I tested Zorp 3.0.14b + 2.0.6 cttproxy for kernel 2.6.17 and it works fine for me, but I found that the client can see the IP address of the dummy interface, which I can't understand.

client(192.168.88.166) <--> zorp(dummy ip 172.16.44.10) <--> server(192.168.88.10)

# iptables -t tproxy -I PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 172.16.44.10 --on-port 60080

instances.conf:
http -T -v 1 -s core.error:0 -p /usr/local/etc/zorp/http.py -B 172.16.44.10

http.py:
. . .
def zorp():
    Service("http", MyHttp, router=TransparentRouter(forge_addr=TRUE, forge_port=Z_PORT_EXACT))
    Listener(SockAddrInet('172.16.44.10', 60080), "http", transparent=TRUE, mark_tproxy=TRUE)

When I make a new HTTP request from the client to the server, tcpdump displays the information below.

tcpdump on client
# tcpdump | grep 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156

tcpdump on server
# tcpdump | grep 172.16.44.10
16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10

My question is: how do I avoid the client seeing the dummy IP address?

ZhouLi

____ KILL mail security gateway has scanned this message ____
Hi ZhouLi,

See below.

On 7/9/07, Zhou Li <zhou.li@ca-jc.com> wrote:
> [...]
Does TProxy work in bridge mode - you appear to have the same network address/mask on both zorp interfaces - is this correct? Or is this on a VMWare system?

--
Regards
AJ
NetSafety - Internet Security Made Easy
Yes, Johns, it works in bridge mode.

//ZhouLi

----- Original Message -----
From: A Johns
To: Zorp users mailing list
Sent: Tuesday, July 10, 2007 14:56
Subject: Re: [zorp] Why client can see ip address of dummy interface
> [...]

_______________________________________________
zorp mailing list
zorp@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/zorp
Li,

More questions than answers, but we'll get to the cause of this...

Does zorp have a 192.168.88.x address assigned to either of its interfaces? Does it have 2 interfaces or more?

Can you provide a tcpdump trace of the sequence leading up to the below and include any ARP requests also?

# tcpdump | grep 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156

ie: was there a 3-way TCP handshake between client and server (or zorp) before the above? What ARP requests/replies were sent/received by the client/zorp/server, if any?

And can you include 'netstat -rn' (routing table) info too please - I'm not sure how these devices are communicating directly unless you have multiple networks (ie 192.168.88.0/24 and 172.16.44.0/24) attached to the same network segment?

I agree that you should not be able to see the client IP - did it work before in the past or is this the first time you've done this?

I see you have VLANs configured also - are these 3 devices the only devices on the network or is it much more complicated than the original ascii diagram? Can you provide a more detailed diagram showing any other switches/firewalls/gateways on your network?

--
Regards
AJ
NetSafety - Internet Security Made Easy

On 7/10/07, Zhou Li <zhou.li@ca-jc.com> wrote:
> Yes, Johns, it works in bridge mode.
> //ZhouLi
> [...]
Dear Johns,

Yes, you are right, the real environment is more complicated than my last description. So I created a new simple environment and tested it again. The new environment has four nodes only:

client(firefox) <-> tcpdump <-> zorp <-> server(Internet)

zorp config:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.003048427898       no              eth0
                                                        eth1

# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:30:48:42:78:98
          inet addr:192.168.88.221  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2562 errors:0 dropped:0 overruns:0 frame:0
          TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:448376 (437.8 Kb)  TX bytes:136651 (133.4 Kb)

dummy0    Link encap:Ethernet  HWaddr 42:CC:24:E8:34:AE
          inet addr:172.16.44.10  Bcast:172.16.44.11  Mask:255.255.255.254
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:30:48:42:78:98
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:9934 errors:0 dropped:0 overruns:0 frame:0
          TX packets:571 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:822121 (802.8 Kb)  TX bytes:197993 (193.3 Kb)
          Base address:0xa000 Memory:ec000000-ec020000

eth1      Link encap:Ethernet  HWaddr 00:30:48:42:78:99
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:169726 (165.7 Kb)  TX bytes:302393 (295.3 Kb)
          Base address:0xa400 Memory:ec020000-ec040000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1916 (1.8 Kb)  TX bytes:1916 (1.8 Kb)

# ip route list
172.16.44.10/31 dev dummy0  scope link
192.168.88.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.88.1 dev br0

The client IP is 192.168.88.166. The tcpdump host is in bridge mode too, and its IP is 192.168.88.220.

After testing it again and again, I think I may have found something about why the zorp dummy IP is seen by the client; tcpdump output below:

14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432
14:35:06.298923 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 32:1492(1460) ack 1 win 6432
14:35:06.298956 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 1492:2952(1460) ack 1 win 6432
14:35:06.298982 IP 172.16.44.10.60080 > 192.168.88.166.1665: FP 2952:3530(578) ack 1 win 6432
14:35:06.299275 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299298 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299317 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299742 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:09.298919 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:09.300223 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:15.296912 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:15.298446 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:26.355720 IP 172.16.44.10.60080 > 192.168.88.166.1666: P 1004186045:1004186077(32) ack 784265389 win 6432

If /proc/net/tproxy has a client<->server entry, zorp will use it to hide the dummy IP; when the entry is deleted for some reason, zorp can't hide the dummy IP.

But why the entry is deleted before zorp finishes its job, I don't know; maybe it's a bug or an unmatched timeout setup, I guess.

//ZhouLi

----- Original Message -----
From: A Johns
To: Zorp users mailing list
Sent: Wednesday, July 11, 2007 07:15
Subject: Re: [zorp] Why client can see ip address of dummy interface
> [...]
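The failure signature this thread circles around (data segments sourced from the proxy's dummy address toward the client, each answered with a RST, plus the ARP request that names the dummy address on the wire) and AJ's diagnostic question (was there ever a handshake on the 4-tuple the client is resetting?) can both be checked mechanically against a capture. The script below is an added example written for this page; it is not code from Zorp, cttproxy or either poster. It parses tcpdump text output in the two formats quoted in the thread, flags TCP segments sent from a given proxy-internal address to client-side hosts, pairs each with whether the peer reset the flow and whether a SYN was ever seen on that 4-tuple, and lists ARP requests sent from that address. The sample capture is constructed to resemble the traces in the thread; its addresses, ports and timestamps are illustrative only.

```python
import re

# Constructed sample capture modelled on the tcpdump output quoted in this thread.
# Values are illustrative, not a real trace: the client handshakes with the server
# address, then receives a data segment from the proxy's dummy address and resets it.
SAMPLE_CAPTURE = """\
14:35:05.100000 IP 192.168.88.166.1665 > 192.168.88.10.80: S 779229394:779229394(0) win 65535
14:35:05.100500 IP 192.168.88.10.80 > 192.168.88.166.1665: S 991843041:991843041(0) ack 779229395 win 5840
14:35:05.100900 IP 192.168.88.166.1665 > 192.168.88.10.80: . ack 1 win 65535
14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432
14:35:06.299275 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0
16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10
"""

# One TCP line in either tcpdump text format seen in the thread:
#   "<ts> IP a.b.c.d.port > e.f.g.h.port: <flags> ..."  and
#   "<ts> 802.1Q vlan#3 P0 a.b.c.d.port > e.f.g.h.port: <flags> ..."
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
)
# "<ts> arp who-has <target> tell <sender>"
ARP_RE = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")


def parse_capture(text):
    """Split tcpdump text output into TCP segment records and ARP requests."""
    segments, arps = [], []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            segments.append({
                "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"],
            })
            continue
        m = ARP_RE.match(line)
        if m:
            arps.append(m.groupdict())
    return segments, arps


def flow_key(seg):
    """Direction-independent 4-tuple so both halves of a conversation share a key."""
    return tuple(sorted([(seg["src"], seg["sport"]), (seg["dst"], seg["dport"])]))


def find_address_leaks(text, proxy_ip, client_net_prefix):
    """Report where proxy_ip shows up on the client side of a transparent proxy.

    Returns one record per offending TCP segment (noting whether the peer reset
    the flow and whether any SYN was ever seen on that 4-tuple) and one record
    per ARP request sent from proxy_ip.  A correctly forged flow yields none.
    """
    segments, arps = parse_capture(text)
    rst_flows = {flow_key(s) for s in segments if "R" in s["flags"]}
    syn_flows = {flow_key(s) for s in segments if "S" in s["flags"]}
    findings = []
    for s in segments:
        if s["src"] == proxy_ip and s["dst"].startswith(client_net_prefix):
            k = flow_key(s)
            findings.append({
                "kind": "tcp", "ts": s["ts"], "peer": s["dst"], "flags": s["flags"],
                "reset_by_peer": k in rst_flows,      # client rejected the segment
                "handshake_on_flow": k in syn_flows,  # no SYN => client never opened this 4-tuple
            })
    for a in arps:
        if a["sender"] == proxy_ip:
            findings.append({"kind": "arp", "ts": a["ts"], "target": a["target"]})
    return findings


if __name__ == "__main__":
    for finding in find_address_leaks(SAMPLE_CAPTURE, "172.16.44.10", "192.168.88."):
        print(finding)
```

On the constructed sample the TCP finding shows the pattern from the thread: the client's only handshake was with the server address, the segment arriving from the dummy address belongs to no 4-tuple the client opened, so the client answers RST. Feeding the output of `tcpdump -n -l` into the same function (replace `SAMPLE_CAPTURE` with the captured text) gives a quick yes/no on whether a transparent proxy's internal address is being exposed to clients after a configuration change.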
participants (2)
-
A Johns
-
Zhou Li