Wednesday, 12 March 2014

Squid Proxy and WCCP

The last few days I've been struggling to get a transparent proxy setup for our network using WCCP from our Cisco ASA firewall to a Squid proxy.



I had a hard time getting my Squid proxy handling transparent caching from our Cisco ASA with WCCP(2), mostly with getting the GRE working. I was working mostly with this page:


The biggest confusion for me was that the GRE was not a point-to-point tunnel. In the end it was working as a sort of pseudo interface to handle the GRE encapsulation and the NAT redirection pushed packets through that interface as the glue.

“modprobe ip_gre”

This creates a generic GRE tunnel gre0; which you can see with “ip tunnel”. Load this module on boot. With CentOS and other RedHats

echo modprobe ip_gre >> /etc/rc.modules
chmod +x /etc/rc.modules

An IP interface needs to be brought up for gre0, but doesn’t have to connect to anything. Many examples I saw used a localnet address like 127.0.0.2. I used the following (no 172.16.x.x in my network, it’s a dummy address):

/etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
LOCAL_DEVICE=eth0
ONBOOT=yes
IPV6INIT=no

Lastly iptables glues the GRE to Squid (we use 10.x.x.x addresses for our network):

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Mar 11 15:45:13 2014
*nat
:PREROUTING ACCEPT [26:6791]
:POSTROUTING ACCEPT [86:5532]
:OUTPUT ACCEPT [86:5532]
-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $HOST-IP:$SQUID-PORT
COMMIT

Rp_filter disabled and ipforwarding enabled as indicated in the document.

And Bob’s your uncle!

No comments:

Post a Comment

Popular Posts