Software Effect Enterprises, Inc Home | Site Map

Software Effect Enterprises TOC


Squid Notes

The following is the configuration I used to set up squid on Fedora Core 6 and configure it to use WCCP with a Cisco router

Cisco Router Settings

Interface ethernet0/0 is connected the firewall of my network. All of the clients are connected to ethernet1/0 and ethernet 1/1

ip wccp version 1
ip wccp web-cache
interface Ethernet0/0
ip wccp web-cache redirect out

Squid configuration on Fedora Core 6

edit /etc/sysctl.conf to say:
net.ipv4.ip_forward =1
net.ipv4.conf.all.rp_filter = 0

and reboot

Checked your rp_filter settings for the gre interface and eth0: (or the ethernet interface you are using)

cat /proc/sys/net/ipv4/conf/all/rp_filter
cat /proc/sys/net/ipv4/conf/eth0/rp_filter
cat /proc/sys/net/ipv4/conf/gre1/rp_filter
(they should all print out "0")

Put this at the TOP of /etc/sysconfig/iptables. Replace with the ip address of the squid server

-A PREROUTING -i gre1 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination

Put these lines in the middle of the *filter section of the /etc/sysconfig/iptables. Replace with the IP address of the router that is running WCCP

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -s -p gre -j ACCEPT

Create a file named /usr/local/sbin/squidtunnel

# set the next line to the ethernet interface that you are using on your squid server
IPADDR=`ifconfig $EINTERFACE | grep "inet addr" | awk -F ":" {'print $2'} | awk {'print $1'}`
IPROUTER=`egrep \^wccp_router /etc/squid/squid.conf | awk {'print $2'}`

# set up tunnel for squid
modprobe ip_gre
iptunnel add gre1 mode gre remote $IPROUTER local $IPADDR dev $EINTERFACE
ifconfig gre1 up

##### end of /usr/local/sbin/squidtunnel

chown 700 /usr/local/sbin/squidtunnel

edit /etc/rc.d/rc.local and add the following line to the end


edit /etc/squid/squid.conf and make sure it contains the following. (Remarks removed for brevity) Replace with the IP address of the router that is running WCCP Replace with the ip address range of your client machines. If you have more than one network range (i.e. and list each range on the same line with "acl our_networks src" separated by spaces

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src
acl manager proto cache_object
acl localhost src
acl our_networks src
acl to_localhost dst
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access allow our_networks
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Today's date is: Saturday September 23, 2017
This document last modifiedSunday May 29, 2005