Dear Johns,
Yes, you are right, the real environment is more complicated than my last description, so I created a new simple environment and tested it again. The new environment has four nodes only:
client (firefox) <-> tcpdump <-> zorp <-> server (Internet)
zorp config:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.003048427898       no              eth0
                                                        eth1
# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:30:48:42:78:98
          inet addr:192.168.88.221  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2562 errors:0 dropped:0 overruns:0 frame:0
          TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:448376 (437.8 Kb)  TX bytes:136651 (133.4 Kb)

dummy0    Link encap:Ethernet  HWaddr 42:CC:24:E8:34:AE
          inet addr:172.16.44.10  Bcast:172.16.44.11  Mask:255.255.255.254
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:30:48:42:78:98
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:9934 errors:0 dropped:0 overruns:0 frame:0
          TX packets:571 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:822121 (802.8 Kb)  TX bytes:197993 (193.3 Kb)
          Base address:0xa000 Memory:ec000000-ec020000

eth1      Link encap:Ethernet  HWaddr 00:30:48:42:78:99
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:169726 (165.7 Kb)  TX bytes:302393 (295.3 Kb)
          Base address:0xa400 Memory:ec020000-ec040000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1916 (1.8 Kb)  TX bytes:1916 (1.8 Kb)
# ip route list
172.16.44.10/31 dev dummy0  scope link
192.168.88.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.88.1 dev br0
The client IP is 192.168.88.166.
tcpdump is in bridge mode too, and its IP is 192.168.88.220.
After testing it again and again, I think I may have found something about why the zorp dummy IP is seen by the client. tcpdump output below:
14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432
14:35:06.298923 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 32:1492(1460) ack 1 win 6432
14:35:06.298956 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 1492:2952(1460) ack 1 win 6432
14:35:06.298982 IP 172.16.44.10.60080 > 192.168.88.166.1665: FP 2952:3530(578) ack 1 win 6432
14:35:06.299275 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299298 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299317 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299742 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:09.298919 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:09.300223 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:15.296912 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:15.298446 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:26.355720 IP 172.16.44.10.60080 > 192.168.88.166.1666: P 1004186045:1004186077(32) ack 784265389 win 6432
If a client<->server entry exists in /proc/net/tproxy, zorp will use it to hide the dummy IP; when the entry has been deleted for some reason, zorp can't hide the dummy IP.
But why the entry is deleted before zorp finishes its job, I don't know; maybe it's a bug or an unmatched timeout setup, I guess.
//ZhouLi
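
An added example, not part of the original thread: a Python check that scans tcpdump text output for segments whose source is still the TPROXY bind address (172.16.44.10:60080 in this setup) and counts the client's RST replies per client port. The first four sample lines are copied from the capture in the message above; the last one, with the server address 192.0.2.80, is constructed to show a correctly forged packet.

```python
import re
from collections import defaultdict

# tcpdump text line: time [802.1Q tag] [IP] src.port > dst.port: flags ...
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:802\.1Q vlan#\d+ P\d+ )?(?:IP )?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFPRWE.]+)"
)

def find_unforged(lines, bind_ip, bind_port):
    """Per client endpoint: packets exposing the proxy bind address, and RSTs sent back."""
    flows = defaultdict(lambda: {"leaked": 0, "client_rst": 0, "first": None})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a TCP summary line (ARP, wrapped text, ...)
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if src == (bind_ip, bind_port):
            # Source address was not rewritten before reaching the client.
            flow = flows[dst]
            flow["leaked"] += 1
            flow["first"] = flow["first"] or m["ts"]
        elif dst == (bind_ip, bind_port) and "R" in m["flags"]:
            # Client has no socket for this 4-tuple, so it resets the segment.
            flows[src]["client_rst"] += 1
    return dict(flows)

# Four lines from the capture in the message; the last line is constructed.
SAMPLE = """\
14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432
14:35:06.298923 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 32:1492(1460) ack 1 win 6432
14:35:06.299275 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:26.355720 IP 172.16.44.10.60080 > 192.168.88.166.1666: P 1004186045:1004186077(32) ack 784265389 win 6432
14:35:26.400000 IP 192.0.2.80.80 > 192.168.88.166.1667: P 1:33(32) ack 1 win 6432
""".splitlines()

if __name__ == "__main__":
    for (ip, port), stats in sorted(find_unforged(SAMPLE, "172.16.44.10", 60080).items()):
        print(f"{ip}:{port} first={stats['first']} "
              f"leaked={stats['leaked']} client_rst={stats['client_rst']}")
```

Comparing each flow's first timestamp with the time its entry disappears from /proc/net/tproxy is one way to test the deleted-entry theory described in the message.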
----- Original Message -----
Sent: Wednesday, July 11, 2007 07:15
Subject: Re: [zorp] Why client can see ip address of dummy interface
Li,
More questions than answers, but we'll get to the cause of this...
Does zorp have a 192.168.88.x address assigned to either of its interfaces? Does it have 2 interfaces or more? Can you provide a tcpdump trace of the sequence leading up to the below and include any ARP requests also?
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156
ie: was there a 3-way TCP handshake between client and server (or zorp) before the above? What ARP requests/replies were sent/received by the client/zorp/server, if any?
And can you include 'netstat -rn' (routing table) info too please - I'm not sure how these devices are communicating directly unless you have multiple networks (ie 192.168.88.0/24 and 172.16.44.0/24) attached to the same network segment?
I agree that you should not be able to see the client IP - did it work before in the past or is this the first time you've done this?
I see you have VLANs configured also - are these 3 devices the only devices on the network or is it much more complicated than the original ascii diagram? Can you provide a more detailed diagram showing any other switches/firewalls/gateways on your network?
--
Regards
AJ
NetSafety - Internet Security Made Easy
On 7/10/07, Zhou Li <zhou.li@ca-jc.com> wrote:
Yes, Johns, it works in bridge mode.
//ZhouLi
----- Original Message -----
Sent: Tuesday, July 10, 2007 14:56
Subject: Re: [zorp] Why client can see ip address of dummy interface
Hi ZhouLi,
See below
On 7/9/07, Zhou Li <zhou.li@ca-jc.com> wrote:
I tested Zorp 3.0.14b + 2.0.6 cttproxy for kernel 2.6.17 and it works fine for me, but I found the client can see the IP address of the dummy interface, which I can't understand.
# iptables -t tproxy -I PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 172.16.44.10 --on-port 60080
instances.conf:
http -T -v 1 -s core.error:0 -p /usr/local/etc/zorp/http.py -B 172.16.44.10
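http.py:
.
.
.
def zorp():
    # forge_addr: use the client's address as the source toward the server
    Service("http", MyHttp,
            router=TransparentRouter(forge_addr=TRUE, forge_port=Z_PORT_EXACT))
    # Listen on the dummy address and port named by the TPROXY rule
    Listener(SockAddrInet('172.16.44.10', 60080),
             "http", transparent=TRUE, mark_tproxy=TRUE)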
When I make a new http request from the client to the server, tcpdump displays the information below:
tcpdump on client
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156
tcpdump on server
My question is how to avoid the client seeing the dummy IP address?
ZhouLi
Does TProxy work in bridge mode - you appear to have the same network address/mask on both zorp interfaces - is this correct? Or is this on a VMWare system?
_______________________________________________
zorp mailing list
zorp@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/zorp