[c-nsp] Cisco WCCP and Squid on Linux

Dave Weis djweis at internetsolver.com
Mon Jun 27 07:36:04 EDT 2005


On Mon, 27 Jun 2005, Reuben Farrelly wrote:
>>>>      ip wccp web-cache redirect out
>
> Also try redirecting inbound on the Ethernet interface...see if that helps.

We had tried that at one point but with the other changes suggested we'll 
move it back and try again.

>>> Looks basically ok.  yes, I have the same as you have working just fine.
>>> What version of code are you running?  In my experience WCCP has gotten 
>>> progressively broken with the 12.3T series from 12.3(7)T onwards.  The 
>>> 12.3 mainline releases are OK I think.
>> 
>> Version 12.3(13)
> 12.3(13) is deferred, go to 12.3(15) (although, I don't think it will make 
> any difference to WCCP)

Will do.

>>> Is your cache on the same interface as the client browsers are on?
>> 
>> Yes, it's a very simple network, 1 Cisco router, 1 Squid server, and 1 3Com 
>> total control chassis.
>
> Blame the 3Com ;-)   But seriously....
>
>>> Are you using the WCCP kernel module or the ip_gre interface under Linux?
>> It looks like ip_gre
> You need to explicitly set this up and assign an (any) IP address to it, eg
> gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-12-44-00-10-00-00-00-00-00-00-00-00
>          inet addr:172.16.1.6  Mask:255.255.255.252
>          UP RUNNING NOARP  MTU:1476  Metric:1
>          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

This was set up and configured with an IP.

> tcpdump/tethereal can be your friend - if things like this aren't set up, 
> then your kernel will complain about unsupported protocol etc etc
> Despite the counts showing zero above, you do need this interface.
>
>>> Can you manually configure a browser to use the proxy?
>> Yes
>>> Can you surf from the proxy itself?
>> Yes
> Looks like either:
>
> * ip forwarding is not turned on
> * your interception transport (ip_wccp or ip_gre) is not set up or loaded
> * your iptables rules are not right
>
> iptables rules should look something like this:
>
> iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.0.3:3128

That is probably it. We had a
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128

I'll get that straightened out and try again.

>>> Are you using NAT?
>> 
>> No. We have two sites that we are trying to make this work on, one has just 
>> the setup above, the other has a web server also. When we first tried to 
>> set it up we broke all inbound access, so we are starting with the simple 
>> config.
>
> As a previous poster put it, in this case you might want to create an access 
> list to deny traffic from any hosts that you don't want to force going 
> through the proxy.  However this will not impact any inbound connections to 
> your web server, it's only a filter of what hosts internally are redirected.

When I get it working on the easy one I'll get the ACL to ignore inbound 
traffic next.

Thanks for all of the help

dave


-- 
Dave Weis
djweis at internetsolver.com
http://www.internetsolver.com/
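A pre-flight check for the three causes Reuben lists (ip forwarding, the GRE transport, the nat rule), added here as an example and not part of the thread; it assumes the gre0/eth0 names, the 192.168.0.0/16 client net and the 192.168.0.3:3128 proxy from the two posted rules, and the sample dumps it inspects are constructed.

```shell
#!/bin/sh
# Added pre-flight check for the three causes Reuben lists (ip forwarding, GRE
# transport, nat rule); not from the thread. gre0, eth0, 192.168.0.0/16 and
# 192.168.0.3:3128 are the values in the two posted rules.

# 0 if every token occurs somewhere in the line, 1 otherwise
line_has_all() {
  line=$1; shift
  for tok in "$@"; do
    case "$line" in *"$tok"*) ;; *) return 1 ;; esac
  done
}
forwarding_enabled() { [ "$1" = "1" ]; }              # $1 = /proc/sys/net/ipv4/ip_forward
gre_interface_up() { line_has_all "$1" 'gre0' 'UP'; }  # $1 = `ip -o link show gre0` output

# $1 = output of `iptables-save -t nat`. Returns 0 if a DNAT rule on gre0 for
# tcp/80 is present (the shape Reuben posted), 1 if only the REDIRECT-on-eth0
# form Dave had is there, 2 if PREROUTING has no port-80 rule at all.
nat_rule_status() {
  found=2; old_ifs=$IFS; IFS='
'; set -f
  for line in $1; do
    case "$line" in "-A PREROUTING "*) ;; *) continue ;; esac
    if line_has_all "$line" '-i gre0' '-p tcp' '--dport 80' '-j DNAT'; then
      found=0; break
    fi
    line_has_all "$line" '-i eth0' '--dport 80' '-j REDIRECT' && found=1
  done
  set +f; IFS=$old_ifs
  return $found
}

# Print findings for one host: $1 label, $2 ip_forward, $3 ip link line, $4 nat dump
report() {
  printf '%s: ' "$1"
  forwarding_enabled "$2" || printf 'ip_forward is off; '
  gre_interface_up "$3" || printf 'gre0 missing or down; '
  if nat_rule_status "$4"; then echo 'nat rule ok'
  elif [ $? -eq 1 ]; then echo 'REDIRECT on eth0 found, want DNAT on gre0'
  else echo 'no port-80 rule in nat PREROUTING'; fi
}

# Constructed iptables-save excerpts: the rule Dave had and the one Reuben suggested
DAVE_NAT='-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
FIXED_NAT='-A PREROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.3:3128'
GRE_UP='5: gre0@NONE: <NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN'
if [ "${1:-}" = "--live" ]; then  # inspect this host instead of the samples
  report "this host" "$(cat /proc/sys/net/ipv4/ip_forward)" \
    "$(ip -o link show gre0 2>/dev/null)" "$(iptables-save -t nat 2>/dev/null)"
else report "before" 1 "" "$DAVE_NAT"; report "after" 1 "$GRE_UP" "$FIXED_NAT"; fi
```

Run it with `--live` as root on the cache box to check the real sysctl, interface and nat table instead of the samples.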