[tproxy] iptables setup for Zorp

Balazs Scheidler bazsi at balabit.hu
Thu May 29 09:15:05 CEST 2008


On Wed, 2008-05-28 at 17:38 +0200, Tim Feld wrote:
> Hi,
> 
> I am having difficulties transferring the zorp tutorial iptables setup to the new tproxy version without the tproxy table. 
> 
> This is the setup in iptables-save/restore syntax found at balabit's website (https://www.balabit.com/network-security/zorp-gateway/gpl/tutorial/):
> *tproxy
> :PREROUTING ACCEPT
> :OUTPUT ACCEPT
> :PRintra -
> :PRinter -
> :PRdmz -
> -A PREROUTING -i IFintra -j PRintra
> -A PREROUTING -i IFinter -j PRinter
> -A PREROUTING -i IFdmz   -j PRdmz
> # PRintra chain
> -A PRintra -p tcp --dport 80 -j TPROXY --on-port 50080
> -A PRintra -p tcp --dport 443 -j TPROXY --on-port 50443
> -A PRintra -p tcp --dport 21 -j TPROXY --on-port 50021
> # PRinter chain
> -A PRinter -p tcp --dport 80 -j TPROXY --on-port 50080
> # PRdmz chain
> # no services permitted
> COMMIT
> *filter
> :INPUT DROP
> :FORWARD DROP
> :OUTPUT ACCEPT
> :noise -
> :spoof -
> :spoofdrop -
> :LOintra -
> :LOinter -
> :LOdmz -
> -A INPUT -j noise
> -A INPUT -j spoof
> # permit all traffic initiated by transparent proxies
> -A INPUT -m tproxy -j ACCEPT
> #
> # permit all TCP traffic initiated by local processes, or allowed by rules
> # below; we don't trust the state match for UDP traffic, it will be handled
> # by individual rules below.
> #
> -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> # permit all loopback traffic
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i IFintra -j LOintra
> -A INPUT -i IFinter -j LOinter
> -A INPUT -i IFdmz   -j LOdmz
> -A INPUT -j DROP
> -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
> -A FORWARD -j DROP
> # LOintra
> -A LOintra -p udp --dport 53 -j ACCEPT
> -A LOintra -p udp --dport 123 -j ACCEPT
> -A LOintra -p tcp --syn --dport 25 -j ACCEPT
> -A LOintra -j LOG --log-prefix "LOintra DROP: "
> -A LOintra -j DROP
> # LOinter
> # permit DNS replies; bind is configured to send out DNS packets from this
> # port. We could also use the state match in our INPUT chain.
> -A LOinter -p udp -s DNS_SERVERS --dport 53000 -j ACCEPT
> -A LOinter -p udp -s NTP_SERVERS --dport 123 -j ACCEPT
> -A LOinter -p tcp --syn --dport 25 -j ACCEPT
> -A LOinter -j LOG --log-prefix "LOinter DROP: "
> -A LOinter -j DROP
> # LOdmz
> -A LOdmz -p udp --dport 53 -j ACCEPT
> -A LOdmz -p udp --dport 123 -j ACCEPT
> -A LOdmz -p tcp --syn --dport 25 -j ACCEPT
> -A LOdmz -j LOG --log-prefix "LOdmz DROP: "
> -A LOdmz -j DROP
> #
> # noise chain: should drop all packets which need not be logged,
> # otherwise it should return to the main ruleset
> #
> -A noise -p udp --dport 137:139 -j DROP
> -A noise -j RETURN
> #
> # spoof chain: should drop all packets with spoofed source address,
> # otherwise it should return to the main ruleset
> #
> -A spoof -i lo -j RETURN
> -A spoof ! -i lo -s 127.0.0.0/8 -j spoofdrop
> -A spoof -i IFintra ! -s NETintra -j spoofdrop
> -A spoof ! -i IFintra -s NETintra -j spoofdrop
> -A spoof -i IFdmz ! -s NETdmz -j spoofdrop
> -A spoof ! -i IFdmz -s NETdmz -j spoofdrop
> -A spoof -j RETURN
> #
> -A spoofdrop -j LOG --log-prefix "Spoofed packet: "
> -A spoofdrop -j DROP
> COMMIT
> 
> 
> I tried to do the tproxy table stuff in mangle but did not succeed. All packets are dropped. Apart from that I do not know how to replace -A INPUT -m tproxy -j ACCEPT.
> 
> I really hope someone can help me.

I can try :) the new tproxy avoids the routing tricks the earlier
implementation used to divert packets to the local IP stack. It requires
manual configuration of the routing instead, using fwmark and advanced
routing.

The point is: you can specify an fwmark to the TPROXY target that gets
attached to every matching packet, and then you need an advanced routing
rule that makes this traffic go to the local stack.

This document has additional details:

http://www.balabit.com/support/community/products/tproxy/README.txt

"-m tproxy" is substituted by the socket match, again the document above
has more info.

-- 
Bazsi
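As an added illustration of the fwmark approach described in the reply (this is not code from the tutorial, the README or Bazsi), the script below emits the mangle-table rules, the policy-routing commands and the INPUT replacement for the old `*tproxy` table. It assumes fwmark 1 and routing table 100; `IFintra` and `IFinter` are the tutorial's own interface placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial or the reply): fwmark-based TPROXY
# setup replacing the old *tproxy table. Assumed values: mark 1, table 100.
MARK=1
TABLE=100

# Mangle-table rules in iptables-restore syntax. The DIVERT chain handles
# packets that already belong to a local socket (replies, later segments);
# the TPROXY rules redirect new connections to the proxy listeners and set
# the mark so that policy routing delivers them to the local stack.
mangle_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark $MARK
-A DIVERT -j ACCEPT
-A PREROUTING -i IFintra -p tcp --dport 80 -j TPROXY --on-port 50080 --tproxy-mark $MARK/$MARK
-A PREROUTING -i IFintra -p tcp --dport 443 -j TPROXY --on-port 50443 --tproxy-mark $MARK/$MARK
-A PREROUTING -i IFintra -p tcp --dport 21 -j TPROXY --on-port 50021 --tproxy-mark $MARK/$MARK
-A PREROUTING -i IFinter -p tcp --dport 80 -j TPROXY --on-port 50080 --tproxy-mark $MARK/$MARK
COMMIT
EOF
}

# Policy routing: every packet carrying the mark is looked up in a table
# whose only route declares the whole address space local.
routing_cmds() {
    cat <<EOF
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Filter-table replacement for "-A INPUT -m tproxy -j ACCEPT": the socket
# match accepts packets that a local socket will actually take. Note that
# it is broader than the old tproxy match (see the note below).
filter_rules() {
    cat <<EOF
-A INPUT -p tcp -m socket -j ACCEPT
EOF
}

# Sanity check: number of TPROXY diversions emitted (4 for the rules above).
count_tproxy() {
    mangle_rules | grep -c -- '-j TPROXY'
}
```

Apply with `mangle_rules | iptables-restore -n` and `routing_cmds | sh`, and splice `filter_rules` in where the old `-m tproxy` rule sat. Plain `-m socket` also matches packets destined for any ordinary local listener, so the INPUT rule accepts more than the old `-m tproxy` did; newer xt_socket versions add a `--transparent` flag that restricts the match to IP_TRANSPARENT sockets.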
