Step 1i. Disable SELinux:
sudo gedit /etc/sysconfig/selinux
Change the line that says "SELINUX=enforcing" to this:
SELINUX=disabled
Step 1ii. Check that the entries in the file /etc/sysctl.conf are as shown below:
/etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.tun0.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Enable GRE interface to go up on boot
net.inet.gre.allow=1
net.inet.gre.wccp=1
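As an added example (not part of the original notes), the following POSIX shell script checks that a sysctl file carries the settings listed above, so the check can be re-run after edits or on a second proxy box. It takes the file path as its first argument (default /etc/sysctl.conf) and reports every key that is missing or has a different value. Only the net.ipv4.* keys are checked: the net.inet.gre.* names are FreeBSD sysctls that a Linux sysctl does not know. Note what rp_filter=0 does: it switches off reverse-path source validation on those interfaces, which the GRE redirect needs because decapsulated client packets arrive on tun0 with source addresses that are not routed back through it; the compensating control is the GRE INPUT rules later in these notes that accept GRE only from the ASA's address. The sample file the script runs on at the end is constructed here and deliberately lacks the tun0 line.

```shell
#!/bin/sh
# Added example, not from the original notes: verify the sysctl settings the
# GRE/WCCP redirect depends on. Usage: check_sysctl_file [FILE]
# Exit status 0 = every expected key has the expected value; 1 = a mismatch.

# Expected key=value pairs (the Linux keys from the notes; the net.inet.gre.*
# names are FreeBSD sysctls and are not checked).
SYSCTL_EXPECTED='net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.tun0.rp_filter=0
net.ipv4.conf.default.accept_source_route=0'

# sysctl_value FILE KEY -> prints the last value set for KEY in FILE.
# Comments are dropped and whitespace removed, so "key = value" and
# "key=value" are both understood; a missing key prints an empty line.
sysctl_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# check_sysctl_file [FILE] -> prints one line per problem, returns 1 if any.
check_sysctl_file() {
    file=${1:-/etc/sysctl.conf}
    rc=0
    # here-document rather than a pipe so that rc survives the loop
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        got=$(sysctl_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH: %s should be %s, found "%s"\n' "$key" "$want" "$got"
            rc=1
        fi
    done <<EOF
$SYSCTL_EXPECTED
EOF
    return $rc
}

# make_sample_sysctl -> writes a constructed copy of the notes' file to a temp
# path and prints that path. The tun0 line is left out on purpose so the
# check has something to report.
make_sample_sysctl() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample; on the host run: check_sysctl_file /etc/sysctl.conf
sample=$(make_sample_sysctl)
check_sysctl_file "$sample" || echo "sysctl file needs attention (see above)"
rm -f "$sample"
```

After editing /etc/sysctl.conf, `sysctl -p` applies the file; the check only reads the file, it does not query the running kernel.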
Step 2. Create the GRE interface
We need to load the gre kernel module, and also set it to load at boot time.
modprobe ip_gre
Now set it to start at boot. Enter as admin (root) first:
sudo -s
echo "/sbin/modprobe ip_gre > /dev/null 2>&1" > /etc/sysconfig/modules/ip_gre.modules && chmod 755 /etc/sysconfig/modules/ip_gre.modules
Then create the interface file /etc/sysconfig/network-scripts/ifcfg-tun0 with this content:
DEVICE=tun0
TYPE=GRE
BOOTPROTO=none
STARTMODE=onboot
MY_INNER_IPADDR=172.16.1.1
PEER_OUTER_IPADDR=10.7.128.170   # the router ID that the Cisco ASA shows
PEER_INNER_IPADDR=172.16.1.2
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
USERCTL=no
Step 3. /etc/sysconfig/iptables
yum install iptables
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl enable iptables
But if you check the iptables status:
systemctl status iptables

iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
   Active: inactive (dead)
           start condition failed at Tue 2014-05-13 16:04:28 EST; 1s ago
           ConditionPathExists=/etc/sysconfig/iptables was not met

May 13 16:04:28 cetus systemd[1]: Started IPv4 firewall with iptables.
Then if you check the loaded iptables rules, you get this, where 192.168.122.0/24 is added by the libvirt-daemon-config-network package.
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The file /etc/sysconfig/iptables is missing, so let's generate it from the legacy init script. There are a couple of ways.
If the above method does not work, we first create the iptables rules from the Linux terminal and then save them, so that the file is created at /etc/sysconfig/iptables:
iptables -F -t nat   # flush the NAT rules from iptables
iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t filter -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
iptables -t filter -A INPUT -s 10.2.132.100/32 -p gre -j ACCEPT
iptables -t filter -A INPUT -s 10.7.128.170/32 -p gre -j ACCEPT
Service iptables save (any of the following):
service iptables save
(OR)
/usr/libexec/initscripts/legacy-actions/iptables/save
(OR)
/usr/libexec/iptables/iptables.init save
Start the iptables service: sudo service iptables start
Second way:
Open the file with gedit /etc/sysconfig/iptables and add:
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
Example:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:4348]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.254 -d 192.168.1.253 -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
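Instead of typing the rules and then saving them, the rule file can be generated from a few parameters and checked before it is installed. The script below is an added example, not the notes' own procedure; the ASA address, tunnel interface, Squid port and SSH port it uses are hypothetical defaults to replace with your own. It tightens two of the rules above on purpose: GRE is accepted only from the ASA's address (as the notes' own rules already do), and the Squid port 3129 is accepted only on the tunnel interface rather than from anywhere, so the transparent port is not reachable from other networks. Port 3128, Squid's normal forward-proxy port, is not opened; add a rule if clients are meant to use the proxy explicitly.

```shell
#!/bin/sh
# Added example, not from the original notes: generate /etc/sysconfig/iptables
# (the iptables-restore file that the iptables.service unit's
# ConditionPathExists waits for), validate it, and install it readable by root only.
# Parameters are hypothetical defaults: ASA address, GRE interface, Squid port.

# gen_iptables_rules ASA_IP GRE_IF PROXY_PORT [SSH_PORT] -> prints the rule file
gen_iptables_rules() {
    asa=$1; gre_if=$2; proxy_port=$3; ssh_port=${4:-22}
    cat <<EOF
# generated: ASA $asa, GRE interface $gre_if, Squid transparent port $proxy_port
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# only web traffic that arrived through the GRE tunnel is redirected to Squid
-A PREROUTING -i $gre_if -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $proxy_port
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport $ssh_port -j ACCEPT
# GRE only from the ASA: nobody else can push tunnelled traffic at the proxy
-A INPUT -s $asa/32 -p gre -j ACCEPT
# the transparent port is reachable only through the tunnel interface
-A INPUT -i $gre_if -p tcp -m tcp --dport $proxy_port -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# validate_rules_text -> reads a rule file on stdin; fails if a *table block
# is not closed by COMMIT or an -A rule names a chain the block did not declare.
validate_rules_text() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/ { if (open) { print "table " table " not committed"; bad = 1 }
                table = substr($0, 2); open = 1
                for (c in chains) delete chains[c]; next }
        /^:/  { chains[substr($1, 2)] = 1; next }
        /^COMMIT$/ { if (!open) { print "COMMIT outside a table"; bad = 1 }
                     open = 0; next }
        /^-A / { if (!($2 in chains)) { print "rule for undeclared chain " $2; bad = 1 }
                 next }
        { print "unrecognised line: " $0; bad = 1 }
        END { if (open) { print "table " table " not committed"; bad = 1 }
              exit bad }'
}

# write_iptables_rules OUT_FILE ASA_IP GRE_IF PROXY_PORT [SSH_PORT]
# -> generates, validates, then writes OUT_FILE with mode 600.
write_iptables_rules() {
    out=$1; shift
    rules=$(gen_iptables_rules "$@")
    printf '%s\n' "$rules" | validate_rules_text || return 1
    printf '%s\n' "$rules" >"$out" && chmod 600 "$out"
}

# Demo on a temp path; on the host use /etc/sysconfig/iptables, then:
#   systemctl start iptables && iptables -L -n -v
demo_out=$(mktemp)
write_iptables_rules "$demo_out" 10.7.128.170 tun0 3129 && echo "rule file written to $demo_out"
rm -f "$demo_out"
```

The validator only checks the file's shape (tables, chains, COMMIT); the kernel still has the last word, so after installing the file watch `systemctl status iptables` for a failed iptables-restore and confirm the counters in `iptables -L -n -v` move when a client browses.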
Step 4. Squid Configuration
Now we configure Squid for WCCP. Squid supports WCCP version 2, and you have to tell it the IP address of the WCCP router, in our case the ASA.
So open squid.conf:
sudo gedit /etc/squid/squid.conf
And add the following line (not the router ID: the internal IP address of the ASA):
wccp2_router 10.2.132.1
Elsewhere in these notes the same line is given as:
wccp2_router 172.16.1.254
(the IP address of the ASA)
wccp_version 4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco123
To use transparent redirection add
http_port 3129 transparent
to squid.conf, then save and exit.
In addition, adjust the disk cache:
cache_dir ufs /var/spool/squid 20000 16 256
Maximum size of a cached object:
maximum_object_size 5 GB
Now start Squid on CentOS and make sure the service runs again after a restart of the server:
service squid start
chkconfig squid on
The configuration is now ready to use: from now on the ASA sends all web requests from the network 192.168.1.0/24 to Squid, which downloads the website and forwards it to the client; the proxy server also caches the web contents for the next client request.
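The squid.conf fragment above is easy to get subtly wrong, and it also carries the WCCP password, the shared secret with which the ASA and Squid authenticate their WCCP messages. The script below is an added example (not part of the original notes) that checks a squid.conf for the directives from Step 4 and flags the file when it holds a wccp2_service password while being group- or world-readable. It accepts either `transparent` (the keyword used in these notes) or `intercept` (its name on Squid 3.1 and later) on http_port. The sample file it runs on is constructed here from the notes' own directives, written with the common but too open mode 644.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check squid.conf for the
# WCCPv2 transparent-proxy directives above. Usage: check_squid_conf [FILE]
# (default /etc/squid/squid.conf). Returns 1 if a directive is missing, the
# http_port is not in transparent/intercept mode, or the file carries the
# wccp2_service password while being group- or world-readable.

SQUID_REQUIRED='wccp2_router wccp2_forwarding_method wccp2_return_method wccp2_service http_port'

# squid_directive FILE NAME -> prints the active (uncommented) lines for NAME
squid_directive() {
    sed -e 's/#.*//' "$1" | awk -v n="$2" '$1 == n'
}

# file_mode FILE -> octal permission bits, GNU stat first, BSD stat as fallback
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_squid_conf [FILE] -> prints findings, returns 1 if anything is wrong
check_squid_conf() {
    file=${1:-/etc/squid/squid.conf}
    rc=0
    for d in $SQUID_REQUIRED; do
        if [ -z "$(squid_directive "$file" "$d")" ]; then
            echo "missing directive: $d"; rc=1
        fi
    done
    # the port the iptables REDIRECT points at must accept intercepted traffic
    if ! squid_directive "$file" http_port | grep -Eq 'transparent|intercept'; then
        echo "http_port is not in transparent/intercept mode"; rc=1
    fi
    # the WCCP password is a shared secret: keep the file readable by root only
    if squid_directive "$file" wccp2_service | grep -q 'password='; then
        mode=$(file_mode "$file")
        case $mode in
            *[1-7]?|*?[1-7])
                echo "squid.conf holds the WCCP password but has mode $mode"; rc=1 ;;
        esac
    fi
    return $rc
}

# make_sample_squid_conf -> constructed fragment with the directives from these
# notes, written to a temp file with the common (too open) mode 644.
make_sample_squid_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed squid.conf fragment
wccp2_router 10.2.132.1
wccp_version 4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco123
http_port 3129 transparent
cache_dir ufs /var/spool/squid 20000 16 256
maximum_object_size 5 GB
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Demo on the constructed sample; on the host: check_squid_conf && squid -k parse
sample=$(make_sample_squid_conf)
check_squid_conf "$sample" || echo "fix the findings above, then: squid -k parse && service squid restart"
rm -f "$sample"
```

`squid -k parse` is Squid's own syntax check and complements this script: the script knows which WCCP directives the setup needs, Squid knows whether each line is valid.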
TROUBLESHOOTING
1. I can see the router forwarding packets through the GRE tunnel:
[root@tsv-squid1 ~]# tcpdump -i gre0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:40:04.370754 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:04.370861 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:07.381696 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:07.381779 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:13.387792 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:40:13.387812 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2. Check if Squid tried to get in contact with the public web servers:
sudo gedit /var/log/squid/access.log
sudo tail -f /var/log/squid/access.log
sudo vi /var/log/squid/access.log
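The capture in item 1 shows the same two client SYNs repeated at 3 s and 6 s with unchanged sequence numbers: the ASA is redirecting into the tunnel, but nothing on the proxy answers, so the clients retransmit. The script below is an added example (not part of the original notes) that turns that visual check into a filter: it reads tcpdump text output and lists every TCP flow whose SYN was seen more than once with no SYN-ACK in the other direction. The sample capture it runs on is constructed here in the format of item 1, with a third flow (port 62009) that did get a SYN-ACK so the contrast is visible.

```shell
#!/bin/sh
# Added example, not from the original notes: read tcpdump text output from
# the GRE interface and list TCP flows that only ever show client SYNs.
# Repeated SYNs with the same sequence number (as in item 1 above) mean the
# ASA does redirect traffic into the tunnel but nothing answers on this box:
# typically the REDIRECT rule, the INPUT rule for port 3129 or Squid itself.
# Usage: syn_retransmits < capture.txt   (capture with: tcpdump -i gre0 -c 500)

# syn_retransmits -> one line per unanswered flow:
#   "src > dst syn=N first=TIME last=TIME"
# A flow is reported when the same client SYN (same seq) is seen more than
# once and no SYN-ACK ([S.]) was seen in the opposite direction.
syn_retransmits() {
    awk '
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; sub(/,$/, "", flags)
            if (flags == "[S]") {
                seq = $9; sub(/,$/, "", seq)
                key = src " > " dst
                if (!(key in first)) { first[key] = $1; seqs[key] = seq }
                if (seqs[key] == seq) count[key]++
                last[key] = $1
            } else if (flags == "[S.]") {
                answered[dst " > " src] = 1
            }
        }
        END {
            for (k in count)
                if (count[k] > 1 && !(k in answered))
                    printf "%s syn=%d first=%s last=%s\n", k, count[k], first[k], last[k]
        }' | sort
}

# unanswered_flow_count -> number of flows syn_retransmits reports for stdin
unanswered_flow_count() {
    syn_retransmits | wc -l | tr -d ' '
}

# Constructed sample in the format of the capture in item 1: two flows that
# keep retransmitting their SYN, and one (port 62009) that received a SYN-ACK.
SAMPLE_CAPTURE='20:40:04.370754 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:04.370861 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:07.381696 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:07.381779 IP 10.114.32.51.62008 > 190.93.248.164.http: Flags [S], seq 1665803222, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:40:13.387792 IP 10.114.32.51.62007 > 190.93.248.164.http: Flags [S], seq 2779756886, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:40:20.100000 IP 10.114.32.51.62009 > 190.93.248.164.http: Flags [S], seq 1111111111, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:40:20.100500 IP 190.93.248.164.http > 10.114.32.51.62009: Flags [S.], seq 2222222222, ack 1111111112, win 29200, options [mss 1460], length 0'

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_CAPTURE" | syn_retransmits
```

If every flow is reported, compare `iptables -t nat -L PREROUTING -n -v` and `iptables -L INPUT -n -v` packet counters with the SYN count: a REDIRECT counter that stays at zero points at the nat rule, a growing REDIRECT counter with nothing in Squid's access.log points at the INPUT rule for 3129 or at Squid not listening.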