🔗 WCCP2 和 NAT 在私有内部网络上
🔗 目录
- Cisco 2651 双速以太网路由器;在 fa0/0 上终止 PPPoE,并在 fa0/1 上运行 VLAN 到 DMZ 和内部网络
- 接入 VLAN 感知交换机,将 VLAN 分发到多个端口
- 在 NAT 化的 DMZ IP 上运行 WCCP;不是全部
- Squid 服务器有两个以太网端口 - 一个 IP 在 DMZ,一个 IP 在内部网络
- 重定向的请求发送到 Squid 服务器的内部网络端口
- Squid 服务器通过 DMZ IP 发出请求;避免被 WCCP 拦截
这种网络架构不是很理想,因为
- 最好在出站接口上执行 WCCPv2 拦截,而不是在内部接口上对入向流量进行拦截;
- Squid 缓存最好只使用一个网络端口而不是两个 - 不过好在这只是我的家庭开发环境
🔗 图示

🔗 Cisco 路由器配置
路由器版本:2651 运行 12.4(2)T1 C2600-TELCO-M,96Mb RAM,16Mb Flash
!
! Last configuration change at 16:26:40 UTC Sat Sep 2 2006
! NVRAM config last updated at 16:26:41 UTC Sat Sep 2 2006
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
! The type-7 "encryption" this applies to line/PPP passwords below is reversible
! obfuscation, not a hash; treat anything stored as 'password 7' as plaintext.
service password-encryption
!
hostname cacheboy-1
!
logging buffered 8192 debugging
no logging console
! 'secret 5' is a salted MD5 hash (value redacted in this example), unlike the
! type-7 passwords further down.
enable secret 5 <password>
!
no network-clock-participate wic 0
ip subnet-zero
! Enable the WCCPv2 'web-cache' service group (standard service 0, TCP port 80).
! No 'group-list' ACL and no service 'password' are set, so any host that can
! reach the router may register as a cache and receive redirected traffic.
! access-lists 3/12/13 below are unreferenced and look like group-list candidates.
ip wccp web-cache
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.128
ip dhcp excluded-address 192.168.7.1 192.168.7.128
!
! DHCP for the internal LAN. The DNS server handed out is the same address the
! Squid configuration uses as its tcp_outgoing_address.
ip dhcp pool localnet
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name home.cacheboy.net
dns-server 203.56.15.78
lease 30
!
!
no ip domain lookup
ip name-server 203.56.14.17
ip name-server 203.56.14.20
! PPPoE client for the ADSL line; the session is carried over FastEthernet0/0.
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
interface FastEthernet0/0
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
! Internal LAN. WCCP interception is applied INBOUND here (the page itself notes
! that outbound on the WAN side would be the better place). It is NOT applied to
! the DMZ sub-interface below, which is how Squid's own requests - sourced from
! its DMZ address - avoid being re-intercepted.
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip wccp web-cache redirect in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! DMZ VLAN 2 on a public /29: no 'ip nat inside' and no WCCP redirect here.
interface FastEthernet0/1.2
description DMZ
encapsulation dot1Q 2
ip address 203.56.15.73 255.255.255.248
no snmp trap link-status
!
! WAN side (NAT outside). Redirects/unreachables are suppressed towards the
! Internet; the ISP credentials are stored as type 7, i.e. recoverable from
! the config text.
interface Dialer1
description ADSL
ip address negotiated
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer string <username>
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname <username>
ppp chap password 7 <password>
ppp chap refuse
ppp pap sent-username <username> password 7 <password>
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Every NAT translation timeout is 'never': entries are never aged out and
! accumulate until cleared by hand ('clear ip nat translation *'). Workable in
! a home lab; on a busier edge this is a translation-table exhaustion risk.
ip nat translation timeout never
ip nat translation tcp-timeout never
ip nat translation udp-timeout never
ip nat translation finrst-timeout never
ip nat translation syn-timeout never
ip nat translation dns-timeout never
ip nat translation icmp-timeout never
! PAT all list-11 sources behind Dialer1's negotiated address.
ip nat inside source list 11 interface Dialer1 overload
!
! access-lists 3, 12 and 13 are not referenced anywhere in this configuration.
access-list 3 permit any
! Inside networks eligible for NAT; only 192.168.1.0/24 is visible on an
! interface in this config, the 192.168.65-68 networks are presumably behind it.
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.65.0 0.0.0.255
access-list 11 permit 192.168.66.0 0.0.0.255
access-list 11 permit 192.168.67.0 0.0.0.255
access-list 11 permit 192.168.68.0 0.0.0.255
! Wildcard 0.0.0.3 covers only 203.56.15.72-.75, not the whole DMZ /29; Squid's
! DMZ address 203.56.15.78 would fall outside it if this list were ever used.
access-list 12 permit 203.56.15.72 0.0.0.3
access-list 13 permit 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
! Read-only SNMP with no source ACL, so it answers on every interface including
! Dialer1; limit it with 'snmp-server community <community> RO <acl>'.
snmp-server community <password> RO
!
control-plane
!
!
line con 0
speed 115200
flowcontrol hardware
! Telnet transport is enabled on the AUX line and no 'login'/'password' is
! configured for it; check what that exposes (reverse-telnet) before reuse.
line aux 0
transport input telnet
stopbits 1
! VTY access is a single type-7 line password and there is no 'access-class',
! so management is reachable from the WAN unless filtered elsewhere. Prefer
! 'transport input ssh', 'login local' and an inbound 'access-class'.
line vty 0 4
password 7 <password>
login
!
! ntp clock-period is maintained by IOS itself; do not hand-edit it.
ntp clock-period 17207619
ntp server 130.95.128.58
end
🔗 Squid 配置
# Squid drops to this account after start-up. It is a personal login here; a
# dedicated unprivileged service user is the usual least-privilege choice.
cache_effective_user adrian
# This is the standard port 80 web redirection service (matches 'ip wccp
# web-cache' on the router). No service password is configured on either side.
wccp2_service standard 0
# Use the non-NAT'ted external interface to make web requests, so Squid's own
# fetches leave via the DMZ and are not re-intercepted by the router.
tcp_outgoing_address 203.56.15.78
# Talk to the router's internal interface for WCCP (UDP 2048 is the WCCP port).
wccp2_router 192.168.1.1:2048
# Two ports: 192.168.1.10 is the local network interface where WCCPv2 interception
# will occur; localhost is where cachemgr talks to. Neither port is bound on the
# DMZ address, so the proxy is not listening on the public /29.
http_port 192.168.1.10:3128 transparent vport=80
http_port localhost:3128
# ICP is listening although every ICP query is denied below; 'icp_port 0'
# would avoid opening the socket at all.
icp_port 3130
debug_options ALL,1
visible_hostname cindy.cacheboy.net
acl all src 0.0.0.0/0
# Trusted clients: all of 192.168/16 (wider than the intercepted /24 - presumably
# for the other 192.168.x networks in the router's NAT list), the DMZ /29 and
# loopback.
acl lcl src 192.168.0.0/16 203.56.15.72/29 127.0.0.1/32
acl mgr src localhost
acl manager proto cache_object
# cachemgr only from loopback; every other manager request is refused.
http_access allow manager mgr
http_access deny manager
http_access allow lcl
# miss_access is a separate list: any client that passed http_access may
# fetch cache misses.
miss_access allow all
http_access deny all
icp_access deny all
cache_mem 8 MB
cache_dir ufs /usr/local/squid/cache 512 16 64
🔗 Linux 服务器配置
/root/wccp.sh - 启动时运行一次以启用 WCCPv2 数据包解封装和重定向
# /root/wccp.sh - run once at boot: bring up the GRE interface that receives
# WCCPv2-encapsulated packets and steer intercepted port-80 traffic into Squid.

