Dear All,

I have finally succeeded in getting SQUID working as a
transparent proxy on a Debian Linux box (version 2.6.18) using WCCP
from a CISCO router. The solution will follow shortly after I rant just
a little bit.

RANT:
I'd like to say it was a carefully reasoned solution as a
result of an improved understanding of linux networking. It wasn't. I'd
even be happy to say that it was something stupid I missed early on and
that I am now flailing myself every evening in recompense. It wasn't
that either. In the end - I just tried everything I could possibly
think of in as many combinations as possible until something stuck.
This is the worst kind of brute-force approach and I feel it important
to document my solution somewhere so that other people don't have to go
through this as well.

SOLUTION:
So I upgraded to linux 2.6.18 as it has support for the
non-standard GRE packets that CISCO uses for WCCP built in (I don't
have to use ip_wccp). I set my SQUID up as per all the helpful FAQs.

I made sure my "ip spoofing protection" was switched off and "ip
forwarding" was switched on by editing /etc/sysctl.conf to say :
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0

I made a GRE tunnel like so
modprobe ip_gre
iptunnel add gre1 mode gre remote $routerPublicIP local \
$webCacheIP dev eth0
ifconfig gre1 $greAdapterIP up # greAdapterIP = 127.0.0.2

I checked my rp_filter settings for the gre interface and eth0:
cat /proc/sys/net/ipv4/conf/all/rp_filter
cat /proc/sys/net/ipv4/conf/eth0/rp_filter
cat /proc/sys/net/ipv4/conf/gre1/rp_filter
(they should all print out "0")

Then I set up my ipTables as follows:
iptables -A INPUT -i gre1 -j ACCEPT # allow everything in from the gre tunnel
iptables -t nat -A PREROUTING -i gre1 -d 0/0 -p tcp --dport 80 \
    -j DNAT --to-destination $webCacheIP:$webCachePort
# Redirect anything coming in the gre interface to the webcache
# proxy on its proxy port.

Note I used DNAT instead of REDIRECT. This is because REDIRECT
just didn't work with anything coming out of the GRE tunnel. Honestly.
I can log stuff just before it gets redirected without a problem, but
then the packets just disappear. Vanish. But DNAT does work. That's the
real key. Don't ask me why, but it does. It is the failure of the
REDIRECT target that really caused the problem and no end of headaches.
Two weeks worth of headaches to be exact.

Please refer to my previous post :
http://groups.google.com/group/maili...8c2bc2b7c05cca
for background.

I hope this has helped someone. If anyone has an explanation as
to why this works and REDIRECT doesn't, I'd be happy to hear it.

Regards,

Ben.
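The steps above, gathered into one script as an added example (this is not Ben's script and not part of the original post). It keeps the post's order: check that rp_filter is 0 on all/eth0/gre1 before touching anything, then bring up the GRE tunnel and install the INPUT accept and the DNAT rule. The DRY_RUN and SYSFS_ROOT knobs, the helper names, and the 192.0.2.x addresses are assumptions made for this example; with the defaults it only prints the commands, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not the original poster's script. Variable names, DRY_RUN,
# SYSFS_ROOT and the sample addresses below are assumptions for this example.

ROUTER_PUBLIC_IP="${ROUTER_PUBLIC_IP:-192.0.2.1}"      # constructed sample value
WEB_CACHE_IP="${WEB_CACHE_IP:-192.0.2.10}"             # constructed sample value
WEB_CACHE_PORT="${WEB_CACHE_PORT:-3128}"               # Squid's usual port (assumed)
GRE_ADAPTER_IP="${GRE_ADAPTER_IP:-127.0.0.2}"          # as in the post
SYSFS_ROOT="${SYSFS_ROOT:-/proc/sys/net/ipv4/conf}"    # overridable for offline testing
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print commands only

# run: echo the command, and execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "0" ] && "$@"
    return 0
}

# wccp_rp_filter_ok: succeed only if rp_filter reads 0 on every listed interface.
# With reverse-path filtering on, the redirected packets arriving through gre1
# carry client source addresses that are not routable back via the tunnel, and
# the kernel silently drops them, which looks just like "vanishing" traffic.
wccp_rp_filter_ok() {
    for iface in "$@"; do
        f="$SYSFS_ROOT/$iface/rp_filter"
        if [ ! -r "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
        v=$(cat "$f")
        if [ "$v" != "0" ]; then
            echo "rp_filter is $v on $iface (expected 0)" >&2
            return 1
        fi
    done
    return 0
}

# wccp_setup_commands: the tunnel and firewall commands from the post, in order.
wccp_setup_commands() {
    run modprobe ip_gre
    run iptunnel add gre1 mode gre remote "$ROUTER_PUBLIC_IP" local "$WEB_CACHE_IP" dev eth0
    run ifconfig gre1 "$GRE_ADAPTER_IP" up
    # Accept everything arriving through the tunnel.
    run iptables -A INPUT -i gre1 -j ACCEPT
    # DNAT (not REDIRECT) port-80 traffic from the tunnel to the cache.
    run iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_CACHE_IP:$WEB_CACHE_PORT"
}

# main: refuse to configure anything until the rp_filter check passes.
main() {
    wccp_rp_filter_ok all eth0 gre1 || { echo "fix rp_filter first" >&2; return 1; }
    wccp_setup_commands
}

# Apply only when explicitly asked; sourcing the file just defines the functions.
if [ "${WCCP_APPLY:-0}" = "1" ]; then
    main
fi
```

Run it as root with WCCP_APPLY=1 DRY_RUN=0 and the real addresses exported; note that gre1 only appears under /proc/sys/net/ipv4/conf once the tunnel exists, so on a fresh box the rp_filter check is naturally done after "iptunnel add" and before the iptables rules.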