On Wed, 2009-09-30 at 09:52 +0200, Gabor E. Tusnady wrote:
Dear List,
The Zsiga problem from August will not get solved on my end:
I installed an Ubuntu 8.04.3 LTS, patched the kernel and iptables, and I am using Ubuntu's own zorp package:
uname -a
Linux ujfal 2.6.24-24-386 #1 Fri Sep 18 09:10:11 CDT 2009 i686 GNU/Linux

iptables -V
iptables v1.4.0

zorpctl version
Zorp 3.0.8
Revision:
Compile-Date: Mar 21 2007 22:51:55
Config-Date: 2007/03/21
Trace: off
Debug: off
IPOptions: off
IPFilter-Tproxy: off
Netfilter-Tproxy: on
Netfilter-Linux22-Fallback: on
Linux22-Tproxy: off
Conntrack: on

Zorplib 3.0.6.4.2
Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.0--patch-116
Compile-Date: Jun 21 2006 01:01:55
Trace: off
MemTrace: off
Caps: on
Debug: off
StackDump: on
I would like to set up the simple test system described in the READMEs:
cat policy.py
from Zorp.Core import *
from Zorp.Http import *

Zorp.firewall_name = 'z'

InetZone("inter", "0.0.0.0/0", inbound_services=["io_http"], outbound_services=[])
InetZone("intra", "172.16.0.0/16", inbound_services=[], outbound_services=["io_http"])

class MyHttpProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = 1
        log("http", 2, "S: %s C: %s" % (self.session.server_address.ip_s, self.session.client_address.ip_s))

def i2o_http():
    Service("io_http", MyHttpProxy, InbandRouter())
    Listener(SockAddrInet("a.b.c.d", 50080), "io_http", transparent=TRUE)
cat iptables.conf
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -j LOG --log-prefix "TPROXY: "
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 50080 --on-ip a.b.c.d --tproxy-mark 0x1/0x1
-A DIVERT -j LOG --log-prefix "DIVERT: "
-A DIVERT -j MARK --set-mark 0x1
-A DIVERT -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG --log-prefix "INPUT: "
COMMIT
a.b.c.d is the intranet-side IP address of the firewall.
ip rule list
0:      from all lookup local
32765:  from all fwmark 0x1/0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default
I started zorp:
strace -o log -f zorpctl start i2o_http
The socket-related part of the log:
grep setso log
4492  setsockopt(14, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
The problem here is that zorp does not call the IP_TRANSPARENT option, since 3.0.8 did not know it yet. Zsiga used a newer version, and there the 0x13 setsockopt did show up. This is the line I am missing:
11195 setsockopt(12, SOL_IP, 0x13 /* IP_??? */, [1], 4) = 0

The 3.0 branch does not contain this support, but 3.1 does.
-- Bazsi
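An added example for the point Bazsi makes above; it is not part of the thread and not Zorp's own code. It assumes Linux and Python 3, and the function names, the 127.0.0.1 address and port 0 are my own choices for a local run. It performs the two setsockopt calls side by side: the SO_REUSEADDR call that the 3.0.8 strace shows, and the SOL_IP option 19 (0x13) call it lacks, which the old strace printed as "IP_???" because it did not know the name. It then reads the option back to report whether the listener actually became transparent, and distinguishes a kernel that refuses the option for lack of CAP_NET_ADMIN from one that does not support it at all. Run it as root on the firewall to compare against what zorpctl's strace shows.

```python
"""Does a TCP listener become a TPROXY-capable (transparent) socket?

Added example for the mailing-list thread above, not part of Zorp.
Assumes Linux: IP_TRANSPARENT is socket option 19 (0x13) at the SOL_IP
level, which is exactly the call missing from the Zorp 3.0.8 strace.
"""
import errno
import socket

# Values from linux/in.h; the getattr fallbacks keep the script importable
# on a Python build that does not export the constants (assumption: Linux).
SOL_IP = getattr(socket, "SOL_IP", socket.IPPROTO_IP)   # level 0
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # 0x13 in the strace


def decode_sol_ip_option(optname: int) -> str:
    """Give the symbolic name for a numeric SOL_IP option seen in strace.

    Only the options relevant here are covered; anything else is reported
    the way the old strace in the thread did, as IP_???.
    """
    names = {
        socket.IP_TOS: "IP_TOS",
        socket.IP_TTL: "IP_TTL",
        IP_TRANSPARENT: "IP_TRANSPARENT",
    }
    return names.get(optname, "IP_???")


def make_transparent_listener(addr: str, port: int):
    """Open a listener the way a TPROXY-aware proxy must and report the result.

    Returns (sock, status); status is one of:
      "transparent"  IP_TRANSPARENT was accepted and reads back as 1
      "no-privilege" the kernel refused it (setting it needs CAP_NET_ADMIN)
      "unsupported"  the kernel does not know the option at all
      "not-set"      the call returned but the option did not stick
    The caller owns the returned socket and must close it.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # This is the only socket option the 3.0.8 strace in the thread shows.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        # The call Zorp 3.1 makes and 3.0.8 does not: without it the TPROXY
        # target will not hand redirected connections to this socket.
        s.setsockopt(SOL_IP, IP_TRANSPARENT, 1)
    except OSError as e:
        if e.errno in (errno.EPERM, errno.EACCES):
            status = "no-privilege"
        elif e.errno in (errno.ENOPROTOOPT, errno.EINVAL):
            status = "unsupported"
        else:
            s.close()
            raise
    else:
        # Read the option back rather than trusting the return code alone.
        value = s.getsockopt(SOL_IP, IP_TRANSPARENT)
        status = "transparent" if value == 1 else "not-set"
    s.bind((addr, port))
    s.listen(5)
    return s, status


if __name__ == "__main__":
    sock, status = make_transparent_listener("127.0.0.1", 0)
    host, bound_port = sock.getsockname()
    print("listener on %s:%d is %s" % (host, bound_port, status))
    sock.close()
```

Two things to keep in mind when comparing against the setup in the thread: a status of "no-privilege" from an unprivileged shell is expected and says nothing about the kernel, so repeat the check as root; and the `fwmark 0x1/0x1 lookup 100` rule shown in the `ip rule list` output only does its job if table 100 also holds a local route for the marked traffic (`ip route add local 0.0.0.0/0 dev lo table 100`, a standard TPROXY requirement, not something the thread shows).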