Настройка связки cisco wccp+squid на freebsd 10

[f1nka]

Дня доброго.
Решил запилить прозрачный сквид по схеме cisco+cisco wccp+squid
Собираю на freebsd 10 в такой конфигурации.

Ядро:

Код: Выделить всё

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=50
#options         IPFIREWALL_FORWARD
options         IPDIVERT
options         DUMMYNET
options         IPFIREWALL_DEFAULT_TO_ACCEPT

#options IPFIREWALL_FORWARD с этой опцией не конфигуриться, читал что а 10 уже не нужно компилить ядро с такой опцией.

squid.conf

Код: Выделить всё

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all
visible_hostname Stat

# Squid normally listens to port 3128
http_port 10.8.0.161:3128 intercept
http_port 127.0.0.1:3128 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 300 32 512

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

wccp2_router 10.8.0.1
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1

rc.firewall

Код: Выделить всё

#!/bin/sh

NET_IF="gre1"
IPFW="/sbin/ipfw -q"

$IPFW -f flush



$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 via gre1 in
$IPFW add 1111 fwd 127.0.0.1,3128 ip from any to any 80 via gre1 in

rc.conf

hostname="statistic"
ifconfig_em0="inet 10.8.0.161 netmask 255.254.0.0"
defaultrouter="10.8.0.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/rc.firewall"
#firewall_nat_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
snmpd_enable="YES"
squid_enable="YES"
ipfw_load="YES"
ipdivert_load="YES"

ifconfig gre1 create
ifconfig gre1 10.8.0.161 10.20.30.40 netmask 255.255.255.255 link2 tunnel 10.8.0.161 10.8.0.1 up

Проблема в том, что при запуске перестает работать инет (80) порт, ну и когда слушаешь tcpdump -i gre1 никакой статистики нет

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[Raven2000]

=== Прозрачное проксирование через Cisco по WCCP ===
==== Необходимо настроить роутер ====
Укажем, что будем использовать wccp, где и какие ACL:

Код: Выделить всё

#show running-config
ip wccp web-cache redirect-list FW-WCCP-SQ

~
interface Loopback10
description *For to JD*
ip address ---------------
ip nat outside
ip virtual-reassembly in

~

interface GigabitEthernet0/1
description *INTERNET*
ip address ------------------
ip access-group FROMWAN in
ip access-group FORLANS out
ip accounting output-packets
ip accounting precedence input
ip wccp web-cache redirect out
ip nat outside
ip inspect VERIFY out
ip virtual-reassembly in
duplex auto
speed 100
no cdp enable
no mop enabled

~

ip access-list extended FW-WCCP-SQ
deny tcp host 10.1.3.253 any eq www
deny tcp host 10.1.3.39 any eq www
deny tcp host 10.1.3.253 any eq 8000
deny tcp host 10.1.3.253 any eq 8080
permit tcp 10.0.0.0 0.255.255.255 any eq www
permit tcp 10.0.0.0 0.255.255.255 any eq 8000
permit tcp 10.0.0.0 0.255.255.255 any eq 8080

Проверим индикатор который будет использоваться для туннелирования (Router Identifier):

Код: Выделить всё

#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 10.35.75.242
Protocol Version: 2.0

Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 1000361
Process: 1006
CEF: 999355
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: FW-WCCP-SQ
Total Packets Denied Redirect: 4638
Total Packets Unassigned: 19611
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0

==== Необходимо настроить FreeBSD и squid ====

Настроим туннелирование до интерфейса роутера:
e

Код: Выделить всё

tsys-ul# vi /etc/rc.conf
cloned_interfaces="gre0"
ifconfig_gre0="link2 tunnel 10.1.3.253 10.35.75.242 up"
firewall_enable="YES"
firewall_type="open"
firewall_script="/usr/local/etc/ipfw.rules"

# cat /usr/local/etc/ipfw.rules
ipfw -q flush
cmd="ipfw -q add "
$cmd 100 allow ip from any to any via lo0
$cmd 150 fwd 127.0.0.1,3129 tcp from any to any dst-port 80 in via gre0
$cmd 200 deny ip from any to 127.0.0.0/8
$cmd 300 deny ip from 127.0.0.0/8 to any
$cmd 400 deny ip from any to ::1
$cmd 500 deny ip from ::1 to any
$cmd 650 allow ip from any to any
$cmd 655 deny ip from any to any

Где 10.1.3.253 свой IP адрес, а 10.35.75.242 адрес Loopback10 и он же Router Identifier в cisco и с ним будем туннелировать. Перезагружаем Freebsd и проверяем туннель(gre0):

Код: Выделить всё

# ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet 10.1.3.253 netmask 0xffffff00 broadcast 10.1.3.255
ether 00:0b:cd:cf:22:ba
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
gre0: flags=d011<UP,POINTOPOINT,LINK0,LINK2,MULTICAST> mtu 1476
tunnel inet 10.1.3.253 --> 10.35.75.242

Заходим в конфигурационный файл squid и указываем IP роутера и прозрачную передачу и перезагружаем сквид:

Код: Выделить всё

etsys-ul# vi /usr/local/etc/squid/squid.conf
http_port 3129 intercept
~~
wccp2_router 10.1.3.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

Добавляем правило в IPFW (SQUID должен быть собран с поддержкой прозрачного проксирования)

Код: Выделить всё

etsys# ipfw add 150 fwd 127.0.0.1,3129 tcp from any to any dst-port 80 in via gre0

==== Проверка работы ====

Код: Выделить всё

#show ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.1.3.253
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 922243
Connect Time: 00:44:12
GRE Bypassed Packets
Process: 0
CEF: 0
Errors: 0

etsys# ipfw show
00100 4291 171640 allow ip from any to any via lo0
00150 28890 3767277 fwd 127.0.0.1,3129 tcp from any to any dst-port 80 in via gre0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 1 96 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 158291 141477452 allow ip from any to any
65535 0 0 deny ip from any to any

etsys# tcpdump -i gre0

~~должны бегать пакеты

==== Дополнительно ====
* Есть фича - нет привязки индикатора к какому то определенному Loopback
* [http://docwiki.cisco.com/wiki/Cisco_WAA ... oting_WCCP Сisco WAAS Troubleshooting Guide for Release 4.1.3 and Later -- Troubleshooting WCCP]