RE: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

From: Alexandre DeAraujo <alexd_at_cal.net>
Date: Wed, 1 Jul 2009 16:59:03 -0700

I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated.

Here is the setup:
Router:
Cisco 7200 IOS 12.4(25)
ip wccp web-cache redirect-list 11
access-list 11 permits only selected IP addresses to use WCCP

Wan interface (Serial)
ip wccp web-cache redirect out

Global WCCP information:
Router information:
Router Identifier: 192.168.20.1
Protocol Version: 2.0

Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 8797
Process: 4723
Fast: 0
CEF: 4074
Redirect access-list: 11
Total Packets Denied Redirect: 124925546
Total Packets Unassigned: 924514
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

WCCP Client information:
WCCP Client ID: 192.168.20.2
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
                        00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                        FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 306
Connect Time: 00:21:33
Bypassed Packets
Process: 0
Fast: 0
CEF: 0
Errors: 0

Clients are on FEthernet0/1
Squid server is the only device on FEthernet0/3
--------------------------------------------------------------------
Squid Server:
eth0 Link encap:Ethernet HWaddr 00:14:22:21:A1:7D
          inet addr:192.168.20.2 Bcast:192.168.20.7 Mask:255.255.255.248
          inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:335149 (327.2 KiB) TX bytes:394943 (385.6 KiB)

gre0 Link encap:UNSPEC HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
          inet addr:192.168.20.2 Mask:255.255.255.248
          UP RUNNING NOARP MTU:1476 Metric:1
          RX packets:400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31760 (31.0 KiB) TX bytes:0 (0.0 b)
--------------------------------------------------------------------
/etc/rc.d/rc.local file:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
modprobe ip_gre
ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
--------------------------------------------------------------------
/etc/sysconfig/iptables file:
# Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
*mangle
:PREROUTING ACCEPT [166:11172]
:INPUT ACCEPT [164:8718]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [130:12272]
:POSTROUTING ACCEPT [130:12272]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
COMMIT
# Completed on Wed Jul 1 03:32:55 2009
# Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [160:15168]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jul 1 03:32:55 2009

---------------------squid.conf------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl testing src 10.10.10.0/24
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8443 # Plesk
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow testing
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
hierarchy_stoplist cgi-bin ?
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /var/spool/squid

logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,3

cache allow testing
cache deny all
cache_dir ufs /var/spool/squid 200000 256 256
cache_effective_user squid
cache_swap_high 100%
cache_swap_low 80%
cache_mem 2 GB
maximum_object_size 8192 KB
half_closed_clients on
client_db off

wccp2_router 192.168.20.1
wccp_version 2
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0

visible_hostname Server

forwarded_for off
---------------------------------end of squid.conf-------------------------------------
This is the timeout error when trying to go to www.google.com

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.google.com/

        Connection to 74.125.45.100 failed.

The system returned: (110) Connection timed out

The remote host or network may be down. Please try the request again.

Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)

Thanks for your help,

Alex
Received on Wed Jul 01 2009 - 23:59:14 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 02 2009 - 12:00:01 MDT
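The post above lists the Squid-host pieces of a WCCPv2 + TPROXY interception setup (GRE tunnel, policy routing for marked packets, the DIVERT/TPROXY mangle rules, the tproxy http_port). The script below is an added example, not the poster's configuration and not Squid project code. It ties those pieces together in one place and adds two offline checkers that confirm the mark used by the mangle table is the one the policy-routing rule looks up and that the TPROXY rule points at the configured port and IP. Names and values not in the post are assumptions: a point-to-point tunnel called wccp0 instead of the catch-all gre0 device, the eth0 uplink, mark 0x1, table 100 and port 3128. Two things it does that the post's rc.local does not: it clears rp_filter (redirected packets arrive on the tunnel carrying the client's source address, which the reverse-path check otherwise drops) and it limits the TPROXY rule to traffic entering via the tunnel. The router side is outside the script; in a TPROXY deployment the interface facing the cache normally carries `ip wccp redirect exclude in`, because Squid's outbound connections keep the client's source address and would otherwise match the redirect on the way out.

```shell
#!/bin/sh
# Added example (not from the original post): Squid-host plumbing for
# TPROXY behind a WCCPv2 GRE redirect, plus two offline checkers that
# verify the policy-routing and mangle-table pieces agree with each other.
# Assumed values: tunnel device wccp0, uplink eth0, Squid on 192.168.20.2,
# router 192.168.20.1, packet mark 0x1, routing table 100, tproxy port 3128.

SQUID_IP=${SQUID_IP:-192.168.20.2}
ROUTER_IP=${ROUTER_IP:-192.168.20.1}
TUN=${TUN:-wccp0}
MARK=1        # fwmark set by the DIVERT chain and by TPROXY
TABLE=100     # routing table holding the "local default dev lo" route
PORT=3128     # Squid http_port carrying the tproxy option

# Privileged setup; only runs when invoked as: sh this.sh apply
apply_setup() {
    # Point-to-point GRE tunnel to the router (WCCP forwarding method GRE).
    modprobe ip_gre
    ip tunnel add "$TUN" mode gre remote "$ROUTER_IP" local "$SQUID_IP" dev eth0
    ip addr add "$SQUID_IP/32" dev "$TUN"
    ip link set "$TUN" up

    # Redirected packets arrive on the tunnel with the client's source
    # address, which fails the reverse-path check unless rp_filter is off.
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv4.conf.all.rp_filter=0
    sysctl -w "net.ipv4.conf.$TUN.rp_filter=0"
    sysctl -w net.ipv4.conf.eth0.rp_filter=0

    # Marked packets are delivered locally although the destination
    # address is not one of ours.
    ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route add local 0.0.0.0/0 dev lo table "$TABLE"

    # Mangle rules: packets for existing sockets first, then new port-80
    # flows, and only for traffic that came in through the tunnel.
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -i "$TUN" -p tcp --dport 80 \
        -j TPROXY --on-port "$PORT" --on-ip "$SQUID_IP" --tproxy-mark "$MARK/$MARK"
}

# Offline checker: given the text of `ip rule show` and of
# `ip route show table $TABLE`, succeed only if both pieces are present.
policy_routing_ok() {
    rules=$1
    routes=$2
    printf '%s\n' "$rules" \
        | grep -Eq "fwmark 0x$MARK(/0x[0-9a-f]+)? lookup $TABLE" || return 1
    printf '%s\n' "$routes" \
        | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' || return 1
}

# Offline checker: given `iptables-save -t mangle` text, verify the
# socket-match DIVERT rule, the mark it sets, and that the TPROXY rule
# uses the same mark plus the configured port and local IP.
mangle_ok() {
    saved=$1
    printf '%s\n' "$saved" \
        | grep -Eq -- "^-A PREROUTING .*-m socket -j DIVERT" || return 1
    printf '%s\n' "$saved" \
        | grep -Eq -- "^-A DIVERT -j MARK --set-x?mark 0x$MARK(/0x[0-9a-f]+)?( |$)" || return 1
    printf '%s\n' "$saved" \
        | grep -Eq -- "-j TPROXY --on-port $PORT --on-ip $SQUID_IP --tproxy-mark 0x$MARK/0x$MARK" || return 1
}

# Live wrapper around the two checkers (needs the ip and iptables tools).
check_live() {
    policy_routing_ok "$(ip rule show)" "$(ip route show table "$TABLE")" \
        || { echo "policy routing for mark $MARK / table $TABLE missing"; return 1; }
    mangle_ok "$(iptables-save -t mangle)" \
        || { echo "mangle rules inconsistent with mark/port/IP"; return 1; }
    echo "tproxy plumbing looks consistent"
}

case "${1:-}" in
    apply) apply_setup ;;
    check) check_live ;;
esac
```

Run `sh tproxy-wccp.sh apply` once at boot (in place of the rc.local lines) and `sh tproxy-wccp.sh check` whenever interception stops working; the checkers read the live tables, so a mark or port changed in one place but not the other is reported instead of silently turning into connection timeouts.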