[zorp] Bad argument `50080'

Balazs Scheidler zorp@lists.balabit.hu
Thu, 15 Apr 2004 09:48:31 +0200



On Wed, 2004-04-14 at 21:19, Phil Moors wrote:
> Okay, I changed the entries in iptables.conf.in to use the --on-port. Running iptables-gen
> exits silently and leaves an iptables.conf.new file. Running iptables-test now shows:
> 
> iptables-restore v1.2.9: Unknown arg `--on-port'
> Error occurred at line: 15
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> 
> The iptables.conf.in was taken right from the Zorp tutorial. Is the documentation in
> the tutorial applicable to iptables or is it ipchains based? I'm running a 2.4 kernel.

Assuming you have the tutorial from zorp 2.0, I attach a diff which
contains a couple of fixes.

> 
> Alternatively, I ran iptables -F and iptables -X and grabbed the 2nd article from Linux
> Journal about Zorp. I attempted to type in the commands from listing one in the article
> and got these results:
> 
> [root@fw1 etc]# iptables -t tproxy -P PREROUTING ACCEPT
> [root@fw1 etc]# iptables -t tproxy -A PREROUTING -i eth0 -j PRintra
> iptables v1.2.9: Couldn't load target `PRintra':/lib/iptables/libipt_PRintra.so: cannot open shared object file: No such file or directory

PRintra is a user-defined chain, you have to create it by entering 

iptables -t tproxy -N PRintra (or use iptables-restore to load your
configuration)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
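
Added example, not from this thread and not part of the Zorp tutorial or the
iptables-utils package: a POSIX shell script that writes the tproxy table in
iptables-restore syntax with every PRxxx chain declared before any rule jumps
to it, and then lints a ruleset for the three mistakes that come up in this
thread: a jump (or append) to a chain that was never declared, which is the
"Couldn't load target `PRintra'" error; a TPROXY rule without `--on-port N`,
which is the "Bad argument `50080'" in the subject; and a policy on a
user-defined chain, which is the `:spoofdrop DROP` line the attached patch
fixes. The zone table, interface names and the port-to-50000+port mapping are
constructed from the tutorial excerpt in the patch; the `--on-port` syntax is
the one the patch introduces; the lists of built-in targets and chains inside
the lint are an assumption, not taken from any particular iptables build.

```shell
#!/bin/sh
# Constructed zone table (not from the tutorial's real config):
#   zone:interface:comma-separated TCP ports to redirect to Zorp.
# Port N is redirected to local port 50000+N, as in the tutorial's PRintra rules.
ZONES="intra:eth0:80,443,21 inter:eth1:80 dmz:eth2:"

# Print the tproxy table in iptables-restore syntax. All PRxxx chains are
# declared with ':' lines before the rules that jump to them, which is what
# "iptables -t tproxy -N PRintra" does on the command line.
gen_tproxy_table() {
    printf '%s\n' '*tproxy' ':PREROUTING ACCEPT'
    for z in $ZONES; do
        printf '%s\n' ":PR${z%%:*} -"
    done
    for z in $ZONES; do
        zone=${z%%:*}; rest=${z#*:}; iface=${rest%%:*}
        printf '%s\n' "-A PREROUTING -i $iface -j PR$zone"
    done
    for z in $ZONES; do
        zone=${z%%:*}; ports=${z##*:}
        # A zone with no ports (dmz) keeps an empty chain: nothing is proxied.
        [ -n "$ports" ] || continue
        oldifs=$IFS; IFS=,
        for p in $ports; do
            printf '%s\n' "-A PR$zone -p tcp --dport $p -j TPROXY --on-port $((50000 + p))"
        done
        IFS=$oldifs
    done
    printf '%s\n' 'COMMIT'
}

# Lint an iptables-restore file on stdin. Prints one line per finding and
# exits 1 if anything was found, 0 if the file is clean. Chains are tracked
# per table because a ':' declaration only counts inside its own table.
# Built-in target/chain names below are an assumption for the lint.
lint_restore() {
    awk '
    BEGIN {
        n = split("ACCEPT DROP REJECT RETURN LOG TPROXY", t, " ")
        for (i = 1; i <= n; i++) builtin_target[t[i]] = 1
        n = split("PREROUTING INPUT FORWARD OUTPUT POSTROUTING", t, " ")
        for (i = 1; i <= n; i++) builtin_chain[t[i]] = 1
        bad = 0
    }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ { table = substr($0, 2); next }
    /^:/ {
        name = substr($1, 2)
        declared[table, name] = 1
        # Only built-in chains take a policy; user chains must be declared "-".
        if (!(name in builtin_chain) && $2 != "-") {
            printf "%s: user chain %s declared with policy %s; use \":%s -\" and a final rule\n", table, name, $2, name
            bad = 1
        }
        next
    }
    /^COMMIT$/ { next }
    {
        if (($1 == "-A" || $1 == "-I") && !($2 in builtin_chain) && !((table, $2) in declared)) {
            printf "%s: rule added to undeclared chain %s\n", table, $2
            bad = 1
        }
        for (i = 1; i <= NF; i++) {
            if ($i != "-j") continue
            tgt = $(i + 1)
            if (!(tgt in builtin_target) && !((table, tgt) in declared)) {
                printf "%s: jump to undeclared chain %s (declare \":%s -\" before the rules)\n", table, tgt, tgt
                bad = 1
            }
            # Positional "TPROXY 50080" is the form the subject line complains about.
            if (tgt == "TPROXY" && ($(i + 2) != "--on-port" || $(i + 3) !~ /^[0-9]+$/)) {
                printf "%s: TPROXY needs \"--on-port N\": %s\n", table, $0
                bad = 1
            }
        }
    }
    END { exit bad }
    '
}

# Usage: gen_tproxy_table | lint_restore && gen_tproxy_table > iptables.conf.new
# or:    lint_restore < iptables.conf.new
```

The lint deliberately runs without touching the kernel, so it can be used
before `iptables-restore` on a box where a bad ruleset would otherwise leave
the tproxy table half-loaded. It does not know which TPROXY syntax the
installed extension accepts; it only enforces the `--on-port` form from the
patch above.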


Attachment: zorp-tutorial-update.txt

Index: zorp-tutorial.txt
===================================================================
RCS file: /var/cvs/zorp/zorp-core/doc/zorp-tutorial.txt,v
retrieving revision 1.2.4.3
retrieving revision 1.8
diff -u -r1.2.4.3 -r1.8
--- zorp-tutorial.txt	1 Apr 2004 14:22:41 -0000	1.2.4.3
+++ zorp-tutorial.txt	13 Feb 2004 19:58:34 -0000	1.8
@@ -1,7 +1,7 @@
 
 Zorp Tutorial
-Version 1.0.1
-26th October, 2003
+Version 1.0.2
+8th January, 2004
 
 1. Introduction
 
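Review bot: the file header pairs branch revision 1.2.4.3 (1 Apr 2004) on the `---` side with trunk revision 1.8 (13 Feb 2004) on the `+++` side, so the target file is the older one by date; the version bump in this hunk (1.0.1 of 26th October 2003 to 1.0.2 of 8th January 2004) is consistent with the `+` side being the newer text, but anything committed on the branch after February and not on trunk would be undone by applying this as-is, which is worth saying given the reply describes it as "a couple of fixes".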
@@ -269,7 +269,7 @@
 Of course the remaining packets of the TCP session after the initial SYN
 must also be allowed by the packet filter.
 
-5.2. Configuring network interfaces
+5.3. Configuring network interfaces
 
 As I stated earlier a Zorp based firewall fulfills the role of an IP router
 from its neighbour perspective. This means that all its interfaces must be
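Review bot: the heading change here renumbers 5.2 to 5.3 without any lines added before it (both sides of the hunk header start at 269), so either tutorial 1.0.1 carried two headings numbered 5.2, in which case this is a fix, or 1.0.2 now has no section 5.2 at all; include the preceding heading in the context so a reader can tell which, since every later hunk renumbers on the same assumption.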
@@ -290,7 +290,7 @@
 
 (http://www.balabit.hu/en/downloads/tproxy/README.txt)
 
-5.3. Configuring the packet filter
+5.4. Configuring the packet filter
 
 To configure the packet filter we first need to establish a couple of rules
 we will be adhering to, as the packet filter ruleset can become quite
@@ -309,7 +309,7 @@
 where simple packet filtering is done, and the tproxy table where we
 are redirecting sessions to our proxies.
 
-5.3.1. Storing the ruleset
+5.4.1. Storing the ruleset
 
 Some people like storing their ruleset as a shell script which invokes the
 necessary iptables commands. As I don't like mixing executable code and data
@@ -362,7 +362,11 @@
 You will get two rules the first with 1.2.3.4 substituted, the second
 with 1.2.3.5 substituted.
 
-5.3.2. Naming the chains
+iptables-utils is available from:
+
+http://apt.balabit.com/zorp-gpl-os/pool/i/iptables-utils/
+
+5.4.2. Naming the chains
 
 In addition to the standard chains provided by iptables (INPUT, OUTPUT
 etc) we will create separate chains for each security zone. Each security
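Review bot: the added pointer at 98-100 gives only a pool directory for iptables-utils and nothing about what the package contains; since the ruleset storage scheme in 5.4.1 depends on it and the thread refers to iptables-gen and iptables-test by name, list the tools here so a reader who hits an "Unknown arg" from iptables-restore knows which binary produced the file being loaded.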
@@ -378,7 +382,7 @@
 proxies we won't need NAT nor mangle rules. (of course we can add further
 finetuning to our rulebase, like limiting the number of SYNs etc)
 
-5.3.3. Jumping to our chains
+5.4.3. Jumping to our chains
 
 We have two set of chains for each security zone, LOxxx chains are
 processed in the filter table, INPUT chain. PRxxx chains are processed in
@@ -457,11 +461,11 @@
 -A PREROUTING -i IFinter -j PRinter
 -A PREROUTING -i IFdmz   -j PRdmz
 // PRintra chain
--A PRintra -p tcp --dport 80 -j TPROXY 50080
--A PRintra -p tcp --dport 443 -j TPROXY 50443
--A PRintra -p tcp --dport 21 -j TPROXY 50021
+-A PRintra -p tcp --dport 80 -j TPROXY --on-port 50080
+-A PRintra -p tcp --dport 443 -j TPROXY --on-port 50443
+-A PRintra -p tcp --dport 21 -j TPROXY --on-port 50021
 // PRinter chain
--A PRinter -p tcp --dport 80 -j TPROXY 50080
+-A PRinter -p tcp --dport 80 -j TPROXY --on-port 50080
 // PRdmz chain
 // no services permitted
 COMMIT
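Review bot: the `-j TPROXY --on-port N` form at 122-127 is the one the subject line's "Bad argument `50080'" calls for, but the same thread shows iptables-restore v1.2.9 rejecting exactly that form with "Unknown arg `--on-port'", so the two spellings belong to different versions of the tproxy iptables extension; state next to these rules which libipt_TPROXY version the tutorial targets, otherwise readers on the other version get one of the two errors above. The `// PRintra chain` comment lines in the context are not iptables-restore comment syntax (`#`); if they rely on the iptables-gen preprocessing from 5.4.1 stripping them, say so where the ruleset file format is introduced.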
@@ -471,7 +475,7 @@
 :OUTPUT ACCEPT
 :noise -
 :spoof -
-:spoofdrop DROP
+:spoofdrop -
 :LOintra -
 :LOinter -
 :LOdmz -
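Review bot: `:spoofdrop -` at 136 is the correct form, since a `:chain POLICY` line carries a policy only for built-in chains and a user-defined chain such as spoofdrop has to be declared with `-`; the DROP behaviour is kept by the `-A spoofdrop -j DROP` rule visible in the next hunk's context, so the rulebase does not change. Worth a sentence in 5.4.1 where the file format is described, because `:spoofdrop DROP` is exactly the line a reader writes by analogy with `:INPUT DROP`.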
@@ -535,11 +539,11 @@
 -A spoofdrop -j DROP
 COMMIT
 
-5.4. Configuring Zorp
+5.5. Configuring Zorp
 
 This section focuses on Zorp configuration.
 
-5.4.1. Zorp & Python
+5.5.1. Zorp & Python
 
 The configuration of Zorp is Python based, in fact the configuration file is
 a Python module in itself. This does not mean however that the administrator
@@ -589,7 +593,7 @@
       }
     return HTTP_REQ_REJECT;
 
-5.4.2. Zorp components
+5.5.2. Zorp components
 
 To start configuring Zorp you will need to know the following Zorp components:
 
@@ -622,7 +626,7 @@
   associated with services and their task is to establish the server side
   connections of proxies.
   
-5.4.3. The simplest Zorp configuration
+5.5.3. The simplest Zorp configuration
 
 Zorp uses two files to store its configuration. The file named
 'instances.conf' contains the list of Zorp instances to be run. Its content
@@ -684,15 +688,20 @@
 You will need the following instances.conf(5) file to start your zorp
 instances using zorpctl:
 
-intra -v3 -p /etc/zorp/policy.py
-inter -v3 -p /etc/zorp/policy.py
-dmz -v3 -p /etc/zorp/policy.py
+intra -v3 -p /etc/zorp/policy.py --autobind-ip 192.168.0.1
+inter -v3 -p /etc/zorp/policy.py --autobind-ip 192.168.0.1
+dmz -v3 -p /etc/zorp/policy.py --autobind-ip 192.168.0.1
 
 The 'instances.conf' file specifies zorp startup parameters to use when the
 given instance is started. Consult zorp(8) manpage or run
 '/usr/lib/zorp/zorp --help' for more details.
 
-5.4.4. Adding our services
+One important point to make is the 'autobind-ip' argument in the example
+above, TPROXY requires a local, non-routeable IP address to make
+transparency possible. See section 5.4 and the TPROXY README file for more
+details.
+
+5.5.4. Adding our services
 
 Although our Zorp process is running by entering the configuration in the
 previous section, it would do nothing really useful. To do anything useful
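Review bot: the paragraph added at 188-191 sends the reader to "section 5.4" for the autobind address, but after this patch's renumbering 5.4 is "Configuring the packet filter" and the TPROXY README link sits at the end of 5.3 "Configuring network interfaces", so the cross-reference should probably read 5.3. "non-routeable" should be "non-routable", and because the 192.168.0.1 used at 179-181 is an RFC 1918 address that is routed inside most networks, the paragraph should state the property the README actually requires of this address rather than leave "non-routeable" to be guessed at.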
@@ -794,7 +803,7 @@
   know the destination zone as - unlike other services - it has a fixed,
   predefined destination: it connects to the webserver in the DMZ.
 
-5.4.5. Customizing proxies
+5.5.5. Customizing proxies
 
 In the previous section we implemented a firewall policy in about 30 lines.
 Although our example was quite simple there are real world firewalls with
