I don't follow the GPL version day to day, so I can't say exactly where it stands, but between the 2.x you mention and the current version the absorption :) layer, i.e. the handling of transparent connections/behaviour, changed significantly. That is probably what is causing your problem now (though you didn't write anything about the packet filter config).
Szilárd wrote a short description back then; it may be worth starting from there: http://szilard.blogs.balabit.com/en/tag/kzorp-en/
The problem with those is that they only cover setups that need a transparent proxy from the intranet to the internet. That works for me too, since I built my config from those descriptions. What doesn't work for me is the other direction: I want to ssh from the internet to the firewall's address and get to a machine in the dmz zone. As I wrote, this works if I use the DirectedRouter with the forge_addr=FALSE parameter, but with TRUE it doesn't. Below are the config files, plus the syslog and the tcpdump output. What I really don't understand (since I'm not an expert) is how the packets that the machine in the dmz sends to the client show up one after another in tcpdump, while the same packets do not appear in the packet filter's log. I'd welcome any idea or nudge in the right direction.

Gabor

##############################
# policy.py
##############################
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *

Zorp.firewall_name = 'fal'

iface_inter = "eth0"
ip_inter = "fal_ip.5.6.7.8"
iface_intra = "eth1"
ip_intra = "172.16.0.254"
iface_sys_dmz = "eth2"
ip_sys_dmz = "192.168.0.254"

InetZone("out", "0.0.0.0/0", inbound_services=["in_out_http"], outbound_services=["out_dmz_ssh"])
InetZone("dmz", "192.168.0.0/24", inbound_services=["out_dmz_ssh"], outbound_services=[])
InetZone("in", "172.16.0.0/16", inbound_services=[], outbound_services=["in_out_http"])

class MyPlugProxy(PlugProxy):
    def config(self):
        PlugProxy.config(self)
        log("plug", 2, "S: %s C: %s" % (self.session.client_local, self.session.client_address))

def in2out_http():
    Service(name="in_out_http", proxy_class=HttpProxy, router=TransparentRouter())
    Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface=iface_intra, ip=ip_intra, port=50080), service="in_out_http", transparent=TRUE, threaded=FALSE, backlog=255)

def out2dmz_ssh():
    Service("out_dmz_ssh", MyPlugProxy, router=DirectedRouter(SockAddrInet("192.168.0.1", 22), TRUE))
    Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface=iface_inter, ip=ip_inter, port=22), service="out_dmz_ssh", transparent=FALSE, threaded=FALSE, backlog=255)

##############################
# instances.conf
##############################
in2out_http --log-tags --verbose 2 -p /etc/zorp/policy.py
out2dmz_ssh --log-tags --verbose 2 -p /etc/zorp/policy.py

##############################
# iptables.conf
##############################
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PRio -
-A PREROUTING -i eth1 -s 172.16.0.0/16 -j PRio
-A PRio -p tcp --dport 80 -j TPROXY --on-port 50080 --tproxy-mark 0x1/0x1 --on-ip 172.16.0.254
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOssh -
:LOintra -
:LOdmz -
:LOinter -
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOssh
-A INPUT -p tcp --sport 22 -j LOssh
-A LOssh -j LOG --log-prefix "Entering_input_ssh: "
-A LOssh -j RETURN
-A INPUT -i eth1 -s 172.16.0.0/16 -j LOintra
-A LOintra -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -s 192.168.0.0/24 -j LOdmz
-A LOdmz -j LOG --log-prefix "Entering_LOdmz: "
-A LOdmz -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 0.0.0.0/0 -j LOinter
-A LOinter -j LOG --log-prefix "Entering_LOinter: "
-A LOinter -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROP_INPUT: "
-A INPUT -j DROP
-A LOintra -j ACCEPT
-A LOdmz -j LOG --log-prefix "DROP_LOdmz: "
-A LOdmz -j DROP
-A LOinter -j LOG --log-prefix "DROP_LOinter: "
-A LOinter -j DROP
COMMIT

##############################
# startup script
##############################
#!/bin/bash
set -o nounset
iptables="/sbin/iptables"
ip="/sbin/ip"

echo 1 > /proc/sys/net/ipv4/ip_forward
${ip} route add local 0.0.0.0/0 dev lo table 100
${ip} rule add fwmark 1 lookup 100
${ip} route flush cache

${iptables} -t mangle -N DIVERT
${iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark 1
${iptables} -t mangle -A DIVERT -j ACCEPT

iptables-restore < /etc/zorp/iptables.conf
zorpctl start

##############################
# syslog
##############################
May 31 20:01:19 fal kernel: [28131.652257] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42174 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal kernel: [28131.652271] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42174 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal kernel: [28131.671309] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42175 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal kernel: [28131.671322] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42175 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal zorp/out2dmz_ssh[14499]: plug(2): (group): S: AF_INET(fal_ip.5.6.7.8:22) C: AF_INET(client_ip.1.2.3.4:37285)
May 31 20:01:19 fal kernel: [28131.820858] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=42176 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:19 fal kernel: [28131.820871] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=42176 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:19 fal kernel: [28131.852090] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=69 TOS=0x00 PREC=0x00 TTL=58 ID=42177 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK PSH URGP=0
May 31 20:01:19 fal kernel: [28131.852104] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=69 TOS=0x00 PREC=0x00 TTL=58 ID=42177 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK PSH URGP=0
May 31 20:01:19 fal kernel: [28131.860767] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=64 TOS=0x00 PREC=0x00 TTL=58 ID=42178 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:19 fal kernel: [28131.860781] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=64 TOS=0x00 PREC=0x00 TTL=58 ID=42178 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:49 fal zorp/out2dmz_ssh[14499]: core.error(2): (svc/out_dmz_ssh:1/plug): Connection to remote end failed; local='AF_INET(client_ip.1.2.3.4:46711)', remote='AF_INET(dmz_ip.a.b.c.d:22)', error='connection timed out'

##############################
# tcpdump
##############################
20:01:19.212812 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [S], seq 1306370996, win 14600, options [mss 1392,sackOK,TS val 8652554 ecr 0,nop,wscale 4], length 0
20:01:19.213211 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [S.], seq 213728138, ack 1306370997, win 14480, options [mss 1460,sackOK,TS val 6974069 ecr 8652554,nop,wscale 6], length 0
20:01:19.231921 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [S], seq 1306370996, win 14600, options [mss 1392,sackOK,TS val 8652654 ecr 0,nop,wscale 4], length 0
20:01:19.231977 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [S.], seq 213728138, ack 1306370997, win 14480, options [mss 1460,sackOK,TS val 6974074 ecr 8652554,nop,wscale 6], length 0
20:01:19.381813 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [.], ack 1, win 913, options [nop,nop,TS val 8652679 ecr 6974069], length 0
20:01:19.382877 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6974111 ecr 0,nop,wscale 6], length 0
20:01:19.383057 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905137 ecr 6974111,nop,wscale 4], length 0
20:01:19.383069 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905137 ecr 6974111,nop,wscale 4], length 0
20:01:19.413117 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [P.], seq 1:18, ack 1, win 913, options [nop,nop,TS val 8652679 ecr 6974069], length 17
20:01:19.413175 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [.], ack 18, win 227, options [nop,nop,TS val 6974119 ecr 8652679], length 0
20:01:19.421814 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [.], ack 1, win 913, options [nop,nop,TS val 8652679 ecr 6974074,nop,nop,sack 1 {0:1}], length 0
20:01:20.379890 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6974361 ecr 0,nop,wscale 6], length 0
20:01:20.380065 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905386 ecr 6974111,nop,wscale 4], length 0
20:01:20.380081 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905386 ecr 6974111,nop,wscale 4], length 0
20:01:20.782112 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905487 ecr 6974111,nop,wscale 4], length 0
20:01:20.782127 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905487 ecr 6974111,nop,wscale 4], length 0
20:01:22.383892 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6974862 ecr 0,nop,wscale 6], length 0
20:01:22.383995 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905887 ecr 6974111,nop,wscale 4], length 0
20:01:22.384012 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905887 ecr 6974111,nop,wscale 4], length 0
20:01:22.782099 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905987 ecr 6974111,nop,wscale 4], length 0
20:01:22.782114 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905987 ecr 6974111,nop,wscale 4], length 0
20:01:26.391889 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6975864 ecr 0,nop,wscale 6], length 0
20:01:26.392062 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906889 ecr 6974111,nop,wscale 4], length 0
20:01:26.392079 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906889 ecr 6974111,nop,wscale 4], length 0
20:01:26.782139 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906987 ecr 6974111,nop,wscale 4], length 0
20:01:26.782155 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906987 ecr 6974111,nop,wscale 4], length 0
20:01:34.407890 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6977868 ecr 0,nop,wscale 6], length 0
20:01:34.408031 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908893 ecr 6974111,nop,wscale 4], length 0
20:01:34.408049 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908893 ecr 6974111,nop,wscale 4], length 0
20:01:34.782138 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908987 ecr 6974111,nop,wscale 4], length 0
20:01:34.782153 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908987 ecr 6974111,nop,wscale 4], length 0
20:01:49.412919 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [F.], seq 1, ack 18, win 227, options [nop,nop,TS val 6981619 ecr 8652679], length 0
20:01:49.412935 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [R.], seq 2, ack 18, win 227, options [nop,nop,TS val 6981619 ecr 8652679], length 0
20:01:50.782246 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294912987 ecr 6974111,nop,wscale 4], length 0
20:01:50.782263 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294912987 ecr 6974111,nop,wscale 4], length 0
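An added check, not code from the thread: the posted startup script creates the DIVERT chain and the `-m socket` rule in the mangle table and only then runs `iptables-restore < /etc/zorp/iptables.conf`, while that file carries its own `*mangle` section, and `iptables-restore` without `--noflush` flushes every table its input declares before loading it. This Python script reproduces that effect on constructed, abbreviated copies of the two posted files and lists the rules that do not survive the restore (chain names, rules and file contents come from the post; the function names are mine).

```python
import re

# Added diagnostic, not code from the thread. iptables-restore without --noflush
# flushes every table that has a "*table" section in its input, so rules the
# startup script appended to that table beforehand are gone after the restore.
# Both inputs below are constructed, abbreviated copies of the posted files.
STARTUP_CMDS = """
/sbin/iptables -t mangle -N DIVERT
/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -t mangle -A DIVERT -j ACCEPT
""".strip().splitlines()
IPTABLES_CONF = """
*mangle
:PRio -
-A PREROUTING -i eth1 -s 172.16.0.0/16 -j PRio
-A PRio -p tcp --dport 80 -j TPROXY --on-port 50080 --tproxy-mark 0x1/0x1 --on-ip 172.16.0.254
COMMIT
""".strip().splitlines()
RULE = re.compile(r"-A\s+(?P<chain>\S+)(?:\s+(?P<rule>.*))?$")

def parse_script(cmds):
    """Rules appended by iptables commands in a script: {table: {(chain, rule)}}."""
    added = {}
    for line in cmds:
        m, table = RULE.search(line), re.search(r"\s-t\s+(\S+)", line)
        if m:
            key = table.group(1) if table else "filter"
            added.setdefault(key, set()).add((m["chain"], (m["rule"] or "").strip()))
    return added

def parse_restore_file(lines):
    """Rules per *table section of an iptables-restore input: {table: {(chain, rule)}}."""
    tables, current = {}, None
    for line in (l.strip() for l in lines):
        if line.startswith("*"):
            current, tables[line[1:]] = line[1:], set()
        elif current and line.startswith("-A"):
            m = RULE.match(line)
            tables[current].add((m["chain"], (m["rule"] or "").strip()))
    return tables

def rules_lost_after_restore(cmds, restore_lines, noflush=False):
    """Script rules that vanish when iptables-restore runs afterwards."""
    if noflush:  # --noflush appends the file's rules without flushing existing tables
        return {}
    added, restored = parse_script(cmds), parse_restore_file(restore_lines)
    # A *table section makes iptables-restore flush that whole table before loading it.
    lost = {t: sorted(r - restored[t]) for t, r in added.items() if t in restored}
    return {t: r for t, r in lost.items() if r}
```

Moving the DIVERT rules into iptables.conf itself, or adding them after the restore, makes the check return an empty result; those rules are what deliver replies addressed to a forged source address to the proxy's local socket.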