[zorp] Why client can see ip address of dummy interface
Zhou Li
zhou.li at ca-jc.com
Fri Jul 13 08:49:24 CEST 2007
Dear Johns,
Yes, you are right, the real environment is more complicated than my last description, so I created a new simple environment and tested it
again. The new environment has four nodes only: client(firefox) <-> tcpdump <-> zorp <-> server(Internet)
zorp config:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.003048427898       no              eth0
                                                        eth1
# ifconfig -a
br0 Link encap:Ethernet HWaddr 00:30:48:42:78:98
inet addr:192.168.88.221 Bcast:192.168.88.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2562 errors:0 dropped:0 overruns:0 frame:0
TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:448376 (437.8 Kb) TX bytes:136651 (133.4 Kb)
dummy0 Link encap:Ethernet HWaddr 42:CC:24:E8:34:AE
inet addr:172.16.44.10 Bcast:172.16.44.11 Mask:255.255.255.254
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:30:48:42:78:98
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:9934 errors:0 dropped:0 overruns:0 frame:0
TX packets:571 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:822121 (802.8 Kb) TX bytes:197993 (193.3 Kb)
Base address:0xa000 Memory:ec000000-ec020000
eth1 Link encap:Ethernet HWaddr 00:30:48:42:78:99
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:364 errors:0 dropped:0 overruns:0 frame:0
TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:169726 (165.7 Kb) TX bytes:302393 (295.3 Kb)
Base address:0xa400 Memory:ec020000-ec040000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:33 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1916 (1.8 Kb) TX bytes:1916 (1.8 Kb)
# ip route list
172.16.44.10/31 dev dummy0 scope link
192.168.88.0/24 dev br0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.88.1 dev br0
client IP is 192.168.88.166
tcpdump is in bridge mode too, and its IP is 192.168.88.220
After testing it again and again, I think I may have found something about why the zorp dummy IP can be seen by the client; tcpdump output below:
14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432
14:35:06.298923 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 32:1492(1460) ack 1 win 6432
14:35:06.298956 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 1492:2952(1460) ack 1 win 6432
14:35:06.298982 IP 172.16.44.10.60080 > 192.168.88.166.1665: FP 2952:3530(578) ack 1 win 6432
14:35:06.299275 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299298 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299317 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299742 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:09.298919 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:09.300223 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:15.296912 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:15.298446 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:26.355720 IP 172.16.44.10.60080 > 192.168.88.166.1666: P 1004186045:1004186077(32) ack 784265389 win 6432
If /proc/net/tproxy has a client<->server entry, zorp will use it to hide the dummy IP; when the entry is deleted for some reason,
zorp can't hide the dummy IP.
But why the entry is deleted before zorp finishes its job, I don't know; maybe it's a bug or a mismatched timeout setup, I guess.
//ZhouLi
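As an added illustration (not code from this thread or from Zorp), a small Python checker that runs over tcpdump output like the captures above and lists every client flow that received segments sourced from the proxy's dummy address, together with whether the client answered them with a RST. The dummy address, port and sample lines are taken from this thread; the parser assumes the classic tcpdump line format shown here.

```python
import re
from collections import defaultdict

# Matches the classic tcpdump TCP line format used in the thread, e.g.
#   14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
# Older output omits "IP" and may carry an "802.1Q vlan#3 P0" prefix; both forms parse.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:[^>]*?\s)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
    r"(?:\s+\d+:\d+\((?P<len>\d+)\))?"
)

def parse_line(line):
    """Return the fields of one TCP line, or None for ARP and other output."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["len"] = int(d["len"] or 0)   # truncated lines carry no payload length
    return d

def find_leaks(lines, proxy_ip, proxy_port):
    """Per client endpoint: segments the client saw sourced from the proxy's own
    (dummy) address, and whether it replied with RST (no such connection on its side)."""
    flows = defaultdict(lambda: {"segments": 0, "bytes": 0, "reset_by_client": False})
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["src"] == proxy_ip and pkt["sport"] == proxy_port:
            f = flows[(pkt["dst"], pkt["dport"])]
            f["segments"] += 1
            f["bytes"] += pkt["len"]
        elif pkt["dst"] == proxy_ip and pkt["dport"] == proxy_port and "R" in pkt["flags"]:
            flows[(pkt["src"], pkt["sport"])]["reset_by_client"] = True
    return dict(flows)

# Constructed sample: lines copied from the two client-side captures in the thread.
SAMPLE = """\
14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432
14:35:06.298923 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 32:1492(1460) ack 1 win 6432
14:35:06.298982 IP 172.16.44.10.60080 > 192.168.88.166.1665: FP 2952:3530(578) ack 1 win 6432
14:35:06.299275 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156
""".splitlines()

if __name__ == "__main__":
    for (ip, port), f in sorted(find_leaks(SAMPLE, "172.16.44.10", 60080).items()):
        print(f"{ip}:{port} saw {f['segments']} segment(s), {f['bytes']} bytes from the dummy IP; "
              f"reset by client: {f['reset_by_client']}")
```

Any flow the checker lists is a connection on which address forging did not take effect; an empty result on a client-side capture means the dummy address never reached the client.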
----- Original Message -----
From: A Johns
To: Zorp users mailing list
Sent: Wednesday, July 11, 2007 07:15
Subject: Re: [zorp] Why client can see ip address of dummy interface
Li,
More questions than answers, but we'll get to the cause of this...
Does zorp have a 192.168.88.x address assigned to either of its interfaces? Does it have 2 interfaces or more? Can you provide a tcpdump trace of the sequence leading up to the below and include any ARP requests also?
# tcpdump | grep 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156
ie: was there a 3-way TCP handshake between client and server (or zorp) before the above? What ARP requests/replies were sent/received by the client/zorp/server, if any? And can you include 'netstat -rn' (routing table) info too please - I'm not sure how these devices are communicating directly unless you have multiple networks (ie 192.168.88.0/24 and 172.16.44.0/24) attached to the same network segment?
I agree that you should not be able to see the client IP - did it work before in the past or is this the first time you've done this?
I see you have VLANs configured also - are these 3 devices the only devices on the network or is it much more complicated than the original ascii diagram? Can you provide a more detailed diagram showing any other switches/firewalls/gateways on your network?
--
Regards
AJ
NetSafety - Internet Security Made Easy
On 7/10/07, Zhou Li <zhou.li at ca-jc.com> wrote:
Yes, Johns, It work in bridge mode. //ZhouLi
----- Original Message -----
From: A Johns
To: Zorp users mailing list
Sent: Tuesday, July 10, 2007 14:56
Subject: Re: [zorp] Why client can see ip address of dummy interface
Hi ZhouLi,
See below
On 7/9/07, Zhou Li <zhou.li at ca-jc.com> wrote:
I tested Zorp 3.0.14b + 2.0.6 cttproxy for kernel 2.6.17 and it works fine for me, but I found the client can
see the IP address of the dummy interface, which I can't understand.
client(192.168.88.166) <--> zorp(dummy ip 172.16.44.10) <--> server( 192.168.88.10)
# iptables -t tproxy -I PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 172.16.44.10 --on-port 60080
instances.conf:
http -T -v 1 -s core.error:0 -p /usr/local/etc/zorp/http.py -B 172.16.44.10
http.py:
.
.
.
def zorp():
    # forge_addr=TRUE: connect to the server with the client's source address
    Service("http", MyHttp, router=TransparentRouter(forge_addr=TRUE, forge_port=Z_PORT_EXACT))
    # listen on the dummy address/port that the TPROXY rule redirects to
    Listener(SockAddrInet("172.16.44.10", 60080), "http", transparent=TRUE, mark_tproxy=TRUE)
When I make a new http request from the client to the server, tcpdump displays the information below
tcpdump on client
# tcpdump | grep 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156
tcpdump on server
# tcpdump | grep 172.16.44.10
16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10
My question is how to avoid the client seeing the dummy IP address?
ZhouLi
Does TProxy work in bridge mode - you appear to have the same network address/mask on both zorp interfaces - is this correct? Or is this on a VMWare system?
------------------------------------------------------------------------------
_______________________________________________
zorp mailing list
zorp at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/zorp