
WCCP, GRE redirect target failed: SOLUTION

01-17-2006, ben

WCCP, GRE redirect target failed: SOLUTION

Dear All,

I have finally succeeded in getting SQUID working as a
transparent proxy on a Debian Linux box (version 2.6.18) using WCCP
from a CISCO router. The solution will follow shortly after I rant just
a little bit.

RANT:
I'd like to say it was a carefully reasoned solution as a
result of an improved understanding of linux networking. It wasn't. I'd
even be happy to say that it was something stupid I missed early on and
that I am now flailing myself every evening in recompense. It wasn't
that either. In the end - I just tried everything I could possibly
think of in as many combinations as possible until something stuck.
This is the worst kind of brute-force approach and I feel it important
to document my solution somewhere so that other people don't have to go
through this as well.

SOLUTION:
So I upgraded to linux 2.6.18 as it has support for the
non-standard GRE packets that CISCO uses for WCCP built in (I don't
have to use ip_wccp). I set my SQUID up as per all the helpful FAQs.

I made sure my "ip spoofing protection" was switched off and "ip
forwarding" was switched on by editing /etc/sysctl.conf to say :
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0

I made a GRE tunnel like so
# placeholders, set for your own network:
#   routerPublicIP = the router's WCCP/GRE source address
#   webCacheIP     = this box's address on eth0
#   greAdapterIP   = 127.0.0.2
modprobe ip_gre
iptunnel add gre1 mode gre remote $routerPublicIP local \
    $webCacheIP dev eth0
ifconfig gre1 $greAdapterIP up    # greAdapterIP = 127.0.0.2

I checked my rp_filter settings for the gre interface and eth0:
cat /proc/sys/net/ipv4/conf/all/rp_filter
cat /proc/sys/net/ipv4/conf/eth0/rp_filter
cat /proc/sys/net/ipv4/conf/gre1/rp_filter
(they should all print out "0")

Then I set up my iptables as follows:
# allow everything in from the gre tunnel
iptables -A INPUT -i gre1 -j ACCEPT
# redirect anything coming in the gre interface to the webcache
# proxy on its proxy port
iptables -t nat -A PREROUTING -i gre1 -d 0/0 -p tcp --dport 80 \
    -j DNAT --to-destination $webCacheIP:$webCachePort

Note I used DNAT instead of REDIRECT. This is because REDIRECT
just didn't work with anything coming out of the GRE tunnel. Honestly.
I can log stuff just before it gets redirected without a problem, but
then the packets just disappear. Vanish. But DNAT does work. That's the
real key. Don't ask me why, but it does. It is the failure of the
REDIRECT target that really caused the problem and no end of headaches.
Two weeks worth of headaches to be exact.

Please refer to my previous post :
http://groups.google.com/group/maili...8c2bc2b7c05cca
for background.

I hope this has helped someone. If anyone has an explanation as
to why this works and REDIRECT doesn't, I'd be happy to hear it.

Regards,

Ben.
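The recipe above, as an added example that is not part of Ben's post: a POSIX shell script that prints the sysctl, tunnel and iptables commands it would run (or applies them with --apply as root) and then checks the three rp_filter values the way the post does. It uses iproute2 (ip tunnel, ip addr, ip link) instead of iptunnel/ifconfig, keeps DNAT as the target, and goes beyond the post in two places: GRE and WCCP control traffic (UDP port 2048) is accepted on the uplink only from the router's address, and from the tunnel only traffic already DNATed to the cache port is accepted rather than everything. The addresses (from the 192.0.2.0/24 documentation range), the interface names and port 3128 are assumptions, overridable through the environment.

```shell
#!/bin/sh
# Added example, not code from the original post: the WCCP/GRE/DNAT recipe
# as a script that prints its commands by default and applies them only
# with --apply. Every address and name below is an assumption; override
# them via the environment, e.g.  ROUTER_IP=10.1.1.1 ./wccp-squid.sh --apply
ROUTER_IP="${ROUTER_IP:-192.0.2.1}"     # assumed: router's WCCP/GRE source address
CACHE_IP="${CACHE_IP:-192.0.2.10}"      # assumed: Squid box address on the uplink
CACHE_PORT="${CACHE_PORT:-3128}"        # assumed: Squid's intercept port
OUT_IF="${OUT_IF:-eth0}"                # uplink interface, as in the post
GRE_IF="${GRE_IF:-gre1}"                # tunnel interface, as in the post
GRE_ADDR="${GRE_ADDR:-127.0.0.2}"       # tunnel address, as in the post

# sysctl settings: forwarding on, reverse-path filtering off. The kernel uses
# the larger of conf/all and conf/<if> for rp_filter, so clearing "all" alone
# is not enough if an interface value is 1; "default" covers interfaces that
# appear later (the tunnel does not exist yet when sysctl.conf loads at boot).
wccp_sysctl_lines() {
    printf 'net.ipv4.ip_forward=1\n'
    printf 'net.ipv4.conf.all.rp_filter=0\n'
    printf 'net.ipv4.conf.default.rp_filter=0\n'
    printf 'net.ipv4.conf.%s.rp_filter=0\n' "$OUT_IF"
    printf 'net.ipv4.conf.%s.rp_filter=0\n' "$GRE_IF"
}

# GRE tunnel to the router, with iproute2 instead of iptunnel/ifconfig.
wccp_tunnel_cmds() {
    cat <<EOF
modprobe ip_gre
ip tunnel add $GRE_IF mode gre remote $ROUTER_IP local $CACHE_IP dev $OUT_IF
ip addr add $GRE_ADDR/32 dev $GRE_IF
ip link set $GRE_IF up
EOF
}

# Firewall: only the router may deliver GRE (redirected clients) and WCCP
# control messages (UDP 2048) to the uplink; from the tunnel, only traffic
# already DNATed to the cache port is accepted. DNAT, not REDIRECT, as in
# the post.
wccp_iptables_cmds() {
    cat <<EOF
iptables -A INPUT -i $OUT_IF -s $ROUTER_IP -p gre -j ACCEPT
iptables -A INPUT -i $OUT_IF -s $ROUTER_IP -p udp --dport 2048 -j ACCEPT
iptables -t nat -A PREROUTING -i $GRE_IF -p tcp --dport 80 -j DNAT --to-destination $CACHE_IP:$CACHE_PORT
iptables -A INPUT -i $GRE_IF -p tcp -d $CACHE_IP --dport $CACHE_PORT -j ACCEPT
EOF
}

# Return 0 only if rp_filter reads 0 on all/, the uplink and the tunnel.
# $1 overrides the /proc base so the check can run against a constructed tree.
rp_filter_clear() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    for i in all "$OUT_IF" "$GRE_IF"; do
        if [ ! -r "$base/$i/rp_filter" ]; then
            echo "no $base/$i/rp_filter: is $i up?" >&2; return 1
        fi
        if [ "$(cat "$base/$i/rp_filter")" != 0 ]; then
            echo "rp_filter is not 0 on $i" >&2; return 1
        fi
    done
    return 0
}

# Apply in an order that works: the tunnel must exist before its sysctl key
# does, and the firewall goes on last, after the DNAT rule it relies on.
wccp_apply() {
    [ "$(id -u)" = 0 ] || { echo "run as root" >&2; return 1; }
    wccp_tunnel_cmds | sh -e
    wccp_sysctl_lines | while read -r kv; do sysctl -w "$kv"; done
    wccp_iptables_cmds | sh -e
    rp_filter_clear
}

case "${1:-}" in
    --apply) wccp_apply ;;
    *) wccp_sysctl_lines; wccp_tunnel_cmds; wccp_iptables_cmds ;;
esac
```

Two things worth keeping in mind when running it: rp_filter has to be 0 on the tunnel because decapsulated packets carry the clients' source addresses, which are not routable back through gre1, and since the kernel takes the maximum of conf/all and the per-interface value, conf/all ends up at 0 too, which removes reverse-path anti-spoofing on every interface of the box. And with ip_forward=1 the box will forward whatever the router puts into the tunnel that is not port 80, so if the router's redirect list is broader than HTTP, add FORWARD-chain rules for gre1 as well.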
