Transparent proxy with Cisco WCCP and Squid proxy server

by Ras 15. December 2011 22:18

With the steps below you can configure a transparent proxy using a Cisco router or L3 switch and a Squid proxy server on a Linux machine.


1- Build Squid with --enable-wccp (on Debian: "aptitude install squid").

2- Configure the Squid proxy configuration file:
On squid 2:

wccp2_router <IP_OF_ROUTER>
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
http_port 3128 transparent
acl local_net src <localnet addresses>
http_access allow local_net

On squid 3:

wccp2_router <IP_OF_ROUTER>
wccp_version 4
wccp2_forwarding_method gre
wccp2_return_method gre
http_port 3128 transparent
acl local_net src <localnet addresses>
http_access allow local_net

3- Redirect the traffic on the Linux server:
Create an iptables rule file at /etc/iptables as below and load it with "iptables-restore < /etc/iptables":

# /etc/iptables
# Allow in everything, from everywhere
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reroute HTTP requests to the proxy server
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

COMMIT

4- Create a GRE tunnel between the Cisco router and the Linux box:
echo ip_gre >> /etc/modules
modprobe ip_gre
iptunnel add gre1 mode gre remote IP-ADDRESS-OF-ROUTER local IP-ADDRESS-OF-SQUID-CACHE dev eth0
ifconfig gre1 172.16.0.2 up
ip link set gre1 mtu 1476
ip link set gre1 up
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

5- I suggest creating a shell script and putting it in /etc/rc3.d.
Mine is /etc/rc3.d/S72wccp, as below:
——————————————————————-
#!/bin/bash
# Bring up the WCCP GRE tunnel and load the redirect rules at boot.

case "$1" in
  start)
    modprobe ip_gre
    iptunnel add gre1 mode gre remote IP-ADDRESS-OF-ROUTER local IP-ADDRESS-OF-SQUID-CACHE dev eth0
    ifconfig gre1 172.16.0.2 up
    ip link set gre1 mtu 1476
    ip link set gre1 up
    # Disable reverse-path filtering: the redirected client packets arrive on
    # gre1 with source addresses that are not routed back through that interface,
    # and rp_filter would otherwise drop them.
    echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    iptables-restore < /etc/iptables
    ;;
  stop)
    ;;
  *)
    ;;
esac
——————————————————————–

6- Configure Cisco router
Cisco> enable
Cisco# config t
Cisco(config)# ip wccp version 2
Cisco(config)# ip wccp web-cache redirect-list 150
Cisco(config)# access-list 150 permit tcp 192.168.1.0 0.0.0.255 any
Cisco(config)# access-list 150 deny tcp any any
Cisco(config)# int your-outgoing-interface
Cisco(config-if)# ip wccp web-cache redirect out
Cisco(config-if)# end
Cisco# write mem

Note: Remember that this is an HTTP cache proxy only; all other traffic still has to pass through the router's NAT.
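As an added example (not code from the original post), here is a small Python decoder for the frames that arrive on gre1 after steps 3 and 4: it checks that the outer packet is plain GRE from the configured router, skips the WCCPv2 redirect header the way the Linux ip_gre driver does, and reports whether the inner flow would match the PREROUTING REDIRECT rule above. The sample frame and every address in it (router 10.0.0.1, cache 10.0.0.2, client 192.168.1.10, server 203.0.113.5) are constructed assumptions, not values from the page.

```python
import struct

ETH_P_WCCP = 0x883E   # GRE protocol type the router uses for WCCP-redirected packets
PROXY_PORT = 3128     # where the page's PREROUTING rule REDIRECTs port-80 traffic

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options, checksum left 0) for the constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def sample_packet(v2_header, outer_src="10.0.0.1"):
    """Constructed frame: router outer_src -> cache 10.0.0.2 carrying a client SYN
    192.168.1.10:40000 -> 203.0.113.5:80 (all addresses are assumptions)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header("192.168.1.10", "203.0.113.5", 6, len(tcp)) + tcp
    # WCCPv2 prepends a 4-byte redirect header; constructed here with a first
    # nibble that cannot be mistaken for an IPv4 version field.
    wccp = b"\x00\x00\x00\x00" if v2_header else b""
    gre = struct.pack("!HH", 0, ETH_P_WCCP) + wccp + inner
    return ipv4_header(outer_src, "10.0.0.2", 47, len(gre)) + gre

def decode_wccp_gre(packet, router_ip):
    """Validate an outer IPv4/GRE frame as it arrives on gre1 and classify the inner flow.

    Rejects anything that is not plain WCCP GRE from the configured router, since the
    page's filter table accepts everything and GRE itself carries no authentication.
    Returns the inner 5-tuple plus the port the REDIRECT rule would send it to (or None).
    """
    if packet[0] >> 4 != 4 or packet[9] != 47:
        raise ValueError("not an IPv4/GRE packet")
    outer_src = ".".join(map(str, packet[12:16]))
    if outer_src != router_ip:
        raise ValueError(f"GRE from unexpected peer {outer_src}")
    ihl = (packet[0] & 0x0F) * 4
    flags_ver, gre_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver != 0 or gre_proto != ETH_P_WCCP:
        raise ValueError("not a plain WCCP GRE header")
    inner = packet[ihl + 4:]
    # Same heuristic as the Linux ip_gre driver: if the byte after the GRE header
    # does not carry IPv4's version nibble, a WCCPv2 redirect header is present.
    if (inner[0] & 0xF0) != 0x40:
        inner = inner[4:]
    if inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    redirected = proto == 6 and dport == 80   # matches '-p tcp --dport 80' on gre1
    return {"src": ".".join(map(str, inner[12:16])), "dst": ".".join(map(str, inner[16:20])),
            "proto": proto, "sport": sport, "dport": dport,
            "redirect_to": PROXY_PORT if redirected else None}
```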

Comments (2)

Muhammad Faisal (Islamic Republic of Pakistan), 2/20/2012 12:35:15 AM

Hi,

Why have you used the outgoing interface for redirection in your config example?
Cisco(config)# int your-outgoing-interface
Cisco(config-if)# ip wccp web-cache redirect out

In the official Squid guide the redirection is recommended on the inbound interface:
Cisco(config-if)# ip wccp web-cache redirect in

What is the difference between the two?

Thanks,
Faisal.


rasoolg (United States), 2/20/2012 10:04:44 PM

It is definitely better to do it inbound, as there will be less traffic on the router.
However, what I have found in my experience is that when you are doing this in a large environment with dynamic routing within the network and multiple connections to the core switches, outbound can be implemented more easily, as there can be a lot of inbound channels and types; specifically, on the trunk ports you can enable WCCP!
If it can be done inbound in your scenario I would definitely suggest that too.


About the author

Ras is a network/security professional working in multiple areas, with multiple certificates such as CCNP, CCIP, CCSP, CCSA, CCSE, LPI, PM, IPv6, ..
