Traffic Control Using Squid and Cisco Router in CentOS<\/p>\n<\/div>\n There is a few ways for redirecting client\u2019s web requests to squid machine, in this article we will show you how to redirect web traffic from a CISCO router to a Squid Cache machine using\u00a0WCCP<\/strong>\u00a0protocol.<\/p>\n The picture below is an example of a basic scenario.<\/p>\n Control Web Traffic Using Squid Cisco Router<\/p>\n<\/div>\n As you see in above picture all client\u2019s web traffics first goes to\u00a0Cisco Router<\/strong>\u00a0(That is their default gateway), then router silently redirect packets to squid machine, now squid can play it\u2019s roles, the main roles is caching web contents, limit access based on domains, time intervals, ip addresses, size of files, etc..<\/p>\n We review this scenario\u2019s configuration in two Major steps, first we should install and configure squid and Linux, then configure router to redirecting web traffic packets into squid using\u00a0WCCP<\/strong>\u00a0protocol.<\/p>\n In this scenario I use\u00a0CENTOS 6.5<\/strong>\u00a0as my LINUX server and\u00a0Cisco 2691<\/strong>\u00a0as my Router system.<\/p>\n Squid is available on default repository of\u00a0CENTOS<\/strong>, we first install it using lovely\u00a0yum command<\/a>\u00a0and then start their services and finally set automatic starting of squid service.<\/p>\n Now we must change some default behaviors of centos operation system, we need to enable packet forwarding and disable reverse Path filter (RPF<\/strong>), we enable packet forwarding to let the centos acting as a transparent forwarder (like a\u00a0router<\/strong>).<\/p>\n Let me explain in more detail, when traffics gets in centos it have their source and destination addresses, for example when a client enter\u00a0www.example.com<\/strong>\u00a0on his\/her browser a http request packet generates and it have source ip address of client machine (like\u00a0192.168.1.20<\/strong>) and destination ip address of\u00a0example.com<\/strong>\u00a0server (like\u00a02.2.2.2<\/strong>).<\/p>\n So, when packet received by centos it detect as an wrong packet because centos ip address is not as destination address of the packet, for security reasons centos drop the packet, but we want from squid to act in transparent mode. We tell this situation to centos by enabling packet forwarding potion.<\/p>\n Next we should disable Reverse path Filtering to let the centos accepting packets that not accessible by squid machine or it packets that do not have ip address in the same subnet of squid machine.<\/p>\n Next we need to create a\u00a0GRE<\/strong>\u00a0interface on CENTOS machine, for what?? Let me explain more, the\u00a0WCCP<\/strong>protocol works through a\u00a0GRE<\/strong>\u00a0Tunnel, it means the language between router and Squid is GRE, so centos need to have a GRE interface for De-encapsulate GRE packets.<\/p>\n We should create the configuration file for GRE interface in \u201c\/etc\/sysconfig\/network-script\/ifcfg-gre0<\/strong>\u201d path.<\/p>\n Enter below codes in\u00a0ifcfg-gre0<\/strong>\u00a0configuration file.<\/p>\n After creating a\u00a0GRE<\/strong>\u00a0interface we need to restart network service.<\/p>\n We need to tell squid accepting\u00a0WCCP<\/strong>\u00a0packets from router. Enter below codes in\u00a0\/etc\/squid\/squid.conf<\/strong>\u00a0file.<\/p>\n Save the configuration file and restart squid service.<\/p>\n Squid listen for packets in\u00a03128<\/strong>\u00a0port, but our packet\u2019s destination port number is\u00a080<\/strong>, so for changing destination port\u00a080<\/strong>\u00a0to\u00a03128<\/strong>, we need to create a\u00a0NAT<\/strong>\u00a0rule on CENTOS integrated firewall (that named\u00a0iptable<\/strong>).