LINUX.ORG.RU

Posts by Aleksander_swmdx


WCCP Cisco Squid и IPtables

Forum — General

Gentlemen admins, please help me figure out the following.

The task is this. All traffic from the 10.10.6.0 network should pass through a transparent proxy on Squid at 10.10.6.10. The gateway is a Cisco with IP 10.10.6.1. When a request comes from the local network 10.10.6.0, the gateway handles it via WCCP and passes requests on ports 80 and 443 to the GRE interface on the Squid box. But I don't see any Squid logs. In tcpdump I can see the packets arriving. I think I need to look at iptables, but apparently I have too little experience with it. Please help me understand how

Cisco config

ip wccp source-interface Vlan1
ip wccp web-cache redirect-list WCCP_ACCESS
ip wccp 70 redirect-list WCCP_ACCESS


interface Vlan1
 description Lan 10.10.6.0
 ip address 10.10.6.1 255.255.254.0
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
 ip nat inside
 ip virtual-reassembly in  

ip access-list extended WCCP_ACCESS
 remark ACL for HTTP/HTTPS
 remark Squid proxies bypass WCCP
 deny   ip host 10.10.6.10 any
 permit tcp 10.10.6.0 0.0.1.255 any eq www 443
 remark all others bypass WCCP
 deny   ip any any

There is connectivity between the Cisco and Squid, and packet redirection works.

sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   10.10.6.1
        Configured source-interface:         Vlan1

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            1510
          Process:                           0
          CEF:                               1510
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                WCCP_ACCESS
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       8
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel1

Service Identifier: 70
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            4043
          Process:                           0
          CEF:                               4043
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                WCCP_ACCESS
        Total Packets Denied Redirect:       30230
        Total Packets Unassigned:            39
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       32
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel0

Squid config

acl localnet src 10.10.6.0/23   # RFC 1122 "this" network (LAN)

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

include /etc/squid/conf.d/*

http_access allow localhost
http_access allow all
#http_access deny all

http_port 3128
http_port 3129 

wccp2_router 10.10.6.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_service dynamic 70

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

iptables rules

# Generated by iptables-save v1.6.1 on Wed Jan 22 13:38:06 2020
*mangle
:PREROUTING ACCEPT [43:3189]
:INPUT ACCEPT [41:3029]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [30:2756]
:POSTROUTING ACCEPT [30:2756]
COMMIT
# Completed on Wed Jan 22 13:38:06 2020
# Generated by iptables-save v1.6.1 on Wed Jan 22 13:38:06 2020
*filter
:INPUT ACCEPT [403:34388]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [342:39028]
:LOGGING - [0:0]
COMMIT
# Completed on Wed Jan 22 13:38:06 2020
# Generated by iptables-save v1.6.1 on Wed Jan 22 13:38:06 2020
*nat
:PREROUTING ACCEPT [29:2408]
:INPUT ACCEPT [2:99]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Wed Jan 22 13:38:06 2020


Aleksander_swmdx
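An added example, not the poster's own configuration, of the Linux-side setup that the posted nat rules rely on: the `-i wccp0` match can only fire once a GRE tunnel named wccp0 exists and is up, reverse-path filtering must not drop the decapsulated packets, and the port iptables redirects to has to be declared as an intercept port in squid.conf. It assumes the Squid host is 10.10.6.10 on eth0 and the router is 10.10.6.1; it redirects only port 80, since TCP/443 cannot be handed to a plain http_port. By default it prints the commands instead of running them.

```shell
#!/bin/sh
# Linux side of a WCCPv2 GRE interception setup for Squid (added example).
# Assumed values (not taken from the original post): Squid host 10.10.6.10 on eth0,
# Cisco router 10.10.6.1, Squid intercept port 3129.
ROUTER=${ROUTER:-10.10.6.1}
SQUID_IP=${SQUID_IP:-10.10.6.10}
LAN_IF=${LAN_IF:-eth0}
TUN_IF=${TUN_IF:-wccp0}
INTERCEPT_PORT=${INTERCEPT_PORT:-3129}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands; run with DRY_RUN=0 as root to apply them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

wccp_linux_setup() {
  # 1. The router GRE-encapsulates redirected packets towards the Squid IP. A gre
  #    tunnel interface decapsulates them; until it exists and is up, the nat rule
  #    with "-i wccp0" matches nothing, while tcpdump on eth0 still shows GRE arriving.
  run modprobe ip_gre
  run ip tunnel add "$TUN_IF" mode gre remote "$ROUTER" local "$SQUID_IP" dev "$LAN_IF"
  run ip link set "$TUN_IF" up
  # 2. Decapsulated packets carry LAN client source addresses (routed via eth0) but
  #    arrive on the tunnel; strict reverse-path filtering would silently drop them.
  run sysctl -w net.ipv4.conf.all.rp_filter=0
  run sysctl -w "net.ipv4.conf.$TUN_IF.rp_filter=0"
  # 3. Redirect only plain HTTP to the intercept port. TCP/443 carries TLS and
  #    cannot be served by an http_port; that needs https_port with ssl-bump,
  #    which is outside this example.
  run iptables -t nat -A PREROUTING -i "$TUN_IF" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

# squid.conf port lines that match the rule above: the REDIRECT target must be an
# intercept port. On a plain http_port Squid expects forward-proxy requests with
# absolute URLs and rejects the intercepted ones instead of serving them.
squid_port_lines() {
  printf 'http_port 3128\nhttp_port %s intercept\n' "$INTERCEPT_PORT"
}

wccp_linux_setup
squid_port_lines
```

After applying it, the redirect-list on the Cisco side still has to keep denying the Squid host itself, as the posted WCCP_ACCESS does, so Squid's own outbound connections are not redirected back into the tunnel.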
