[zorp] Why client can see ip address of dummy interface
    Zhou Li 
    zhou.li at ca-jc.com
       
    Tue Jul 10 09:05:35 CEST 2007
    
    
  
Yes, Johns, it works in bridge mode.  //ZhouLi
  ----- Original Message ----- 
  From: A Johns 
  To: Zorp users mailing list 
  Sent: Tuesday, July 10, 2007 14:56
  Subject: Re: [zorp] Why client can see ip address of dummy interface
  Hi ZhouLi,
  See below
  On 7/9/07, Zhou Li <zhou.li at ca-jc.com> wrote:
    I tested Zorp 3.0.14b + 2.0.6 cttproxy for kernel 2.6.17 and it works fine for me, but I found the client can
    see the IP address of the dummy interface, which I can't understand.
    client(192.168.88.166) <--> zorp(dummy ip 172.16.44.10) <--> server( 192.168.88.10)
    # iptables -t tproxy -I PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 172.16.44.10 --on-port 60080
    instances.conf:
    http -T -v 1 -s core.error:0 -p /usr/local/etc/zorp/http.py -B 172.16.44.10
    http.py:
    .
    .
    .
    def zorp():
      Service("http", MyHttp, router=TransparentRouter(forge_addr=TRUE, forge_port=Z_PORT_EXACT))
      Listener(SockAddrInet('172.16.44.10', 60080), "http", transparent=TRUE, mark_tproxy=TRUE)
    When I make a new HTTP request from the client to the server, tcpdump displays the information below:
    tcpdump on client
    # tcpdump | grep 172.16.44.10
    16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
    16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
    16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
    16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156
    tcpdump on server
    # tcpdump | grep 172.16.44.10
    16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10
    My question is: how do I avoid the client seeing the dummy IP address?
    ZhouLi
  Does TProxy work in bridge mode - you appear to have the same network address/mask on both zorp interfaces - is this correct? Or is this on a VMware system?
  --
  Regards
  AJ
  NetSafety - Internet Security Made Easy
------------------------------------------------------------------------------
  _______________________________________________
  zorp mailing list
  zorp at lists.balabit.hu
  https://lists.balabit.hu/mailman/listinfo/zorp