Hello,

I have configured a transparent HTTP proxy using Iptables and Zorp but It does not work.

SYSTEM INFO:

loop@santeles:~$ uname -a
Linux santeles 2.6.31-19-server #56-Ubuntu SMP Thu Jan 28 02:39:34 UTC 2010 x86_64 GNU/Linux

loop@santeles:~$ iptables -V
iptables v1.4.4

root@santeles:/home/loop# zorpctl version
Zorp 3.0.8
Revision:
Compile-Date: May 4 2009 04:17:42
Config-Date: 2009/05/04
Trace: off
Debug: off
IPOptions: off
IPFilter-Tproxy: off
Netfilter-Tproxy: on
Netfilter-Linux22-Fallback: on
Linux22-Tproxy: off
Conntrack: on

Zorplib 3.0.6.4.2
Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.0--patch-116
Compile-Date: Nov 9 2009 09:50:26
Trace: off
MemTrace: off
Caps: on
Debug: off
StackDump: off

SYSTEM CONFIG:

root@santeles:/home/loop# ifconfig -a
dummy0 Link encap:Ethernet HWaddr 00:21:9b:ee:61:14
          inet addr:1.2.3.4 Bcast:1.255.255.255 Mask:255.255.255.255
          inet6 addr: fe80::24c4:26ff:fec7:914/64 Scope:Link
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:210 (210.0 KB)

wlan0     Link encap:Ethernet HWaddr 00:1f:3b:6d:30:9b
          inet addr:10.1.1.2 Bcast:10.1.1.255 Mask:255.255.255.0
          inet6 addr: fe80::226:18ff:fef2:31bc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2910 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:900 (900.0 B) TX bytes:1692 (1.6 KB)
          Interrupt:27 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:368 (368.0 B) TX bytes:368 (368.0 B)

root@santeles:/home/loop# cat /etc/iproute2/rt_tables
#
# reserved values
#
255    local
254    main
253    default

200    proxy

0    unspec
#
# local
#
#1    inr.ruhep

root@santeles:/home/loop# ip rule list
0:            from all lookup local
32765:    from all fwmark 0x01 lookup proxy
32766:    from all lookup main
32767:    from all lookup default

root@santeles:/home/loop# ip route show table proxy
local default dev dummy0    scope host

root@santeles:/home/loop# cat /etc/zorp/instances.conf
secret -v10 -p /etc/zorp/policy.py --autobind-ip 1.2.3.4 --tproxy netfilter

root@DPP3-GREC:/home/evalues# cat /etc/zorp/policy.py

from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *

Zorp.firewall_name = 'DPP3-GREC'

InetZone("secret-net", "0.0.0.0/0",
    outbound_services=["*"],
    inbound_services=["*"])

def secret():
    Service("serv", HttpProxy )
    Listener(SockAddrInet("1.2.3.4",50080), "serv")

iptables rules

   iptables -t mangle -P PREROUTING ACCEPT

   iptables -t mangle -N DIVERT
   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
   iptables -t mangle -A DIVERT -j MARK --set-mark 1
   iptables -t mangle -A DIVERT -j ACCEPT


    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "Passing request to proxy" --log-level debug
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 1.2.3.4 --tproxy-mark 1 --on-port 50080
    iptables -t mangle -P OUTPUT ACCEPT

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

IPTABLES IS LOADED CORRECTLY

root@DPP3-GREC:/home/evalues# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all -- anywhere             anywhere            LOG level debug prefix `Input'

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all -- anywhere             anywhere            LOG level debug prefix `Forward'

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all -- anywhere             anywhere            LOG level debug prefix `Output'

root@DPP3-GREC:/home/evalues# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp -- anywhere             anywhere            socket
LOG        tcp -- anywhere             anywhere            tcp dpt:www LOG level debug prefix `Passing request to proxy'
TPROXY     tcp -- anywhere             anywhere            tcp dpt:www TPROXY redirect 1.2.3.4:50080 mark 0x1/0xffffffff

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all -- anywhere             anywhere            MARK xset 0x1/0xffffffff
ACCEPT     all -- anywhere             anywhere

ZORP STARTS WITHOUT PROBLEM

root@DPP3-GREC:/home/evalues# zorpctl start
Starting Zorp Firewall Suite: secret

root@DPP3-GREC:/home/evalues# netstat -a -p | grep zorp
tcp        0      0 1.2.3.4:50080           *:*                     LISTEN      1700/zorp
unix 2      [ ACC ]     STREAM     LISTENING     8096     1700/zorp           /var/run/zorp/zorpctl.secret
unix 2      [ ]         DGRAM                    8094     1700/zorp
unix 2      [ ]         DGRAM                    8090     1699/zorpctl superv

root@DPP3-GREC:/home/evalues# tail -n 18 /var/log/syslog
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Starting up; verbose_level='10', version='3.0.8'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): System dependant init; sysdep_tproxy='tproxy12'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (szig): thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (szig): Start to listen; fd='8', address='AF_UNIX(/var/run/zorp/zorpctl.secret)'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (conntrack/thread): thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): /usr/lib/python2.4/whrandom.py:38: DeprecationWarning: the whrandom module is deprecated; please use the random module#012
Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread):   DeprecationWarning)#012
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Outbound service; zone='secret-net', service='*'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Inbound service; zone='secret-net', service='*'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Dispatcher on address; proto='1', local='AF_INET(1.2.3.4:50080)', prio='100'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;

HOWEVER, IPTABLES FORWARDS THE HTTP PACKETs TO THE PROXY, BUT THE PROXY DOES NOT RECEIVE ANYTHING

root@DPP3-GREC:/home/evalues# tail -n 10 /var/log/syslog
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;
Mar 1 17:14:08 DPP3-GREC kernel: [ 5253.789761] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55686 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:14:11 DPP3-GREC kernel: [ 5256.789037] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55687 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:14:17 DPP3-GREC kernel: [ 5262.786612] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55688 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Any idea of what can be happening?

Thanks in advance