<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Ah, forgot about this:</p>
<p><a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/ConfigExamples/Intercept">http://wiki.squid-cache.org/ConfigExamples/Intercept</a><br>
</p>
<br>
<div class="moz-cite-prefix">22.03.2017 1:04, Waldon, Cooper пишет:<br>
</div>
<blockquote
cite="mid:YTOPR01MB04766B2AE6D78BBE5022DD0CDF3D0@YTOPR01MB0476.CANPRD01.PROD.OUTLOOK.COM"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hello All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m trying to set up a transparent proxy
for http and https using Cisco Routers and Squid. I have
followed the configuration examples that are listed under the
wccp2 overview section (<a moz-do-not-send="true"
href="http://wiki.squid-cache.org/Features/Wccp2">http://wiki.squid-cache.org/Features/Wccp2</a>)
of the squid wiki but I’m still having some issues.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a little lab set up with a Cisco
7200 Router and a VM with CentOS running the proxy.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The “WAN” IP of the Router is
192.168.0.23. The IP of the Squid Proxy is 192.168.0.24 and
both have the default gateway of 192.168.0.1 which is the
“ISP”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Client is sitting on a LAN behind the
Router in the 10.10.10.0/24 subnet and is also sitting behind
nat.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I believe that the router and proxy are
communicating properly based on the information in the show ip
wccp command on the router as it shows clients and routers as
well as showing that packets are being forwarded:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt">R3#show ip
wccp<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">Global WCCP
information:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Router
information:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Router Identifier: 192.168.0.23<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Configured source-interface: GigabitEthernet5/0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service
Identifier: web-cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Protocol Version: 2.00<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Number of Service Group Clients: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Number of Service Group Routers: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Redirected: 1079<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
CEF: 1079<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Service mode: Open<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Service Access-list: -none-<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Dropped Closed: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Redirect access-list: 100<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Denied Redirect: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Unassigned: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Group
access-list: 10<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Messages Denied to Group: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Authentication failures: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
GRE Bypassed Packets Received: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
CEF: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> GRE
tunnel interface: Tunnel1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Service
Identifier: 70<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Protocol Version: 2.00<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Number of Service Group Clients: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Number of Service Group Routers: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Redirected: 500<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
CEF: 500<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Service mode: Open<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Service Access-list: -none-<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Dropped Closed: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Redirect access-list: 100<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Denied Redirect: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Packets Unassigned: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Group
access-list: 10<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Messages Denied to Group: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
Authentication failures: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> Total
GRE Bypassed Packets Received: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
Process: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">
CEF: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> GRE
tunnel interface: Tunnel0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">Here is the relevant squid wccp
configuration:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt">----Output
removed----<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"># Squid
normally listens to port 3128<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">http_port
3128<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">http_port
0.0.0.0:3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"># WCCPv2
Parameters<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_router
192.168.0.23<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_forwarding_method
1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_return_method
1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_assignment_method
hash<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_service
standard 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_service
dynamic 70<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">wccp2_service_info
70 protocol=tcp
flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash
priority=231 ports=443<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">---Output
remove----<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I think that the issue lies with the
iptables configuration as I do not see any packets been
processed in the nat table. I have tried a few different
methods such as:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t
nat -A PREROUTING -i wccp0 -p tcp –dport 80 -j REDIRECT
–to-port 3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t
nat -A PREROUTING -i wccp0 -p tcp –dport 443 -j REDIRECT
–to-port 3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t
nat -A POSTROUTING -j MASQUERADE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">or<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t
nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination
192.168.0.24:3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t
nat -A PREROUTING -p tcp –dport 443 -j DNAT –to-destination
192.168.0.24:3129<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt">iptables -t
nat -A POSTROUTING -j MASQUERADE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">I have also tried adding ACCEPT commands to
the PREROUTING zone just in case the proxy is dropping the
packets right away but that also doesn’t work.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The proxy functions perfectly when the
client is configured to use a proxy so there doesn’t appear to
be any issues with routing or anything like that, it’s just
the transparent proxying that isn’t working.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If anyone has any suggestions of what I
could try that would be greatly appreciated. Let me know if
anything is unclear or if you need further clarification.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
<p class="MsoNormal">Cooper Waldon<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span
style="color:#333399;mso-fareast-language:EN-CA">Cooper
Waldon</span></b><b><span
style="color:lime;mso-fareast-language:EN-CA"> </span></b><b><span
style="color:#77B800;mso-fareast-language:EN-CA">l </span></b><b><span
style="color:#333399;mso-fareast-language:EN-CA">Network
Engineer</span></b><b><span
style="color:navy;mso-fareast-language:EN-CA"> </span></b><b><span
style="color:#77B800;mso-fareast-language:EN-CA">l</span></b><b><span
style="color:#99CC66;mso-fareast-language:EN-CA">
</span></b><b><span
style="color:#333399;mso-fareast-language:EN-CA">OTN</span></b><b><span
style="color:#00B050;mso-fareast-language:EN-CA">
</span></b><b><span
style="color:#77B800;mso-fareast-language:EN-CA">l</span></b><b><span
style="color:lime;mso-fareast-language:EN-CA">
</span></b><b><span
style="color:#333399;mso-fareast-language:EN-CA">416-446-4110
x 4473
</span></b><b><span
style="color:#77B800;mso-fareast-language:EN-CA">l</span></b><b><span
style="color:navy;mso-fareast-language:EN-CA"> </span></b><a
moz-do-not-send="true" href="http://www.otn.ca/"><b><span
style="color:#333399;mso-fareast-language:EN-CA">www.otn.ca</span></b></a><b><span
style="color:navy;mso-fareast-language:EN-CA">
</span></b><b><span
style="color:#77B800;mso-fareast-language:EN-CA">|</span></b><b><span
style="color:navy;mso-fareast-language:EN-CA">
</span></b><b><span
style="color:#333399;mso-fareast-language:EN-CA">Service
Desk 1-855-654-0888 x2</span></b><span
style="color:#1F497D;mso-fareast-language:EN-CA"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Bugs to the Future</div>
</body>
</html>