
do something like this:

-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip <proxy server IP> --tproxy-mark 0x1/0x1

Redirects will work in some cases, but should not be used with WCCP and
recent versions of TPROXY.

My experience has been that doing a redirect alone will not always work
depending on the version of TPROXY/IPTABLES, and Cisco IOS.

YMMV,

Nick

Right. Redirect is NAT. Which may not even be built into the kernel and can cause strange packet handling in TPROXY.

TPROXY operates before NAT, so in the best case it will have no effect. Possibly it just erased the client IP address. That would cause traffic to return to Squid, but erase all benefits of TPROXY. There is no point in Squid spoofing itself as the source. Worst-case it just erased the destination address and Squid output packets silently drop down a black hole.

Step (7) access-lists rely on the REDIRECT happening; as mentioned repeatedly in the TPROXY troubleshooting section, you MUST NOT rely on the Squid IP address value in WCCP and routing ACL rules. It won't exist on any TPROXY traffic.

Amos
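The rule set Nick posted, together with Amos's point that a nat REDIRECT must not be mixed into a TPROXY setup, as an added example that is not code from either of them or from the Squid project. The script emits (or, with "apply", runs) the mangle-table DIVERT/socket/TPROXY rules plus the policy-routing entries that deliver fwmark'd packets to the local Squid socket, which the thread does not show; it also audits an iptables-save dump for the two mistakes discussed, a leftover REDIRECT and a TPROXY rule placed ahead of the "-m socket" rule. The proxy address 192.0.2.10, port 3129, mark 1 and routing table 100 are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the TPROXY rule set for
# Squid, validates its inputs before they reach a root command, and checks
# an existing ruleset for REDIRECT/TPROXY mixing and bad rule order.
# Placeholders: proxy 192.0.2.10, port 3129, fwmark 1, routing table 100.

# Accept only a dotted-quad IPv4 literal (no hostnames, no shell metacharacters).
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the commands for proxy IP $1, Squid TPROXY port $2, decimal fwmark $3
# (default 1) and routing table $4 (default 100). Nothing is executed here.
# Order matters: the "-m socket" rule must precede the TPROXY rule so packets
# of established connections are marked and routed locally without re-TPROXYing.
tproxy_rules() {
    ip=$1; port=$2; mark=${3:-1}; table=${4:-100}
    valid_ipv4 "$ip"   || { echo "bad proxy IP: $ip" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    case "$mark" in ''|*[!0-9]*) echo "bad mark: $mark" >&2; return 1 ;; esac
    hex=$(printf '0x%x' "$mark")
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark $hex/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port $port --on-ip $ip --tproxy-mark $hex/$hex
ip rule add fwmark $mark lookup $table
ip route add local 0.0.0.0/0 dev lo table $table
EOF
}

# Audit an iptables-save dump read from stdin. Returns 0 when clean, 1 with a
# finding on stderr when a REDIRECT is present (NAT on TPROXY traffic) or the
# TPROXY rule comes before the "-m socket" DIVERT rule.
check_ruleset() {
    rc=0
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q -- '-j REDIRECT'; then
        echo "FINDING: nat REDIRECT present; do not NAT traffic handled by TPROXY" >&2
        rc=1
    fi
    socket_at=$(printf '%s\n' "$dump" | grep -n -- '-m socket -j DIVERT' | head -n1 | cut -d: -f1)
    tproxy_at=$(printf '%s\n' "$dump" | grep -n -- '-j TPROXY' | head -n1 | cut -d: -f1)
    if [ -z "$socket_at" ] || [ -z "$tproxy_at" ]; then
        echo "FINDING: missing -m socket DIVERT rule or TPROXY rule" >&2
        rc=1
    elif [ "$socket_at" -gt "$tproxy_at" ]; then
        echo "FINDING: TPROXY rule precedes the -m socket DIVERT rule" >&2
        rc=1
    fi
    return $rc
}

# Usage: tproxy.sh show|apply <proxy-ip> <port> [mark] [table]
#        iptables-save -t mangle | tproxy.sh check
main() {
    case "$1" in
        show)  tproxy_rules "$2" "$3" "$4" "$5" ;;
        apply) tproxy_rules "$2" "$3" "$4" "$5" | sh -e ;;
        check) check_ruleset ;;
        *) echo "usage: $0 show|apply <proxy-ip> <port> [mark] [table] | check" >&2; return 2 ;;
    esac
}

# Dispatch only when run as tproxy.sh, so the functions can also be sourced.
case "${0##*/}" in tproxy.sh) main "$@" ;; esac
```

"show" lets you review the exact commands before "apply" runs them as root; "check" is meant to be run against the live ruleset after any WCCP or iptables change, since a stray REDIRECT added later silently breaks client-IP spoofing in the way Amos describes.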


-----Original Message-----
From: Horacio H.

<snip>
4) Add a redirect rule in iptables:

   iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-ports <squid-listening-port>

5) Make sure Squid was compiled with WCCP-v2 support.

6) WCCP-v2 squid's configuration:

   wccp2_router <router-ip-address>

7) WCCP-v2 router's configuration:

   access-list 160 deny   ip  host <squid-ip-address> any
   access-list 160 permit tcp <net> <wildcard> any eq 80

   ip wccp version 2
   ip wccp web-cache redirect-list 160

   interface FastEthernet0/0
   ip wccp web-cache redirect in

Regards,
Horacio.
