[zorp-hu] tproxy - iptables - zorp

Gabor E. Tusnady tusi at enzim.hu
Mon, 11 Jan 2010, 10:32:34 CET


Dear List,

On Zsiga's advice I tried to set up this system:

> The kernel is 2.6.30-1, but which kzorp version is in it I could not
> tell you right now. The Debian version is 5.0.3 (Lenny). The zorp
> config does not differ from the 3.0 series, but the packet filter
> config does.
> 

>cat /etc/debian_version 
5.0.3

>iptables -V
iptables v1.4.6

>uname -a
Linux fal 2.6.32-trunk-amd64 #1 SMP Sat Dec 26 17:13:29 UTC 2009 x86_64 GNU/Linux

>zorpctl --version
Zorp 3.1.15c
Revision: devel at balabit.hu--zorp-1/zorp-core--update--3.1.15--patch-7
Compile-Date: Jan  3 2010 22:56:39
Config-Date: 2010/01/03
Trace: off
Debug: off
IPOptions: off
IPFilter-Tproxy: off
Netfilter-Tproxy: on
Netfilter-Linux22-Fallback: on
Linux22-Tproxy: off

libzorpll 3.1.8.4
Revision: devel at balabit.hu--zorp-1/zorp-lib--mainline--3.1--patch-254
Compile-Date: Jan  3 2010 22:50:06
Trace: off
MemTrace: off
Caps: on
Debug: off
StackDump: off


>cat /etc/zorp/policy.py 
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *

Zorp.firewall_name = 'fal'

InetZone("intra", "172.16.0.0/16",
	inbound_services=[],
	outbound_services=["web"])

InetZone("inter", "0.0.0.0/0",
	inbound_services=["web"],
	outbound_services=[])

class MyHttpProxy(HttpProxy):
	def config(self):
		HttpProxy.config(self)
		self.transparent_mode = 1
		log("http",2,"S: %s C: %s" % (self.session.server_address.ip_s, self.session.client_address.ip_s))

def web():
	Service("web", MyHttpProxy, InbandRouter())
	Listener(SockAddrInet("172.16.0.254", 50080), "web", transparent=TRUE)



>cat /etc/iptables.conf.in 
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DIVERT -
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A PREROUTING -p tcp -m socket -j LOG --log-prefix "SOCKET forgalom: "
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "PREROUTING forgalom: "
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 172.16.0.254 --on-port 50080
-A DIVERT -j LOG --log-prefix "DIVERT forgalom: "
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG --log-prefix "INPUT forgalom: "
COMMIT



>strace -f -o /tmp/zorp.log zorpctl start
>grep setsock /tmp/zorp.log
2336  setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\3\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
2336  setsockopt(10, SOL_IP, 0x2c0a /* IP_??? */, "\0\0\0\0\0\0\0\2\0\0\0\0"..., 12) = -1 ENOPROTOOPT (Protocol not available)
2336  setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
2336  setsockopt(12, SOL_IP, 0x13 /* IP_??? */, [1], 4) = 0


>grep forgalom /var/log/syslog
Jan 10 21:26:30 fal kernel: [ 2990.633514] INPUT forgalom: IN=eth1 OUT= MAC=00:1f:c6:2f:66:03:00:1d:72:13:9f:46:08:00 SRC=172.16.7.52 DST=172.16.0.254 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=55896 DF PROTO=UDP SPT=51853 DPT=53 LEN=41 
Jan 10 21:26:30 fal kernel: [ 2990.633647] INPUT forgalom: IN=eth1 OUT= MAC=00:1f:c6:2f:66:03:00:1d:72:13:9f:46:08:00 SRC=172.16.7.52 DST=172.16.0.254 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=UDP SPT=51853 DPT=53 LEN=41 
Jan 10 21:26:32 fal kernel: [ 2992.663343] PREROUTING forgalom: IN=eth1 OUT= MAC=00:1f:c6:2f:66:03:00:1d:72:13:9f:46:08:00 SRC=172.16.7.52 DST=217.20.130.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23999 DF PROTO=TCP SPT=34234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 


So the packets still do not reach the DIVERT chain,
even though the --on-ip switch is there...

Can anyone give me an idea or some advice on what to look at and what to change
so that I can finally get zorp working?

Thanks,
tusi
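In the syslog excerpt above the TCP/80 SYN is logged by the PREROUTING rule, but no "SOCKET forgalom" or "DIVERT forgalom" line ever appears for that flow. The following helper is an added example (not part of the original post, nor Zorp's own code): it groups the kernel LOG lines by 5-tuple flow and lists which --log-prefix from iptables.conf.in each flow hit, so the missing DIVERT step shows up per flow instead of by eyeballing. The sample log is constructed: the first two lines mirror the post, the last three are invented (198.51.100.10 is a documentation address) to show what a flow that -m socket did match would look like.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the syslog excerpt above (MAC field shortened). The first two
# lines mirror the post; the last three are made up to show a flow that -m socket did match.
SAMPLE_LOG = """\
Jan 10 21:26:30 fal kernel: [ 2990.633514] INPUT forgalom: IN=eth1 OUT= MAC=00:1f SRC=172.16.7.52 DST=172.16.0.254 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=55896 DF PROTO=UDP SPT=51853 DPT=53 LEN=41
Jan 10 21:26:32 fal kernel: [ 2992.663343] PREROUTING forgalom: IN=eth1 OUT= MAC=00:1f SRC=172.16.7.52 DST=217.20.130.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23999 DF PROTO=TCP SPT=34234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:27:01 fal kernel: [ 3021.100001] PREROUTING forgalom: IN=eth1 OUT= MAC=00:1f SRC=172.16.7.53 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:27:01 fal kernel: [ 3021.100002] SOCKET forgalom: IN=eth1 OUT= MAC=00:1f SRC=172.16.7.53 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 10 21:27:01 fal kernel: [ 3021.100003] DIVERT forgalom: IN=eth1 OUT= MAC=00:1f SRC=172.16.7.53 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# "<prefix> forgalom:" is the --log-prefix from iptables.conf.in; it names the rule that logged.
LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>\S+) forgalom: (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return {'chain': <log prefix>, <FIELD>: <value>, ...}, or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("prefix")}
    for key, value in KV_RE.findall(m.group("fields")):
        rec.setdefault(key, value)  # LEN appears twice (IP and UDP header); keep the first
    return rec

def flow_key(rec):
    return (rec["PROTO"], rec["SRC"], rec.get("SPT", "-"), rec["DST"], rec.get("DPT", "-"))

def summarize_flows(lines):
    """Map each 5-tuple flow to the ordered list of log prefixes its packets hit."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and "PROTO" in rec:
            flows[flow_key(rec)].append(rec["chain"])
    return dict(flows)

def undiverted_http_flows(flows):
    """TCP/80 flows logged by the PREROUTING rule (just before TPROXY) but never by DIVERT."""
    return [key for key, chains in flows.items()
            if key[0] == "TCP" and key[4] == "80"
            and "PREROUTING" in chains and "DIVERT" not in chains]

if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_LOG.splitlines())
    for key, chains in flows.items():
        print("%s %s:%s -> %s:%s  %s" % (key + (" > ".join(chains),)))
    print("never diverted:", undiverted_http_flows(flows))
```

Run it against the real syslog with `summarize_flows(open("/var/log/syslog"))` and compare the chain sequence of the failing flow with one that reaches DIVERT.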



More information about the zorp-hu mailing list