RadHat AS5+Squid2.6.19+ASA 5520 8.2 透明代理

写前：

透明代理：客户端无需要手工设置代理，网络系统自动重定向到代理服务上。

WCCP协议：Cisco专有协议，在Cisco的路由器、中高端交换机、某些Cache中支持，相关厂家也支持，本文配置的Squid 软件也支持；四层交换机和普通代理服务器也可实现透明代理。

用户有这么需求，同时ASA防火墙做了NAT以后，内存占用很多，对性能要求很高，建议用透明代理增加带宽，同时配置透明代理来较少客户端的配置工作。

对Linux的Iptables了解有限，网站详细能实现的案例是在少的可怜，以下详细配置实属不易….

 

1 、网络拓扑

 

 

2 、环境

 

2.1 防火墙版本

InternetFireWall# sh ver

 

Cisco Adaptive Security Appliance Software Version 8.0(3)

Device Manager Version 6.0(3)

 

Compiled on Tue 06-Nov-07 22:59 by builders

System p_w_picpath file is "disk0:/asa803-k8.bin"

Config file at boot was "startup-config"

 

 

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

2.2 、 Linux 的版本

[admin@netproxy ~]$ uname -a

Linux netproxy 2.6.18 -53.el5xen #1 SMP Wed Oct 10 17:06:12 EDT 2007 i686 i686 i386 GNU/Linux

[admin@netproxy ~]$

 

2.3 、 squid 的版本及编译参数(没有系统自带的squid，重新安装）

[admin@netproxy sbin]$ ./squid -v

Squid Cache: Version 2.6.STABLE19

configure options:  '--prefix=/usr/local/squid' '--enable-dlmalloc' '--with-pthreads' '--enable-poll' '--disable-internal-dns' '--enable-stacktrace' '--enable-removal-policies=heap,lru' '--enable-delay-pools' '--enable-storeio=aufs,coss,diskd,ufs'

[admin@netproxy sbin]$

3 、 AS5 编辑

 

3.1 编辑 /etc/sysctl.conf  文件

 

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

 

3.2 编辑 squid.conf 文件

 

/usr/local/squid/etc/squid.conf

 

http_port 3128 transparent
wccp2_router 192.168.205.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1

#查找 acl，确保 需要上网的网段放开

acl all src 0.0.0 .0/0.0.0.0
http_access allow all

 

 

建立GRE（参考资料说也可采用IP-wccp ，两者只能用一个，AS5 自带GRE模块，Ip-wccp需要在squid网站下载安装）

 

modprobe ip_gre

ifconfig gre0 127.0.0.3 up

 

iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.205.4:3128

iptables -t nat -A PREROUTING -s 172.16.0.0/255.255.0.0 -d ! 172.16.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.205.4:3128

 

[root@netproxy usr]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00: 1A :64: 0A :B3:98 
          inet addr:192.168.205.4  Bcast:192.168.205.7  Mask:255.255.255.248
          inet6 addr: fe80:: 21a :64ff:fe 0a :b398/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59335758 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60489065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1517502610 (1.4 GiB)  TX bytes:1056225077 (1007.2 MiB)

gre0      Link encap:UNSPEC  HWaddr
00-00-00-00-DA-BF-A8-35-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.3  Mask:255.0.0.0
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:22683975 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1214455678 (1.1 GiB)  TX bytes:0 (0.0 b)

 

3.3 验证

[root@netproxy etc]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  192.168.0.0/16        !192.168.0.0/16        tcp dpt:http
to:192.168.205.4:3128
DNAT       tcp  --  172.16.0.0/16       !172.16.0.0/16       tcp dpt:http
to:192.168.205.4:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  192.168.122.0/24     anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@netproxy etc]#

 

4 、 ASA 上的配置

4.1 接口

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 61.x.x.x   255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.205.1 255.255.255.248

 

4.2 NAT

global (outside) 1 1x.x.x.66-70
nat (inside) 1 0.0.0 .0 0.0.0.0

 