# The address on gre0 is a dummy; it only needs to exist for the interface to
# come up.
ifconfig gre0 inet 1.2.3.4 netmask 255.255.255.0 up

# Forwarding is switched on (the script does not say why - presumably so the
# kernel accepts and routes the decapsulated packets; this also makes the host
# a router for anything else that reaches it, so filter accordingly).
echo 1 > /proc/sys/net/ipv4/ip_forward

# Reverse-path filtering would drop the redirected packets, whose source
# addresses are not routed via gre0; it is disabled on each of these interfaces
# in turn, including the 'default' and 'all' templates.
for rp_if in default all eth0 lo gre0; do
  echo 0 > "/proc/sys/net/ipv4/conf/${rp_if}/rp_filter"
done

# NOTE: this flushes the *entire* nat table, including any rules that were
# not added by this script.
iptables -F -t nat
# Alternative kept for reference: plain REDIRECT on eth0 instead of DNAT on gre0.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Hand TCP/80 packets arriving over the GRE tunnel to Squid's transparent http_port.
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128
内核版本
adrian@cindy:~$ uname -a
Linux cindy 2.6.17-1.2174_FC5xenU #1 SMP Tue Aug 8 17:36:31 EDT 2006 i686 GNU/Linux
⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.
类别: ConfigExample