Set Up Squid Siblings On CentOS 6.3 With WCCP - Page 2

This tutorial is part 2 of the configuration. Be sure to start with part 1.

5. Network

Basic IP connectivity on eth0 should already be in place; if it were not, the yum update and package installs in part 1 would have failed. This section sets up the GRE tunnel over which the WCCP gateway delivers redirected client traffic to Squid.

The stock ifup-tunnel script in network-scripts has no way to bind a tunnel to a particular physical interface, so the first step is a small change to that script.

On both servers

nano /etc/sysconfig/network-scripts/ifup-tunnel
# Create the tunnel
# The outer addresses are those of the underlying (public) network.
# The ${LOCAL_DEVICE:+...} line is the addition: it binds the tunnel to the
# physical interface named by LOCAL_DEVICE in the ifcfg file.
/sbin/ip tunnel add "$DEVICE" mode "$MODE" \
	${MY_OUTER_IPADDR:+local "$MY_OUTER_IPADDR"} \
	${PEER_OUTER_IPADDR:+remote "$PEER_OUTER_IPADDR"} \
	${LOCAL_DEVICE:+dev "$LOCAL_DEVICE"} \
	${KEY:+key "$KEY"} ${TTL:+ttl "$TTL"}

With that modification in place, create the GRE interface configuration.

On proxy1.example.com

nano /etc/sysconfig/network-scripts/ifcfg-gre1
DEVICE="gre1"
TYPE="GRE"
DEVICETYPE="tunnel"
ONBOOT="yes"
MY_INNER_IPADDR="192.168.254.2/24"
MY_OUTER_IPADDR="192.168.88.2"
PEER_OUTER_IPADDR="192.168.254.1"
MTU="1476"
LOCAL_DEVICE="eth0"

The configuration on proxy2.example.com is nearly identical: copy the file over and change only the two MY_* addresses (PEER_OUTER_IPADDR stays the same, since both proxies talk to the same router).

On proxy2.example.com

scp proxy1.example.com:/etc/sysconfig/network-scripts/ifcfg-gre1 /etc/sysconfig/network-scripts/ifcfg-gre1
nano /etc/sysconfig/network-scripts/ifcfg-gre1
MY_INNER_IPADDR="192.168.254.3/24"
MY_OUTER_IPADDR="192.168.88.3"
PEER_OUTER_IPADDR="192.168.254.1"

PEER_OUTER_IPADDR is the WCCP router identifier: the address the gateway sources its GRE packets from, so it is the remote end the tunnel has to be bound to. A Cisco IOS gateway derives the router ID from its own interface addresses (the highest one configured, loopbacks included), so it is not necessarily the gateway address on your LAN. Read it from the router rather than guessing; it is shown on the Router Identifier line of

show ip wccp

Next, relax reverse-path filtering. Redirected packets arrive inside GRE carrying the original client source addresses, which are not reachable back through the tunnel, so the kernel would otherwise discard them as spoofed. Add the following lines to the sysctl configuration.

On both servers

nano /etc/sysctl.conf
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.gre1.rp_filter = 0

Apply the change with sysctl -p. Two things to check: the kernel enforces the higher of net.ipv4.conf.all.rp_filter and the per-interface value, so these lines have no effect if "all" is set to 1; and the gre1 key only exists once the gre1 interface has been created, so it cannot be applied before the tunnel is up.
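As an added example (not part of the original tutorial), the script below shows what the patched ifup-tunnel makes of an ifcfg-gre1 file, i.e. which ${VAR:+...} expansion turns into which ip option, and computes the rp_filter value the kernel really enforces on an interface. The function names, the temporary files and the sample ifcfg contents are this example's own constructions; point effective_rp_filter at /proc/sys/net/ipv4/conf on a live host.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.  Function and file names
# are this example's own.

# Print the "ip tunnel add" line ifup-tunnel builds from an ifcfg file.
# The script maps TYPE=GRE to "mode gre"; every ${VAR:+ opt $VAR} expands to
# nothing when VAR is unset, which is why an unset KEY or TTL is harmless.
tunnel_add_cmd() {
    cfg=$1
    (   # subshell: the sourced variables must not leak into the caller
        DEVICE= TYPE= MY_OUTER_IPADDR= PEER_OUTER_IPADDR= LOCAL_DEVICE= KEY= TTL=
        . "$cfg"
        case "$TYPE" in
            GRE)  MODE=gre ;;
            IPIP) MODE=ipip ;;
            *)    echo "tunnel_add_cmd: unsupported TYPE '$TYPE'" >&2; exit 1 ;;
        esac
        printf '/sbin/ip tunnel add %s mode %s' "$DEVICE" "$MODE"
        printf '%s' "${MY_OUTER_IPADDR:+ local $MY_OUTER_IPADDR}"
        printf '%s' "${PEER_OUTER_IPADDR:+ remote $PEER_OUTER_IPADDR}"
        printf '%s' "${LOCAL_DEVICE:+ dev $LOCAL_DEVICE}"   # the added option
        printf '%s' "${KEY:+ key $KEY}"
        printf '%s\n' "${TTL:+ ttl $TTL}"
    )
}

# rp_filter as the kernel applies it: max(conf.all, conf.<iface>).  Setting
# only the interface to 0 changes nothing while conf.all is 1.  Pass
# /proc/sys/net/ipv4/conf on a live host, or a constructed tree for testing.
effective_rp_filter() {
    confdir=$1 iface=$2
    all=$(cat "$confdir/all/rp_filter")
    own=$(cat "$confdir/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Constructed sample matching proxy1's ifcfg-gre1 from this tutorial.
demo=$(mktemp -d)
cat > "$demo/ifcfg-gre1" <<'EOF'
DEVICE="gre1"
TYPE="GRE"
DEVICETYPE="tunnel"
ONBOOT="yes"
MY_INNER_IPADDR="192.168.254.2/24"
MY_OUTER_IPADDR="192.168.88.2"
PEER_OUTER_IPADDR="192.168.254.1"
MTU="1476"
LOCAL_DEVICE="eth0"
EOF
tunnel_add_cmd "$demo/ifcfg-gre1"

# Constructed /proc-like tree: conf.all=1 silently overrides conf.eth0=0.
mkdir -p "$demo/conf/all" "$demo/conf/eth0"
echo 1 > "$demo/conf/all/rp_filter"
echo 0 > "$demo/conf/eth0/rp_filter"
echo "effective rp_filter on eth0: $(effective_rp_filter "$demo/conf" eth0)"
rm -rf "$demo"
```

The MTU of 1476 in the ifcfg file is 1500 minus the 20-byte outer IPv4 header and the 4-byte GRE header; packets larger than that would be fragmented inside the tunnel.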

 

6. IPTables

Now make sure that the two Squid hosts can talk to each other and to the gateway, and that the redirected web traffic actually lands on Squid's port.

On both servers

nano /etc/sysconfig/iptables

In the *filter table, add the following before the closing REJECT rule (rules placed after it are never reached)

# GRE (protocol 47) from the router: the WCCP-redirected packets themselves
-A INPUT -p gre -j ACCEPT
# WCCP control traffic between Squid and the router
-A INPUT -m udp -p udp --dport 2048 -j ACCEPT
# Squid's HTTP port
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
# ICP between the two siblings
-A INPUT -m udp -p udp --dport 3130 -j ACCEPT

Then add a nat table that redirects the port-80 traffic arriving through the tunnel to Squid's port. Restricting the rule to -i gre1 means only WCCP-delivered traffic is intercepted; connections arriving directly on eth0 are left alone.

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
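As an added example (not part of the original tutorial), this script audits a saved ruleset such as /etc/sysconfig/iptables for the rules a WCCP-fed Squid host needs and catches the two classic mistakes: a required ACCEPT appended after the final REJECT, where it never matches, and a missing allow for the GRE packets that carry the redirected traffic. The function names and the two constructed rulesets are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.  Function and file names
# are this example's own.

# Print the line number of the first line matching a regex, or nothing.
first_match() {
    grep -nE "$1" "$2" | head -n 1 | cut -d: -f1
}

# Usage: audit_wccp_rules <rules-file>; prints findings, returns 1 on any.
audit_wccp_rules() {
    dump=$1
    status=0
    # Everything after the catch-all REJECT in INPUT is dead; treat a
    # missing REJECT as "no cut-off" for the comparison below.
    reject=$(first_match '^-A INPUT .*-j REJECT' "$dump")
    [ -n "$reject" ] || reject=999999
    # Filter-table rules the host needs, as regexes over the saved form.
    for pat in \
        '^-A INPUT .*-p (gre|47) .*-j ACCEPT' \
        '^-A INPUT .*-p udp .*--dport 2048 .*-j ACCEPT' \
        '^-A INPUT .*-p tcp .*--dport 3128 .*-j ACCEPT' \
        '^-A INPUT .*-p udp .*--dport 3130 .*-j ACCEPT'
    do
        line=$(first_match "$pat" "$dump")
        if [ -z "$line" ]; then
            echo "MISSING: $pat"; status=1
        elif [ "$line" -gt "$reject" ]; then
            echo "SHADOWED by REJECT on line $reject: $pat"; status=1
        fi
    done
    # The nat REDIRECT must be scoped to gre1 so that only WCCP-delivered
    # traffic is intercepted; without -i gre1 it would also grab port 80 on eth0.
    if ! grep -qE '^-A PREROUTING -i gre1 -p tcp .*--dport 80 -j REDIRECT --to-ports 3128' "$dump"; then
        echo "MISSING: nat PREROUTING REDIRECT on gre1 to port 3128"; status=1
    fi
    return $status
}

# Constructed sample: the ruleset this tutorial ends up with.
good=$(mktemp)
cat > "$good" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -m udp -p udp --dport 2048 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m udp -p udp --dport 3130 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
# Constructed mistake: rules appended after REJECT, GRE allow and nat forgotten.
bad=$(mktemp)
cat > "$bad" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m udp -p udp --dport 2048 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m udp -p udp --dport 3130 -j ACCEPT
COMMIT
EOF
echo "== good =="; audit_wccp_rules "$good" && echo "OK"
echo "== bad ==";  audit_wccp_rules "$bad"  || echo "FAIL"
rm -f "$good" "$bad"
```

Run it against /etc/sysconfig/iptables before restarting the firewall; on a live host, iptables-save output works as input too.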

 

7. Server wrap up

The last thing to do on the servers is to make sure everything comes back on its own after a reboot. The tunnel already does, because the ifcfg file has ONBOOT="yes"; Squid still needs to be enabled.

On both servers

chkconfig --levels 235 squid on

At this point reboot the server and confirm that everything came up properly.

First we’ll check Squid is running

/etc/init.d/squid status

squid is running (pid xxxxxx)

Next ensure the IP tunnel was created successfully. On each host the remote address must be the WCCP router ID and the local address the host's own eth0 address.

ip tunnel

On proxy1.example.com

gre0:  gre/ip  remote any  local any  ttl  inherit  nopmtudisc
gre1: gre/ip  remote 192.168.254.1  local 192.168.88.2  dev eth0 ttl inherit

On proxy2.example.com

gre0:  gre/ip  remote any  local any  ttl  inherit  nopmtudisc
gre1: gre/ip  remote 192.168.254.1  local 192.168.88.3  dev eth0 ttl inherit

Then check that the inner address was assigned to the tunnel

ifconfig gre1 | grep inet

On proxy1.example.com

inet addr:192.168.254.2  P-t-P:192.168.254.2  Mask:255.255.255.0

On proxy2.example.com

inet addr:192.168.254.3  P-t-P:192.168.254.3  Mask:255.255.255.0

Tunnels are up and squid is running. Time to get some traffic directed at the new proxies.

 

8. Cisco setup

The configuration on the Cisco gateway is short, thanks to the nature of WCCP. First create a standard access list naming the Squid peers and attach it to the web-cache service as its group-list. This restricts which hosts are allowed to register as cache engines: without it, any host on the LAN that speaks WCCP could join the group and have client traffic redirected to it. Enter configure mode on the Cisco

access-list 10 permit 192.168.88.2
access-list 10 permit 192.168.88.3
ip wccp web-cache group-list 10

Next create the redirect list. It sends the whole subnet's port-80 traffic through the Squid systems, but it must exclude the Squid servers themselves: otherwise the proxies' own outbound fetches would be redirected back to a proxy, creating a forwarding loop.

access-list 120 remark ACL for WCCP proxy
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.88.2 any
access-list 120 deny ip host 192.168.88.3 any
access-list 120 remark Proxy LAN clients port 80 only
access-list 120 permit tcp 192.168.88.0 0.0.0.255 any eq 80
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
ip wccp web-cache redirect-list 120

Before turning redirection on for an interface, make sure the Squid proxies are advertising their presence to the gateway. Exit configure mode on the Cisco and run

show ip wccp web-cache detail

Both servers should be listed, each with its state shown as usable.

Go back into configure mode and enable redirection on the LAN interface, in this case the VLAN 5 subinterface of GigabitEthernet 0/0. Use redirect in so traffic is intercepted as it enters the router from the clients.

interface GigabitEthernet0/0.5
ip wccp web-cache redirect in

That’s it. You’re done.

For a quick test, open a web page from a client that goes through the gateway handling WCCP. The request should show up in the Squid access log on one of the proxies.

tail /var/log/squid/access.log
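As an added example (not part of the original tutorial), the functions below turn that tail into three checks: which clients are being redirected, how many requests were answered by the sibling rather than fetched directly, and whether Squid has logged a forwarding loop in cache.log, which is what happens when the deny entries for the proxies in access-list 120 are not taking effect. The function names and the sample log lines are this example's own constructions; the field layout is Squid's native access.log format.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.  Function names and the
# sample log lines are constructed for this example.
# Native access.log fields:
#   time elapsed client code/status bytes method url user hierarchy/peer type

# Per-client request counts, one "client <ip> <n>" line each, sorted by IP,
# so you can see that LAN clients (not only the proxies) are being redirected.
wccp_clients() {
    awk 'NF >= 9 { c[$3]++ } END { for (k in c) print "client", k, c[k] }' "$1" | sort
}

# Hierarchy summary: requests fetched DIRECT from the origin versus answered
# by the sibling (SIBLING_HIT).  Sibling hits prove the two proxies see each
# other; if everything is DIRECT, revisit the cache_peer lines from part 1.
wccp_hierarchy() {
    awk 'NF >= 9 { split($9, h, "/"); n[h[1]]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Squid detects a redirect loop (its own fetch sent back to a proxy) through
# the Via header and writes "Forwarding loop detected" to cache.log.  Prints
# the number of such warnings; anything above 0 means the bypass entries for
# the proxies in access-list 120 are not being matched.
wccp_loop_warnings() {
    grep -c 'Forwarding loop detected' "$1" || true
}

# Constructed sample logs.
demo=$(mktemp -d)
cat > "$demo/access.log" <<'EOF'
1357000000.123    245 192.168.88.50 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1357000001.456     12 192.168.88.51 TCP_MISS/200 1234 GET http://www.example.com/ - SIBLING_HIT/192.168.88.2 text/html
1357000002.789      3 192.168.88.50 TCP_HIT/200 1234 GET http://www.example.com/ - NONE/- text/html
EOF
cat > "$demo/cache.log" <<'EOF'
2013/01/01 12:00:00| Accepting  HTTP connections at 0.0.0.0, port 3128, FD 12.
2013/01/01 12:05:00| WARNING: Forwarding loop detected for:
2013/01/01 12:05:00| GET / HTTP/1.1
EOF
wccp_clients "$demo/access.log"
wccp_hierarchy "$demo/access.log"
echo "forwarding loop warnings: $(wccp_loop_warnings "$demo/cache.log")"
rm -rf "$demo"
```

On a live proxy, point the functions at /var/log/squid/access.log and /var/log/squid/cache.log; a non-zero loop count is the first thing to check if the gateway's CPU or the proxies' request rate climbs right after redirection is enabled.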