<I would be very interested in your setup, especially
<the following:
<
<o How you got the GRE tunnel going
<o How the firewall config was affected by the GRE
<setup
<o What errors, if any, you got from the kernel after
< compiling wccp into it
----------------------------------------------------------------------------

My environment:

RedHat AS2.1, Dell 650 Server with 2GB RAM, 145GB Hard Drive
McAfee WebShield E500 (virus scanning HTTP traffic)
WatchGuard Firewall

All HTTP traffic hits the main router interface, it is then redirected via wccp to my squid cache, the webshield is configured as the cache_peer parent then all requests go to internet.

In order to make things work, you need to follow the FAQ:
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.11

    gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes \
        -Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing \
        -fno-common -pipe -mpreferred-stack-boundary=2 -march=i686 \
        -DMODULE -DMODVERSIONS \
        -include /usr/src/linux/include/linux/modversions.h \
        -c -o ip_wccp.o ip_wccp.c

Compile ip_wccp.c

Copy the newly created ip_wccp.o to:
/lib/modules/[kernel-version]/kernel/net/ipv4

Run depmod -a

Run modprobe ip_wccp

Modify the /etc/rc.d/rc.local file to include the following lines

    insmod ip_wccp
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Modify the /etc/sysctl.conf file:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1

Ensure the following lines are in the squid.conf file

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    wccp_router X.X.X.X
    wccp_version 4

[squid-home-dir]/bin/./RunCache &

What you are doing is:

- Installing a kernel module that understands WCCP natively
- Modifying settings so the machine can 'route' between the WCCP virtual network and the internet
- Modifying squid to use WCCP, and forward packets received on port 80 as if they were received on port 3128

WCCP uses the GRE protocol to encapsulate requests. The kernel module greatly simplifies handling these. It is possible to do it with the "ip_gre" module, but far more complex (if more secure).
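
The GRE encapsulation mentioned above, as an added example that is not part of the original message or of ip_wccp.c: a user-space Python sketch of unwrapping a redirected packet, with a check that the outer source is the configured router. It assumes the WCCPv1 layout (4-byte GRE header, protocol type 0x883E); the addresses and the function names `decapsulate` and `build_sample` are constructed for illustration.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
WCCP_GRE_TYPE = 0x883E    # GRE protocol type carried by WCCP redirects

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def decapsulate(frame, router):
    """Return (client, server, dport) of the redirected packet, or None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or frame[9] != GRE_PROTO or len(frame) < ihl + 4:
        return None
    if socket.inet_ntoa(frame[12:16]) != router:
        return None                      # GRE from a host other than the router
    flags, gre_type = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags != 0 or gre_type != WCCP_GRE_TYPE:
        return None                      # not a plain WCCPv1 GRE header
    inner = frame[ihl + 4:]
    if len(inner) < 20 or inner[0] >> 4 != 4 or inner[9] != 6:
        return None                      # inner packet must be IPv4 carrying TCP
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return None
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), dport

def build_sample(router, cache, client, server, gre_type=WCCP_GRE_TYPE):
    """Constructed sample: a client's TCP SYN to port 80, wrapped by the router."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    inner = ipv4_header(client, server, 6, len(tcp)) + tcp
    gre = struct.pack("!HH", 0, gre_type)
    return ipv4_header(router, cache, GRE_PROTO, len(gre) + len(inner)) + gre + inner

if __name__ == "__main__":
    pkt = build_sample("192.0.2.1", "192.0.2.10", "198.51.100.7", "203.0.113.80")
    print(decapsulate(pkt, "192.0.2.1"))
```

The inner packet keeps the client's source address and the origin server's destination address, which is why the REDIRECT rule to port 3128 is still needed once the GRE header is stripped.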
