Ok. My iptables rule was not intercepting the packet as I had created the
rule for eth0 not gre1. I created the rule for gre1 as shown below. Now
the packets don't get forwarded to the router and loop as they were
before, but still Squid does not reply via eth0 with a SYN ACK. A
tcpdump on gre1 sees the incoming SYN packets while a tcpdump on eth0
only sees the GRE encrypted traffic. I have listed my squid.conf below
also.
iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 139 packets, 7087 bytes)
 pkts bytes target     prot opt in     out     source               destination
  187  8976 REDIRECT   tcp  --  gre1   any     anywhere             anywhere            tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT 728 packets, 44476 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 608 packets, 38716 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables-save -t nat
# Generated by iptables-save v1.3.5 on Thu Jun 14 14:58:08 2007
*nat
:PREROUTING ACCEPT [139:7087]
:POSTROUTING ACCEPT [742:45345]
:OUTPUT ACCEPT [622:39585]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Thu Jun 14 14:58:08 2007
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 128 MB
cache_dir ufs /usr/local/squid/var/cache 1024 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl internal src MY_INTERNAL_IPS/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow internal
http_access allow all
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
visible_hostname HOSTNAME.DOMAIN.COM
always_direct allow all
wccp2_router ROUTER_IP_ADDRESS
wccp2_assignment_method 1
wccp2_address MY_IP_ADDRESS
coredump_dir /usr/local/squid/var/cache
-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Sent: Tuesday, June 12, 2007 3:49 PM
To: Van Der Hart, Kevin
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Red Hat 5 - Squid 2.6 Stable 13 WCCP V2 and GRE
Tue 2007-06-12 at 10:16 -0500, Van Der Hart, Kevin wrote:
> I have determined what is happening but am not sure what to do to fix
> the problem. I ran tcpdump on my client and it sent 3 SYN requests. I
> saw 378 SYN requests come in my GRE interface and saw 375 SYN requests
> go out my ETH interface with a source IP of the client address. Since
> the source address is not the Squid machine, WCCP is sending them back
> to me again. Is Linux forwarding these packets acting as a router or
> does Squid use the client IP address in its request to contact the
> real web server?
Then your iptables rule is not intercepting the packet.
Triple check your nat rules again
iptables-save -t nat
Remember that these SYNs are coming in on the gre interface, not eth.
Regards
Henrik
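A small check for the interface mix-up discussed in this thread, added here as an example and not part of the original messages: it parses `iptables-save -t nat` output and reports which input interface each PREROUTING REDIRECT rule is bound to, so a rule written for eth0 instead of gre1 is caught before intercepted SYNs loop back through WCCP. The two sample rule sets are constructed from the rules shown above, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed samples modelled on the rules in this thread: the first binds the
# REDIRECT to eth0 (the original mistake), the second to gre1 (the fix).
SAMPLE_ETH0='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
SAMPLE_GRE1='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# redirect_ifaces PORT: read iptables-save text on stdin and print the input
# interface ("any" if the rule has no -i) of every PREROUTING rule that
# REDIRECTs tcp port 80 to PORT.
redirect_ifaces() {
  awk -v port="$1" '
    /^-A PREROUTING / && /-j REDIRECT/ {
      iface = "any"; dport = ""; to = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-i") iface = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "--to-ports") to = $(i + 1)
      }
      if (dport == "80" && to == port) print iface
    }'
}

# check_intercept IFACE PORT: succeed (exit 0) only if port-80 traffic arriving
# on IFACE would be redirected to PORT; a rule on another interface does not count.
check_intercept() {
  want=$1
  for found in $(redirect_ifaces "$2"); do
    if [ "$found" = "$want" ] || [ "$found" = "any" ]; then
      return 0
    fi
  done
  return 1
}

# Live use would be:  iptables-save -t nat | check_intercept gre1 3128
for sample in "$SAMPLE_ETH0" "$SAMPLE_GRE1"; do
  if printf '%s\n' "$sample" | check_intercept gre1 3128; then
    echo "ok: port 80 on gre1 is redirected to 3128"
  else
    echo "MISSING: no REDIRECT for port 80 on gre1 (rules cover: $(printf '%s\n' "$sample" | redirect_ifaces 3128))"
  fi
done
```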
Received on Thu Jun 14 2007 - 13:59:08 MDT