4. Iptables, tproxy, kernel, network setup

4.1 Can I use Zorp version 2.x with kernel version 2.2.x?

Yes.

4.2 What is this tproxy thing? Do I need it?

The tproxy patch reintroduces some features of the IP stack of Linux kernel version 2.2 that were dropped in 2.4 and that are useful if you want to do transparent proxying. In some limited cases the REDIRECT target of the nat table is enough, but if you do more than very basic transparent proxying, you will probably need tproxy.

4.3 How to set up the dummy interface?

When I try to start Zorp, it still fails, but it writes the following (among other things) to /var/log/messages: "Binding to dummy interface failed, please create one and pass --autobind-ip parameter; autobind='192.168.1.1'"

The autobind IP should not be routable and should not belong to a connected private network; use a single host address such as 1.2.3.4/32. What we usually choose (a Debian /etc/network/interfaces stanza):

    auto dummy0
    iface dummy0 inet static
        address 1.2.3.4
        netmask 255.255.255.255

and in instances.conf we use --autobind-ip 1.2.3.4.

4.4 How to keep the port numbers with tproxy?

Tproxy requires the '--on-port' parameter. But I use it with a port range and want to keep the port numbers.

Use '--on-port 0'.

4.5 What is the difference between REDIRECT and TPROXY?
4.6 Does Zorp 2.x work with Linux kernel 2.2.x?

Yes. It works with Linux 2.2.x, with Linux 2.4.x both with and without the tproxy patch, and with Solaris ipfilter. It should also work with Linux 2.6.x.

4.7 How do I figure out the original destination address in C?

If you are using TCP sockets, use the facility provided by Netfilter, that is, the SO_ORIGINAL_DST socket option. For example:

    struct sockaddr_in sin;
    socklen_t sinlen = sizeof(sin);

    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &sin, &sinlen) != 0)
      {
        /* handle error */
      }
    else
      {
        /* success, the original destination address is in sin */
      }

TProxy's original address socket option is useful for UDP sockets, where every packet may have a different original destination address. In that case you have to receive all the information atomically, with one system call: enable delivery of the original address information with setsockopt(), then receive the datagram with recvmsg(). The original address is then found in the ancillary data (control messages) of the msghdr structure. You need this only for UDP; the TCP case is much simpler.

4.8 Is there documentation anywhere for iptables.conf.in? There's no man page or anything else I can find in Zorp GPL. Also, how does the average Zorp GPL user obtain iptables-utils? I got my deb package from a Zorp Pro CD, but I've noticed that the Zorp GPL literature (Zorp Tutorial, etc.) refers to it too. It seems only its predecessor (ipchains-utils) has its own web page.

iptables-utils is available from BalaBit's Debian repository.

4.9 What is the difference between %d and %s in Python formatted strings?

%d needs a number in any case; if the argument given is not a number, it raises an exception. %s accepts anything: it converts the argument to its string form, so a number is fine there too.

4.10 What is the right way to use a virtual IP address (alias) bound to an outside interface and forward traffic to a host in the private network?

I can get the Plug to work with the eth3 address, but not with the eth3:1 address. I tried setting up an InetZone with the IP address bound to eth3:1, but the packets disappear after hitting the tproxy rule in the INPUT chain. I can see them move through PREROUTING and then to the PRxxx chain, but they never get back to INPUT.

You don't have to tproxy traffic like that. Just put an ACCEPT rule in the right place, then you can bind your listener to the desired IP (the IP of eth3:1 in this case). You can also tproxy this traffic, but then the packet will appear on the primary IP of the interface, so the listener must listen on that IP; alternatively, use the '--on-ip' parameter of the TPROXY target to choose the address the packet is delivered to.
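The following C helpers are an added example for 4.7 above; they are not code from the Zorp FAQ or from the Zorp sources. They implement both paths the answer describes: SO_ORIGINAL_DST for an accepted TCP socket, and for UDP the setsockopt() to enable original-address delivery, a single recvmsg() that returns payload, peer and original destination together, and the walk over the msghdr control messages. The UDP part uses the IP_RECVORIGDSTADDR / IP_ORIGDSTADDR socket options of the mainline TPROXY support (Linux 2.6.28 and later) rather than the option names of the 2.4 tproxy patch the FAQ refers to, so adjust the names if you are on a patched 2.4 kernel. The demo_* functions, the constructed 10.0.0.5:8080 control message they parse, and all function names are the example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netfilter_ipv4.h>   /* SO_ORIGINAL_DST */

#ifndef IP_ORIGDSTADDR              /* older libc headers: values from <linux/in.h> */
#define IP_ORIGDSTADDR 20
#define IP_RECVORIGDSTADDR 20
#endif

/* TCP: ask conntrack for the pre-NAT destination of an accepted socket.
 * Returns 0 and fills *dst on success, -1 (errno set) otherwise. */
int tcp_original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, dst, &len) != 0)
        return -1;                  /* e.g. ENOENT: no conntrack entry for this socket */
    if (len != sizeof(*dst) || dst->sin_family != AF_INET) {
        errno = EINVAL;             /* kernel handed back something unexpected */
        return -1;
    }
    return 0;
}

/* UDP step 1: have the kernel attach the original destination to every datagram. */
int udp_enable_original_dst(int fd)
{
    int one = 1;
    return setsockopt(fd, SOL_IP, IP_RECVORIGDSTADDR, &one, sizeof(one));
}

/* UDP step 2: pull the IP_ORIGDSTADDR control message out of a received msghdr.
 * Returns 0 and fills *dst if present, -1 with errno = ENOENT if it is missing. */
int udp_original_dst(struct msghdr *msg, struct sockaddr_in *dst)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == SOL_IP && c->cmsg_type == IP_ORIGDSTADDR
            && c->cmsg_len >= CMSG_LEN(sizeof(*dst))) {
            memcpy(dst, CMSG_DATA(c), sizeof(*dst));
            return 0;
        }
    }
    errno = ENOENT;
    return -1;
}

/* Control buffer sized and aligned for exactly one IP_ORIGDSTADDR message. */
union origdst_ctrl { char buf[CMSG_SPACE(sizeof(struct sockaddr_in))]; struct cmsghdr hdr; };

/* UDP steps 1+2 together: one recvmsg() delivers payload, peer and original
 * destination atomically. A truncated control block is an error, not a guess. */
ssize_t udp_recv_with_original_dst(int fd, void *buf, size_t buflen,
                                   struct sockaddr_in *peer, struct sockaddr_in *dst)
{
    union origdst_ctrl ctrl;
    struct iovec iov = { buf, buflen };
    struct msghdr msg = { .msg_name = peer, .msg_namelen = sizeof(*peer), .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = ctrl.buf, .msg_controllen = sizeof(ctrl.buf) };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC) {
        errno = ENOBUFS;            /* control data was cut off: do not trust it */
        return -1;
    }
    return udp_original_dst(&msg, dst) == 0 ? n : -1;
}

/* Offline demonstration of the parsing step with a constructed control buffer
 * (what the kernel would attach to a datagram aimed at 10.0.0.5:8080). Returns the recovered port, 0 on failure. */
unsigned short demo_parse_constructed_original_dst(void)
{
    union origdst_ctrl ctrl;
    struct sockaddr_in want = { .sin_family = AF_INET, .sin_port = htons(8080) }, got;
    struct msghdr msg = { .msg_control = ctrl.buf, .msg_controllen = sizeof(ctrl.buf) };
    inet_pton(AF_INET, "10.0.0.5", &want.sin_addr);     /* constructed sample address */
    memset(ctrl.buf, 0, sizeof(ctrl.buf));
    ctrl.hdr.cmsg_level = SOL_IP;
    ctrl.hdr.cmsg_type = IP_ORIGDSTADDR;
    ctrl.hdr.cmsg_len = CMSG_LEN(sizeof(want));
    memcpy(CMSG_DATA(&ctrl.hdr), &want, sizeof(want));
    if (udp_original_dst(&msg, &got) != 0 || got.sin_addr.s_addr != want.sin_addr.s_addr)
        return 0;
    return ntohs(got.sin_port);
}

/* The parser must report absence instead of returning garbage. Returns 1 if it does. */
int demo_missing_original_dst_is_error(void)
{
    struct msghdr msg = { 0 };      /* no control data at all */
    struct sockaddr_in got;
    return udp_original_dst(&msg, &got) != 0 && errno == ENOENT;
}
```

In a proxy, call udp_enable_original_dst() once on the bound UDP socket and udp_recv_with_original_dst() per datagram; the MSG_CTRUNC check matters because a control buffer that is too small silently drops the address, and a proxy that then falls back to the socket's own address would forward traffic to the wrong destination. For TCP, tcp_original_dst() on the socket returned by accept() is all that is needed.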