[zorp-hu] Zorp+tproxy=endless loop?

kkk lll zorp-hu@lists.balabit.hu
Mon, 13 Dec 2004 17:26:32 +0100


Hi

I would like to ask for your help in solving one tiny problem:

Given: a Zorp GPL 2.0.8 with the following config:

from Zorp.Core import *
from Zorp.Http import *

InetZone('intra', '192.168.1.0/24', outbound_services=['*'])
InetZone('inter', '0.0.0.0/0', inbound_services=['*'])

def intra():
    Service('intra_HTTP', HttpProxy, router=TransparentRouter())
    Listener(SockAddrInet('192.168.1.1', 50080), 'intra_HTTP')

def inter():
    pass

as well as a 2.4.27 kernel with the tproxy patch, and a 1.2.7a iptables,
also tproxy-patched.
The only problem is that it does not let me connect; this is all the log contains:

Dec 13 18:34:15 ax intra[3024]: (zorp/intra_HTTP): Starting service; name='intra_HTTP'
Dec 13 18:34:15 ax intra[3024]: (zorp/intra_HTTP:1): Starting proxy instance; client_fd='17', client_address='AF_INET(192.168.1.2:1074)', client_zone='Zone(intra, 192.168.1.0/24)', client_local='AF_INET(192.168.1.1:50080)'
Dec 13 18:34:15 ax intra[3024]: (zorp/intra_HTTP:1/http): Proxy starting; class='HttpProxy', module='http'
Dec 13 18:34:15 ax intra[3024]: (intra@zorp/nosession): accept count; accepts='1'
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1): Inbound service not permitted (cached); service='intra_HTTP', zone='Zone(intra, 192.168.1.0/24)'
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1/http): DAC policy violation;
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1/http): Proxy ending; class='HttpProxy', module='http'
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1): Ending proxy instance;
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1/http/client): accounting info; type='stream', duration='0', sent='843', received='417'

However, if I enable both inbound and outbound in both zones, it exits
with a timeout, and according to netstat it connects back to its own
port (50080).

The relevant part of the iptables config:
iptables -A INPUT -m tproxy -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 50080 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p udp --dport 50080 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 1024:65535 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024:65535 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
(the same outward, in OUTPUT)

iptables -t tproxy -A PREROUTING -i eth0 -s 192.168.1.0/24 -d ! 192.168.1.1 -p tcp --dport 80 -j TPROXY --on-port 50080
iptables -t tproxy -A PREROUTING -i eth0 -s 192.168.1.0/24 -d ! 192.168.1.1 -p udp --dport 80 -j TPROXY --on-port 50080
iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -p tcp -o ppp0 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p udp -o ppp0 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A OUTPUT -p tcp -o ppp0 --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -p udp -o ppp0 --dport 80 -j ACCEPT

I have already tried specifying the source/destination addresses one by one
by hand, with no result so far... The phenomenon is the same with a plain
NAT REDIRECT as well.
The only strange thing is that with the very same config a transparent POP3
proxy works without any problem...

Thanks in advance for your help: KL
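As an added example that is not part of the original message or of Zorp itself: a small Python parser for the Zorp log format quoted above. It groups entries by proxy session and flags sessions in which the "Inbound service not permitted" check was evaluated against a zone that contains the proxy's own listener address (the client_local field). On the lines quoted in the mail, the zone named in that message, Zone(intra, 192.168.1.0/24), contains the listener 192.168.1.1:50080, which matches the netstat observation that the proxy connects back to its own port. The sample log text is constructed from those quoted lines; the regular expressions and function names are this example's own assumptions about the format and are not a Zorp API.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the Zorp syslog excerpt quoted in the mail, one entry per line.
SAMPLE_LOG = """\
Dec 13 18:34:15 ax intra[3024]: (zorp/intra_HTTP): Starting service; name='intra_HTTP'
Dec 13 18:34:15 ax intra[3024]: (zorp/intra_HTTP:1): Starting proxy instance; client_fd='17', client_address='AF_INET(192.168.1.2:1074)', client_zone='Zone(intra, 192.168.1.0/24)', client_local='AF_INET(192.168.1.1:50080)'
Dec 13 18:34:15 ax intra[3024]: (zorp/intra_HTTP:1/http): Proxy starting; class='HttpProxy', module='http'
Dec 13 18:34:15 ax intra[3024]: (intra@zorp/nosession): accept count; accepts='1'
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1): Inbound service not permitted (cached); service='intra_HTTP', zone='Zone(intra, 192.168.1.0/24)'
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1/http): DAC policy violation;
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1/http): Proxy ending; class='HttpProxy', module='http'
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1): Ending proxy instance;
Dec 13 18:34:15 ax intra[3620]: (zorp/intra_HTTP:1/http/client): accounting info; type='stream', duration='0', sent='843', received='417'
"""

# Layout assumed from the quoted lines: syslog prefix, then "(context): message; key='value', ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"\((?P<ctx>[^)]*)\): (?P<msg>[^;]*);\s*(?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)='([^']*)'")
ZONE_RE = re.compile(r"Zone\(([^,]+), ([^)]+)\)")   # Zone(name, cidr)
ADDR_RE = re.compile(r"AF_INET\(([\d.]+):(\d+)\)")  # AF_INET(ip:port)


def parse_line(line):
    """Parse one Zorp log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec.pop("kv")))
    rec["pid"] = int(rec["pid"])
    # Only the second path element of the context, when it carries a ':',
    # is a per-session id (e.g. "intra_HTTP:1"); "nosession" entries get None.
    parts = rec["ctx"].split("/")
    rec["session"] = parts[1] if len(parts) > 1 and ":" in parts[1] else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def by_session(records):
    """Group records by session id, dropping entries without a session."""
    groups = defaultdict(list)
    for r in records:
        if r["session"]:
            groups[r["session"]].append(r)
    return dict(groups)


def find_self_connect(records):
    """Return {session: detail} for sessions where the inbound (server-side) zone
    check was evaluated against a zone that contains the proxy's own listener
    address, i.e. the destination of the proxied connection fell on the proxy."""
    findings = {}
    for sid, recs in by_session(records).items():
        start = next((r for r in recs if r["msg"] == "Starting proxy instance"), None)
        denied = [r for r in recs if r["msg"].startswith("Inbound service not permitted")]
        if start is None or not denied:
            continue
        local = ADDR_RE.match(start["fields"].get("client_local", ""))
        if local is None:
            continue
        listener_ip = ipaddress.ip_address(local.group(1))
        for d in denied:
            zone = ZONE_RE.match(d["fields"].get("zone", ""))
            if zone and listener_ip in ipaddress.ip_network(zone.group(2)):
                findings[sid] = {
                    "client": start["fields"].get("client_address"),
                    "listener": f"{local.group(1)}:{local.group(2)}",
                    "server_zone": zone.group(1),
                    "server_net": zone.group(2),
                }
                break
    return findings


if __name__ == "__main__":
    for sid, info in find_self_connect(parse_log(SAMPLE_LOG)).items():
        print(f"{sid}: client {info['client']} was checked against zone "
              f"{info['server_zone']} ({info['server_net']}), which contains the "
              f"proxy's own listener {info['listener']}")
```

Run against a real Zorp log, the same check separates a genuine policy denial (destination zone somewhere else) from the looping case described in the mail, where the destination-side zone lookup lands in the zone the proxy itself listens in.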