The Official Unofficial Zorp project
 
Overview| Examples| Bugs| FAQ | White papers | Download | Help wanted | SourceForge Project page | Filltable utility  
 
 
SourceForge.net: SF.net Project News: Zorp unofficial
  • zorp 2.0.9-6 has been released
  • iptables-utils zorp-unoff version has been released
  • New whitepaper, even more FAQs
  • Zorp whitepapers released, new FAQs
  • New tproxy versions
  • New Zorp version: get the DN
  • The best bughunter
  • Bughunting contest extended
  • Valentine day bughunting contest!
  • Site updates: FAQ, design
  • SourceForge.net: Project File Releases: Zorp unofficial
  • zorp 2.0.9-6 released (Mon, 01 Nov 2004 21:49:58 GMT)
  • zorp 2.0.9-6 released (Mon, 01 Nov 2004 21:40:56 GMT)
  • iptables-utils 1.21-1 released (Mon, 01 Nov 2004 21:19:42 GMT)
  • zorp 2.0.9-1 released (Sat, 12 Jun 2004 00:00:00 GMT)
  • zorplibll 2.0.26.24-1 released (Sat, 12 Jun 2004 00:00:00 GMT)
  • zorp zorp_2.0.8-1 released (Thu, 11 Dec 2003 00:00:00 GMT)
  • zorp zorp_2.0.7-2 released (Wed, 03 Dec 2003 00:00:00 GMT)
  • zorp zorp_2.0.7-1 released (Tue, 11 Nov 2003 00:00:00 GMT)
  • zorplibll zorplibll_2.0.26.23-1 released (Mon, 10 Nov 2003 00:00:00 GMT)
  • Next Previous Contents

    4. Iptables, tproxy, kernel, network setup

    4.1 Can I use Zorp version 2.x with kernel version 2.2.x ?

    Yes

    4.2 What is this tproxy thing? Do I need it?

    The tproxy patch reintroduces some features of the IP stack of linux kernel version 2.2, which were dropped in 2.4, and useful if you want to do transparent proxying. In some limited cases the REDIRECT target of the nat table is enogh, but if you do more than very basic transparent proxying, you will probably need tproxy.

    4.3 How to set up the dummy interface?

    when I try to start Zorp, it still fails, but it writes the following (among other things) to /var/log/messages:


            "Binding to dummy interface failed, please create one and
            pass --autobind-ip parameter; autobind=''192.168.1.1'' "
            
    

    autobind ip should not be routable and nost a connected private network, like 1.2.3.4/32 what we usually choose:


    auto dummy0
    iface dummy0 inet static
            address 1.2.3.4
            netmask 255.255.255.255
    

    and in the instances.conf we use --autobind-ip 1.2.3.4

    4.4 How to keep the port numbers with tproxy?

    Tproxy requires the '--on-port' parameter. But I use it with a port range, and want to keep the port numbers.

    Use '--on-port 0'.

    4.5 What is the difference between REDIRECT and TPROXY?

    • Different tables, so the NATted and proxied rules are cleanly separated.
    • TPROXY marks _all_ packets of the connection (not just the first), so the -m tproxy option matches. This makes easy to accept it in the filter table with one rule. With REDIRECT, you need to duplicate every rule in the filter table.
    • With UDP, tproxy behaves very differently. It NATs the first packet, and drops the conntrack state, because it is handled by Zorp.

    4.6 Does Zorp 2.x work with linux kernel 2.2.x?

    Yes. It works with linux 2.2.x, 2.4.x with and without tproxy patch, and with Solaris ipfilter. It should also work with linux 2.6.x.

    4.7 How I figure out the original destination address in C?

    If you are using TCP sockets, use the facilities provided by Netfilter, that is, the SO_ORIGINAL_DST sockopt. For example:


    struct sockaddr_in sin;
    socklen_t sinlen = sizeof(sin);
    
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, , ) != 0) {
            /* handle error */
    } else {
            /* success, address is in sin */
    }
    

    TProxy's original address sockopt is useful for UDP sockets, where every packet may have different original destination addresses. In this case, you have to be able to receive all information atomically, with one system call. So, you have to enable receiving of original address information with a setsockopt(), and then use recvmsg() to receive the message. Then, the necessary information should be in the auxiliary information block of the msghdr structure. But you need this only for UDP, the TCP case is much more simple.

    4.8 Is there documentation anywhere for iptables.conf.in? There's no man-page or anything else I can find in Zorp GPL.

    Also, how does the average Zorp GPL user obtain iptables-utils? I got my deb-package from a Zorp Pro CD, but I've noticed that the Zorp GPL literature (Zorp Tutorial, etc.) refers to it too.

    It seems only its predecessor has its own webpage (ipchains-utils), iptables-utils is available from balabit's debian repository.

    4.9 What is the difference between %d and %s in python formatted strings?

    %d needs a number in any case. If the argument given is not a number, it throws an exception. %s needs a string. If you give it a number, it will be happy with that either.

    4.10 What is the right way to use a virtual ip address (alias) bound to an outside interface and forward traffic to a host in the private network?

    I can get the Plug to work with the eth3 address, but not with the eth3:1 address.

    I tried setting up an InetZone with the ip address bound to eth3:1, but the packets disappear after hitting the tproxy rule in the INPUT chain. I can see them move through PREROUTING and then to the PRxxx chain, but they never get back to INPUT.

    You don't have to "tproxy-ing" a traffic like that. You should just put an ACCEPT rule on the right place, then you can put your listener on the desired IP (on the IP of eth3:1 in this case). However, you can "tproxy-ing" this traffic, but the packet will appear on the primary IP of the interface, so the listener should listen on that IP. Or you can use the '--on-ip' parameter of the TPROXY target.


    Next Previous Contents