[zorp] Why client can see ip address of dummy interface

A Johns andrew.johns at gmail.com
Wed Jul 11 01:15:34 CEST 2007


Li,

More questions than answers, but we'll get to the cause of this...

Does zorp have a 192.168.88.x address assigned to either of its interfaces?
Does it have 2 interfaces or more? Can you provide a tcpdump trace of the
sequence leading up to the below and include any ARP requests also?

# tcpdump | grep 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P
0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1
win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R
3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R
3812615646:38126156

i.e.: was there a 3-way TCP handshake between client and server (or zorp)
before the above?  What ARP requests/replies were sent/received by the
client/zorp/server, if any?  And can you include 'netstat -rn' (routing
table) info too please - I'm not sure how these devices are communicating
directly unless you have multiple networks (i.e. 192.168.88.0/24 and
172.16.44.0/24) attached to the same network segment?

I agree that you should not be able to see the client IP - did it work
before in the past or is this the first time you've done this?

I see you have VLANs configured also - are these 3 devices the only devices
on the network or is it much more complicated than the original ASCII
diagram?  Can you provide a more detailed diagram showing any other
switches/firewalls/gateways on your network?

--
Regards
AJ

NetSafety - Internet Security Made Easy

On 7/10/07, Zhou Li <zhou.li at ca-jc.com> wrote:
>
>  Yes, Johns, it works in bridge mode.  //ZhouLi
>
> ----- Original Message -----
> *From:* A Johns <andrew.johns at gmail.com>
> *To:* Zorp users mailing list <zorp at lists.balabit.hu>
> *Sent:* Tuesday, July 10, 2007 14:56
> *Subject:* Re: [zorp] Why client can see ip address of dummy interface
>
> Hi ZhouLi,
>
> See below
>
> On 7/9/07, Zhou Li <zhou.li at ca-jc.com> wrote:
> >
> >  I tested Zorp 3.0.14b  +  2.0.6 cttproxy for kernel 2.6.17 and it works
> > fine for me, but I found that the client can
> > see the IP address of the dummy interface, which I can't understand.
> >
> > client(192.168.88.166) <--> zorp(dummy ip 172.16.44.10) <--> server(192.168.88.10)
> >
> >  # iptables -t tproxy -I PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 172.16.44.10 --on-port 60080
> >
> > instances.conf:
> > http -T -v 1 -s core.error:0 -p /usr/local/etc/zorp/http.py -B 172.16.44.10
> >
> > http.py:
> > .
> > .
> > .
> > def zorp():
> >   Service("http", MyHttp, router=TransparentRouter(forge_addr=TRUE, forge_port=Z_PORT_EXACT))
> >   Listener(SockAddrInet("172.16.44.10", 60080), "http", transparent=TRUE, mark_tproxy=TRUE)
> >
> >  When I make a new HTTP request from the client to the server, tcpdump
> > displays the information below:
> >
> > tcpdump on client
> > # tcpdump | grep 172.16.44.10
> > 16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 >
> > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
> > 16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack
> > 1 win 11680 (DF)
> > 16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R
> > 3812615646:3812615646(0) win 0
> > 16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 >
> > 172.16.44.10.60080: R 3812615646:38126156
> >
> > tcpdump on server
> >  # tcpdump | grep 172.16.44.10
> > 16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10
> >
> > My question is: how do I prevent the client from seeing the dummy IP address?
> >
> > ZhouLi
> >
>
>
> Does TProxy work in bridge mode - you appear to have the same network
> address/mask on both zorp interfaces - is this correct? Or is this on a
> VMWare system?
>
>