[zorp] Bad argument `50080'

Phil Moors zorp@lists.balabit.hu
Wed, 14 Apr 2004 15:19:16 -0400


Okay, I changed the entries in iptables.conf.in to use the --on-port.
Running iptables-gen exits silently and leaves an iptables.conf.new file.
Running iptables-test now shows:

iptables-restore v1.2.9: Unknown arg `--on-port'
Error occurred at line: 15
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

The iptables.conf.in was taken right from the Zorp tutorial. Is the
documentation in the tutorial applicable to iptables or is it ipchains
based? I'm running a 2.4 kernel.

Alternatively, I ran iptables -F and iptables -X and grabbed the 2nd
article from Linux Journal about Zorp. I attempted to type in the commands
from listing one in the article and got these results:

[root@fw1 etc]# iptables -t tproxy -P PREROUTING ACCEPT
[root@fw1 etc]# iptables -t tproxy -A PREROUTING -i eth0 -j PRintra
iptables v1.2.9: Couldn't load target `PRintra':/lib/iptables/libipt_PRintra.so: cannot open shared object file: No such file or directory

The above looks very strange. What am I missing?

Thanks,
Phil

//
// Copyright (c) 2000-2001 BalaBit IT Ltd.
// All rights reserved.
// $Id: iptables.conf.in,v 1.5 2003/01/17 09:37:51 bazsi Exp $
//
// Sample iptables.conf.in file, dropping _ALL_ traffic by default. You
// have to change this, if you want to do something useful (otherwise
// you could have cut your wire)
//
*tproxy
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:PRintra -
:PRinter -
:PRdmz -
-A PREROUTING -i IFintra -j PRintra
-A PREROUTING -i IFinter -j PRinter
-A PREROUTING -i IFdmz -j PRdmz
// PRintra chain
-A PRintra -p tcp --dport 80 -j TPROXY --on-port 50080
-A PRintra -p tcp --dport 443 -j TPROXY --on-port 50443
-A PRintra -p tcp --dport 21 -j TPROXY --on-port 50021
//PRinter chain
-A PRinter -p tcp --dport 80 -j TPROXY --on-port 50080
// PRdmz chain
// no services permitted
COMMIT
*filter
:INPUT DENY
:FORWARD DENY
:OUTPUT ACCEPT
:noise -
:spoof -
:spoofdrop DROP
:LOintra
:LOinter
:LOdmz
-A INPUT -j noise
-A INPUT -j spoof
// permit all traffic initiated by transparent proxies
-A INPUT -m tproxy -j ACCEPT
//
// permit all TCP traffic initiated by local processes, or allowed by the
// rules below. We don't trust the state match for UDP traffic, they will be
// handled by individual rules below.
//
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
// permit all loopback traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -i IFintra -j LOintra
-A INPUT -i IFinter -j LOinter
-A INPUT -i IFdmz -j LOdmz
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
// LOintra
-A LOintra -p dp --dport 53 -j ACCEPT
-A LOintra -p udp --dport 123 -j ACCEPT
-A LOintra -p tcp --syn --dport 25 -j ACCEPT
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOIntra -j DROP
// LOinter
// permit DNS replies, bind is configured to send out packets from this
// port. We could also use the state match in our INPUT chain.
-A LOinter -p udp -s DNS_SERVERS --dport 53000 -j ACCEPT
-A LOinter -p udp -s NTP_SERVERS --dport 123 -j ACCEPT
-A LOinter -p tcp --syn --dport 25 -j ACCEPT
-A LOinter -j LOG --log-prefix "LOinter DROP: "
-A LOinter -j DROP
//
// noise chain. Should drop all packets which need not be logged,
// otherwise it should return to the main ruleset.
//
-A noise -p udp --dport 137:139 -j DROP
-A noise -j RETURN
//
// spoof chain. Should drop all packets with spoofed source address
// otherwise it should return to the main ruleset.
//
-A spoof -i lo -j RETURN
-A spoof ! -i lo -s 127.0.0.0/8 -j spoofdrop
-A spoof -i IFintra ! -s NETintra -j spoofdrop
-A spoof ! -i IFintra -s NETintra -j spoofdrop
-A spoof -i IFdmz ! -s NETdmz -j spoofdrop
-A spoof ! -i IFdmz -s NETdmz -j spoofdrop
-A spoof -j RETURN
//
-A spoofdrop -j LOG --log-prefix "Spoofed packet: "
-A spoofdrop -j DROP
COMMIT


>>> illes@c3.hu 04/13/04 03:12PM >>>
On Tue, Apr 13, 2004 at 02:35:51PM -0400, Phil Moors wrote:
> Zorp GPL
>
> Is this from the iptables user space utility?
>
> I used the FC1 iptables-1.2.9-1.0src.rpm and added the patch to the spec and SOURCES
> and rebuilt the package. There were no errors on applying the patch during the build.
>
> I get this when starting iptables:
>
> Applying iptables firewall rules: Bad argument `50080'
> Error occurred at line: 15
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>                                                            [FAILED]
>
> Line 15 in iptables.conf.new:
> -A PRintra -p tcp --dport 80 -j TPROXY 50080
You should write
-A PRintra -p tcp --dport 80 -j TPROXY --on-port 50080

> Also, after running zorpctl start intra, ps aux shows:
>
> root      8373  0.0  1.0  4536 1024 pts/0    S    14:31   0:00 /bin/bash /usr/local/sbin/zorpctl start intra
> root      8374  4.7  4.4 139296 4148 pts/0   S    14:31   0:00 /usr/local/lib/zorp/zorp --as intra -v3 -p /usr/local/etc/zorp/policy
>
> Does the above look right for starting one listener (two entries)?
The best way is to look at logs for any errors! (Look at your syslog
configuration!)

Marton
--
Key fingerprint = 5CB4 3F40 9F39 9B70 8179  D8B6 7DEA D9C4 D1D8 8C0A
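
An added example, not part of either message and not Zorp or iptables project code: a pre-load check for the two failures quoted in this thread. iptables reports "Bad argument" when a TPROXY rule carries a bare port instead of --on-port, and tries to load a target library ("Couldn't load target") when a -j name is not an existing chain in that table. The KNOWN_TARGETS list, the function names and the sample rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example: lint an iptables-restore rule file before loading it.

# Targets accepted without a chain declaration. Assumption: this list only
# covers the targets used on this page plus the standard built-ins.
KNOWN_TARGETS="ACCEPT DROP RETURN QUEUE REJECT LOG TPROXY"

# lint_rules FILE -> one finding per line on stdout; exit status 1 if any.
lint_rules() {
    awk -v known="$KNOWN_TARGETS" '
    BEGIN { n = split(known, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    /^\*/ { table = substr($1, 2); next }            # "*tproxy" opens a table
    /^:/  { chain[table, substr($1, 2)] = 1; next }  # ":PRintra -" declares a chain
    /^-A / {
        target = ""; onport = 0
        for (i = 1; i <= NF; i++) {
            if (($i == "-j" || $i == "--jump") && i < NF) target = $(i + 1)
            if ($i == "--on-port") onport = 1
        }
        if (target == "TPROXY" && !onport) {
            print NR ": TPROXY target without --on-port"; bad = 1
        } else if (target != "" && !(target in ok) && !((table, target) in chain)) {
            print NR ": jump to " target " but no such chain in table " table; bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample (not the poster's file): line 6 jumps to a chain that
# was never declared, line 7 passes the port without --on-port.
write_sample() {
    cat > "$1" <<'EOF'
*tproxy
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:PRintra -
-A PREROUTING -i eth0 -j PRintra
-A PREROUTING -i eth1 -j PRinter
-A PRintra -p tcp --dport 80 -j TPROXY 50080
-A PRintra -p tcp --dport 443 -j TPROXY --on-port 50443
COMMIT
EOF
}

sample=$(mktemp)
write_sample "$sample"
findings=$(lint_rules "$sample") || true
printf '%s\n' "$findings"
rm -f "$sample"
```

Chain declarations are tracked per table, so a chain declared under *filter does not satisfy a jump made under *tproxy.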