[zorp] iptables configuration for zorp alg

Balazs Scheidler zorp@lists.balabit.hu
Tue, 22 Feb 2005 17:38:07 +0100


On Tue, 2005-02-22 at 13:35 +0100, Tillmann Werner wrote:
> Hi,
> 
> I am new to this list and zorp as well. I am just playing around with zorp
> in a user mode linux environment and need some help with iptables
> configuration.
> 
> There is one http zorp proxy configured right now. The system and zorp is
> running fine, but I get some loops when trying to connect to a web server
> through the zorp machine.
> 
> I need to redirect connections coming in on my internal interface on, say,
> port 80/tcp to zorp (i.e. port 50080/tcp) and tproxy them to servers in the
> internet, reachable via an external interface. Redirection works, tproxying
> as well, but iptables seems to redirect the connection established by zorp
> back to the proxy.
> 
> Is there any configuration example or documentation for such a setup? I know
> the tutorial on the zorp gpl web page, but could not get any help for my
> problems out of it, maybe because of lack of detailed iptables knowledge.
> 
> I currently have no access to my configuration, but I can post details
> later, if needed.

I think Zorp has not correctly detected your transparent proxying
implementation, thus does not detect the actual transparent destination
of your client, uses the listener address instead (e.g. the address the
IP stack "thinks" your destination was), and then reconnects itself.

You should check the output of your "System dependant init" log message
at Zorp startup, where you should see "sysdep_tproxy=2" or
sysdep_tproxy=tproxy12, depending on your Zorp version. (3.0.3 or later
reports the latter one, earlier Zorp versions reported it numerically)

If you see sysdep_tproxy=1 or linux22 then Zorp did not detect your
tproxy correctly, maybe you don't have the autobind interface configured
correctly. Zorp also reminds you about this, with a log message like
"Error autobinding socket..."

If you post the startup logs (by running /usr/lib/zorp/zorp -v8 -l -T) I
might help you identify other problems as well.

-- 
Bazsi
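The startup-log check Bazsi describes above, as an added example that is not part of the original thread and not code from Zorp itself: a small POSIX sh function that reads a Zorp startup log and reports whether the sysdep_tproxy value is one of the good ones (tproxy12 or 2), one of the bad ones (linux22 or 1), or whether an "Error autobinding socket" message appeared. The sample log files are constructed here; their exact line layout (syslog prefix, the `key='value'` form) is an assumption, only the `sysdep_tproxy=<value>` token and the autobind error text come from the mail.

```shell
#!/bin/sh
# Added example, not from the mailing list thread and not part of Zorp.
# Classify a Zorp startup log by the sysdep_tproxy value it reports in its
# "System dependant init" message. Sample logs below are constructed; the
# line layout is an assumption, only the sysdep_tproxy=<value> token and
# the "Error autobinding socket" text are taken from the mail above.

# Print a verdict and return 0 when tproxy was detected (tproxy12 or 2),
# 1 when it was not (linux22 or 1, or an autobind error), 2 when no
# sysdep_tproxy value is present at all.
zorp_tproxy_check() {
    logfile="$1"
    if grep -q 'Error autobinding socket' "$logfile"; then
        echo "bad: autobind failed, check the autobind interface"
        return 1
    fi
    # Take the first sysdep_tproxy value; tolerate an optional quote
    # character between '=' and the value.
    value=$(sed -n "s/.*sysdep_tproxy=['\"]*\([A-Za-z0-9]*\).*/\1/p" "$logfile" | head -n 1)
    case "$value" in
        tproxy12|2) echo "ok: sysdep_tproxy=$value"; return 0 ;;
        linux22|1)  echo "bad: sysdep_tproxy=$value (tproxy not detected)"; return 1 ;;
        '')         echo "unknown: no sysdep_tproxy in log"; return 2 ;;
        *)          echo "unknown: sysdep_tproxy=$value"; return 2 ;;
    esac
}

# Constructed sample logs (layout assumed, see comment at the top).
ZORP_GOOD_LOG=$(mktemp)
cat > "$ZORP_GOOD_LOG" <<'EOF'
Feb 22 17:00:01 fw zorp[1234]: Starting Zorp
Feb 22 17:00:01 fw zorp[1234]: System dependant init; sysdep_tproxy='tproxy12'
EOF

ZORP_BAD_LOG=$(mktemp)
cat > "$ZORP_BAD_LOG" <<'EOF'
Feb 22 17:00:01 fw zorp[1234]: Starting Zorp
Feb 22 17:00:01 fw zorp[1234]: System dependant init; sysdep_tproxy=1
EOF

ZORP_AUTOBIND_LOG=$(mktemp)
cat > "$ZORP_AUTOBIND_LOG" <<'EOF'
Feb 22 17:00:01 fw zorp[1234]: System dependant init; sysdep_tproxy=linux22
Feb 22 17:00:05 fw zorp[1234]: Error autobinding socket; error='Cannot assign requested address'
EOF

# Stand-alone demo: one verdict per sample log.
for f in "$ZORP_GOOD_LOG" "$ZORP_BAD_LOG" "$ZORP_AUTOBIND_LOG"; do
    zorp_tproxy_check "$f" || :
done
```

To use it on a real system, capture the startup output of `/usr/lib/zorp/zorp -v8 -l -T` into a file and pass that file to `zorp_tproxy_check`; a "bad" or "unknown" verdict is the case the reply above points at, where Zorp falls back to the listener address and reconnects to itself.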