Date:	Wed, 02 Dec 2009 14:33:15 +0900
From:	linuxpark <linuxpark@...il.com>
To:	KOVACS Krisztian <hidden@...abit.hu>
CC:	tproxy@...ts.balabit.hu, netfilter-announce@...ts.netfilter.org,
	netfilter@...ts.netfilter.org, netdev@...r.kernel.org,
	rnd@...m.net, dylee@...m.net
Subject: Re: [tproxy] [HELP] Tproxy server Can't receive any client packet

Hi

I have one more problem and question :-(
I tested tproxy4 on Debian Linux and succeeded in the transparent proxying
function of the Apache proxy server (a tproxy-patched one).

But when I tested the same Apache version on CentOS (5.4),

the Apache proxy did not operate correctly. The listen() function did not
return when a client tried to connect to a web server.
Then Apache did not do any action: no response, but the usage count
of the filter in the mangle table was increased.

And then... I found something strange, like below.
There are two listening daemons with the same port, but the daemons are the same
process:


root@waf:~/tproxy4-20091127/httpd-2.2.9-tproxy-v1# netstat -ap | grep http
tcp        0      0 *:squid                     *:*                         LISTEN      7397/httpd
tcp        0      0 *:squid                     *:*                         LISTEN      7397/httpd


I don't know why the Apache proxy, which succeeded in doing tproxy on
Debian Linux, did not operate correctly on CentOS (5.4),
but the Squid proxy succeeded in tproxy on both the Debian and the CentOS box.

Do you have any idea? Thanks in advance ~


[Environment]

- bridged  network

Client <---> [eth2   apache tproxy   eth1]  <---> WebServer
                        +--------    br0  ---------+

- CPU: AMD Phenom(tm) II X4 955 Processor

- OS:
  CentOS release 5.4 (Final)

- Kernel:
  vanilla 2.6.31

- Kernel config:
  kconfig-2.6.31  [attached]

- apache server:
  apache 2.2.9 +  http-2.2.9-tproxy4.patch [attached]

- iptables:
  1.4.3

- gcc
  4.1.2

- iptables & ebtables (broute) & ip rules

    # flush the previous TPROXY setup
    ${IPTABLES} -t mangle -F
    ${IPTABLES} -t mangle -X DIVERT
    ${IPTABLES} -t nat -F

    #ip rule del fwmark 0x1/0x1 lookup 100
    ip rule del fwmark 1 lookup 100
    ip route del local 0.0.0.0/0 dev lo table 100
    ebtables -t broute -F

    # DIVERT chain: packets that already belong to a local socket are marked
    # and accepted, so established flows keep taking the local route
    ${IPTABLES} -t mangle -N DIVERT
    ${IPTABLES} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    ${IPTABLES} -t mangle -A DIVERT -j MARK --set-mark 1
    ${IPTABLES} -t mangle -A DIVERT -j ACCEPT
    # new connections to port 80 are handed to the proxy listening on ${PORT}
    ${IPTABLES} -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port ${PORT}

    # marked packets are delivered locally via routing table 100
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

    # rewrite the MAC of port-80 frames to the bridge's own so they reach the local IP stack
    ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
    ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT

    # turn off all bridge-netfilter sysctls
    cd /proc/sys/net/bridge/
    for i in *
        do
            echo 0 > $i
        done
        unset i

    sysctl net.ipv4.ip_nonlocal_bind=1
    sysctl net.ipv4.ip_forward=1




 

KOVACS Krisztian wrote:
> Hi,
>
> On Mon, 2009-11-23 at 15:51 +0900, 박제호 wrote:
>
>> I have a problem in my transparent proxy test.
>> I recently made up the testbed as below to run the tproxy-patched
>> Apache proxy [mod_proxy],
>> and I applied all iptables and routing rules with reference to the
>> readme file [http://www.balabit.com/downloads/files/tproxy/README.txt,
>> http://www.mjmwired.net/kernel/Documentation/networking/tproxy.txt].
>> The proxy server is listening on port 3128 and I checked that there was no problem.
>> But when the client tried to connect to the web server,
>> the packets reached the box and I found the usage counts of the filter
>> rules in the mangle table increased,
>> but my tproxy server could not receive any corresponding packet from the socket.
>>
>> I want to know why my proxy server can't receive any packet through the socket.
>> Do I need some more DNAT rules?
>>
>
> Would you mind testing the setup with an unpatched upstream kernel, that
> has tproxy built-in? (2.6.31, for example)
>
> Also, please download the latest iptables from netfilter.org and try
> using that. (No need for patching, tproxy support is in upstream.)
>
> That would help a lot in identifying the source of the issue. Thanks in
> advance.
>
> Cheers,
> Krisztian
>
>
>


View attachment "kconfig-2.6.31" of type "text/plain" (95421 bytes)

View attachment "http-2.2.9-tproxy4-patch" of type "text/plain" (12370 bytes)
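An added Python example (not from this message, the Apache tproxy patch or the Squid code) of the two things the tproxy.txt document linked in the quoted mail asks of the proxy application, and the first things to verify when the TPROXY rule counters grow but accept() never returns: the listening socket must carry IP_TRANSPARENT, and the original destination of a diverted connection is read back with getsockname() on the accepted socket. Assumptions: a Linux host, Python 3, and port 3128 from the thread; the transparent listener needs CAP_NET_ADMIN, while the loopback self-test runs unprivileged.

```python
import socket

# IP_TRANSPARENT is 19 in <linux/in.h>; Python exposes it on Linux.
# Assumption: Linux host; the fallback only covers older Python builds.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def make_listener(host="0.0.0.0", port=3128, transparent=True):
    """TCP listener of the kind the TPROXY target can divert flows to.

    transparent=True sets IP_TRANSPARENT (needs CAP_NET_ADMIN); without it
    the kernel's socket lookup skips this socket for foreign-destination
    packets, so rule counters grow while accept() never returns.
    transparent=False gives a plain listener for an unprivileged test.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def is_transparent(sock):
    """True if IP_TRANSPARENT is set: the first check on a silent proxy."""
    return sock.getsockopt(socket.IPPROTO_IP, IP_TRANSPARENT) == 1


def accept_one(listener):
    """Accept one connection; return (conn, client_addr, original_dst).

    For a diverted flow getsockname() on the accepted socket is the address
    the client really dialled (web server IP, port 80), not --on-port; that
    is where a transparent proxy has to forward the request.
    """
    conn, client = listener.accept()
    return conn, client, conn.getsockname()


def loopback_selftest():
    """Exercise listener/accept over 127.0.0.1 without privileges; returns
    (listener port, original_dst seen by accept_one, transparent flag)."""
    lst = make_listener("127.0.0.1", 0, transparent=False)
    port = lst.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))
    conn, _client, original_dst = accept_one(lst)
    flag = is_transparent(lst)
    for s in (conn, cli, lst):
        s.close()
    return port, original_dst, flag
```

On a box set up like the one above, running make_listener(port=3128) as root and pointing a client at a port-80 server through the bridge should make accept_one() return the server's address as original_dst; if is_transparent() is False on the proxy's own listening socket, the TPROXY target will not match it.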
