Hello, I have a doubt about this. How can I mangle packets going through a bridge? I need to put two rules in and let all the traffic go through. The rules would look like this on a normal firewall:

iptables -t mangle -F
iptables -t nat -F
iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -j QUEUE
iptables -t nat -A POSTROUTING -s 10.252.17.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -s 10.252.17.0/24 -p tcp -j REDIRECT --to-port 5000

but I have no idea how to set this up using Shorewall. The setup above is for a Linux box used as a router, but in this case it is working as a bridge.

I'm running Shorewall version 3.1.9.

Thanks
Fernando Rodriguez wrote:
> the setup above is for a Linux box used as a router, but in this case it
> is working as a bridge

The rules that you post make no sense on a bridge.

> I'm running Shorewall version 3.1.9

I strongly recommend that you upgrade to 3.2.0 Beta 7.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
That's exactly what I was saying: the rules I posted are for a Linux box working as a router. What I wanted to ask was how I can set up those kinds of rules on a bridge, so I can redirect the TCP connections to port 5000.

Or is there a way to set up a Shorewall machine that can forward all traffic from one interface to another transparently, where I can mangle the packets, so it acts as if it were a bridge with mangle and NAT capabilities?

This is what I'm trying to do:

Internet===Primary Router===SHOREWALL===SATELLITE HUB===SATELLITE==CLIENT
                                                              PEP running on port 5000

Thanks

-----Original message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Wednesday, 17 May 2006 11:57 a.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Bridge and chains
Fernando Rodriguez wrote:
> That's exactly what I was saying: the rules I posted are for a Linux box
> working as a router. What I wanted to ask was how I can set up those kinds of
> rules on a bridge, so I can redirect the TCP connections to port 5000.
>
> Or is there a way to set up a Shorewall machine that can forward all
> traffic from one interface to another transparently, where I can mangle the
> packets, so it acts as if it were a bridge with mangle and NAT capabilities?

My point is that if you do those things, then the Shorewall box is no longer a bridge -- it's a router/proxy.

> This is what I'm trying to do:
>
> Internet===Primary Router===SHOREWALL===SATELLITE HUB===SATELLITE==CLIENT
>                                                               PEP running on port 5000

What is 'PEP'?

-Tom
Without regard to whether any of it will work or not, here's my take on each rule:

Fernando Rodriguez wrote:
> iptables -t mangle -F

Shorewall does that automatically during [re]start.

> iptables -t nat -F

Shorewall does that automatically during [re]start.

> iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -j QUEUE

There is no way to generate that rule in Shorewall -- you would have to use an extension script.

> iptables -t nat -A POSTROUTING -s 10.252.17.0/24 -o eth1 -j MASQUERADE

You can generate THAT rule in Shorewall with a simple entry in /etc/shorewall/masq:

  eth1 10.252.17.0/24

But you cannot generate the appropriate rule if eth1 is a port on a bridge.

> iptables -t nat -A PREROUTING -s 10.252.17.0/24 -p tcp -j REDIRECT --to-port 5000

You can use a REDIRECT- rule to do that but, again, I have no idea whether it will work on a bridge.

  REDIRECT- z:10.252.17.0/24 5000 tcp

where 'z' is the zone associated with 10.252.17.0/24.

-Tom
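The per-rule mapping Tom lays out above, written up as a small translator (an added example, not code from the thread or from the Shorewall project): it parses the five iptables commands from the first post, emits the masq and REDIRECT- entries for the two rules Shorewall can express, and reports why the flush and QUEUE rules get no config entry. The zone name "loc" is an assumption standing in for Tom's 'z'.

```python
import shlex

def parse_rule(cmd):
    """Split one 'iptables ...' command into {option: value}; bare flags go in 'flags'."""
    toks = shlex.split(cmd)
    opts = {"flags": []}
    i = 1                                   # skip the 'iptables' word itself
    while i < len(toks):
        t = toks[i]
        if t == "-F":                       # flush takes no argument here
            opts["flush"] = True
            i += 1
        elif t == "--syn":                  # match without an argument
            opts["flags"].append(t)
            i += 1
        else:                               # every other option takes one argument
            opts[t] = toks[i + 1]
            i += 2
    return opts

def to_shorewall(cmd, zone="loc"):
    """Return (shorewall_file, entry) when Shorewall can express the rule,
    otherwise (None, reason). 'zone' is an assumed zone name for the -s network."""
    o = parse_rule(cmd)
    if o.get("flush"):
        return (None, "not needed: Shorewall flushes the %s table on [re]start" % o["-t"])
    target = o.get("-j")
    if target == "QUEUE":
        return (None, "no config equivalent; needs a Shorewall extension script")
    if target == "MASQUERADE":
        return ("masq", "%s %s" % (o["-o"], o["-s"]))        # INTERFACE SOURCE columns
    if target == "REDIRECT" and "-s" in o:
        port = o.get("--to-port") or o.get("--to-ports")
        return ("rules", "REDIRECT- %s:%s %s %s" % (zone, o["-s"], port, o["-p"]))
    return (None, "no translation known for %r" % target)

RULES = [  # the five rules from the first post in this thread
    "iptables -t mangle -F",
    "iptables -t nat -F",
    "iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -j QUEUE",
    "iptables -t nat -A POSTROUTING -s 10.252.17.0/24 -o eth1 -j MASQUERADE",
    "iptables -t nat -A PREROUTING -s 10.252.17.0/24 -p tcp -j REDIRECT --to-port 5000",
]

if __name__ == "__main__":
    for r in RULES:
        print(r, "->", to_shorewall(r))
```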
PEP is a Performance Enhancing Proxy. It is used to mangle the packets and SYNs to accelerate the connection on long-delay links such as satellite networks, which have a round trip of 600 ms or more. The PEP will receive the connections for a specific host or network and act as if it were the host, sending the data to the host with a different TCP (Hybla), so the RTT is not lost to the long-delay packets. It is also used for wireless links.

http://www.danielinux.net/projects/pepsal.pdf

There is the information on what I'm trying to implement. The rules should look like this:

iptables -A PREROUTING -t mangle -s 172.10.0.0/24 -p tcp --syn -j QUEUE
iptables -A PREROUTING -t mangle -d 172.10.0.0/24 -p tcp --syn -j QUEUE
iptables -A PREROUTING -t nat -s 172.10.0.0/24 -p tcp -j REDIRECT --to-port 5000
iptables -A PREROUTING -t nat -d 172.10.0.0/24 -p tcp -j REDIRECT --to-port 5000

where pepsal is waiting for the connections on port 5000.

I was trying to give a solution to this using a bridge because it's hard to keep up the routing on a satellite network.

But if what I am asking is impossible, I will need to do it as a routing proxy using Shorewall. I think I will need to set up routing to valid and invalid sets of IP addresses in Shorewall, but I also can't limit the ports, because it's a satellite network and I can't limit the users on the ports or applications they use. That's why I was thinking of a bridge.

Thanks. I also upgraded to 3.2 beta 7 as you recommended.

-----Original message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Wednesday, 17 May 2006 12:46 p.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Bridge and chains
Fernando Rodriguez wrote:
> I was trying to give a solution to this using a bridge because it's hard to
> keep up the routing on a satellite network.
>
> But if what I am asking is impossible, I will need to do it as a routing proxy
> using Shorewall.

What I suggest that you do is first determine if it is possible to set up PEP on a Linux bridge and how to do it. Once you have that information, we can determine the best way to do it with Shorewall.

-Tom