Hi,

I am new to this list and zorp as well. I am just playing around with zorp in a user mode linux environment and need some help with iptables configuration.

There is one http zorp proxy configured right now. The system and zorp are running fine, but I get some loops when trying to connect to a web server through the zorp machine.

I need to redirect connections coming in on my internal interface on, say, port 80/tcp to zorp (i.e. port 50080/tcp) and tproxy them to servers in the internet, reachable via an external interface. Redirection works, tproxying as well, but iptables seems to redirect the connection established by zorp back to the proxy.

Is there any configuration example or documentation for such a setup? I know the tutorial on the zorp gpl web page, but could not get any help for my problems out of it, maybe because of lack of detailed iptables knowledge.

I currently have no access to my configuration, but I can post details later, if needed.

I'd really appreciate any help, thanks in advance!

Regards,
Till
On Tue, 2005-02-22 at 13:35 +0100, Tillmann Werner wrote:
Hi,
I am new to this list and zorp as well. I am just playing around with zorp in a user mode linux environment and need some help with iptables configuration.
There is one http zorp proxy configured right now. The system and zorp is running fine, but I get some loops when trying to connect to a web server through the zorp machine.
I need to redirect connections coming in on my internal interface on, say, port 80/tcp to zorp (i.e. port 50080/tcp) and tproxy them to servers in the internet, reachable via an external interface. Redirection works, tproxying as well, but iptables seems to redirect the connection established by zorp back to the proxy.
Is there any configuration example or documentation for such a setup? I know the tutorial on the zorp gpl web page, but could not get any help for my problems out of it, maybe because of lack of detailed iptables knowledge.
I currently have no access to my configuration, but I can post details later, if needed.
I think Zorp has not correctly detected your transparent proxying implementation, thus does not detect the actual transparent destination of your client, uses the listener address instead (e.g. the address the IP stack "thinks" your destination was), and then reconnects itself. You should check the output of your "System dependant init" log message at Zorp startup, where you should see "sysdep_tproxy=2" or sysdep_tproxy=tproxy12, depending on your Zorp version. (3.0.3 or later reports the latter one, earlier Zorp versions reported it numerically.) If you see sysdep_tproxy=1 or linux22 then Zorp did not detect your tproxy correctly, maybe you don't have the autobind interface configured correctly. Zorp also reminds you about this, with a log message like "Error autobinding socket..." If you post the startup logs (by running /usr/lib/zorp/zorp -v8 -l -T) I might help you identify other problems as well.
--
Bazsi
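An added example, not part of this thread and not Zorp's own code: a small Python checker that applies the diagnostic above to the output of "zorp -v8 -l -T", flagging a misdetected tproxy implementation (sysdep_tproxy=1 or linux22, the state in which Zorp reconnects to its own listener address and loops) and the autobind error. The sample log lines are constructed after the ones quoted in this thread; the good/bad value sets are the ones named in the message above.

```python
import re

# Constructed sample, modelled on the startup messages quoted in this thread
# (not a real capture): tproxy misdetected (sysdep_tproxy='1') and autobind failing.
SAMPLE_STARTUP_LOG = """\
Zorp-INFO: core.debug(0): (noname/nosession): Verbosity level: 8
Zorp-INFO: core.debug(6): (noname/nosession): System dependant init; sysdep_tproxy='1'
Zorp-INFO: core.debug(7): (noname/nosession): Start to listen; fd='5'
Zorp-INFO: core.info(5): zorp version 2.0.9 starting up
Zorp-INFO: core.error(0): (noname/nosession): Error autobinding socket;
"""

# Values named in the thread: numeric in older Zorp, symbolic from 3.0.3 on.
TPROXY_OK = {"2", "tproxy12"}      # transparent proxying detected
TPROXY_BAD = {"1", "linux22"}      # fell back to non-transparent handling

SYSDEP_RE = re.compile(r"System dependant init; sysdep_tproxy='?(\w+)'?")
AUTOBIND_RE = re.compile(r"Error autobinding socket")

def check_tproxy_detection(log_text):
    """Inspect a 'zorp -v8 -l -T' startup log and report the tproxy detection state."""
    result = {"sysdep_tproxy": None, "tproxy_ok": False,
              "autobind_error": False, "findings": []}
    for line in log_text.splitlines():
        m = SYSDEP_RE.search(line)
        if m:
            value = m.group(1)
            result["sysdep_tproxy"] = value
            if value in TPROXY_OK:
                result["tproxy_ok"] = True
            elif value in TPROXY_BAD:
                # Without a detected tproxy Zorp uses the listener address as the
                # destination and reconnects to itself: the loop described above.
                result["findings"].append(
                    "sysdep_tproxy=%s: tproxy not detected, expect connection loops" % value)
            else:
                result["findings"].append("unknown sysdep_tproxy value %r" % value)
        if AUTOBIND_RE.search(line):
            result["autobind_error"] = True
            result["findings"].append(
                "autobind failed: check the tproxy autobind interface configuration")
    if result["sysdep_tproxy"] is None:
        result["findings"].append(
            "no 'System dependant init' line found: rerun with -v8 to log it")
    return result
```

Feed it the captured startup log; an empty findings list means the transparent proxying backend was detected and bound.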
Hi Bazsi,

first of all thanks for your fast reply. I spent the last days compiling different versions of zorp gpl to make sure to "configure" with "--with-tproxy=netfilter". The stable release was the only version I could get running 'till now...
If you see sysdep_tproxy=1 or linux22 then Zorp did not detect your tproxy correctly, maybe you don't have the autobind interface configured correctly. Zorp also reminds you about this, with a log message like "Error autobinding socket..."
I've got "sysdep_tproxy=1" indeed. The system runs a tproxy-patched 2.6.10 kernel (uml), my python is 2.3.3. Are there any known tproxy detection problems on such a setup?
If you post the startup logs (by running /usr/lib/zorp/zorp -v8 -l -T) I might help you identify other problems as well.
This is from a freshly installed stable release with the example policy file (without the "python future warnings"):
-------------------------------------------
root@tproxy:#> /usr/local/lib/zorp/zorp -v8 -l -T
Zorp-INFO: core.debug(0): (noname/nosession): Verbosity level: 8
Zorp-INFO: core.debug(6): (noname/nosession): System dependant init; sysdep_tproxy='1'
Zorp-INFO: core.debug(7): (noname/nosession): Start to listen; fd='5'
Zorp-INFO: core.debug(6): (conntrack/thread): thread starting;
Zorp-INFO: core.info(5): zorp version 2.0.9 starting up
Zorp-INFO: core.debug(5): (noname/nosession): Zone(site-net): outbound service=intra_http
Zorp-INFO: core.debug(5): (noname/nosession): Zone(site-net): outbound service=intra_ftp
Zorp-INFO: core.debug(5): (noname/nosession): Zone(site-net): outbound service=intra_cvs
Zorp-INFO: core.debug(5): (noname/nosession): Zone(local): inbound service=*
Zorp-INFO: core.debug(5): (noname/nosession): Zone(internet): inbound service=*
Zorp-INFO: core.error(0): (noname/nosession): Instance definition not found in policy; instance='zorp'
Traceback (most recent call last):
  File "/usr/local/share/zorp/pylib/Zorp/Zorp.py", line 175, in init
    func()
UnboundLocalError: local variable 'func' referenced before assignment
Zorp-INFO: core.error(0): (noname/nosession): Error initializing policy;
Zorp-INFO: core.error(0): (noname/nosession): Error loading initial policy, exiting;
Zorp-INFO: core.info(5): zorp version 2.0.9 going down.
Zorp-INFO: core.debug(6): (conntrack/thread): thread exiting;
root@tproxy:#>
-------------------------------------------
Till
Hi,

On 2005-02-24, Thu, at 03:51, Tillmann Werner wrote:
first of all thanks for your fast reply. I spent the last days compiling different versions of zorp gpl to make sure to "configure" with "--with-tproxy=netfilter". The stable release was the only version I could get running 'till now...
Hmm, this may be a problem, since only the 3.0 branch of Zorp is compatible with Linux 2.6... (To be more accurate, only TProxy 2.0 has a Linux 2.6 version available, and only Zorp 3 has support for TProxy 2.0.)
If you see sysdep_tproxy=1 or linux22 then Zorp did not detect your tproxy correctly, maybe you don't have the autobind interface configured correctly. Zorp also reminds you about this, with a log message like "Error autobinding socket..."
I've got "sysdep_tproxy=1" indeed. The system runs a tproxy-patched 2.6.10 kernel (uml), my python is 2.3.3. Are there any known tproxy detection problems on such a setup?
Yes, as I've stated above it's incompatible with TProxy 2.0. Please try to upgrade to Zorp 3 GPL, it is probably a better choice than downgrading your UML kernel to 2.4. If you have any compilation problems, please let us know.
--
Regards,
Krisztian Kovacs
Hi,
Hmm, this may be a problem, since only the 3.0 branch of Zorp is compatible with Linux 2.6... (To be more accurate, only TProxy 2.0 has a Linux 2.6 version available, and only Zorp 3 has support for TProxy 2.0.)
Ok.
Yes, as I've stated above it's incompatible with TProxy 2.0. Please try to upgrade to Zorp 3 GPL, it is probably a better choice than downgrading your UML kernel to 2.4. If you have any compilation problems, please let us know.
I downloaded the libzorpll_3.0.5.3.tar.gz, which compiles well. Zorp itself from zorp_3.0.3.tar.gz does not, it breaks in zorp:
---------------------------
Making all in zorp
make[2]: Entering directory `/usr/src/zorp-3.0.3.1/zorp'
if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/src/zorp-3.0.3.1/lib -I/usr/src/zorp-3.0.3.1 -D_GNU_SOURCE -pthread -I/usr/local/include -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/python2.3 -I/usr/include/python2.3/ExtensionClass -O2 -Wall -W -g -D_GNU_SOURCE -MT main.o -MD -MP -MF ".deps/main.Tpo" \
  -c -o main.o `test -f 'main.c' || echo './'`main.c; \
then mv -f ".deps/main.Tpo" ".deps/main.Po"; \
else rm -f ".deps/main.Tpo"; exit 1; \
fi
main.c: In function `z_main_loop':
main.c:302: warning: implicit declaration of function `z_log_change_verbose_level'
main.c: In function `z_version':
main.c:348: warning: too few arguments for format
main.c: In function `main':
main.c:643: warning: passing arg 2 of `z_log_init' makes pointer from integer without a cast
main.c:643: warning: passing arg 3 of `z_log_init' makes integer from pointer without a cast
main.c:643: error: too many arguments to function `z_log_init'
main.c:643: error: wrong type argument to unary exclamation mark
make[2]: *** [main.o] Error 1
make[2]: Leaving directory `/usr/src/zorp-3.0.3.1/zorp'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/zorp-3.0.3.1'
make: *** [all] Error 2
----------------------------------
A quick look at z_log_init tells that there is no parameter for verbose_level, if I am right.

Till
Hi,

On 2005-02-24, Thu, at 05:40, Tillmann Werner wrote:
I downloaded the libzorpll_3.0.5.3.tar.gz, which compiles well. Zorp itself from zorp_3.0.3.tar.gz does not, it breaks in zorp:
Please try libzorpll 3.0.6.3 instead: http://www.balabit.com/downloads/zorp/zorp-os/pool/l/libzorpll/libzorpll_3.0...
--
Regards,
Krisztian Kovacs
On Thu, 2005-02-24 at 05:40 +0100, Tillmann Werner wrote:
Hi,
Hmm, this may be a problem, since only the 3.0 branch of Zorp is compatible with Linux 2.6... (To be more accurate, only TProxy 2.0 has a Linux 2.6 version available, and only Zorp 3 has support for TProxy 2.0.)
Ok.
Yes, as I've stated above it's incompatible with TProxy 2.0. Please try to upgrade to Zorp 3 GPL, it is probably a better choice than downgrading your UML kernel to 2.4. If you have any compilation problems, please let us know.
I downloaded the libzorpll_3.0.5.3.tar.gz, which compiles well. Zorp itself from zorp_3.0.3.tar.gz does not, it breaks in zorp:
Sigh. I'll have to clean up the synchronization scripts or remove downloads/zorp/<versions> directories completely as those are only replicas of the originals under downloads/zorp/zorp-os/pool which is the direct output of our build system.

Sorry for the confusion, there were some incompatible changes in libzorpll 3.0.6.x (hence the different 3rd version number), and although our commercial and gpl versions use the same branch no Zorp GPL was released at the same time the commercial one was released.

Anyway, I'm packaging a Zorp GPL 3.0.3.2 which should compile with your libzorpll and come back with the results. (takes about a half an hour, just to make sure it properly compiles)
--
Bazsi
On Fri, 2005-02-25 at 10:54 +0100, Balazs Scheidler wrote:
On Thu, 2005-02-24 at 05:40 +0100, Tillmann Werner wrote:
Hi,
Hmm, this may be a problem, since only the 3.0 branch of Zorp is compatible with Linux 2.6... (To be more accurate, only TProxy 2.0 has a Linux 2.6 version available, and only Zorp 3 has support for TProxy 2.0.)
Ok.
Yes, as I've stated above it's incompatible with TProxy 2.0. Please try to upgrade to Zorp 3 GPL, it is probably a better choice than downgrading your UML kernel to 2.4. If you have any compilation problems, please let us know.
I downloaded the libzorpll_3.0.5.3.tar.gz, which compiles well. Zorp itself from zorp_3.0.3.tar.gz does not, it breaks in zorp:
Sigh. I'll have to clean up the synchronization scripts or remove downloads/zorp/<versions> directories completely as those are only replicas of the originals under downloads/zorp/zorp-os/pool which is the direct output of our build system.
Sorry for the confusion, there were some incompatible changes in libzorpll 3.0.6.x (hence the different 3rd version number), and although our commercial and gpl versions use the same branch no Zorp GPL was released at the same time the commercial one was released.
Anyway, I'm packaging a Zorp GPL 3.0.3.2 which should compile with your libzorpll and come back with the results. (takes about a half an hour, just to make sure it properly compiles)
Released, compiled and briefly tested Zorp GPL 3.0.3.2 which is available at:
http://www.balabit.hu/downloads/zorp/zorp-os/pool/z/zorp/

Remember to compile it using libzorpll 3.0.6.0.3, which is available at:
http://www.balabit.hu/downloads/zorp/zorp-os/pool/l/libzorpll
--
Bazsi
Hi Bazsi and Krisztian,
Released, compiled and briefly tested Zorp GPL 3.0.3.2 which is available at:
http://www.balabit.hu/downloads/zorp/zorp-os/pool/z/zorp/
Remember to compile it using libzorpll 3.0.6.0.3, which is available at:
http://www.balabit.hu/downloads/zorp/zorp-os/pool/l/libzorpll
Many thanks for your help! I finally got one combination running, but I'll try 3.0.3.2/3.0.6.0.3 this weekend.

Another question: My first Zorp configuration, a simple http proxy, is completely transparent for the client, but the server would see the IP address of the gateway machine (it does not because of a NAT firewall in front of the alg). Please have a look at my policy.py below, is there a switch missing for transparency from the server point of view?

Have a nice weekend,
Till
----------------------
from Zorp.Core import *
from Zorp.Http import *

InetZone('intra', '10.0.0.0/24', outbound_services=['http'])
InetZone('inter', '0.0.0.0/0', inbound_services=['*'], outbound_services=['http'])

class InternHttp(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE

def intra():
    Service('http', InternHttp)
    Listener(SockAddrInet('192.168.3.30', 50080), 'http')

def inter():
    pass
On Fri, 2005-02-25 at 19:42 +0100, Tillmann Werner wrote:
def intra():
    Service('http', InternHttp)
    Listener(SockAddrInet('192.168.3.30', 50080), 'http')
Try this as your Service definition:

Service('http', InternHttp, router=TransparentRouter(forge_addr=1))

MCS