Dear List, on Zsiga's advice I tried to set up the following system:
The kernel is 2.6.30-1, but which kzorp version is in it I couldn't tell you right now. The Debian version is 5.0.3 (Lenny). There is no difference in the zorp config compared to the 3.0 series, but there is in the packet filter.
cat /etc/debian_version
5.0.3

iptables -V
iptables v1.4.6

uname -a
Linux fal 2.6.32-trunk-amd64 #1 SMP Sat Dec 26 17:13:29 UTC 2009 x86_64 GNU/Linux
zorpctl --version
Zorp 3.1.15c
Revision: devel@balabit.hu--zorp-1/zorp-core--update--3.1.15--patch-7
Compile-Date: Jan 3 2010 22:56:39
Config-Date: 2010/01/03
Trace: off
Debug: off
IPOptions: off
IPFilter-Tproxy: off
Netfilter-Tproxy: on
Netfilter-Linux22-Fallback: on
Linux22-Tproxy: off

libzorpll 3.1.8.4
Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.1--patch-254
Compile-Date: Jan 3 2010 22:50:06
Trace: off
MemTrace: off
Caps: on
Debug: off
StackDump: off
cat /etc/zorp/policy.py
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *

Zorp.firewall_name = 'fal'

InetZone("intra", "172.16.0.0/16", inbound_services=[], outbound_services=["web"])
InetZone("inter", "0.0.0.0/0", inbound_services=["web"], outbound_services=[])

class MyHttpProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = 1
        log("http", 2, "S: %s C: %s" % (self.session.server_address.ip_s, self.session.client_address.ip_s))

def web():
    Service("web", MyHttpProxy, InbandRouter())
    Listener(SockAddrInet("172.16.0.254", 50080), "web", transparent=TRUE)
cat /etc/iptables.conf.in
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DIVERT -
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A PREROUTING -p tcp -m socket -j LOG --log-prefix "SOCKET forgalom: "
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "PREROUTING forgalom: "
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 172.16.0.254 --on-port 50080
-A DIVERT -j LOG --log-prefix "DIVERT forgalom: "
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG --log-prefix "INPUT forgalom: "
COMMIT
strace -f -o /tmp/zorp.log zorpctl start
grep setsock /tmp/zorp.log
2336 setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\3\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
2336 setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\2\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
2336 setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
2336 setsockopt(12, SOL_IP, 0x13 /* IP_??? */, [1], 4) = 0
grep forgalom /var/log/syslog:
Jan 10 21:26:30 fal kernel: [ 2990.633514] INPUT forgalom: IN=eth1 OUT= MAC=00:1f:c6:2f:66:03:00:1d:72:13:9f:46:08:00 SRC=172.16.7.52 DST=172.16.0.254 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=55896 DF PROTO=UDP SPT=51853 DPT=53 LEN=41
Jan 10 21:26:30 fal kernel: [ 2990.633647] INPUT forgalom: IN=eth1 OUT= MAC=00:1f:c6:2f:66:03:00:1d:72:13:9f:46:08:00 SRC=172.16.7.52 DST=172.16.0.254 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=UDP SPT=51853 DPT=53 LEN=41
Jan 10 21:26:32 fal kernel: [ 2992.663343] PREROUTING forgalom: IN=eth1 OUT= MAC=00:1f:c6:2f:66:03:00:1d:72:13:9f:46:08:00 SRC=172.16.7.52 DST=217.20.130.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23999 DF PROTO=TCP SPT=34234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
So the packets still don't reach the DIVERT chain, even though the --on-ip switch is there... Can anyone give me an idea or some advice on what to look at and what to change to finally get zorp working?
Thanks,
tusi
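An added example by the editor, not part of tusi's post or of Zorp: the netfilter TPROXY target in the iptables.conf.in above only marks the packet (0x1) and steers it to the socket on 172.16.0.254:50080; the kernel delivers such a marked packet locally only if a policy-routing rule sends fwmark-marked packets to a table whose default route is "local", and the post shows no `ip rule` / `ip route` setup. The script below prints those two commands and contains two small checks, one over `ip rule show` output and one over the strace output the post uses (IP_TRANSPARENT is SOL_IP option 19 = 0x13, which the strace shows succeeding; the failing 0x2c0a calls are the old IPFilter/cttproxy option and are expected to fail on a Netfilter-Tproxy build). Mark and listener come from the post; table number 100 and the sample inputs are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the policy-routing half of a
# netfilter TPROXY setup. Mark 0x1 and listener 172.16.0.254:50080 come from
# the post; routing table 100 and the sample inputs below are assumptions.

TPROXY_MARK=1
TPROXY_TABLE=100

# Print the ip(8) commands that make the kernel deliver marked packets locally.
tproxy_routing_cmds() {
    printf 'ip rule add fwmark %s lookup %s\n' "$TPROXY_MARK" "$TPROXY_TABLE"
    printf 'ip route add local 0.0.0.0/0 dev lo table %s\n' "$TPROXY_TABLE"
}

# Read "ip rule show" output on stdin; succeed (exit 0) only if a rule for
# fwmark TPROXY_MARK that looks up TPROXY_TABLE is present. iproute2 prints
# the mark in hex (fwmark 0x1), so both spellings are accepted.
has_fwmark_rule() {
    grep -Eq "fwmark (0x)?${TPROXY_MARK}([ /]|$).*lookup ${TPROXY_TABLE}( |$)"
}

# Read strace output on stdin; succeed only if some socket had IP_TRANSPARENT
# (SOL_IP option 19 = 0x13) set successfully. Older strace prints the raw
# option number, as in the post; newer strace prints the symbolic name.
ip_transparent_set() {
    grep -Eq 'setsockopt\([0-9]+, SOL_IP, (0x13 |IP_TRANSPARENT,).*\) = 0$'
}

# Constructed sample of "ip rule show" on a host where the rule is missing.
SAMPLE_RULES_MISSING='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'

# Constructed sample strace lines in the same shape as the post's grep output.
SAMPLE_STRACE='2336 setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\3\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
2336 setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
2336 setsockopt(12, SOL_IP, 0x13 /* IP_??? */, [1], 4) = 0'

# Stand-alone use: "apply" as the first argument installs the routing (needs
# root); with no argument the script only reports what the samples show.
if [ "$1" = "apply" ]; then
    tproxy_routing_cmds | sh -x
else
    if printf '%s\n' "$SAMPLE_STRACE" | ip_transparent_set; then
        echo "listener socket: IP_TRANSPARENT set"
    fi
    if ! printf '%s\n' "$SAMPLE_RULES_MISSING" | has_fwmark_rule; then
        echo "no fwmark $TPROXY_MARK rule: marked packets are forwarded, not delivered locally"
        echo "to fix, run:"
        tproxy_routing_cmds
    fi
fi
```

On a real host, replace the samples with `ip rule show | has_fwmark_rule` and `grep setsock /tmp/zorp.log | ip_transparent_set`. The check in `ip_transparent_set` is deliberately strict about the `= 0` result: a `-1 EPERM` there means the proxy lacks CAP_NET_ADMIN and the socket is not transparent even though the option was attempted.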