Hi,
At 02:14 p.m. 25/02/2005, Jesse Guardiani wrote:
>Henrik Nordstrom wrote:
>
> > On Thu, 24 Feb 2005, Jesse Guardiani wrote:
> >
> >> I don't think it is anymore. It seems like the packets are just
> >> disappearing after they hit my iptables rule. I tried placing OUTPUT and
> >> POSTROUTING LOG rules around the NAT table, and their hit counters
> >> increment if I hit the cache directly from a web browser, but if I hit it
> >> transparently the packet just disappears after the REDIRECT to port
> >> 3128.
> >
> > Try using DNAT instead of REDIRECT.
>
>I thought you might say that, so I tried it with DNAT earlier in the day.
>I tried destination addresses 192.168.10.2 (my ip alias on eth0:22) and
>192.168.1.2 (my "real" eth0 ip). Neither worked. Here's an example of the
>latter:
>
># iptables -t nat -L -v
>Chain PREROUTING (policy ACCEPT 425 packets, 61769 bytes)
> pkts bytes target     prot opt in     out     source               destination
>   43  2580 DNAT       tcp  --  gre1   any     anywhere             anywhere             tcp dpt:www to:192.168.1.2:3128
>
>Do you see anything wrong with the above?
>
>I'm starting to think that something is wrong with linux's gre WCCP
>decapsulation. That's why I keep asking if anyone actually has
>this working on my kernel and my squid. But I guess, judging from
>the silence, that nobody has it working yet.
>
>Is there a better alternative to WCCP? I'm particularly interested
>in the fail-over feature. I'd hate for my users' internet access
>to go down just because my squid server rebooted.
No need.  I can confirm it does work, but it does need to be set up in a 
specific way.
I have been using 2.6 series right the way through, now running 2.6.11-rc5, 
and switched to using the gre tunnel method when it became supported by the 
Linux kernel.  ip_wccp is good, but it is not in the kernel and it's a lot 
easier to just use a GRE tunnel built into the kernel instead.
If you wish to use ip_wccp, I suggest you start by getting this config 
below to work properly first, and then change to ip_wccp and then take down 
the GRE interface, start from a position of it working before you start 
experimenting ;)  The router config and squid config would be the same, the 
iptables config is slightly different though.
Router config:
--------------
* My router is running 12.3(11)T3.  BE CAREFUL, some versions of IOS do NOT 
work without also turning off CEF and/or fast switching, although most 
recent ones do work OK.  Stick to a stable (non T or branch) release if you 
can, such as latest 12.2 or 12.3.
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip wccp web-cache redirect in
!
interface Loopback0
 ip address 172.16.1.5 255.255.255.252
end
(Note the loopback IP range matches that on the GRE tunnel on my linux box)
Linux box core config:
-----------------
/etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
iptables config:
----------------
# nat table (DNAT is only valid there): TCP/80 arriving via the GRE tunnel,
# and only when the destination is outside the LAN, goes to squid
iptables -t nat -A PREROUTING -i gre0 -s 192.168.0.0/255.255.0.0 ! -d 192.168.0.0/255.255.0.0 \
    -p tcp -m tcp --dport 80 -j DNAT --to 192.168.0.3:3128
This makes sure that traffic from 192.168.0.0/255.255.0.0 destined for 
192.168.0.0/255.255.0.0 is not redirected to the cache.
Squid config:
-------------
wccp_router 192.168.0.1
wccp_version 4
wccp_outgoing_address 192.168.0.3   <<---- I have two IP addresses on this box
I'm not sure if it is optimal or not, but it works with every squid version 
I have ever tried.  If I remember correctly, some of these instructions 
came from a page by Joe Cooper @ Swelltech, but I can't put my hands on it 
right now.
Hope this helps.
reuben
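The setup reuben describes (kernel GRE device, DNAT rule on the tunnel interface, squid pointed at the router) as one script. This is an added example, not code from reuben's message or from the Squid project. It reuses the addresses the message gives (router 192.168.0.1, cache 192.168.0.3, tunnel 172.16.1.6/30, gre0); the rp_filter sysctl, the dry-run mode and the verify step are my additions: with strict reverse-path filtering on, packets that arrive on gre0 carrying a client source address are dropped silently, which looks exactly like the "packet just disappears" symptom in the thread.

```shell
#!/bin/sh
# Added example, not from reuben's message: apply the GRE + DNAT setup for
# WCCP v1 redirection using the kernel's built-in gre0 device, with a dry-run
# mode (default) that only prints the commands, so it can be read and tested
# without root. Values below are assumptions taken from the message.
ROUTER=${ROUTER:-192.168.0.1}        # WCCP router (wccp_router in squid.conf)
CACHE=${CACHE:-192.168.0.3}          # address squid answers on (wccp_outgoing_address)
SQUID_PORT=${SQUID_PORT:-3128}
TUN=${TUN:-gre0}                     # catch-all GRE device created by ip_gre
TUN_ADDR=${TUN_ADDR:-172.16.1.6/30}  # same /30 as the router's Loopback0
LAN=${LAN:-192.168.0.0/16}           # client range; LAN-to-LAN traffic is left alone
DRY_RUN=${DRY_RUN:-1}                # 1 = print commands, 0 = execute them

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The nat rule from the message, built as a string so it can be shown and
# tested. -t nat is required: DNAT is not a valid target in the filter table.
# Only TCP/80 that arrives via the tunnel and is not bound for the LAN itself
# is sent to squid.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp --dport 80 -j DNAT --to-destination %s:%s' \
        "$TUN" "$LAN" "$LAN" "$CACHE" "$SQUID_PORT"
}

# Bring up the tunnel and the one sysctl the redirected traffic depends on.
setup_tunnel() {
    run modprobe ip_gre
    run ip addr add "$TUN_ADDR" dev "$TUN"
    run ip link set "$TUN" up
    # Decapsulated packets arrive on gre0 with the client's source address,
    # whose return route is eth0, not the tunnel. Strict reverse-path
    # filtering therefore drops them with no log entry; disable it for the
    # tunnel interface only (assumption: rp_filter is on by default here).
    run sysctl -w "net.ipv4.conf.$TUN.rp_filter=0"
}

# What to look at when packets "just disappear": rule counters, tunnel
# counters, and raw traffic on the tunnel side of the redirect.
verify() {
    run iptables -t nat -L PREROUTING -v -n
    run ip -s link show "$TUN"
    run tcpdump -c 20 -ni "$TUN" tcp port 80
}

main() {
    setup_tunnel
    eval "run $(dnat_rule)"
    verify
}

case "${1:-}" in
    --apply)   DRY_RUN=0; main ;;
    --dry-run) DRY_RUN=1; main ;;
esac
```

Run with `--dry-run` first to see the commands, then `--apply` as root. The squid side is unchanged from the message (`wccp_router 192.168.0.1`, `wccp_version 4`, `wccp_outgoing_address 192.168.0.3`); if the DNAT counter in the verify output stays at zero while tcpdump on gre0 shows port 80 traffic, the packets are being dropped before the nat table, and rp_filter on the tunnel interface is the first thing to check.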
Received on Thu Feb 24 2005 - 22:47:25 MST