Re: [squid-users] Help, wccp on ubuntu

From: Alex Montoanelli <alexmontoanelli_at_gmail.com>
Date: Mon, 8 Jun 2009 09:55:26 -0300

Hello Ketua,

You can't use the REDIRECT target of iptables.

You need to use DNAT --to-destination: IP_OF_ETHERNET:3128

If you redirect to localhost, the packets are silently dropped.

Regards

> On Mon, Jun 8, 2009 at 12:43 AM, ketua kampung <ketua_at_kampung.web.id> wrote:
>>
>> Hi,
>>
>> I have a problem getting WCCP running on my Squid.
>> I followed the guides from
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy and
>> http://www.digitalnerds.net/linux/transparent-squid-with-wccp/
>>
>> This is my system.
>>
>> I use Ubuntu 8.04 64-bit.
>> Squid 2.7stable6 (compiled by myself).
>>
>> root_at_box:~# squid -v
>> Squid Cache: Version 2.7.STABLE6
>> configure options:  '--sysconfdir=/etc/squid' '--prefix=/usr' '--enable-async-io' '--enable-removal-policies=lru,heap' '--disable-delay-pools' '--enable-kill-parent-hack' '--enable-snmp'
>>  '--enable-default-err-language=English' '--enable-err-languages=English' '--enable-cache-digests'
>>  '--enable-linux-netfilter' '--enable-gnuregex' '--enable-wccp' '--disable-auth'
>>
>>
>> In squid.conf, I configured http_port 3128 transparent and enabled WCCP.
>>
>>
>> ifconfig wccp0
>> wccp0     Link encap:UNSPEC  HWaddr 77-5C-40-03-00-00-F9-A1-00-00-00-00-00-00-00-00
>>          inet addr:1.2.3.4  P-t-P:1.2.3.4  Mask:255.255.255.255
>>          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
>>          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>          collisions:0 txqueuelen:0
>>          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>
>> root_at_box:~# iptunnel
>> gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
>> wccp0: gre/ip  remote 110.92.64.255  local 119.92.64.3  dev eth0  ttl inherit
>>
>> root_at_box:~# cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>>
>> root_at_box:~# sysctl -a | grep rp_filter
>> error: permission denied on key 'net.ipv4.route.flush'
>> net.ipv4.conf.lo.rp_filter = 0
>> net.ipv4.conf.lo.arp_filter = 0
>> net.ipv4.conf.all.rp_filter = 0
>> net.ipv4.conf.all.arp_filter = 0
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.default.arp_filter = 0
>> net.ipv4.conf.eth0.rp_filter = 0
>> net.ipv4.conf.eth0.arp_filter = 0
>> net.ipv4.conf.eth1.rp_filter = 0
>> net.ipv4.conf.eth1.arp_filter = 0
>> net.ipv4.conf.gre0.rp_filter = 0
>> net.ipv4.conf.gre0.arp_filter = 0
>> net.ipv4.conf.wccp0.rp_filter = 0
>> net.ipv4.conf.wccp0.arp_filter = 0
>> error: permission denied on key 'net.ipv6.route.flush'
>>
>> From my Cisco, I can see that my Squid can communicate over WCCP with the Cisco.
>> RTR-INT-2811#sh ip wccp
>> Global WCCP information:
>>    Router information:
>>        Router Identifier:                   110.92.64.255
>>        Protocol Version:                    1.0
>>
>>    Service Identifier: web-cache
>>        Number of Service Group Clients:     1
>>        Number of Service Group Routers:     1
>>        Total Packets s/w Redirected:        89
>>          Process:                           0
>>          Fast:                              0
>>          CEF:                               89
>>        Redirect access-list:                -none-
>>        Total Packets Denied Redirect:       0
>>        Total Packets Unassigned:            0
>>        Group access-list:                   -none-
>>        Total Messages Denied to Group:      0
>>        Total Authentication failures:       0
>>
>> terminal monitor
>> debug ip wccp even
>> *Jun  8 03:30:51.423: WCCP-PKT: Sending I_See_You packet to 110.92.64.3 w/ rcvd_id 00000296
>> *Jun  8 03:31:01.427: WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000B
>> *Jun  8 03:31:01.427: %WCCP-5-CACHEFOUND: Web Cache 110.92.64.3 acquired
>> *Jun  8 03:31:01.427: WCCP-PKT: Received valid Here_I_Am packet from 110.92.64.3 w/rcvd_id 00000296
>> *Jun  8 03:31:01.427: WCCP-PKT: Sending I_See_You packet to 110.92.64.3 w/ rcvd_id 00000297
>> *Jun  8 03:31:01.427: WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000C
>> *Jun  8 03:31:01.427: WCCP-PKT: Received valid Assign_Buckets packet from 110.92.64.3 w/rcvd_id 00000297
>> *Jun  8 03:31:11.431: WCCP-PKT: Received valid Here_I_Am packet from 110.92.64.3 w/rcvd_id 00000297
>> *Jun  8 03:31:11.431: WCCP-PKT: Sending I_See_You packet to 110.92.64.3 w/ rcvd_id 00000298
>>
>>
>> When I tcpdump on interface wccp0, I can see the packets flow from the Cisco to the server.
>> root_at_box:~# tcpdump -i wccp0 -n
>> listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>> 10:34:42.461441 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240146036 0,nop,wscale 7>
>> 10:34:45.453372 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240146336 0,nop,wscale 7>
>> 10:34:51.453431 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240146936 0,nop,wscale 7>
>> 10:35:03.453562 IP 110.92.65.5.41038 > 202.158.66.92.80: S 842039074:842039074(0) win 5840 <mss 1380,sackOK,timestamp 240148136 0,nop,wscale 7>
>> 10:35:27.453852 IP 110.92.65.5.41038 > 202.158.66.92.80: S 3717798278:3717798278(0) win 5840 <mss 1380,sackOK,timestamp 240150536 0,nop,wscale 7>
>>
>>
>>
>> And I can see the counter increase in iptables.
>> root_at_box:~# iptables -t nat -vnL
>> Chain PREROUTING (policy ACCEPT 34 packets, 2784 bytes)
>>  pkts bytes target     prot opt in     out     source destination
>>    5   300 REDIRECT   tcp  --  wccp0  *       0.0.0.0/0 0.0.0.0/0           tcp dpt:80 redir ports 3128
>>
>>
>> The problem is, Squid doesn't work.
>> It looks like the packets from the redirect disappear and never touch the Squid port (3128).
>>
>> Please help, what should I do?
>>
>> regards
>>
>> ketua_at_kampung
>
Received on Mon Jun 08 2009 - 12:55:50 MDT
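
The rule change proposed in the reply above, as an added example that is not part of the original thread: it reads rules in `iptables -S` format and prints the commands that swap a REDIRECT rule on the WCCP tunnel interface for the DNAT form. The function name `redirect_to_dnat`, the sample rule listing and the address 192.0.2.10 (standing in for IP_OF_ETHERNET) are assumptions.

```shell
#!/bin/sh
# Added example: turn REDIRECT rules on one interface into DNAT rules.
# 192.0.2.10 is a placeholder for the proxy's Ethernet address.

# Constructed sample of `iptables -t nat -S PREROUTING` output; the wccp0
# rule corresponds to the one in the quoted `iptables -t nat -vnL` listing.
sample_rules() {
cat <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
}

# redirect_to_dnat IFACE PROXY_IP
# Reads `iptables -S` style rules on stdin. For each REDIRECT rule bound to
# IFACE, prints a command deleting it and a command appending the DNAT
# equivalent (same match, same port). All other rules are ignored.
redirect_to_dnat() {
    iface=$1
    proxy_ip=$2
    awk -v iface="$iface" -v ip="$proxy_ip" '
    $1 == "-A" {
        in_if = ""; port = ""; is_redirect = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-j" && $(i + 1) == "REDIRECT") is_redirect = 1
            if ($i == "--to-ports") port = $(i + 1)
        }
        if (!is_redirect || in_if != iface || port == "") next
        old = $0
        sub(/^-A /, "-D ", old)
        new = $0
        sub(/-j REDIRECT --to-ports [0-9-]+/, \
            "-j DNAT --to-destination " ip ":" port, new)
        print "iptables -t nat " old
        print "iptables -t nat " new
    }'
}

# Only prints the commands; nothing is applied to the running firewall.
sample_rules | redirect_to_dnat wccp0 192.0.2.10
```

On a live system the input would come from `iptables -t nat -S PREROUTING`, and the printed commands are reviewed before being run as root.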
