Hello,<br><br>I have configured a transparent HTTP proxy using iptables and Zorp, but it does not work. <br><br><b>SYSTEM INFO:</b><br><br><i><b>loop@santeles:~$ uname -a</b><br>Linux santeles 2.6.31-19-server #56-Ubuntu SMP Thu Jan 28 02:39:34 UTC 2010 x86_64 GNU/Linux<br>
<br><b>loop@santeles:~$ iptables -V</b><br>iptables v1.4.4<br><b><br>root@santeles:/home/loop# zorpctl version</b><br>Zorp 3.0.8<br>Revision: <br>Compile-Date: May 4 2009 04:17:42<br>Config-Date: 2009/05/04<br>Trace: off<br>
Debug: off<br>IPOptions: off<br>IPFilter-Tproxy: off<br>Netfilter-Tproxy: on<br>Netfilter-Linux22-Fallback: on<br>Linux22-Tproxy: off<br>Conntrack: on<br><br>Zorplib 3.0.6.4.2<br>Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.0--patch-116<br>
Compile-Date: Nov 9 2009 09:50:26<br>Trace: off<br>MemTrace: off<br>Caps: on<br>Debug: off<br>StackDump: off<br><b><br></b></i><b>SYSTEM CONFIG:<br><i><br>root@santeles:/home/loop# ifconfig -a</i></b><i><br>dummy0 Link encap:Ethernet HWaddr 00:21:9b:ee:61:14 <br>
inet addr:1.2.3.4 Bcast:1.255.255.255 Mask:255.255.255.255<br> inet6 addr: fe80::24c4:26ff:fec7:914/64 Scope:Link<br> UP BROADCAST MULTICAST MTU:1500 Metric:1<br> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br>
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1000 <br> RX bytes:0 (0.0 B) TX bytes:210 (210.0 KB)<br><br>wlan0 Link encap:Ethernet HWaddr 00:1f:3b:6d:30:9b <br>
inet addr:10.1.1.2 Bcast:10.1.1.255 Mask:255.255.255.0<br>
inet6 addr: fe80::226:18ff:fef2:31bc/64 Scope:Link<br>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
RX packets:14 errors:0 dropped:0 overruns:0 frame:0<br>
TX packets:2910 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 txqueuelen:1000 <br>
RX bytes:900 (900.0 B) TX bytes:1692 (1.6 KB)<br>
Interrupt:27 Base address:0x8000<br> <br>lo Link encap:Local Loopback <br> inet addr:127.0.0.1 Mask:255.0.0.0<br> inet6 addr: ::1/128 Scope:Host<br> UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
RX packets:4 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:4 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:0 <br> RX bytes:368 (368.0 B) TX bytes:368 (368.0 B)<br>
<br><br><b>root@santeles:/home/loop# cat /etc/iproute2/rt_tables</b><br>#<br># reserved values<br>#<br>255 local<br>254 main<br>253 default<br><br>200 proxy<br><br>0 unspec<br>#<br># local<br>#<br>#1 inr.ruhep<br>
<br><b>root@santeles:/home/loop# ip rule list</b><br>0: from all lookup local <br>32765: from all fwmark 0x01 lookup proxy <br>32766: from all lookup main <br>32767: from all lookup default <br><br><b>root@santeles:/home/loop# ip route show table proxy</b><br>
local default dev dummy0 scope host<br></i>
<br><i><br><b>root@santeles:/home/loop# cat /etc/zorp/instances.conf</b><br>secret -v10 -p /etc/zorp/policy.py --autobind-ip 1.2.3.4 --tproxy netfilter<br><br><b>root@DPP3-GREC:/home/evalues# cat /etc/zorp/policy.py</b><br>
<br>from Zorp.Core import *<br>from Zorp.Plug import *<br>from Zorp.Http import *<br><br>Zorp.firewall_name = 'DPP3-GREC'<br><br>InetZone("secret-net", "0.0.0.0/0", <br>
outbound_services=["*"],<br> inbound_services=["*"])<br><br>def secret():<br> Service("serv", HttpProxy )<br> Listener(SockAddrInet("1.2.3.4",50080), "serv")<br>
</i><br><b><br>iptables rules</b><br><br><i> iptables -t mangle -P PREROUTING ACCEPT<br><br><br> iptables -t mangle -N DIVERT<br> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT<br> iptables -t mangle -A DIVERT -j MARK --set-mark 1<br>
iptables -t mangle -A DIVERT -j ACCEPT<br><br> <br> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "Passing request to proxy" --log-level debug<br> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 1.2.3.4 --tproxy-mark 1 --on-port 50080<br>
iptables -t mangle -P OUTPUT ACCEPT<br><br> iptables -P INPUT ACCEPT <br> iptables -P FORWARD ACCEPT<br> iptables -P OUTPUT ACCEPT <br></i><br><b>IPTABLES IS LOADED CORRECTLY <br></b><br><i><b>root@DPP3-GREC:/home/evalues# iptables -L</b><br>
Chain INPUT (policy ACCEPT)<br>target prot opt source destination <br>LOG all -- anywhere anywhere LOG level debug prefix `Input' <br><br>Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination <br>LOG all -- anywhere anywhere LOG level debug prefix `Forward' <br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination <br>
LOG all -- anywhere anywhere LOG level debug prefix `Output' <br><b><br>root@DPP3-GREC:/home/evalues# iptables -t mangle -L</b><br>Chain PREROUTING (policy ACCEPT)<br>target prot opt source destination <br>
DIVERT tcp -- anywhere anywhere socket <br>LOG tcp -- anywhere anywhere tcp dpt:www LOG level debug prefix `Passing request to proxy' <br>TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 1.2.3.4:50080 mark 0x1/0xffffffff<br>
<br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination <br><br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination <br><br>Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination <br><br>Chain POSTROUTING (policy ACCEPT)<br>target prot opt source destination <br><br>Chain DIVERT (1 references)<br>target prot opt source destination <br>
MARK all -- anywhere anywhere MARK xset 0x1/0xffffffff <br>ACCEPT all -- anywhere anywhere <br><br><br></i><b>ZORP STARTS WITHOUT PROBLEM</b><br><br><i><b>root@DPP3-GREC:/home/evalues# zorpctl start</b><br>
Starting Zorp Firewall Suite: secret <br><br><b>root@DPP3-GREC:/home/evalues# netstat -a -p | grep zorp</b><br>tcp 0 0 1.2.3.4:50080 *:* LISTEN 1700/zorp <br>
unix 2 [ ACC ] STREAM LISTENING 8096 1700/zorp /var/run/zorp/zorpctl.secret<br>unix 2 [ ] DGRAM 8094 1700/zorp <br>unix 2 [ ] DGRAM 8090 1699/zorpctl superv <br>
<b><br>root@DPP3-GREC:/home/evalues# tail -n 18 /var/log/syslog </b><br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Starting up; verbose_level='10', version='3.0.8'<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): System dependant init; sysdep_tproxy='tproxy12'<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (szig): thread starting;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (szig): Start to listen; fd='8', address='AF_UNIX(/var/run/zorp/zorpctl.secret)'<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): thread starting;<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (conntrack/thread): thread starting;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): /usr/lib/python2.4/whrandom.py:38: DeprecationWarning: the whrandom module is deprecated; please use the random module#012<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): DeprecationWarning)#012<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Outbound service; zone='secret-net', service='*'<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Inbound service; zone='secret-net', service='*'<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Dispatcher on address; proto='1', local='AF_INET(1.2.3.4:50080)', prio='100'<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;<br></i><br><b>HOWEVER, IPTABLES FORWARDS THE HTTP PACKETS TO THE PROXY, BUT THE PROXY DOES NOT RECEIVE ANYTHING</b><br>
<br><i><b>root@DPP3-GREC:/home/evalues# tail -n 10 /var/log/syslog </b><br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;<br>
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;<br>Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;<br>Mar 1 17:14:08 DPP3-GREC kernel: [ 5253.789761] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55686 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 <br>
Mar 1 17:14:11 DPP3-GREC kernel: [ 5256.789037] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55687 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 <br>
Mar 1 17:14:17 DPP3-GREC kernel: [ 5262.786612] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55688 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 <br>
</i><br><br>Any idea what could be happening? <br><br>Thanks in advance<br><br><br>
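Added example, not code from the post above and not part of Zorp: a small Python triage script for the kernel LOG lines that the `-j LOG` rule in front of the TPROXY rule produces. Two things in the quoted syslog are worth checking mechanically. First, with a `-m socket -j DIVERT` rule ahead of the LOG rule, a healthy redirected connection reaches the LOG rule only once (every later packet matches the proxy's socket and is diverted first), so the same SRC/SPT -> DST/DPT tuple logged repeatedly with only the SYN flag, spaced about 3 s and then 6 s apart, is the client's SYN retransmission backoff on 2.6 kernels: the redirected SYN is never answered. Second, the LOG entries carry `IN=eth0` while the `ifconfig -a` listing shows only dummy0, wlan0 and lo; the script reports any ingress interface in the log that is not in the interface list you give it. The sample lines are constructed, modelled on the three entries in the post plus one single-SYN flow on wlan0 for contrast.

```python
"""Triage helper for netfilter LOG lines emitted in front of a TPROXY rule.

Added example (not from the post above or from Zorp). Parses the
``IN=... SRC=... SPT=... SYN`` format, groups TCP records by 4-tuple, flags
flows that only ever appear as repeated SYNs, and lists ingress interfaces
the host does not claim to have. Sample input is constructed.
"""
import re
from collections import defaultdict

# KEY=VALUE tokens, or bare TCP flag words (DF is neither and is skipped).
_TOKEN = re.compile(r"([A-Z]+)=(\S*)|\b(SYN|ACK|FIN|RST|PSH|URG)\b")
# Kernel uptime stamp, e.g. "[ 5253.789761]", used for retransmit spacing.
_KTIME = re.compile(r"\[\s*(\d+\.\d+)\]")


def parse_log_line(line):
    """Return the netfilter fields of one LOG line as a dict (TCP flags under
    'flags', kernel timestamp under 'ts'), or None for a non-LOG line."""
    idx = line.find("IN=")
    if idx < 0:
        return None
    rec = {"flags": set(), "ts": None}
    m = _KTIME.search(line[:idx])
    if m:
        rec["ts"] = float(m.group(1))
    for key, val, flag in _TOKEN.findall(line[idx:]):
        if flag:
            rec["flags"].add(flag)
        else:
            rec[key] = val
    return rec


def flows(lines):
    """Group TCP records by (SRC, SPT, DST, DPT), preserving log order."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "TCP":
            groups[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])].append(rec)
    return groups


def stalled_flows(lines, min_syns=2):
    """Return {4-tuple: [timestamps]} for flows that reached the LOG rule with
    min_syns or more SYN-only packets and nothing else. Because the socket
    match diverts packets of an established transparent connection before
    the LOG rule, a repeated SYN means the first one was never answered."""
    stalled = {}
    for key, recs in flows(lines).items():
        if len(recs) >= min_syns and all(r["flags"] == {"SYN"} for r in recs):
            stalled[key] = [r["ts"] for r in recs]
    return stalled


def retransmit_intervals(timestamps):
    """Seconds between successive SYNs; 2.6 kernels back off 3, 6, 12 s."""
    return [round(b - a, 1) for a, b in zip(timestamps, timestamps[1:])]


def unexpected_ingress(lines, known_ifaces):
    """IN= interfaces seen in the log that are absent from the host's
    interface list (as captured with `ifconfig -a` or `ip link`)."""
    seen = {r["IN"] for r in map(parse_log_line, lines) if r and r.get("IN")}
    return seen - set(known_ifaces)


# Constructed sample: the post's three SYN entries, one healthy single-SYN
# flow on wlan0, and one Zorp line that is not a netfilter LOG line.
_TAIL = "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=%d DF PROTO=TCP SPT=%d DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
_MAC = "MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00"
SAMPLE_LOG = [
    "Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'",
    "Mar 1 17:14:08 DPP3-GREC kernel: [ 5253.789761] Passing request to proxyIN=eth0 OUT= %s SRC=10.0.1.2 DST=10.0.2.5 %s" % (_MAC, _TAIL % (55686, 44711)),
    "Mar 1 17:14:11 DPP3-GREC kernel: [ 5256.789037] Passing request to proxyIN=eth0 OUT= %s SRC=10.0.1.2 DST=10.0.2.5 %s" % (_MAC, _TAIL % (55687, 44711)),
    "Mar 1 17:14:17 DPP3-GREC kernel: [ 5262.786612] Passing request to proxyIN=eth0 OUT= %s SRC=10.0.1.2 DST=10.0.2.5 %s" % (_MAC, _TAIL % (55688, 44711)),
    "Mar 1 17:15:01 DPP3-GREC kernel: [ 5300.104421] Passing request to proxyIN=wlan0 OUT= %s SRC=10.1.1.9 DST=10.0.2.5 %s" % (_MAC, _TAIL % (100, 50000)),
]
KNOWN_IFACES = ["dummy0", "wlan0", "lo"]  # from the ifconfig -a output in the post

if __name__ == "__main__":
    for key, ts in stalled_flows(SAMPLE_LOG).items():
        print("stalled %s:%s -> %s:%s: %d SYNs, intervals %s s"
              % (key + (len(ts), retransmit_intervals(ts))))
    print("ingress interfaces not in the host list:",
          unexpected_ingress(SAMPLE_LOG, KNOWN_IFACES))
```

Run it against a real syslog with `stalled_flows(open("/var/log/syslog"))`; the LOG prefix only has to contain the `IN=` field for a line to be picked up. A flow that shows up once is normal with this rule order; several SYNs on one source port, or an ingress interface the host does not list, are the lines worth looking at first.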