Tuesday, September 23, 2014

transparent proxy, squid-cache, using wccp protocol

1- information
- cisco router:
  - interface f0/0: internet
  - interface f0/1: proxy -- 192.168.203.1/24
  - interface f1/0: client -- 192.168.110.1/24
- proxy linux:
  - eth0: 192.168.203.5/24

2- router configuration

hostname wccp

! enable wccp and redirection
ip wccp version 2
ip wccp web-cache redirect-list 110 group-list 10
ip cef
!        
!        
!        
interface FastEthernet0/0
 ip address 192.168.109.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!        
interface FastEthernet0/1
 ip address 192.168.203.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!        
interface FastEthernet1/0
 ip address 192.168.110.1 255.255.255.0

! enable redirection on interface connect to clients
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!        
!        
ip route 0.0.0.0 0.0.0.0 192.168.109.1
!        
!        
ip http server
no ip http secure-server
ip nat inside source list 2 interface FastEthernet0/0 overload
!        
! access-list 2: networks that are NATed on the outside interface
access-list 2 permit 192.168.203.0 0.0.0.255
access-list 2 permit 192.168.209.0 0.0.0.255
access-list 2 permit 192.168.110.0 0.0.0.255
! access-list 10 (group-list): only this proxy may join the web-cache service group
access-list 10 permit 192.168.203.5
! access-list 110 (redirect-list): never redirect the proxy's own traffic, redirect client HTTP
access-list 110 deny   ip host 192.168.203.5 any
access-list 110 permit tcp 192.168.110.0 0.0.0.255 any eq www
access-list 110 permit tcp any 192.168.110.0 0.0.0.255 eq www


3- linux configuration

# GRE tunnel to the router's WCCP Router Identifier (192.168.203.1, see section 5);
# redirected client packets arrive GRE-encapsulated from that address
ip tunnel add grew0 mode gre remote 192.168.203.1 local 192.168.203.5 dev eth0
ifconfig grew0 192.168.203.5/32 up
# forward the decapsulated packets and disable reverse-path filtering, otherwise the
# kernel drops packets whose client source addresses arrive through the tunnel
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/grew0/rp_filter
# hand the redirected HTTP traffic to squid's transparent port (3127 in section 4)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.203.5:3127


4- squid configuration


# transparent port that receives the WCCP-redirected traffic (matches the iptables DNAT)
http_port 3127 transparent
# regular port for clients configured to use the proxy explicitly
http_port 3128
dns_nameservers 8.8.4.4
# the router's WCCP Router Identifier (see section 5)
wccp2_router 192.168.203.1
# 1 = GRE encapsulation for both redirect and return traffic
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method hash
wccp2_service standard 0



5- show ip wccp on cisco router

wccp#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.203.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        2596
          Process:                           0
          Fast:                              0
          CEF:                               2596
        Redirect access-list:                110
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            611
        Group access-list:                   10
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0



wccp#show ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          192.168.203.5
        Protocol Version:        2.0
        State:                   Usable
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  1682
        Connect Time:            01:07:45
        Bypassed Packets
          Process:               0
          Fast:                  0
          CEF:                   0
          Errors:                0
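As an added check that is not part of the original post, the following Python script parses the two `show` outputs above (embedded here as constructed sample text copied from this post) and flags the conditions this setup depends on: the Router Identifier must equal the GRE tunnel remote configured on the Linux side, at least one service-group client must be registered in the Usable state with hash buckets assigned, and there must be no authentication failures or denied redirects. Function and variable names are my own, not squid's or IOS's.

```python
import re

# Sample output constructed from the "show ip wccp" listing above
SHOW_IP_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.203.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        2596
          Process:                           0
          Fast:                              0
          CEF:                               2596
        Redirect access-list:                110
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            611
        Group access-list:                   10
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

# Sample output constructed from the "show ip wccp web-cache detail" listing above
SHOW_WEB_CACHE_DETAIL = """\
WCCP Client information:
        WCCP Client ID:          192.168.203.5
        Protocol Version:        2.0
        State:                   Usable
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  1682
        Connect Time:            01:07:45
        Bypassed Packets
          Process:               0
          Fast:                  0
          CEF:                   0
          Errors:                0
"""

# "Label:   value" lines; the non-greedy label stops at the first colon followed by whitespace
KV_RE = re.compile(r"^\s*(.+?):\s+(\S.*?)\s*$")


def parse_show(text):
    """Turn 'Label:   value' lines into a dict; headings and hash continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def as_int(fields, key):
    """Counter value as int, 0 when absent or not numeric."""
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0


def check_wccp(global_text, detail_text, gre_remote):
    """Return a list of findings; an empty list means the service group looks healthy."""
    g = parse_show(global_text)
    d = parse_show(detail_text)
    findings = []
    router_id = g.get("Router Identifier")
    if router_id != gre_remote:
        findings.append(f"GRE tunnel remote {gre_remote} differs from Router Identifier {router_id}")
    if as_int(g, "Number of Service Group Clients") < 1:
        findings.append("no WCCP client registered: check the group access-list and squid's wccp2_router")
    if d.get("State") != "Usable":
        findings.append(f"client state is {d.get('State')!r}, expected 'Usable'")
    m = re.match(r"(\d+)", d.get("Hash Allotment", ""))
    if not m or int(m.group(1)) == 0:
        findings.append("no hash buckets assigned to the client")
    if as_int(g, "Total Authentication failures") > 0:
        findings.append("authentication failures: WCCP password mismatch between squid and the router")
    if as_int(g, "Total Packets Denied Redirect") > 0:
        findings.append("packets denied redirect: review the redirect access-list")
    if as_int(d, "Errors") > 0:
        findings.append("bypass errors reported by the client")
    if as_int(g, "Total Packets s/w Redirected") == 0 and as_int(g, "Total Packets Unassigned") > 0:
        findings.append("traffic seen on the redirect interface but nothing redirected")
    return findings


if __name__ == "__main__":
    for line in check_wccp(SHOW_IP_WCCP, SHOW_WEB_CACHE_DETAIL, "192.168.203.1") or ["WCCP looks healthy"]:
        print(line)
```

Feed it the real command output (for example pasted from the router console) and the GRE `remote` address from section 3; the first finding it produces is the Router Identifier mismatch described in note 2 below, which is the most common reason the cache registers but no packets are redirected.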


------- Note ----
1- Squid must be built with --enable-linux-netfilter --enable-wccpv2.
2- On IOS 12.4 the WCCP Router Identifier is assigned automatically to the highest IP address on the router, so that address must be the one of the interface connected to the proxy server for WCCP to work. Newer IOS versions include the command ip wccp source-interface; with it, just specify the interface connected to the proxy.
