我实现了这个场景:
ISP <==> ASA <==> SWITCH <==> LAN + SQUID
Squid 服务器位于同一个 INSIDE ASA 接口内,但位于不同的 VLAN 内。
tcpdump -nni wccp0 -p tcp and port 80
09:59:10.013059 IP 10.30.0.104.43210 > 134.170.58.121.80: Flags [S], seq 28582661, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.127053 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.641802 IP 192.168.192.2.56099 > 140.108.21.70.80: Flags [R], seq 1167442925, win 0, length 0
09:59:19.126040 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:21.130148 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:25.134761 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
root@proxy-bsn:/home/test-proxy# iptables -S -t nat -v
-P PREROUTING ACCEPT -c 218 29419
-P INPUT ACCEPT -c 330 35243
-P OUTPUT ACCEPT -c 121 7535
-P POSTROUTING ACCEPT -c 121 7535
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -c **112 5824** -j DNAT --to-destination 10.30.0.120:3129
tcpdump 显示 ASA 到代理盒的 WCCP/GRE 重定向本身是通的:客户端 10.30.0.104 的 SYN 已经经由 wccp0 进入代理盒,并且 PREROUTING 里那条 DNAT 规则的计数器也在增长。但抓包里只有 SYN 及其重传(间隔约 1s、2s、4s),没有任何 SYN-ACK 回到客户端,说明问题出在 DNAT 之后的环节。从客户端的角度看,浏览器报错为
This page can’t be displayed
我怀疑是代理盒上的防火墙/内核转发设置造成的,于是检查了 rp_filter 和 forwarding,得到如下结果:
$ sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.em1.arp_filter = 0
net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.arp_filter = 0
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.em3.arp_filter = 0
net.ipv4.conf.em3.rp_filter = 0
net.ipv4.conf.em4.arp_filter = 0
net.ipv4.conf.em4.rp_filter = 0
net.ipv4.conf.em49.arp_filter = 0
net.ipv4.conf.em49.rp_filter = 0
net.ipv4.conf.em50.arp_filter = 0
net.ipv4.conf.em50.rp_filter = 0
net.ipv4.conf.gre0.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.gretap0.arp_filter = 0
net.ipv4.conf.gretap0.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wccp0.arp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.em1.stable_secret"
sysctl: reading key "net.ipv6.conf.em2.stable_secret"
sysctl: reading key "net.ipv6.conf.em3.stable_secret"
sysctl: reading key "net.ipv6.conf.em4.stable_secret"
sysctl: reading key "net.ipv6.conf.em49.stable_secret"
sysctl: reading key "net.ipv6.conf.em50.stable_secret"
sysctl: reading key "net.ipv6.conf.gre0.stable_secret"
sysctl: reading key "net.ipv6.conf.gretap0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.wccp0.stable_secret"
$ sysctl -a | grep forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.em1.forwarding = 1
net.ipv4.conf.em1.mc_forwarding = 0
net.ipv4.conf.em2.forwarding = 1
net.ipv4.conf.em2.mc_forwarding = 0
net.ipv4.conf.em3.forwarding = 1
net.ipv4.conf.em3.mc_forwarding = 0
net.ipv4.conf.em4.forwarding = 1
net.ipv4.conf.em4.mc_forwarding = 0
net.ipv4.conf.em49.forwarding = 1
net.ipv4.conf.em49.mc_forwarding = 0
net.ipv4.conf.em50.forwarding = 1
net.ipv4.conf.em50.mc_forwarding = 0
net.ipv4.conf.gre0.forwarding = 1
net.ipv4.conf.gre0.mc_forwarding = 0
net.ipv4.conf.gretap0.forwarding = 1
net.ipv4.conf.gretap0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wccp0.forwarding = 1
net.ipv4.conf.wccp0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em1.stable_secret"
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.em1.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em2.stable_secret"
net.ipv6.conf.em2.forwarding = 1
net.ipv6.conf.em2.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em3.stable_secret"
net.ipv6.conf.em3.forwarding = 1
net.ipv6.conf.em3.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em4.stable_secret"
net.ipv6.conf.em4.forwarding = 1
net.ipv6.conf.em4.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em49.stable_secret"
net.ipv6.conf.em49.forwarding = 1
net.ipv6.conf.em49.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em50.stable_secret"
net.ipv6.conf.em50.forwarding = 1
net.ipv6.conf.em50.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.gre0.stable_secret"
net.ipv6.conf.gre0.forwarding = 1
net.ipv6.conf.gre0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.gretap0.stable_secret"
net.ipv6.conf.gretap0.forwarding = 1
net.ipv6.conf.gretap0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.wccp0.stable_secret"
net.ipv6.conf.wccp0.forwarding = 1
net.ipv6.conf.wccp0.mc_forwarding = 0
从这些输出里我看不出问题:所有接口的 rp_filter 都是 0,forwarding 也都已开启。(顺带一提:WCCP 的 GRE 回程路径是不对称的,确实需要关闭反向路径过滤,但只需在 wccp0 上关闭即可;像这样在 all/default 和每个物理接口上都关掉,会让代理盒失去所有接口上的源地址防欺骗检查,定位完问题后建议收回。)有一篇文章说,ASA+Squid 的 WCCP 部署应该把 Squid 放在与 ASA inside 接口同一个子网中。我试过了,同样失败。
这是代理盒的 uname 以及 Squid 的版本和相关配置(注:Squid 3.3.x 与 Ubuntu 14.04 都早已停止维护,这与本问题无关,但生产环境不应继续使用这个组合):
$ uname -a
Linux proxy-bsn 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ squid3 -v
Squid Cache: Version 3.3.8
http_port 3128
http_port 3129 intercept
wccp_version 4
wccp2_router 192.192.168.254
wccp2_forwarding_method gre
wccp2_return_method gre
最后,我尝试在端口 3129 上抓包……什么也没有。不过需要注意:tcpdump 在接口上看到的是 PREROUTING DNAT 之前的报文,所以在 wccp0 上过滤 port 3129 永远不会有结果;应改用 `tcpdump -nni any 'tcp port 3129'`(或在持有 10.30.0.120 的那个接口上抓),并用 `conntrack -L | grep 3129` 确认 DNAT 是否真的建立了会话。还要确认 10.30.0.120 确实是代理盒本机配置的地址——DNAT 到非本机地址时,报文会被继续转发出去而不是交给本机的 Squid,而 Squid 的 intercept 端口也要求 NAT 在同一台主机上完成才能查到原始目的地址。另外请核对 wccp2_router 192.192.168.254 是否确实是 ASA 的 inside 接口地址(抓包中出现的是 192.168.192.2,两者数字顺序不同,疑似笔误)。