4.3 WCCP-ACL

（注意：扩展列表，仅为 www ，其他不要，否则出问题，也可将UDP 8000 转过来，否则可能影响QQ）

access-list wccpacl extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list wccpacl extended permit tcp 172.16.0.0 255.255.0.0 any eq www

 

4.4 WCCP

wccp web-cache redirect-list wccpacl
wccp interface inside web-cache redirect in

 

5 、验证如下

 

InternetFireWall#   sh wccp web-cache view

 

    WCCP Routers Informed of:

        61.x.x.x

 

    WCCP Cache Engines Visible:

        192.168.205.4

 

    WCCP Cache Engines NOT Visible:

        -none-

InternetFireWall#   sh wccp web-cache service

 

WCCP service information definition:

        Type:          Standard

        Id:            0

        Priority:      240

        Protocol:      6

        Options:       0x00000512

        --------

            Hash:      DstIP

            Alt Hash:  SrcIP SrcPort

            Ports:     Destination:: 80 0 0 0 0 0 0 0

InternetFireWall#   sh wccp web-cache detail

 

WCCP Cache-Engine information:

        Web Cache ID:          192.168.205.4

        Protocol Version:      2.0

        State:                 Usable

        Initial Hash Info:     00000000000000000000000000000000

                               00000000000000000000000000000000

        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

        Hash Allotment:        256 (100.00%)

        Packets Redirected:    363329

        Connect Time:          00:20:30

InternetFireWall# sh mem

Free memory:       207303064 bytes (39%)

Used memory:       329567848 bytes (61%)

-------------     ----------------

Total memory:      536870912 bytes (100%)

InternetFireWall# sh wccp

 

Global WCCP information:

    Router information:

        Router Identifier:                   61.x.x.x  （防火墙外口为路由标识）

        Protocol Version:                    2.0

 

    Service Identifier: web-cache

        Number of Cache Engines:             1

        Number of routers:                   1

        Total Packets Redirected:            679038

        Redirect access-list:                wccpacl

        Total Connections Denied Redirect:   0

        Total Packets Unassigned:            58

        Group access-list:                   -none-

        Total Messages Denied to Group:      0

        Total Authentication failures:       0

        Total Bypassed Packets Received:     0

InternetFireWall# sh wccp interfaces detail

 

WCCP interface configuration details:

    GigabitEthernet0/1

        Output services: 0

        Input services:  1

        Static:          Web-cache

        Dynamic:         None

        Mcast services:  0

        Exclude In:      FALSE

InternetFireWall# sh wccp web-cache view

 

    WCCP Routers Informed of:

        61.x.x.x

 

    WCCP Cache Engines Visible:

        192.168.205.4

 

    WCCP Cache Engines NOT Visible:

        -none-

InternetFireWall# sh wccp web-cache detail

 

WCCP Cache-Engine information:

        Web Cache ID:          192.168.205.4

        Protocol Version:      2.0

        State:                 Usable

        Initial Hash Info:     00000000000000000000000000000000

                               00000000000000000000000000000000

        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

        Hash Allotment:        256 (100.00%)

        Packets Redirected:    701985

        Connect Time:          00:26:41

InternetFireWall# sh wccp web-cache b

 

WCCP hash bucket assignments:

 

        Index  Cache Engine:

          00   192.168.205.4

          FF   NOT ASSIGNED

 

        XX|  0  1  2  3  4  5  6  7   8  9   A   B  C  D  E  F

        --|-------------------------------------------------

        00| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        10| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        20| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        30| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        40| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        50| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        60| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        70| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        80| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        90| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        A0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        B0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        C0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        D0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        E0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

        F0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

 

写后：

 

本来想在Cisco 4500 系列交换机4代引擎上实现，但是交换机上支持L2-redirect，不支持GRE，测试N多次，没有成功。

 

关于在交换机测试，还在继续，但愿哪天搞定….