<\/p>\n First we should enable\u00a0WCCP<\/strong>\u00a0on cisco router.<\/p>\n Next we define another access list for two different purpose first we should except\u00a0SQUID<\/strong>\u00a0traffics from redirecting by\u00a0WCCP<\/strong>\u00a0protocol (if not we fall into an infinite loop!!) second we define which\u00a0LAN<\/strong>\u00a0traffics we want to passing through\u00a0WCCP<\/strong>\u00a0and\u00a0SQUID<\/strong>.<\/p>\n After creating our access-list we must configure WCCP protocol on router.<\/p>\n Every things is ready for final step, we must tell the router that in which interface\/interfaces it must redirect traffics using their WCCP configuration.<\/p>\n It\u2019s time to summarize all commands and texts in a few lines for better understanding, according to the scenario we redirect staffs web surfing packets (that is on TCP port 80) from the\u00a0ROUTER<\/strong>\u00a0(that is default gateway of the clients) toward the squid cache machine using WCCP protocol.<\/p>\n All these process happened silently and there is no additional configuration on client side. So we can control and set policies on web traffics in the LAN. For example, we can gain web surfing access just in a limited time, limit maximum download size, define our custom blacklist and whitelist, generate full reports of internet activity usage and etc.<\/p>\n One of the interesting facts in this scenario is when squid machine goes down router detect this issue and stop redirecting packets toward it, so you can enjoy from zero-downtime in your network.<\/p>\n If you have any questions regarding to this article please leave a reply through below comment box.<\/p>\n![\"Traffic](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/08\/Squid-Traffic-Control-Using-Router-in-CentOS.png\")
<\/a><\/p>\n<\/a><\/p>\nTesting Environment<\/h4>\n
Operating System<\/strong>: CENTOS 6.5\r\nApplication<\/strong>: Squid\r\nRouter<\/strong>: Cisco 2691\r\n<\/pre>\n
Step 1: Installing Squid Cache<\/h3>\n
# yum -y install squid\r\n# service squid start\r\n# chkconfig squid on\r\n<\/pre>\n
Step 2: Preparing Squid Cache<\/h3>\n
# nano \/etc\/sysctl.conf\r\n<\/pre>\n
net.ipv4.ip_forward = 1<\/strong> #set to 1 for enable the packet forwarding feature\r\nnet.ipv4.conf.default.rp_filter = 0<\/strong> # set to 0 for disable the reverse path filter behavior\r\n<\/pre>\n
DEVICE=gre0\r\nBOOTPROTO=static\r\nIPADDR=10.0.0.2 #unused ip address in your network\r\nNETMASK=255.255.255.252\r\nONBOOT=yes\r\nIPV6INIT=no\r\n<\/pre>\n
# service network restart\r\n<\/pre>\n
Step 3: Configuring Squid Cache<\/h3>\n
http_port 3128 intercept # Define SQUID listening port\r\nwccp2_router 192.168.1.254 #ip address of the router\r\nwccp2_forwarding_method gre\r\nwccp2_return_method gre\r\nwccp2_service standard 0\r\n<\/pre>\n
# service squid restart\r\n<\/pre>\n
# iptables -t nat -A PREROUTING -i gre0 -p tcp --dport 80 -j REDIRECT --to-port 3128\r\n# iptables -t nat -A POSTROUTING -j MASQUERADE\r\n<\/pre>\n
Step 4: Cisco Router Configurations<\/h3>\n
R1(config)# ip wccp version 2\r\nThen we must use an ACL for introducing SQUID cache machine to router\r\nR1(config)# ip access-list standard SQUID-MACHINE\r\nR1(config-std-nacl)# permit host 192.168.1.10\r\n<\/pre>\n
R1(config)#ip access-list LAN-TRAFFICS\r\nR1(config-ext-nacl)#deny ip host 192.168.1.10 any #Prevent SQUID to get in loop\r\nR1(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any equal www #define LAN Traffics\r\n<\/pre>\n
R1(config)# ip wccp web-cache redirect-list LAN-TRAFFIC group-list SQUID-MACHINE\r\n<\/pre>\n
R1(config)#interface fastEthernet 0\/0\r\nR1((config-if)# ip wccp web-cache redirect in\r\n<\/pre>\n
Summary<\/h3>\n