[zorp] Bad argument `50080'
Balazs Scheidler
zorp@lists.balabit.hu
Thu, 15 Apr 2004 09:48:31 +0200
On Wed, 2004-04-14 at 21:19, Phil Moors wrote:
> Okay, I changed the entries in iptables.conf.in to use the --on-port. Running iptables-gen
> exits silently and leaves an iptables.conf.new file. Running iptables-test now shows:
>
> iptables-restore v1.2.9: Unknown arg `--on-port'
> Error occurred at line: 15
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>
> The iptables.conf.in was taken right from the Zorp tutorial. Is the documentation in
> the tutorial applicable to iptables or is it ipchains based? I'm running a 2.4 kernel.
Assuming you have the tutorial from zorp 2.0, I attach a diff which
contains a couple of fixes.
>
> Alternatively, I ran iptables -F and iptables -X and grabbed the 2nd article from Linux Journal about Zorp. I attempted to type in the commands from listing one in the article and got these results:
>
> [root@fw1 etc]# iptables -t tproxy -P PREROUTING ACCEPT
> [root@fw1 etc]# iptables -t tproxy -A PREROUTING -i eth0 -j PRintra
> iptables v1.2.9: Couldn't load target `PRintra':/lib/iptables/libipt_PRintra.so: cannot open shared object file: No such file or directory
PRintra is a user-defined chain, you have to create it by entering
iptables -t tproxy -N PRintra (or use iptables-restore to load your
configuration)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Attachment: zorp-tutorial-update.txt (text/x-patch)
Index: zorp-tutorial.txt
===================================================================
RCS file: /var/cvs/zorp/zorp-core/doc/zorp-tutorial.txt,v
retrieving revision 1.2.4.3
retrieving revision 1.8
diff -u -r1.2.4.3 -r1.8
--- zorp-tutorial.txt 1 Apr 2004 14:22:41 -0000 1.2.4.3
+++ zorp-tutorial.txt 13 Feb 2004 19:58:34 -0000 1.8
@@ -1,7 +1,7 @@
Zorp Tutorial
-Version 1.0.1
-26th October, 2003
+Version 1.0.2
+8th January, 2004
1. Introduction
@@ -269,7 +269,7 @@
Of course the remaining packets of the TCP session after the initial SYN
must also be allowed by the packet filter.
-5.2. Configuring network interfaces
+5.3. Configuring network interfaces
As I stated earlier a Zorp based firewall fulfills the role of an IP router
from its neighbour perspective. This means that all its interfaces must be
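Review bot: the heading change 5.2 -> 5.3 is not matched by any hunk in this patch that introduces a new section 5.2, and the identical offsets in the hunk header (-269,7 +269,7) show nothing was inserted earlier in the file, so after applying the patch the chapter numbering skips from 5.1 to 5.3 unless a hunk is missing from the attachment; either include that hunk or keep the old numbers.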
@@ -290,7 +290,7 @@
(http://www.balabit.hu/en/downloads/tproxy/README.txt)
-5.3. Configuring the packet filter
+5.4. Configuring the packet filter
To configure the packet filter we first need to establish a couple of rules
we will be adhering to, as the packet filter ruleset can become quite
@@ -309,7 +309,7 @@
where simple packet filtering is done, and the tproxy table where we
are redirecting sessions to our proxies.
-5.3.1. Storing the ruleset
+5.4.1. Storing the ruleset
Some people like storing their ruleset as a shell script which invokes the
necessary iptables commands. As I don't like mixing executable code and data
@@ -362,7 +362,11 @@
You will get two rules the first with 1.2.3.4 substituted, the second
with 1.2.3.5 substituted.
-5.3.2. Naming the chains
+iptables-utils is available from:
+
+http://apt.balabit.com/zorp-gpl-os/pool/i/iptables-utils/
+
+5.4.2. Naming the chains
In addition to the standard chains provided by iptables (INPUT, OUTPUT
etc) we will create separate chains for each security zone. Each security
@@ -378,7 +382,7 @@
proxies we won't need NAT nor mangle rules. (of course we can add further
finetuning to our rulebase, like limiting the number of SYNs etc)
-5.3.3. Jumping to our chains
+5.4.3. Jumping to our chains
We have two set of chains for each security zone, LOxxx chains are
processed in the filter table, INPUT chain. PRxxx chains are processed in
@@ -457,11 +461,11 @@
-A PREROUTING -i IFinter -j PRinter
-A PREROUTING -i IFdmz -j PRdmz
// PRintra chain
--A PRintra -p tcp --dport 80 -j TPROXY 50080
--A PRintra -p tcp --dport 443 -j TPROXY 50443
--A PRintra -p tcp --dport 21 -j TPROXY 50021
+-A PRintra -p tcp --dport 80 -j TPROXY --on-port 50080
+-A PRintra -p tcp --dport 443 -j TPROXY --on-port 50443
+-A PRintra -p tcp --dport 21 -j TPROXY --on-port 50021
// PRinter chain
--A PRinter -p tcp --dport 80 -j TPROXY 50080
+-A PRinter -p tcp --dport 80 -j TPROXY --on-port 50080
// PRdmz chain
// no services permitted
COMMIT
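Review bot: the new '-j TPROXY --on-port <port>' form is the right syntax, but the tutorial should say that it needs the TPROXY target extension for iptables installed and current: the error quoted at the top of this mail (iptables-restore v1.2.9: Unknown arg `--on-port') is what iptables prints when no loaded target or match recognises the option, i.e. the extension is missing or is an older build that still takes the port positionally (the form these lines remove), and a reader will otherwise blame the listing. A sentence next to the iptables-utils download link added in the hunk at -362 would be the natural place.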
@@ -471,7 +475,7 @@
:OUTPUT ACCEPT
:noise -
:spoof -
-:spoofdrop DROP
+:spoofdrop -
:LOintra -
:LOinter -
:LOdmz -
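Review bot: correct fix; in iptables-restore syntax only the built-in chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING) take a policy, and a user-defined chain such as spoofdrop must be declared with '-' or the whole file fails to load. The drop behaviour is kept by the explicit rule '-A spoofdrop -j DROP' visible in the next hunk, so nothing is lost.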
@@ -535,11 +539,11 @@
-A spoofdrop -j DROP
COMMIT
-5.4. Configuring Zorp
+5.5. Configuring Zorp
This section focuses on Zorp configuration.
-5.4.1. Zorp & Python
+5.5.1. Zorp & Python
The configuration of Zorp is Python based, in fact the configuration file is
a Python module in itself. This does not mean however that the administrator
@@ -589,7 +593,7 @@
}
return HTTP_REQ_REJECT;
-5.4.2. Zorp components
+5.5.2. Zorp components
To start configuring Zorp you will need to know the following Zorp components:
@@ -622,7 +626,7 @@
associated with services and their task is to establish the server side
connections of proxies.
-5.4.3. The simplest Zorp configuration
+5.5.3. The simplest Zorp configuration
Zorp uses two files to store its configuration. The file named
'instances.conf' contains the list of Zorp instances to be run. Its content
@@ -684,15 +688,20 @@
You will need the following instances.conf(5) file to start your zorp
instances using zorpctl:
-intra -v3 -p /etc/zorp/policy.py
-inter -v3 -p /etc/zorp/policy.py
-dmz -v3 -p /etc/zorp/policy.py
+intra -v3 -p /etc/zorp/policy.py --autobind-ip 192.168.0.1
+inter -v3 -p /etc/zorp/policy.py --autobind-ip 192.168.0.1
+dmz -v3 -p /etc/zorp/policy.py --autobind-ip 192.168.0.1
The 'instances.conf' file specifies zorp startup parameters to use when the
given instance is started. Consult zorp(8) manpage or run
'/usr/lib/zorp/zorp --help' for more details.
-5.4.4. Adding our services
+One important point to make is the 'autobind-ip' argument in the example
+above, TPROXY requires a local, non-routeable IP address to make
+transparency possible. See section 5.4 and the TPROXY README file for more
+details.
+
+5.5.4. Adding our services
Although our Zorp process is running by entering the configuration in the
previous section, it would do nothing really useful. To do anything useful
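Review bot: the cross-reference in the added paragraph looks off by one: after this patch's renumbering, 5.4 is 'Configuring the packet filter' (hunk at -290), while the TPROXY README link that the sentence pairs it with sits at the end of 'Configuring network interfaces', which is now 5.3. Also 'non-routeable' should be 'non-routable', the sentence "One important point to make is the 'autobind-ip' argument in the example above, TPROXY requires ..." is a comma splice (split it after 'above'), and it would help to say that 192.168.0.1 is an example address the reader replaces with their own unused local IP.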
@@ -794,7 +803,7 @@
know the destination zone as - unlike other services - it has a fixed,
predefined destination: it connects to the webserver in the DMZ.
-5.4.5. Customizing proxies
+5.5.5. Customizing proxies
In the previous section we implemented a firewall policy in about 30 lines.
Although our example was quite simple there are real world firewalls with
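A small checker for the three load-time mistakes this thread runs into: a user-defined chain declared with a policy (':spoofdrop DROP'), the old positional '-j TPROXY <port>' form, and a jump to a chain that is never declared in the table (the 'Couldn't load target' error above). This is an added example written for this page, not Zorp's or the tutorial's code; the *tproxy excerpt it scans is constructed to mirror the listing in the patch.

```python
import re

# Only built-in chains may carry a policy on a ':' line in iptables-restore input.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Targets that are not user-defined chains and need no ':' declaration.
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "TPROXY",
                 "SNAT", "DNAT", "MASQUERADE", "REDIRECT"}

# Constructed sample in iptables-restore format, mirroring the tutorial's tproxy table.
SAMPLE = """\
*tproxy
:PREROUTING ACCEPT
:PRintra -
:spoofdrop DROP
-A PREROUTING -i eth0 -j PRintra
-A PREROUTING -i eth1 -j PRinter
-A PRintra -p tcp --dport 80 -j TPROXY 50080
-A PRintra -p tcp --dport 443 -j TPROXY --on-port 50443
-A spoofdrop -j DROP
COMMIT
"""

def lint_iptables_restore(text):
    """Return a sorted list of (line_no, message) for one or more tables."""
    problems, declared, jumps = [], set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # '#' is the real comment syntax; the tutorial listing annotates with '//'.
        if not line or line.startswith("#") or line.startswith("//"):
            continue
        if line.startswith("*"):                 # new table: chain scope restarts
            declared, jumps = set(), []
            continue
        if line == "COMMIT":                     # table ends: resolve pending jumps
            problems += [(j, f"jump to undeclared chain '{c}'")
                         for j, c in jumps if c not in declared]
            continue
        m = re.match(r":(\S+)\s+(\S+)", line)
        if m:
            chain, policy = m.groups()
            declared.add(chain)
            if chain not in BUILTIN_CHAINS and policy != "-":
                problems.append((no, f"user-defined chain '{chain}' cannot have "
                                     f"policy '{policy}', declare it with '-'"))
            continue
        m = re.search(r"(?:-j|--jump)\s+(\S+)(.*)", line)
        if m:
            target, rest = m.groups()
            if target == "TPROXY" and re.fullmatch(r"\s+\d+\s*", rest):
                problems.append((no, "old syntax '-j TPROXY <port>', use '--on-port <port>'"))
            elif target not in KNOWN_TARGETS:    # must be a chain declared in this table
                jumps.append((no, target))
    return sorted(problems)
```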