I had a hard time getting my Squid proxy handling transparent caching from our Cisco ASA with WCCP(2), mostly with getting the GRE working. I was working mostly with this page:
The biggest confusion for me was that the GRE was not a point-to-point tunnel. In the end it was working as a sort of pseudo interface to handle the GRE encapsulation and the NAT redirection pushed packets through that interface as the glue.
This creates a generic GRE tunnel gre0; which you can see with “ip tunnel”. Load this module on boot. With CentOS and other RedHats
echo modprobe ip_gre >> /etc/rc.modules
chmod +x /etc/rc.modules
An IP interface needs to be brought up for gre0, but doesn’t have to connect to anything. Many examples I saw used a localnet address like 127.0.0.2. I used the following (no 172.16.x.x in my network, it’s a dummy address):
Lastly iptables glues the GRE to Squid (we use 10.x.x.x addresses for our network):
# Generated by iptables-save v1.3.5 on Tue Mar 11 15:45:13 2014
:PREROUTING ACCEPT [26:6791]
:POSTROUTING ACCEPT [86:5532]
:OUTPUT ACCEPT [86:5532]
-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $HOST-IP:$SQUID-PORT
Rp_filter disabled and ipforwarding enabled as indicated in the document.
And Bob’s your uncle!
Post a Comment