Wednesday 12 March 2014

Squid Proxy and WCCP

The last few days I've been struggling to get a transparent proxy setup for our network using WCCP from our Cisco ASA firewall to a Squid proxy.

I had a hard time getting my Squid proxy handling transparent caching from our Cisco ASA with WCCP(2), mostly with getting the GRE working. I was working mostly with this page:

The biggest confusion for me was that the GRE was not a point-to-point tunnel. In the end it was working as a sort of pseudo interface to handle the GRE encapsulation and the NAT redirection pushed packets through that interface as the glue.

“modprobe ip_gre”

This creates a generic GRE tunnel gre0; which you can see with “ip tunnel”. Load this module on boot. With CentOS and other RedHats

echo modprobe ip_gre >> /etc/rc.modules
chmod +x /etc/rc.modules

An IP interface needs to be brought up for gre0, but doesn’t have to connect to anything. Many examples I saw used a localnet address like I used the following (no 172.16.x.x in my network, it’s a dummy address):


Lastly iptables glues the GRE to Squid (we use 10.x.x.x addresses for our network):

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Mar 11 15:45:13 2014
:OUTPUT ACCEPT [86:5532]
-A PREROUTING -s -d ! -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $HOST-IP:$SQUID-PORT

Rp_filter disabled and ipforwarding enabled as indicated in the document.

And Bob’s your uncle!

No comments:

Post a Comment

Popular Posts