[zorp-hu] ssh doesn't work
tusi
tusi at enzim.hu
Fri, 31 May 2013, 20:25:45 CEST
> I don't follow the GPL version on a daily basis, so I don't know exactly where it stands, but between the 2.x you mentioned and the current version the absorption :) layer, i.e. the handling of transparent connections/behaviour, has changed significantly. That is probably what is causing your problem now (although you didn't write anything about the packet filter config).
>
> Szilárd wrote a short write-up back then; it may be worth starting from there:
> http://szilard.blogs.balabit.com/en/tag/kzorp-en/
>
The trouble with these is that they only cover setups that need a transparent
proxy from the intranet to the internet. That works for me too, since I built
my config from these write-ups. What doesn't work for me is the other
direction: ssh-ing from the internet to the firewall's address, I want to get
to a machine in a dmz zone. As I wrote, this works if I use the DirectedRouter
with the forge_addr=FALSE parameter, but with TRUE it doesn't.
Below are the config files, the syslog, and the tcpdump output. What I really
don't understand (because I'm no expert) is how it can be that the packets the
dmz machine sends to the client show up one after another in tcpdump, yet those
same packets never appear in the packet filter's log.
Any ideas or pointers in the right direction are welcome.
Gabor
##############################
# policy.py
##############################
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *
Zorp.firewall_name = 'fal'
iface_inter = "eth0"
ip_inter = "fal_ip.5.6.7.8"
iface_intra = "eth1"
ip_intra = "172.16.0.254"
iface_sys_dmz = "eth2"
ip_sys_dmz = "192.168.0.254"
InetZone("out", "0.0.0.0/0",
         inbound_services=["in_out_http"],
         outbound_services=["out_dmz_ssh"])
InetZone("dmz", "192.168.0.0/24",
         inbound_services=["out_dmz_ssh"],
         outbound_services=[])
InetZone("in", "172.16.0.0/16",
         inbound_services=[],
         outbound_services=["in_out_http"])

class MyPlugProxy(PlugProxy):
    def config(self):
        PlugProxy.config(self)
        log("plug", 2, "S: %s C: %s" % (self.session.client_local, self.session.client_address))

def in2out_http():
    Service(name="in_out_http", proxy_class=HttpProxy, router=TransparentRouter())
    Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface=iface_intra, ip=ip_intra, port=50080), service="in_out_http", transparent=TRUE, threaded=FALSE, backlog=255)

def out2dmz_ssh():
    Service("out_dmz_ssh", MyPlugProxy, router=DirectedRouter(SockAddrInet("192.168.0.1", 22), TRUE))
    Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface=iface_inter, ip=ip_inter, port=22), service="out_dmz_ssh", transparent=FALSE, threaded=FALSE, backlog=255)
##############################
# instances.conf
##############################
in2out_http --log-tags --verbose 2 -p /etc/zorp/policy.py
out2dmz_ssh --log-tags --verbose 2 -p /etc/zorp/policy.py
##############################
# iptables.conf
##############################
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PRio -
-A PREROUTING -i eth1 -s 172.16.0.0/16 -j PRio
-A PRio -p tcp --dport 80 -j TPROXY --on-port 50080 --tproxy-mark 0x1/0x1 --on-ip 172.16.0.254
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOssh -
:LOintra -
:LOdmz -
:LOinter -
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOssh
-A INPUT -p tcp --sport 22 -j LOssh
-A LOssh -j LOG --log-prefix "Entering_input_ssh: "
-A LOssh -j RETURN
-A INPUT -i eth1 -s 172.16.0.0/16 -j LOintra
-A LOintra -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -s 192.168.0.0/24 -j LOdmz
-A LOdmz -j LOG --log-prefix "Entering_LOdmz: "
-A LOdmz -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 0.0.0.0/0 -j LOinter
-A LOinter -j LOG --log-prefix "Entering_LOinter: "
-A LOinter -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROP_INPUT: "
-A INPUT -j DROP
-A LOintra -j ACCEPT
-A LOdmz -j LOG --log-prefix "DROP_LOdmz: "
-A LOdmz -j DROP
-A LOinter -j LOG --log-prefix "DROP_LOinter: "
-A LOinter -j DROP
COMMIT
##############################
# startup script
##############################
#!/bin/bash
set -o nounset
iptables="/sbin/iptables"
ip="/sbin/ip"
echo 1 > /proc/sys/net/ipv4/ip_forward
${ip} route add local 0.0.0.0/0 dev lo table 100
${ip} rule add fwmark 1 lookup 100
${ip} route flush cache
${iptables} -t mangle -N DIVERT
${iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark 1
${iptables} -t mangle -A DIVERT -j ACCEPT
iptables-restore < /etc/zorp/iptables.conf
zorpctl start
##############################
# syslog
##############################
May 31 20:01:19 fal kernel: [28131.652257] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42174 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal kernel: [28131.652271] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42174 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal kernel: [28131.671309] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42175 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal kernel: [28131.671322] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42175 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 31 20:01:19 fal zorp/out2dmz_ssh[14499]: plug(2): (group): S: AF_INET(fal_ip.5.6.7.8:22) C: AF_INET(client_ip.1.2.3.4:37285)
May 31 20:01:19 fal kernel: [28131.820858] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=42176 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:19 fal kernel: [28131.820871] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=42176 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:19 fal kernel: [28131.852090] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=69 TOS=0x00 PREC=0x00 TTL=58 ID=42177 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK PSH URGP=0
May 31 20:01:19 fal kernel: [28131.852104] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=69 TOS=0x00 PREC=0x00 TTL=58 ID=42177 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK PSH URGP=0
May 31 20:01:19 fal kernel: [28131.860767] Entering_input_ssh: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=64 TOS=0x00 PREC=0x00 TTL=58 ID=42178 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:19 fal kernel: [28131.860781] Entering_LOinter: IN=eth0 OUT= MAC=mac_addr SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=64 TOS=0x00 PREC=0x00 TTL=58 ID=42178 DF PROTO=TCP SPT=37285 DPT=22 WINDOW=913 RES=0x00 ACK URGP=0
May 31 20:01:49 fal zorp/out2dmz_ssh[14499]: core.error(2): (svc/out_dmz_ssh:1/plug): Connection to remote end failed; local='AF_INET(client_ip.1.2.3.4:46711)', remote='AF_INET(dmz_ip.a.b.c.d:22)', error='connection timed out'
##############################
# tcpdump
##############################
20:01:19.212812 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [S], seq 1306370996, win 14600, options [mss 1392,sackOK,TS val 8652554 ecr 0,nop,wscale 4], length 0
20:01:19.213211 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [S.], seq 213728138, ack 1306370997, win 14480, options [mss 1460,sackOK,TS val 6974069 ecr 8652554,nop,wscale 6], length 0
20:01:19.231921 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [S], seq 1306370996, win 14600, options [mss 1392,sackOK,TS val 8652654 ecr 0,nop,wscale 4], length 0
20:01:19.231977 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [S.], seq 213728138, ack 1306370997, win 14480, options [mss 1460,sackOK,TS val 6974074 ecr 8652554,nop,wscale 6], length 0
20:01:19.381813 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [.], ack 1, win 913, options [nop,nop,TS val 8652679 ecr 6974069], length 0
20:01:19.382877 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6974111 ecr 0,nop,wscale 6], length 0
20:01:19.383057 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905137 ecr 6974111,nop,wscale 4], length 0
20:01:19.383069 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905137 ecr 6974111,nop,wscale 4], length 0
20:01:19.413117 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [P.], seq 1:18, ack 1, win 913, options [nop,nop,TS val 8652679 ecr 6974069], length 17
20:01:19.413175 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [.], ack 18, win 227, options [nop,nop,TS val 6974119 ecr 8652679], length 0
20:01:19.421814 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [.], ack 1, win 913, options [nop,nop,TS val 8652679 ecr 6974074,nop,nop,sack 1 {0:1}], length 0
20:01:20.379890 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6974361 ecr 0,nop,wscale 6], length 0
20:01:20.380065 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905386 ecr 6974111,nop,wscale 4], length 0
20:01:20.380081 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905386 ecr 6974111,nop,wscale 4], length 0
20:01:20.782112 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905487 ecr 6974111,nop,wscale 4], length 0
20:01:20.782127 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905487 ecr 6974111,nop,wscale 4], length 0
20:01:22.383892 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6974862 ecr 0,nop,wscale 6], length 0
20:01:22.383995 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905887 ecr 6974111,nop,wscale 4], length 0
20:01:22.384012 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905887 ecr 6974111,nop,wscale 4], length 0
20:01:22.782099 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905987 ecr 6974111,nop,wscale 4], length 0
20:01:22.782114 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294905987 ecr 6974111,nop,wscale 4], length 0
20:01:26.391889 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6975864 ecr 0,nop,wscale 6], length 0
20:01:26.392062 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906889 ecr 6974111,nop,wscale 4], length 0
20:01:26.392079 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906889 ecr 6974111,nop,wscale 4], length 0
20:01:26.782139 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906987 ecr 6974111,nop,wscale 4], length 0
20:01:26.782155 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294906987 ecr 6974111,nop,wscale 4], length 0
20:01:34.407890 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, win 14600, options [mss 1460,sackOK,TS val 6977868 ecr 0,nop,wscale 6], length 0
20:01:34.408031 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908893 ecr 6974111,nop,wscale 4], length 0
20:01:34.408049 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908893 ecr 6974111,nop,wscale 4], length 0
20:01:34.782138 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908987 ecr 6974111,nop,wscale 4], length 0
20:01:34.782153 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294908987 ecr 6974111,nop,wscale 4], length 0
20:01:49.412919 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [F.], seq 1, ack 18, win 227, options [nop,nop,TS val 6981619 ecr 8652679], length 0
20:01:49.412935 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [R.], seq 2, ack 18, win 227, options [nop,nop,TS val 6981619 ecr 8652679], length 0
20:01:50.782246 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294912987 ecr 6974111,nop,wscale 4], length 0
20:01:50.782263 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, win 14480, options [mss 1460,sackOK,TS val 4294912987 ecr 6974111,nop,wscale 4], length 0
More information about the zorp-hu mailing list
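A diagnostic for the question Gabor raises at the end of his post (packets visible in tcpdump but absent from the packet filter log), added here as an example and not part of the original thread: it correlates tcpdump lines with kernel LOG entries and, for every captured flow that has no LOG line, reports by address which netfilter chain the packet must have traversed, since every LOG rule in the posted iptables.conf sits in INPUT, while a SYN-ACK from the dmz host addressed to client_ip is not destined to the firewall and therefore passes through FORWARD (or OUTPUT), where nothing logs it. The firewall address set and the sample lines are taken, shortened, from the posted policy.py, syslog and tcpdump; the port-name map covers only the service names tcpdump prints here.

```python
import re

# Firewall's own addresses, from the posted policy.py (fal_ip.5.6.7.8 is the poster's placeholder).
LOCAL_ADDRS = {"fal_ip.5.6.7.8", "172.16.0.254", "192.168.0.254"}
PORT_NAMES = {"ssh": "22", "http": "80"}  # tcpdump prints service names unless run with -n

TCPDUMP_RE = re.compile(r"IP (\S+)\.(\w+) > (\S+)\.(\w+): Flags \[([^\]]+)\]")
KLOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*SPT=(\d+) DPT=(\d+)")

# Constructed sample input: lines shortened from the tcpdump and syslog in the post.
TCPDUMP_SAMPLE = """\
20:01:19.212812 IP client_ip.1.2.3.4.37285 > fal_ip.5.6.7.8.ssh: Flags [S], seq 1306370996, length 0
20:01:19.213211 IP fal_ip.5.6.7.8.ssh > client_ip.1.2.3.4.37285: Flags [S.], seq 213728138, ack 1306370997, length 0
20:01:19.382877 IP client_ip.1.2.3.4.46711 > dmz_ip.a.b.c.d.ssh: Flags [S], seq 2592204305, length 0
20:01:19.383057 IP dmz_ip.a.b.c.d.ssh > client_ip.1.2.3.4.46711: Flags [S.], seq 2096573511, ack 2592204306, length 0
""".splitlines()
KLOG_SAMPLE = """\
May 31 20:01:19 fal kernel: [28131.652257] Entering_input_ssh: IN=eth0 OUT= SRC=client_ip.1.2.3.4 DST=fal_ip.5.6.7.8 LEN=60 PROTO=TCP SPT=37285 DPT=22 SYN URGP=0
""".splitlines()

def parse_tcpdump(lines):
    """Yield (src, sport, dst, dport, flags) per tcpdump line, with ports as numbers."""
    for m in filter(None, map(TCPDUMP_RE.search, lines)):
        src, sport, dst, dport, flags = m.groups()
        yield src, PORT_NAMES.get(sport, sport), dst, PORT_NAMES.get(dport, dport), flags

def parse_kernel_log(lines):
    """Set of (src, sport, dst, dport) tuples that some LOG rule recorded."""
    seen = set()
    for m in filter(None, map(KLOG_RE.search, lines)):
        src, dst, spt, dpt = m.groups()
        seen.add((src, spt, dst, dpt))
    return seen

def chain_for(src, dst):
    """Chain a packet traverses, judged by address alone: INPUT when addressed to the
    firewall, OUTPUT when sent by it, otherwise FORWARD.  (Zorp's forged-source SYN
    towards the dmz host is locally generated but is classified FORWARD here too.)"""
    if dst in LOCAL_ADDRS:
        return "INPUT"
    return "OUTPUT" if src in LOCAL_ADDRS else "FORWARD"

def unlogged_flows(tcpdump_lines, klog_lines):
    """Map every captured flow that has no LOG entry to the chain that carried it."""
    logged = parse_kernel_log(klog_lines)
    return {
        (src, sport, dst, dport): chain_for(src, dst)
        for src, sport, dst, dport, _ in parse_tcpdump(tcpdump_lines)
        if (src, sport, dst, dport) not in logged
    }
```

Note also that iptables-restore without --noflush replaces every table listed in its input, so the DIVERT chain and the `-m socket` rule that the startup script adds to mangle beforehand do not survive the subsequent `iptables-restore < /etc/zorp/iptables.conf`, whose *mangle section does not contain them.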