I had a hard time getting my Squid proxy to handle
transparent caching from our Cisco ASA with WCCP(2), mostly with getting the
GRE working. I was working mostly with this page:
The biggest confusion for me was that the GRE was not a
point-to-point tunnel. In the end it was working as a sort of pseudo interface
to handle the GRE encapsulation, and the NAT redirection pushed packets through
that interface as the glue.
modprobe ip_gre
This creates a generic GRE tunnel device, gre0, which you can see
with "ip tunnel". Load this module on boot; on CentOS and other Red Hat derivatives:
echo modprobe ip_gre >> /etc/rc.modules
chmod +x /etc/rc.modules
An IP interface needs to be brought up for gre0, but it doesn't
have to connect to anything. Many examples I saw used a localnet address like
127.0.0.2. I used the following (there is no 172.16.x.x in my network, so it's a dummy
address):
/etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
LOCAL_DEVICE=eth0
ONBOOT=yes
IPV6INIT=no
Lastly, iptables glues the GRE to Squid (we use 10.x.x.x
addresses for our network):
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Mar 11 15:45:13 2014
*nat
:PREROUTING ACCEPT [26:6791]
:POSTROUTING ACCEPT [86:5532]
:OUTPUT ACCEPT [86:5532]
-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $HOST-IP:$SQUID-PORT
COMMIT
rp_filter disabled and IP forwarding enabled, as indicated in
the document.
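A preflight script for the pieces above (IP forwarding, rp_filter on gre0, the gre0 device, and the DNAT rule being bound to gre0), added here as an example and not part of the original post. It assumes the gre0 interface name and the nat rule layout shown above; the ROOT argument exists only so the checks can be run against a fake directory tree.

```shell
# Added example, not from the original post: preflight checks for the
# Squid/WCCP/GRE setup described above. ROOT points the checks at a
# fake tree for testing; an empty ROOT means the live system.
# Assumed: tunnel interface gre0 and the nat rule layout shown in the post.

# read_sysctl ROOT KEY: value of /proc/sys/<KEY>, empty if unreadable
read_sysctl() {
    f="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    [ -r "$f" ] && tr -d '[:space:]' < "$f"
    return 0
}

# check_kernel ROOT: one line per problem; return value = number of problems
check_kernel() {
    root="$1"; n=0
    if [ "$(read_sysctl "$root" net.ipv4.ip_forward)" != "1" ]; then
        echo "ip_forward is 0: redirected packets will not reach Squid"; n=$((n+1))
    fi
    # The kernel applies max(conf.all.rp_filter, conf.gre0.rp_filter). Client
    # source addresses arrive through the tunnel, not via the route back to
    # them, so reverse-path filtering on gre0 silently drops WCCP traffic.
    # Turning it off only for gre0 keeps the anti-spoofing check on eth0.
    a="$(read_sysctl "$root" net.ipv4.conf.all.rp_filter)"
    g="$(read_sysctl "$root" net.ipv4.conf.gre0.rp_filter)"
    if [ "${a:-0}" != "0" ] || [ "${g:-0}" != "0" ]; then
        echo "rp_filter active on gre0 (all=$a gre0=$g): WCCP packets dropped"; n=$((n+1))
    fi
    if [ ! -d "$root/sys/class/net/gre0" ]; then
        echo "gre0 missing: is ip_gre loaded and ifcfg-gre0 up?"; n=$((n+1))
    fi
    return $n
}

# check_nat_rules FILE: FILE holds iptables-save output. Returns 0 only if every
# PREROUTING DNAT rule is bound to -i gre0 (so only WCCP-delivered packets are
# redirected, not everything that passes through the box) and one hits dport 80.
check_nat_rules() {
    dnat=$(grep -E '^-A PREROUTING .*-j DNAT' "$1" || true)
    [ -n "$dnat" ] || { echo "no PREROUTING DNAT rule found"; return 1; }
    bad=$(printf '%s\n' "$dnat" | grep -v -- '-i gre0' || true)
    if [ -n "$bad" ]; then
        echo "DNAT rule not limited to gre0: $bad"; return 1
    fi
    printf '%s\n' "$dnat" | grep -q -- '--dport 80' ||
        { echo "no DNAT rule for dport 80"; return 1; }
    return 0
}
```

On the live box, run `check_kernel ""` and then `iptables-save -t nat > /tmp/nat.txt; check_nat_rules /tmp/nat.txt` (iptables-save needs root).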
And Bob’s your uncle!