Shorewall 3.4.2

I have assigned suspended users on my network a private IP address in the 192.168.50.0/24 range. My Cisco router is configured to forward that range to a Linux web server running Shorewall 3.4.2.

I want to redirect all those users to a web page at a specific IP address hosted on that server.

In rules I have:

    REDIRECT net:192.168.50.0/24 all net:64.202.230.254

It runs through the check without error, but when I restart it bombs with:

    [root@ns1 shorewall]# service shorewall restart
    Restarting shorewall: iptables v1.3.5: unknown protocol `net:64.202.230.254' specified
    Try `iptables -h' or 'iptables --help' for more information.
    ERROR: Command "/sbin/iptables -t nat -A net_dnat -p net:64.202.230.254 -s 192.168.50.0/24 -d 0.0.0.0/0 -j REDIRECT --to-port pri" Failed
    /sbin/shorewall: line 500: 13832 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
    [FAILED]

Any help would be appreciated. And yes, I know I should update Shorewall first, but I have a reason not to for now.

Marco
I've "upgraded" to 3.4.7 with the same results.

Marco C. Coelho wrote:
> Shorewall 3.4.2
>
> I have assigned suspended users on my network a private IP address in
> the 192.168.50.0/24 range. My Cisco router is configured to forward
> that range to a linux web server running shorewall 3.4.2
>
> I want to redirect all those users to a web page at a specific ip
> address hosted on that server.
> In rules I have:
>
> REDIRECT net:192.168.50.0/24 all net:64.202.230.254
>
> It runs through the check without error, but when I restart it bombs with:
>
> [root@ns1 shorewall]# service shorewall restart
>
> Restarting shorewall: iptables v1.3.5: unknown protocol
> `net:64.202.230.254' specified
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -t nat -A net_dnat -p
> net:64.202.230.254 -s 192.168.50.0/24 -d 0.0.0.0/0 -j REDIRECT --to-port
> pri" Failed
> /sbin/shorewall: line 500: 13832 Terminated
> $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
> [FAILED]
>
> Any help would be appreciated. And yes, I know I should update
> shorewall first, but I have a reason not to for now.
>
> Marco
Marco C. Coelho wrote:
> Shorewall 3.4.2
>
> I have assigned suspended users on my network a private IP address in
> the 192.168.50.0/24 range. My Cisco router is configured to forward
> that range to a linux web server running shorewall 3.4.2
>
> I want to redirect all those users to a web page at a specific ip
> address hosted on that server.
> In rules I have:
>
> REDIRECT net:192.168.50.0/24 all net:64.202.230.254
>
> It runs through the check without error, but when I restart it bombs with:
>
> [root@ns1 shorewall]# service shorewall restart
>
> Restarting shorewall: iptables v1.3.5: unknown protocol
> `net:64.202.230.254' specified

Marco, it seems you haven't read any basic troubleshooting information about Shorewall. It's telling you that "net:64.202.230.254" is a bad protocol, and if you read the documentation for the Shorewall rules file, you'll find that the 4th field is meant to be a protocol identifier such as tcp or udp.

I suggest reading through the quick start guide and some examples of REDIRECT rules to try to find the functionality you're looking for.

Paul
Marco C. Coelho wrote:
> I've "upgraded" to 3.4.7 with the same results
>
> Marco C. Coelho wrote:
>> Shorewall 3.4.2
>>
>> I have assigned suspended users on my network a private IP address in
>> the 192.168.50.0/24 range. My Cisco router is configured to forward
>> that range to a linux web server running shorewall 3.4.2
>>
>> I want to redirect all those users to a web page at a specific ip
>> address hosted on that server.
>> In rules I have:
>>
>> REDIRECT net:192.168.50.0/24 all net:64.202.230.254

That is wrong on two levels:

a) From an IPv4 standpoint, IT WON'T WORK.

   - 192.168.50.4 sends a SYN packet addressed to 206.124.146.177
   - The firewall rewrites the destination IP address to 64.202.230.254 and forwards the packet.
   - 64.202.230.254 gets the SYN and returns a SYN/ACK. The source IP address in the response is 64.202.230.254. The destination IP address is whatever the source IP address was in the SYN.
   - If the destination is 192.168.50.4, the packet can't be routed.
   - If it is an address on the Cisco, then the Cisco won't know what to do with it since it won't match any connection which that router knows about.

b) From a Shorewall standpoint:

   - REDIRECT is used to capture packets and send them TO THE FIREWALL ITSELF. DNAT is used to forward the packet to another system.
   - The syntax of your rule is incorrect for both REDIRECT and DNAT; given that you are running Shorewall 3, that results in an invalid command being given to iptables.

>> It runs through the check without error

You *really* should consider an upgrade to Shorewall 4 and Shorewall-perl. It catches almost all configuration errors during 'check' and 'compile'.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ok, let's start from the top.

I have multiple PPPoE servers terminating connections. Users are normally issued public IP addresses. When I suspend a user, they get a private 192.168.50.0/24 IP address.

I want to redirect any IPs in the 192.168.50.0/24 to a web page on a server that has a simple SUSPENDED message.

Having temporarily abandoned Shorewall due to the problem I was having, I presently have this in iptables:

    iptables -t nat -A PREROUTING -p tcp -s 192.168.50.0/24 -d 0.0.0.0/0 -j REDIRECT --to 64.202.230.254:80

Marco
On Tue, 2009-05-12 at 16:29 -0500, Marco C. Coelho wrote:
> I want to redirect any IPs in the 192.168.50.0/24 to a web page on a
> server that has a simple SUSPENDED message.

So you are assuming all Internet traffic is web traffic? What a sadly myopic view of the Internet. :-(

> iptables -t nat -A PREROUTING -p tcp -s 192.168.50.0/24 -d 0.0.0.0/0 -j
> REDIRECT --to 64.202.230.254:80

So when I try to ftp (or any other TCP protocol) I get an HTTP response back?

Maybe this is how "captured portals" work. But it's yucky all the same.

b.
Brian J. Murrell wrote:
> On Tue, 2009-05-12 at 16:29 -0500, Marco C. Coelho wrote:
>> I want to redirect any IPs in the 192.168.50.0/24 to a web page on a
>> server that has a simple SUSPENDED message.
>
> So you are assuming all Internet traffic is web traffic? What a sadly
> myopic view of the Internet. :-(
>
>> iptables -t nat -A PREROUTING -p tcp -s 192.168.50.0/24 -d 0.0.0.0/0 -j
>> REDIRECT --to 64.202.230.254:80
>
> So when I try to ftp (or any other tcp protocol) I get an HTTP response
> back?
>
> Maybe this is how "captured portals" work. But it's yucky all the same.
>
> b.

Redirecting an unpaying customer to a web page where he is reminded of that fact is standard procedure for not allowing them access to the internet without losing them entirely. What I do is redirect only HTTP traffic, and just block all other services.
Marco C. Coelho wrote:
> Ok lets start from the top.
>
> I have multiple pppoe servers terminating connections. Users are
> normally issued public ip addresses.
> When I suspend a user, they get a private 192.168.50.0/24 ip address.

Given that your REDIRECT rule had 'net' in the SOURCE column, we naturally assumed that 192.168.40.0/24 is OUTSIDE your firewall, not inside. You give us incomplete information, you get wrong and/or incomplete answers.

> I want to redirect any IPs in the 192.168.50.0/24 to a web page on a
> server that has a simple SUSPENDED message.
>
> having temporarily abandoned shorewall due to the problem I was having,
> I presently have this in IPTABLES:
>
> iptables -t nat -A PREROUTING -p tcp -s 192.168.50.0/24 -d 0.0.0.0/0 -j
> REDIRECT --to 64.202.230.254:80

That is just:

    DNAT- y:192.168.40.0/24 z:64.202.230.254:80 tcp

Where

    y = Zone containing 192.168.40.0/24
    z = Zone containing 64.202.230.254

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Marco C. Coelho wrote:
>> Ok lets start from the top.
>>
>> I have multiple pppoe servers terminating connections. Users are
>> normally issued public ip addresses.
>> When I suspend a user, they get a private 192.168.50.0/24 ip address.
>
> Given that your REDIRECT rule had 'net' in the SOURCE column, we
> naturally assumed that 192.168.40.0/24 is OUTSIDE your firewall, not
> inside. You give us incomplete information, you get wrong and/or
> incomplete answers.
>
>> I want to redirect any IPs in the 192.168.50.0/24 to a web page on a
>> server that has a simple SUSPENDED message.
>>
>> having temporarily abandoned shorewall due to the problem I was having,
>> I presently have this in IPTABLES:
>>
>> iptables -t nat -A PREROUTING -p tcp -s 192.168.50.0/24 -d 0.0.0.0/0 -j
>> REDIRECT --to 64.202.230.254:80
>
> That is just:
>
> DNAT- y:192.168.40.0/24 z:64.202.230.254:80 tcp
>
> Where
>
> y = Zone containing 192.168.40.0/24
> z = Zone containing 64.202.230.254

And please note that should you ever upgrade to Shorewall-perl 4.2, you should omit the 'z' (e.g., ":64.202.230.254:80") to avoid a compilation warning.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
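The two mistakes pointed out above (a zone name sitting in the PROTO column, and REDIRECT used where DNAT was meant) and the "redirect only HTTP, block the rest" approach from an earlier reply, as an added example. This is not Shorewall's own code and not anything posted in this thread: it is a small Python model of the first five rules-file columns that rejects the broken rule before anything reaches iptables, renders the simplified iptables equivalent of a DNAT-/REDIRECT rule, and emits a rules fragment for a suspended-users zone. The single PREROUTING chain (Shorewall really uses per-zone chains such as net_dnat), the short protocol list, the zone name `susp` and the numeric port 80 are assumptions made for this example.

```python
"""Added example (not Shorewall's code, nor from anyone in this thread).

Models the first five columns of a Shorewall 3 rules file:
    ACTION  SOURCE  DEST  PROTO  DPORT
so that a rule with a zone name in the PROTO column, or REDIRECT used
where DNAT was meant, is rejected before anything reaches iptables.
Assumptions: a single PREROUTING chain (Shorewall really uses per-zone
chains such as net_dnat), a small protocol list, numeric ports only.
"""
import re

# Names iptables -p accepts; "-" and "all" mean "any protocol" in Shorewall.
PROTOCOLS = {"tcp", "udp", "icmp", "all", "-"}

# zone[:address[:port]] -- the zone part may be empty (":addr:port").
_ZONE_RE = re.compile(
    r"^(?P<zone>[A-Za-z0-9_]*)(?::(?P<addr>[^:]+))?(?::(?P<port>\d+))?$")


def parse_rule(line):
    """Split one rules-file line into columns; absent columns become '-'."""
    cols = line.split()
    if len(cols) < 3:
        raise ValueError(f"need at least ACTION SOURCE DEST: {line!r}")
    cols += ["-"] * (5 - len(cols))
    action, source, dest, proto, dport = cols[:5]
    return {"action": action, "source": source, "dest": dest,
            "proto": proto, "dport": dport}


def check_rule(rule):
    """Return a list of problems; an empty list means the rule is acceptable."""
    problems = []
    proto = rule["proto"]
    if proto not in PROTOCOLS and not proto.isdigit():
        problems.append(f"PROTO column is {proto!r}; the 4th column must be a "
                        "protocol such as tcp or udp, not a zone or address")
    action, dest = rule["action"], rule["dest"]
    if action == "REDIRECT" and not dest.isdigit():
        problems.append("REDIRECT sends traffic to the firewall itself, so DEST "
                        "must be a local port; use DNAT to reach another host")
    if action in ("DNAT", "DNAT-"):
        m = _ZONE_RE.match(dest)
        if not (m and m.group("addr")):
            problems.append(f"DNAT needs zone:address[:port] in DEST, got {dest!r}")
    if rule["dport"] != "-" and proto in ("all", "-"):
        problems.append("a DPORT needs a specific PROTO (tcp or udp)")
    return problems


def to_iptables(rule):
    """Render the simplified nat-table command a REDIRECT or DNAT rule stands for."""
    problems = check_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    if rule["action"] not in ("REDIRECT", "DNAT", "DNAT-"):
        raise ValueError(f"{rule['action']} is not a nat rule")
    cmd = ["iptables", "-t", "nat", "-A", "PREROUTING"]
    if rule["proto"] not in ("all", "-"):
        cmd += ["-p", rule["proto"]]
    src = _ZONE_RE.match(rule["source"])
    if src and src.group("addr"):          # a bare zone name adds no -s match
        cmd += ["-s", src.group("addr")]
    if rule["dport"] != "-":
        cmd += ["--dport", rule["dport"]]
    if rule["action"] == "REDIRECT":
        cmd += ["-j", "REDIRECT", "--to-ports", rule["dest"]]
    else:
        d = _ZONE_RE.match(rule["dest"])
        target = d.group("addr")
        if d.group("port"):
            target += ":" + d.group("port")
        cmd += ["-j", "DNAT", "--to-destination", target]
    return " ".join(cmd)


def suspended_policy(zone, network, notice_ip):
    """Rules-file lines for a suspended-users zone: only HTTP is sent to the
    notice page, everything else is rejected (as suggested earlier in the
    thread).  DEST is written ":ip:port" with the zone omitted, following the
    Shorewall-perl note above.  'zone' is a name assumed to exist in zones."""
    return [f"DNAT- {zone}:{network} :{notice_ip}:80 tcp 80",
            f"REJECT {zone}:{network} all"]


if __name__ == "__main__":
    broken = "REDIRECT net:192.168.50.0/24 all net:64.202.230.254"
    for p in check_rule(parse_rule(broken)):
        print("rejected:", p)
    for line in suspended_policy("susp", "192.168.50.0/24", "64.202.230.254"):
        rule = parse_rule(line)
        print(("ok" if not check_rule(rule) else "BAD") + ": " + line)
        if rule["action"].startswith("DNAT"):
            print("   ->", to_iptables(rule))
```

Run as a script it prints the two reasons the original rule is rejected, then the two-line policy and the nat command the DNAT- line stands for. The REJECT line lives in the filter table, so `to_iptables` refuses it; only the nat-side rules are rendered.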
Yucky is my middle name!

Brian J. Murrell wrote:
> On Tue, 2009-05-12 at 16:29 -0500, Marco C. Coelho wrote:
>> I want to redirect any IPs in the 192.168.50.0/24 to a web page on a
>> server that has a simple SUSPENDED message.
>
> So you are assuming all Internet traffic is web traffic? What a sadly
> myopic view of the Internet. :-(
>
>> iptables -t nat -A PREROUTING -p tcp -s 192.168.50.0/24 -d 0.0.0.0/0 -j
>> REDIRECT --to 64.202.230.254:80
>
> So when I try to ftp (or any other tcp protocol) I get an HTTP response
> back?
>
> Maybe this is how "captured portals" work. But it's yucky all the same.
>
> b.
I've tried Tom's suggestion below without success. Perhaps a diagram of this system would help.

    ___________________________________
    | eth0                        eth1 |
    -----------64.202.224.0/24--------| net interface on pppoe server / loc interface |--------------no ip address (pppoe only)-----
    |                                  |
    ___________________________________

To simplify things, I loaded Apache on each PPPoE server and set the home page as the user suspended page, so in this case I could redirect to either 127.0.0.1 or 64.202.224.X.

The way the PPPoE server works is: the PPPoE daemon uses RADIUS to authenticate and terminates the PPPoE session. At this point the session is handed off to the standard kernel-mode pppd.

When I use:

    DNAT- y:192.168.50.0/24 z:64.202.224.254:80 tcp

I do not get the suspend web page. When I traceroute from the connected system, I get host unreachable from my border router (which I should never see). This box is running zebra and OSPF, as is the border router; could it be that they are overriding?

Any thoughts would be greatly appreciated.

Slightly beaten down....

Marco

>>> Ok lets start from the top.
>>>
>>> I have multiple pppoe servers terminating connections. Users are
>>> normally issued public ip addresses.
>>> When I suspend a user, they get a private 192.168.50.0/24 ip address.
>>>
>>> I want to redirect any IPs in the 192.168.50.0/24 to a web page on a
>>> server that has a simple SUSPENDED message.
>>
>> That is just:
>>
>> DNAT- y:192.168.40.0/24 z:64.202.230.254:80 tcp
>>
>> Where
>>
>> y = Zone containing 192.168.40.0/24
>> z = Zone containing 64.202.230.254
Marco C. Coelho wrote:
> I've tried Toms suggestion below without success. Perhaps a diagram of
> this system would help.

Posting a diagram when using a variable-pitched font in an HTML-formatted email never helps. Like your diagram, they always come out completely unreadable.

> ___________________________________
> | eth0
> eth1 |
> -----------64.202.224.0/24--------| net interface on pppoe server / loc
> interface |--------------no ip address (pppoe only)-----
>
> | |
>
> ___________________________________
> To simplify things, I changed loaded apache on each pppoe server and set
> the home page as the user suspended page.
> so in this case I could redirect to either 127.0.0.1, or 64.202.224.X
>
> The way the pppoe server works is: PPPOE daemon uses radius
> authenticate terminates the pppoe session. At this point the session is
> handed of to the standard kernel mode pppd
>
> When I use:
>
> DNAT- y:192.168.50.0/24 z:64.202.224.254:80 tcp
>
> I do not get the suspend web page. When I trace route from the connect
> system, I get host unreachable from my boarder router (which I should
> never see).

The DNAT- rule has nothing to do with traceroute. Traceroute uses either UDP or ICMP and your DNAT- rule only redirects TCP.

> This box is running zebra and ospf, as is the boarder router, could it
> be that they are overriding?

So far, the whole picture is no clearer than mud. Please try again with a fixed-pitch font and/or plain text email. Maybe then we can get a picture of your setup. And please give us details -- the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines would be ideal. Forward it as an attachment to upload@shorewall.net, if you don't want to send it to the entire list.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________