[tproxy] Problems with the Tproxy and Zorp.
Lupi The Loop
lupitheloop at gmail.com
Mon Mar 1 17:23:09 CET 2010
Hello,
I have configured a transparent HTTP proxy using iptables and Zorp, but it
does not work.
SYSTEM INFO:
loop@santeles:~$ uname -a
Linux santeles 2.6.31-19-server #56-Ubuntu SMP Thu Jan 28 02:39:34 UTC 2010 x86_64 GNU/Linux
loop@santeles:~$ iptables -V
iptables v1.4.4
root@santeles:/home/loop# zorpctl version
Zorp 3.0.8
Revision:
Compile-Date: May 4 2009 04:17:42
Config-Date: 2009/05/04
Trace: off
Debug: off
IPOptions: off
IPFilter-Tproxy: off
Netfilter-Tproxy: on
Netfilter-Linux22-Fallback: on
Linux22-Tproxy: off
Conntrack: on
Zorplib 3.0.6.4.2
Revision: devel@balabit.hu--zorp-1/zorp-lib--mainline--3.0--patch-116
Compile-Date: Nov 9 2009 09:50:26
Trace: off
MemTrace: off
Caps: on
Debug: off
StackDump: off
SYSTEM CONFIG:
root@santeles:/home/loop# ifconfig -a
dummy0 Link encap:Ethernet HWaddr 00:21:9b:ee:61:14
inet addr:1.2.3.4 Bcast:1.255.255.255 Mask:255.255.255.255
inet6 addr: fe80::24c4:26ff:fec7:914/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:210 (210.0 KB)
wlan0 Link encap:Ethernet HWaddr 00:1f:3b:6d:30:9b
inet addr:10.1.1.2 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::226:18ff:fef2:31bc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:2910 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:900 (900.0 B) TX bytes:1692 (1.6 KB)
Interrupt:27 Base address:0x8000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:368 (368.0 B) TX bytes:368 (368.0 B)
root@santeles:/home/loop# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
200 proxy
0 unspec
#
# local
#
#1 inr.ruhep
root@santeles:/home/loop# ip rule list
0: from all lookup local
32765: from all fwmark 0x01 lookup proxy
32766: from all lookup main
32767: from all lookup default
root@santeles:/home/loop# ip route show table proxy
local default dev dummy0 scope host
root@santeles:/home/loop# cat /etc/zorp/instances.conf
secret -v10 -p /etc/zorp/policy.py --autobind-ip 1.2.3.4 --tproxy netfilter
root@DPP3-GREC:/home/evalues# cat /etc/zorp/policy.py
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *
Zorp.firewall_name = 'DPP3-GREC'
InetZone("secret-net", "0.0.0.0/0",
         outbound_services=["*"],
         inbound_services=["*"])
def secret():
    Service("serv", HttpProxy)
    Listener(SockAddrInet("1.2.3.4", 50080), "serv")
iptables rules
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "Passing request to proxy" --log-level debug
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 1.2.3.4 --tproxy-mark 1 --on-port 50080
iptables -t mangle -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
IPTABLES IS LOADED CORRECTLY
root@DPP3-GREC:/home/evalues# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `Input'
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `Forward'
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `Output'
root@DPP3-GREC:/home/evalues# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
LOG tcp -- anywhere anywhere tcp dpt:www LOG level debug prefix `Passing request to proxy'
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 1.2.3.4:50080 mark 0x1/0xffffffff
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK xset 0x1/0xffffffff
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ZORP STARTS WITHOUT PROBLEM
root@DPP3-GREC:/home/evalues# zorpctl start
Starting Zorp Firewall Suite: secret
root@DPP3-GREC:/home/evalues# netstat -a -p | grep zorp
tcp 0 0 1.2.3.4:50080 *:* LISTEN 1700/zorp
unix 2 [ ACC ] STREAM LISTENING 8096 1700/zorp /var/run/zorp/zorpctl.secret
unix 2 [ ] DGRAM 8094 1700/zorp
unix 2 [ ] DGRAM 8090 1699/zorpctl superv
root@DPP3-GREC:/home/evalues# tail -n 18 /var/log/syslog
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Starting up; verbose_level='10', version='3.0.8'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): System dependant init; sysdep_tproxy='tproxy12'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (szig): thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (szig): Start to listen; fd='8', address='AF_UNIX(/var/run/zorp/zorpctl.secret)'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (conntrack/thread): thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): /usr/lib/python2.4/whrandom.py:38: DeprecationWarning: the whrandom module is deprecated; please use the random module#012
Mar 1 17:10:42 DPP3-GREC secret[1734]: (Log thread): DeprecationWarning)#012
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Outbound service; zone='secret-net', service='*'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (noname/nosession): Inbound service; zone='secret-net', service='*'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Dispatcher on address; proto='1', local='AF_INET(1.2.3.4:50080)', prio='100'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;
HOWEVER, IPTABLES FORWARDS THE HTTP PACKETS TO THE PROXY, BUT THE PROXY DOES NOT RECEIVE ANYTHING
root@DPP3-GREC:/home/evalues# tail -n 10 /var/log/syslog
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC): Start to listen; fd='14', address='AF_INET(1.2.3.4:50080)'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): read blob systems default attributes; tmpdir='/var/lib/zorp/tmp/', max_disk_usage='1073741824', max_mem_usage='268435456', lowat='100663296', hiwat='134217728', noswap_max='16384'
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): creating blob management thread;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread starting;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread signalling back to constructor;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): waiting for the queue;
Mar 1 17:10:42 DPP3-GREC secret[1734]: (secret@DPP3-GREC/nosession): blob management thread up and running;
Mar 1 17:14:08 DPP3-GREC kernel: [ 5253.789761] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55686 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:14:11 DPP3-GREC kernel: [ 5256.789037] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55687 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:14:17 DPP3-GREC kernel: [ 5262.786612] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55688 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Any idea what could be happening?
Thanks in advance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20100301/caefd163/attachment.htm
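The symptom in the post (the mangle-table LOG rule fires for every SYN, the TPROXY rule follows it, and the client keeps retransmitting the same SYN every few seconds) can be triaged from the kernel log alone. The script below is an added example written for this page, not code from the original post, from Zorp or from the tproxy project: it parses kernel netfilter LOG lines in the format shown above and reports TCP flows whose logged packets are all bare SYNs, meaning the diverted SYN was never answered. The sample lines are the three kernel lines from the post plus a constructed second flow (host 10.0.1.3, port 40000, invented for contrast) that does complete; with the post's rule, which logs every packet to port 80 regardless of flags, a flow that reached a listener would also log the client's ACK and data segments.

```python
"""Triage helper for diverted-but-unanswered TCP flows in netfilter LOG output.

Added example for this page; not code from the original post or from Zorp.
Parses kernel LOG lines (KEY=VALUE fields plus bare flag tokens such as SYN,
ACK, DF) and reports flows in which every logged packet is a SYN without ACK.
"""
import re
from collections import defaultdict

# Constructed sample log: the three kernel lines quoted in the post (one flow,
# three SYNs, no reply) plus an invented second flow from 10.0.1.3:40000 that
# completes (SYN, then ACK, then ACK PSH), so the two cases can be told apart.
SAMPLE_LOG = """\
Mar 1 17:14:08 DPP3-GREC kernel: [ 5253.789761] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55686 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:14:11 DPP3-GREC kernel: [ 5256.789037] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55687 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:14:17 DPP3-GREC kernel: [ 5262.786612] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.2 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55688 DF PROTO=TCP SPT=44711 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:20:00 DPP3-GREC kernel: [ 5605.000000] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.3 DST=10.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 1 17:20:00 DPP3-GREC kernel: [ 5605.001000] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.3 DST=10.0.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 1 17:20:00 DPP3-GREC kernel: [ 5605.002000] Passing request to proxyIN=eth0 OUT= MAC=00:26:18:f2:31:bc:00:60:97:ba:c0:53:08:00 SRC=10.0.1.3 DST=10.0.2.5 LEN=180 TOS=0x00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
"""

# A kernel LOG line: "kernel: [ <uptime>] <prefix>IN=<iface> OUT=... "
LINE_RE = re.compile(r"kernel: \[\s*(?P<uptime>[0-9.]+)\] (?P<body>.*IN=.*)$")
# Bare (valueless) tokens the LOG target emits for IPv4/TCP packets.
BARE_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_log_line(line):
    """Parse one netfilter LOG line; return a dict, or None for other lines.

    KEY=VALUE tokens become dict entries; bare tokens (SYN, ACK, DF, ...) go
    into rec['flags']. The --log-prefix text is whatever precedes the first
    'IN='. In the post it runs straight into IN= because the prefix had no
    trailing space, so we split on 'IN=' rather than on whitespace alone.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    prefix, _, fields = m.group("body").partition("IN=")
    rec = {"uptime": float(m.group("uptime")), "prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + fields).split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val
        elif tok in BARE_TOKENS:
            rec["flags"].add(tok)
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def group_flows(lines):
    """Group parsed TCP packets by (src, sport, dst, dport), keeping log order."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "TCP":
            flows[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])].append(rec)
    return dict(flows)


def unanswered_flows(lines, min_syns=2):
    """Flows in which every logged packet is a bare SYN (SYN set, ACK clear).

    Returns [(flow_key, syn_count, gaps)], gaps being the seconds between
    successive SYNs. Because the post's rule logs every --dport 80 packet, a
    flow that reached a listener which replied would also log the client's
    ACK and data segments; 'SYNs only' therefore means the diverted SYN was
    never answered. min_syns=2 skips flows seen once (a fresh connection).
    """
    out = []
    for key, pkts in group_flows(lines).items():
        syn_only = all("SYN" in p["flags"] and "ACK" not in p["flags"] for p in pkts)
        if syn_only and len(pkts) >= min_syns:
            gaps = [round(b["uptime"] - a["uptime"], 1) for a, b in zip(pkts, pkts[1:])]
            out.append((key, len(pkts), gaps))
    return out


if __name__ == "__main__":
    for (src, spt, dst, dpt), n, gaps in unanswered_flows(SAMPLE_LOG.splitlines()):
        print(f"{src}:{spt} -> {dst}:{dpt}: {n} SYNs logged, no reply; gaps {gaps} s")
```

Run against a real /var/log/syslog (for example `unanswered_flows(open("/var/log/syslog"))`) after reproducing the connection attempt. A flow that shows up here was matched by the LOG rule and handed to the next rule, so the remaining question is purely local to the box: whether the TPROXY target actually found a matching listening socket, which a packet capture on the proxy's listening address, or a `tcpdump` on the inbound interface looking for the SYN-ACK, answers next.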