Hello,

I have configured a transparent HTTP proxy using Iptables and Zorp but it does not work.

SYSTEM INFO:

loop@santeles:~$ uname -a
Linux santeles 2.6.31-19-server #56-Ubuntu SMP Thu Jan 28 02:39:34 UTC 2010 x86_64 GNU/Linux

loop@santeles:~$ iptables -V
iptables v1.4.4

root@santeles:/home/loop# zorpctl version
Zorp 3.0.8
Revision:
Compile-Date: May 4 2009 04:17:42
Config-Date: 2009/05/04
Trace: off
Debug: off
IPOptions: off
IPFilter-Tproxy: off
Netfilter-Tproxy: on
Netfilter-Linux22-Fallback: on
Linux22-Tproxy: off
Conntrack: on

Zorplib 3.0.6.4.2
Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.0--patch-116
Compile-Date: Nov 9 2009 09:50:26
Trace: off
MemTrace: off
Caps: on
Debug: off
StackDump: off

SYSTEM CONFIG:

root@santeles:/home/loop# ifconfig -a
dummy0    Link encap:Ethernet  HWaddr 00:21:9b:ee:61:14
          inet addr:1.2.3.4  Bcast:1.255.255.255  Mask:255.255.255.255
          inet6 addr: fe80::24c4:26ff:fec7:914/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:210 (210.0 KB)

wlan0     Link encap:Ethernet  HWaddr 00:1f:3b:6d:30:9b
          inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::226:18ff:fef2:31bc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2910 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:900 (900.0 B)  TX bytes:1692 (1.6 KB)
          Interrupt:27 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:368 (368.0 B)  TX bytes:368 (368.0 B)

root@santeles:/home/loop# cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
200     proxy
0       unspec
#
# local
#
#1      inr.ruhep

root@santeles:/home/loop# ip rule list
0:      from all lookup local
32765:  from all fwmark 0x01 lookup proxy
32766:  from all lookup main
32767:  from all lookup default

root@santeles:/home/loop# ip route show table proxy
local default dev dummy0  scope host

root@santeles:/home/loop# cat /etc/zorp/instances.conf
secret -v10 -p /etc/zorp/policy.py --autobind-ip 1.2.3.4 --tproxy netfilter

root@DPP3-GREC:/home/evalues# cat /etc/zorp/policy.py
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *

Zorp.firewall_name = 'DPP3-GREC'

InetZone("secret-net", "0.0.0.0/0", outbound_services=["*"], inbound_services=["*"])

def secret():
    Service("serv", HttpProxy)
    Listener(SockAddrInet("1.2.3.4", 50080), "serv")

iptables rules:

iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "Passing request to proxy" --log-level debug
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 1.2.3.4 --tproxy-mark 1 --on-port 50080
iptables -t mangle -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

IPTABLES IS LOADED CORRECTLY:

root@DPP3-GREC:/home/evalues# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level debug prefix `Input'

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level debug prefix `Forward'

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level debug prefix `Output'

root@DPP3-GREC:/home/evalues# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere            socket
LOG        tcp  --  anywhere             anywhere            tcp dpt:www LOG level debug prefix `Passing request to proxy'
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 1.2.3.4:50080 mark 0x1/0xffffffff

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK xset 0x1/0xffffffff
ACCEPT     all  --  anywhere             anywhere

ZORP STARTS WITHOUT PROBLEM:

root@DPP3-GREC:/home/evalues# zorpctl start
Starting Zorp Firewall Suite: secret

root@DPP3-GREC:/home/evalues# netstat -a -p | grep zorp
tcp        0      0 1.2.3.4:50080           *:*                     LISTEN      1700/zorp
unix  2      [ ACC ]     STREAM     LISTENING     8096     1700/zorp           /var/run/zorp/zorpctl.secret
unix  2      [ ]         DGRAM                    8094     1700/zorp
unix  2      [ ]         DGRAM                    8090     1699/zorpctl superv

root@DPP3-GREC:/home/evalues# tail -n 18 /var/log/syslog
Mar  1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Starting up; verbose_level='10', version='3.0.8'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): System dependant init; sysdep_tproxy='tproxy12'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (szig): thread starting;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (szig): Start to listen; fd='8', address='AF_UNIX(/var/run/zorp/zorpctl.secret)'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (Log thread): thread starting;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (conntrack/thread): thread starting;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (Log thread): /usr/lib/python2.4/whrandom.py:38: DeprecationWarning: the whrandom module is deprecated; please use the random module#012
Mar  1 17:10:42 DPP3-GREC secret[1734]: (Log thread): DeprecationWarning)#012
Mar  1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Outbound service; zone='secret-net', service='*'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Inbound service; zone='secret-net', service='*'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Dispatcher on address; proto='1', local='AF_INET(1.2.3.4:50080)', prio='100'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;

HOWEVER, IPTABLES FORWARDS THE HTTP PACKETS TO THE PROXY, BUT THE PROXY DOES NOT RECEIVE ANYTHING:

root@DPP3-GREC:/home/evalues# tail -n 10 /var/log/syslog
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;
Mar  1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;
Mar  1 17:14:08 DPP3-GREC kernel: [ 5253.789761] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55686 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 17:14:11 DPP3-GREC kernel: [ 5256.789037] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55687 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 17:14:17 DPP3-GREC kernel: [ 5262.786612] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55688 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Any idea of what can be happening?

Thanks in advance
On Mon, 2010-03-01 at 17:23 +0100, Lupi The Loop wrote:
> Hello,
>
> I have configured a transparent HTTP proxy using Iptables and Zorp but it does not work.
>
> SYSTEM INFO:
>
> loop@santeles:~$ uname -a
> Linux santeles 2.6.31-19-server #56-Ubuntu SMP Thu Jan 28 02:39:34 UTC 2010 x86_64 GNU/Linux
>
> loop@santeles:~$ iptables -V
> iptables v1.4.4
>
> root@santeles:/home/loop# zorpctl version
> Zorp 3.0.8
> Revision:
> Compile-Date: May 4 2009 04:17:42
> Config-Date: 2009/05/04
> Trace: off
> Debug: off
> IPOptions: off
> IPFilter-Tproxy: off
> Netfilter-Tproxy: on
> Netfilter-Linux22-Fallback: on
> Linux22-Tproxy: off
> Conntrack: on
>
> Zorplib 3.0.6.4.2
> Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.0--patch-116
> Compile-Date: Nov 9 2009 09:50:26
> Trace: off
> MemTrace: off
> Caps: on
> Debug: off
> StackDump: off

Zorp 3.0.8 doesn't support the final tproxy version that got included in the kernel (it long predates that), you should try 3.1.15c from here:
http://www.balabit.com/downloads/files/zorp/zorp-src/zorp_3.1.15c.tar.gz

-- 
Bazsi
Thank you, I solved it using the mangle and nat tables to REDIRECT the traffic to the proxy.

2010/4/15 Balazs Scheidler <bazsi@balabit.hu>
> On Mon, 2010-03-01 at 17:23 +0100, Lupi The Loop wrote:
> > Hello,
> >
> > I have configured a transparent HTTP proxy using Iptables and Zorp but it does not work.
> >
> > SYSTEM INFO:
> >
> > loop@santeles:~$ uname -a
> > Linux santeles 2.6.31-19-server #56-Ubuntu SMP Thu Jan 28 02:39:34 UTC 2010 x86_64 GNU/Linux
> >
> > loop@santeles:~$ iptables -V
> > iptables v1.4.4
> >
> > root@santeles:/home/loop# zorpctl version
> > Zorp 3.0.8
> > Revision:
> > Compile-Date: May 4 2009 04:17:42
> > Config-Date: 2009/05/04
> > Trace: off
> > Debug: off
> > IPOptions: off
> > IPFilter-Tproxy: off
> > Netfilter-Tproxy: on
> > Netfilter-Linux22-Fallback: on
> > Linux22-Tproxy: off
> > Conntrack: on
> >
> > Zorplib 3.0.6.4.2
> > Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.0--patch-116
> > Compile-Date: Nov 9 2009 09:50:26
> > Trace: off
> > MemTrace: off
> > Caps: on
> > Debug: off
> > StackDump: off
>
> Zorp 3.0.8 doesn't support the final tproxy version that got included in the kernel (it long predates that), you should try 3.1.15c from here:
> http://www.balabit.com/downloads/files/zorp/zorp-src/zorp_3.1.15c.tar.gz
>
> -- 
> Bazsi
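The thread ends with two different ways of getting port-80 traffic into the proxy: the original post uses the mangle-table TPROXY target (packet left untouched, delivered to a listener that must be IP_TRANSPARENT), and the final reply switches to nat REDIRECT (destination rewritten to the proxy's own address). The difference matters to the proxy code, because it decides how the proxy learns where the client was really going. The example below is added here as an illustration and is not Zorp code or anything from the posters; it shows the two ways of recovering the original destination, a listener with IP_TRANSPARENT set as TPROXY requires, and a parser for the kernel LOG lines from the post (the `Passing request to proxy` line is copied from the post; the sockaddr encoder and all function names are my own). The `SOL_IP`, `IP_TRANSPARENT` and `SO_ORIGINAL_DST` values are the Linux ones from `<linux/in.h>` and `<linux/netfilter_ipv4.h>`; binding a transparent socket needs CAP_NET_ADMIN, so `make_tproxy_listener` is only called when run as a script with that privilege.

```python
import socket
import struct

# Linux socket constants; older Python builds do not export all of them,
# so fall back to the numeric values from the kernel headers.
SOL_IP = getattr(socket, "SOL_IP", 0)
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)   # <linux/in.h>
SO_ORIGINAL_DST = 80                                     # <linux/netfilter_ipv4.h>

# Kernel LOG line copied from the post above (the --log-prefix is glued
# straight onto "IN=" by the kernel, which is why it reads "proxyIN=eth0").
SAMPLE_LOG_LINE = (
    "Mar  1 17:14:08 DPP3-GREC kernel: [ 5253.789761] Passing request to proxyIN=eth0 "
    "OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55686 DF PROTO=TCP SPT=44711 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)


def encode_sockaddr_in(ip, port):
    """Build a 16-byte struct sockaddr_in as the kernel returns it
    (sa_family host order, sin_port network order, sin_addr, 8 zero bytes).
    Used here only to construct test input offline."""
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H", port) \
        + socket.inet_aton(ip) + bytes(8)


def parse_sockaddr_in(raw):
    """Decode the sockaddr_in that getsockopt(SO_ORIGINAL_DST) returns into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in shorter than 8 bytes")
    (family,) = struct.unpack("=H", raw[0:2])
    (port,) = struct.unpack("!H", raw[2:4])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr: family=%d" % family)
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn, mode):
    """Return the (ip, port) the client really connected to, for an accepted socket.

    mode="tproxy":   TPROXY never rewrites the packet, so the accepted socket's
                     own local address IS the original destination.
    mode="redirect": nat REDIRECT rewrote the destination to the proxy, so
                     getsockname() only yields the proxy's listening address and
                     the original must be fetched from conntrack via SO_ORIGINAL_DST.
    """
    if mode == "tproxy":
        ip, port = conn.getsockname()[:2]
        return ip, port
    if mode == "redirect":
        return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))
    raise ValueError("mode must be 'tproxy' or 'redirect'")


def make_tproxy_listener(ip, port):
    """Listening socket able to accept TPROXY-diverted connections.

    IP_TRANSPARENT lets the socket accept for addresses that are not configured
    on the host (CAP_NET_ADMIN required). The TPROXY target only hands packets
    to a socket that has it set; a plain listener on the same ip:port is ignored,
    which looks like 'the LOG rule fires but the proxy never sees a connection'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(SOL_IP, IP_TRANSPARENT, 1)
    s.bind((ip, port))
    s.listen(16)
    return s


def parse_netfilter_log(line):
    """Parse a kernel LOG-target line into a dict of KEY=value fields.
    Flag-only tokens (DF, SYN, ACK, ...) are collected under 'flags'."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line")
    fields = {"flags": []}
    for tok in line[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["flags"].append(tok)
    return fields


def summarize_syn(line):
    """(src, sport, dst, dport) if the logged packet is a new TCP connection
    (SYN without ACK), else None. This is what the PREROUTING tproxy rule
    should be seeing for each client request."""
    f = parse_netfilter_log(line)
    if f.get("PROTO") != "TCP" or "SYN" not in f["flags"] or "ACK" in f["flags"]:
        return None
    return f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"])


if __name__ == "__main__":
    print("logged SYN:", summarize_syn(SAMPLE_LOG_LINE))
    print("decoded SO_ORIGINAL_DST:",
          parse_sockaddr_in(encode_sockaddr_in("10.0.2.5", 80)))
```

With TPROXY, `original_destination(conn, "tproxy")` returns `10.0.2.5:80` straight from `getsockname()`; with REDIRECT the same call without `SO_ORIGINAL_DST` would return the proxy's own `1.2.3.4:50080`, and a proxy that trusts it would connect to itself. Either way the value comes from the kernel, not from the client, which is the point of deriving the upstream target from the socket rather than from a Host header the client controls.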