[zorp-hu] tproxy 4.1.0 + iptables rules + zorp 3.1

Balazs Scheidler bazsi at balabit.hu
2009. Aug. 5., Wed, 15:04:41 CEST


Meanwhile we tracked it down, and the solution was that the TPROXY rule must
also be given the listener IP address; for some reason the logic that it uses
the primary IP address of the incoming interface by default does not work.

In other words, this was needed:

-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip x.y.z.h --on-port 50080

where x.y.z.h is the listener's IP address.

On Tue, 2009-08-04 at 10:58 +0200, Kosa Attila wrote:
> On Fri, Jul 31, 2009 at 11:10:41AM +0200, Balazs Scheidler wrote:
> > On Thu, 2009-07-30 at 12:26 +0200, Kosa Attila wrote:
> > > 
> > > I started it like this:
> > > # strace -f -o /tmp/zorp.log /etc/init.d/zorp start
> > > # grep -i transpa /tmp/zorp.log
> > > # grep -i setsock /tmp/zorp.log
> > > 2396  setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\3\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
> > > 2396  setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\2\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
> > > 2396  setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> > > 
> > > It can be seen that zorp is listening on the right interface, but
> > > the packets do not get up to it.
> 
> # grep -i transpa /tmp/zorp.log
> # grep -i setsock /tmp/zorp.log
> 11195 setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\3\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
> 11195 setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\2\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
> 11195 setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> 11195 setsockopt(12, SOL_IP, 0x13 /* IP_??? */, [1], 4) = 0
> 
> # cat /etc/zorp/policy-http.py
> from Zorp.Core import *
> from Zorp.Http import *
> 
> Zorp.firewall_name = 'zorp-http at x.hu'
> 
> InetZone("webezes", "10.10.10.0/24",
>     inbound_services=[],
>     outbound_services=["intra_http"])
> 
> InetZone("internet", "0.0.0.0/0",
>     inbound_services=["intra_http"],
>     outbound_services=[])
> 
> class IntraHttp(HttpProxy):
>     def config(self):
>         HttpProxy.config(self)
>         self.transparent_mode = 1
> 
> def zorp_http():
>     Service("intra_http", IntraHttp, InbandRouter())
> 
>     Listener(SockAddrInet("10.10.10.10", 50080), "intra_http", transparent=TRUE)
> 
> > this message appears at startup at log level -v6. what does it print here:
> > 
> >   z_log(NULL, CORE_DEBUG, 6, "System dependant init; sysdep_tproxy='%s'", sysdep_tproxy_str[sysdep_tproxy]);
> 
> Aug  4 10:22:12 gplzorp-lenny zorp/zorp_http[11195]: (nosession): System dependant init; sysdep_tproxy='tproxy40'
> 
> # ip rule list
> 0:	from all lookup local 
> 32765:	from all fwmark 0x1 lookup 100 
> 32766:	from all lookup main 
> 32767:	from all lookup default 
> 
> # cat /etc/iptables.conf.in
> *mangle
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :DIVERT -
> -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> -A PREROUTING -p tcp -m socket -j LOG --log-prefix "SOCKET forgalom: "
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "PREROUTING forgalom: "
> -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
> -A DIVERT -j LOG --log-prefix "DIVERT forgalom: "
> -A DIVERT -j MARK --set-mark 1
> -A DIVERT -j ACCEPT
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -j LOG --log-prefix "INPUT forgalom: "
> COMMIT
> 
> According to tcpdump, only the SYN packet reaches the firewall, and
> nothing goes back to the client.
> 
> The counters of the tproxy rule are increasing, but the counters of the
> divert chain are not.
> 
> # grep forgalom /var/log/syslog
> Aug  4 10:54:43 gplzorp-lenny kernel: [427773.913935] INPUT forgalom: IN=eth1 OUT= MAC=00:0c:29:c1:1a:35:00:0c:29:9b:d1:7e:08:00 SRC=10.10.10.100 DST=10.10.10.10 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=19689 DF PROTO=UDP SPT=32770 DPT=53 LEN=34 
> Aug  4 10:54:43 gplzorp-lenny kernel: [427773.915082] INPUT forgalom: IN=eth1 OUT= MAC=00:0c:29:c1:1a:35:00:0c:29:9b:d1:7e:08:00 SRC=10.10.10.100 DST=10.10.10.10 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=19689 DF PROTO=UDP SPT=32770 DPT=53 LEN=46 
> Aug  4 10:54:43 gplzorp-lenny kernel: [427773.915842] INPUT forgalom: IN=eth1 OUT= MAC=00:0c:29:c1:1a:35:00:0c:29:9b:d1:7e:08:00 SRC=10.10.10.100 DST=10.10.10.10 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=19690 DF PROTO=UDP SPT=32770 DPT=53 LEN=34 
> Aug  4 10:54:43 gplzorp-lenny kernel: [427773.925156] PREROUTING forgalom: IN=eth1 OUT= MAC=00:0c:29:c1:1a:35:00:0c:29:9b:d1:7e:08:00 SRC=10.10.10.100 DST=217.20.130.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60218 DF PROTO=TCP SPT=35813 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
> Aug  4 10:54:46 gplzorp-lenny kernel: [427776.920697] PREROUTING forgalom: IN=eth1 OUT= MAC=00:0c:29:c1:1a:35:00:0c:29:9b:d1:7e:08:00 SRC=10.10.10.100 DST=217.20.130.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60219 DF PROTO=TCP SPT=35813 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
> 
-- 
Bazsi
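As an added example (not code from the thread or from the Zorp project): a small POSIX shell helper that emits the mangle table with the listener address pinned via --on-ip as Bazsi's fix describes, prints the companion policy-routing commands, and lints an iptables-save dump for TPROXY rules that still lack --on-ip. The address 10.10.10.10 and port 50080 come from Attila's policy; the local route for table 100 is the standard TPROXY companion and is an assumption here, since the thread only shows the ip rule.

```shell
#!/bin/sh
# Added example, not code from the thread. Listener IP and port are passed
# in by the caller (10.10.10.10:50080 in the usage below, from Attila's policy).

# Emit the mangle table in iptables-restore format. The TPROXY rule pins the
# listener address with --on-ip, which is the fix reported in the thread.
tproxy_mangle_rules() {
    ip="$1"; port="$2"
    cat <<EOF
*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip $ip --on-port $port
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT
EOF
}

# Policy routing that delivers fwmark 0x1 packets locally. The thread shows
# the ip rule; the local route in table 100 is an assumption (standard TPROXY
# companion), not something the thread shows.
tproxy_routing_cmds() {
    echo "ip rule add fwmark 0x1 lookup 100"
    echo "ip route add local 0.0.0.0/0 dev lo table 100"
}

# Lint: read an iptables-save dump on stdin and print how many TPROXY rules
# lack --on-ip (the misconfiguration from the thread). 0 means all are pinned.
tproxy_rules_missing_on_ip() {
    awk '/-j TPROXY/ && !/--on-ip/ { n++ } END { print n + 0 }'
}

# Usage: generate the rules for the listener from Attila's policy.
tproxy_mangle_rules 10.10.10.10 50080
```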
