Waldon, Cooper
2017-03-21 19:04:23 UTC
Hello All,
I'm trying to set up a transparent proxy for http and https using Cisco Routers and Squid. I have followed the configuration examples that are listed under the wccp2 overview section (http://wiki.squid-cache.org/Features/Wccp2) of the squid wiki but I'm still having some issues.
I have a little lab set up with a Cisco 7200 Router and a VM with CentOS running the proxy.
The "WAN" IP of the Router is 192.168.0.23. The IP of the Squid Proxy is 192.168.0.24 and both have the default gateway of 192.168.0.1 which is the "ISP"
The Client is sitting on a LAN behind the Router in the 10.10.10.0/24 subnet and is also sitting behind nat.
I believe that the router and proxy are communicating properly based on the information in the show ip wccp command on the router as it shows clients and routers as well as showing that packets are being forwarded:
R3#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.0.23
Configured source-interface: GigabitEthernet5/0
Service Identifier: web-cache
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 1079
Process: 0
CEF: 1079
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: 10
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
GRE tunnel interface: Tunnel1
Service Identifier: 70
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 500
Process: 0
CEF: 500
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: 10
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
GRE tunnel interface: Tunnel0
Here is the relevant squid wccp configuration:
----Output removed----
# Squid normally listens to port 3128
http_port 3128
http_port 0.0.0.0:3129
# WCCPv2 Parameters
wccp2_router 192.168.0.23
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method hash
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=231 ports=443
---Output remove----
I think that the issue lies with the iptables configuration as I do not see any packets been processed in the nat table. I have tried a few different methods such as:
iptables -t nat -A PREROUTING -i wccp0 -p tcp -dport 80 -j REDIRECT -to-port 3129
iptables -t nat -A PREROUTING -i wccp0 -p tcp -dport 443 -j REDIRECT -to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
or
iptables -t nat -A PREROUTING -p tcp -dport 80 -j DNAT -to-destination 192.168.0.24:3129
iptables -t nat -A PREROUTING -p tcp -dport 443 -j DNAT -to-destination 192.168.0.24:3129
iptables -t nat -A POSTROUTING -j MASQUERADE
I have also tried adding ACCEPT commands to the PREROUTING zone just in case the proxy is dropping the packets right away but that also doesn't work.
The proxy functions perfectly when the client is configured to use a proxy so there doesn't appear to be any issues with routing or anything like that, it's just the transparent proxying that isn't working.
If anyone has any suggestions of what I could try that would be greatly appreciated. Let me know if anything is unclear or if you need further clarification.
Thank you,
Cooper Waldon
Cooper Waldon l Network Engineer l OTN l 416-446-4110 x 4473 l www.otn.ca<http://www.otn.ca/> | Service Desk 1-855-654-0888 x2
I'm trying to set up a transparent proxy for http and https using Cisco Routers and Squid. I have followed the configuration examples that are listed under the wccp2 overview section (http://wiki.squid-cache.org/Features/Wccp2) of the squid wiki but I'm still having some issues.
I have a little lab set up with a Cisco 7200 Router and a VM with CentOS running the proxy.
The "WAN" IP of the Router is 192.168.0.23. The IP of the Squid Proxy is 192.168.0.24 and both have the default gateway of 192.168.0.1 which is the "ISP"
The Client is sitting on a LAN behind the Router in the 10.10.10.0/24 subnet and is also sitting behind nat.
I believe that the router and proxy are communicating properly based on the information in the show ip wccp command on the router as it shows clients and routers as well as showing that packets are being forwarded:
R3#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.0.23
Configured source-interface: GigabitEthernet5/0
Service Identifier: web-cache
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 1079
Process: 0
CEF: 1079
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: 10
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
GRE tunnel interface: Tunnel1
Service Identifier: 70
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 500
Process: 0
CEF: 500
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: 10
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
GRE tunnel interface: Tunnel0
Here is the relevant squid wccp configuration:
----Output removed----
# Squid normally listens to port 3128
http_port 3128
http_port 0.0.0.0:3129
# WCCPv2 Parameters
wccp2_router 192.168.0.23
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method hash
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=231 ports=443
---Output remove----
I think that the issue lies with the iptables configuration as I do not see any packets been processed in the nat table. I have tried a few different methods such as:
iptables -t nat -A PREROUTING -i wccp0 -p tcp -dport 80 -j REDIRECT -to-port 3129
iptables -t nat -A PREROUTING -i wccp0 -p tcp -dport 443 -j REDIRECT -to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
or
iptables -t nat -A PREROUTING -p tcp -dport 80 -j DNAT -to-destination 192.168.0.24:3129
iptables -t nat -A PREROUTING -p tcp -dport 443 -j DNAT -to-destination 192.168.0.24:3129
iptables -t nat -A POSTROUTING -j MASQUERADE
I have also tried adding ACCEPT commands to the PREROUTING zone just in case the proxy is dropping the packets right away but that also doesn't work.
The proxy functions perfectly when the client is configured to use a proxy so there doesn't appear to be any issues with routing or anything like that, it's just the transparent proxying that isn't working.
If anyone has any suggestions of what I could try that would be greatly appreciated. Let me know if anything is unclear or if you need further clarification.
Thank you,
Cooper Waldon
Cooper Waldon l Network Engineer l OTN l 416-446-4110 x 4473 l www.otn.ca<http://www.otn.ca/> | Service Desk 1-855-654-0888 x2