Is this even doable with Shorewall?

After a packet matches a DROP rule like

    DROP net:10.0.0.0/8 fw all

if the connection came in on port 80,
    redirect it to port 81
    let it through
else
    Drop it like normal
endif

If so, how? My guess would be to create a macro in /usr/share/shorewall and modify actions.Drop to use it. I've tried a couple of things with REDIRECT and DNAT, but no luck yet.

Thanks.

--
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
On 12/9/10 7:53 PM, Nathan Gibbs wrote:
> Is this even doable with Shorewall?
>
> After a packet matches a DROP rule like
>     DROP net:10.0.0.0/8 fw all
>
> if the connection came in on port 80,
>     redirect it to port 81
>     let it through
> else
>     Drop it like normal
> endif

No.

Why don't you just put the REDIRECT rule before the DROP rule?

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
* Tom Eastep wrote:
> On 12/9/10 7:53 PM, Nathan Gibbs wrote:
>> Is this even doable with Shorewall?
>>
>> After a packet matches a DROP rule like
>>     DROP net:10.0.0.0/8 fw all
>>
>> if the connection came in on port 80,
>>     redirect it to port 81
>>     let it through
>> else
>>     Drop it like normal
>> endif
>
> No.

Shoot. I should have looked at the iptables output and man page before asking. DROP is DROP and it DROPs; that's why it's called DROP. :-)

> Why don't you just put the REDIRECT rule before the DROP rule?

So I could put that into a macro and call that instead of DROP in my rules. Am I thinking in the right direction? Could I get what I want that way?

Thanks.

--
Sincerely,
Nathan Gibbs
* Nathan Gibbs wrote:
> * Tom Eastep wrote:
>
>> Why don't you just put the REDIRECT rule before the DROP rule?
>
> So I could put that into a macro and call that instead of DROP in my rules.

My rules would look like this:

    DropFinal net:10.0.0.0/8 fw all # Bogon

My /usr/share/shorewall/macro.DropFinal file is currently:

    REDIRECT - 81 tcp 80
    DROP - fw all

Shorewall still won't fly. I know I'm missing something simple here. :-) What is it?

Thanks.

--
Sincerely,
Nathan Gibbs

------------------------------------------------------------------------------
Oracle to DB2 Conversion Guide: Learn about native support for PL/SQL, new data types, scalar functions, improved concurrency, built-in packages, OCI, SQL*Plus, data movement tools, best practices and more.
http://p.sf.net/sfu/oracle-sfdev2dev
* Nathan Gibbs wrote:
> * Nathan Gibbs wrote:
>> * Tom Eastep wrote:
>>
>>> Why don't you just put the REDIRECT rule before the DROP rule?
>>
>> So I could put that into a macro and call that instead of DROP in my rules.
>
> My rules would look like this:
>
>     DropFinal net:10.0.0.0/8 fw all # Bogon
>
> My /usr/share/shorewall/macro.DropFinal file is currently:
>
>     REDIRECT - 81 tcp 80
>     DROP - fw all
>
> Shorewall still won't fly.
>
> I know I'm missing something simple here.
> :-)

OK, I "think" I've got it. Rules need to look like this:

    DropFinal net:10.0.0.0/8 - - # Bogon

My /usr/share/shorewall/macro.DropFinal file is currently:

    REDIRECT- - 81 tcp 80
    DROP - fw all

I have an

    ACCEPT net fw tcp 81

rule before the DropFinal rules, so I think I can get away with a REDIRECT- instead of just REDIRECT.

Thanks, and let me know if I am still missing something. :-)

--
Sincerely,
Nathan Gibbs
On 12/10/10 9:08 AM, Nathan Gibbs wrote:
> * Nathan Gibbs wrote:
>
> Thanks, and let me know if I am still missing something.

Looks like you've got it.

-Tom
* Tom Eastep wrote:
> On 12/10/10 9:08 AM, Nathan Gibbs wrote:
>> * Nathan Gibbs wrote:
>>
>> Thanks, and let me know if I am still missing something.
>
> Looks like you've got it.
>
> -Tom

Thanks, one last question. Can the current Shorewall release do this as an action instead of a macro? I tried using it with 14000+ rules on a Shorewall 3.0.x installation. Short version, it swung around and bit me. :-)

--
But there's no sense crying over every mistake.
You just keep on trying till you run out of cake.
And the Science gets done. And you make an income.
For the people who are still alive.
On 12/10/10 5:02 PM, Nathan Gibbs wrote:
> * Tom Eastep wrote:
>> On 12/10/10 9:08 AM, Nathan Gibbs wrote:
>>> * Nathan Gibbs wrote:
>>>
>>> Thanks, and let me know if I am still missing something.
>>
>> Looks like you've got it.
>>
>> -Tom
>
> Thanks, one last question.
> Can the current Shorewall release do this as an action instead of a macro?
> I tried using it with 14000+ rules on a Shorewall 3.0.x installation.
> Short version, it swung around and bit me.
> :-)

Shorewall-shell was unmaintainable; that's why I developed Shorewall-perl in 4.0 and why Shorewall-shell was discontinued at the earliest opportunity (4.4). That having been said, I don't personally test 14000+ rule configurations.

-Tom
* Tom Eastep wrote:
> On 12/10/10 5:02 PM, Nathan Gibbs wrote:
>
> Shorewall-shell was unmaintainable; that's why I developed
> Shorewall-perl in 4.0 and why Shorewall-shell was discontinued at the
> earliest opportunity (4.4).

Good choice. From our viewpoint, if it ain't broke, don't fix it. We ran a mix of Shorewall 1.x and 3.x on our firewalls from 2005-2007. Standardized on 3.x in 2008, so that we could have a common configuration. We had to downgrade from 3.4 to 3.0.6 due to issues with our massive ruleset.

Anyhow, can the current Shorewall release do what I need as an action instead of a macro? If it can, upgrading our Shorewalls gets a higher priority.

> That having been said, I don't personally test 14000+ rule configurations.

Users, they always make software do things the developer never thought of, or intended. :-)

--
Sincerely,
Nathan Gibbs
On 12/11/10 7:17 AM, Nathan Gibbs wrote:
> * Tom Eastep wrote:
>
> Anyhow, can the current Shorewall release do what I need as an action instead
> of a macro?
> If it can, upgrading our Shorewalls gets a higher priority.

I don't know, because I don't know why it didn't work with your current version.

-Tom
On 12/11/10 7:17 AM, Nathan Gibbs wrote:
> Anyhow, can the current Shorewall release do what I need as an action instead
> of a macro?
> If it can, upgrading our Shorewalls gets a higher priority.

Please disregard my last post. No -- the current version does not support REDIRECT rules in an Action.

-Tom
* Tom Eastep wrote:
> On 12/11/10 7:17 AM, Nathan Gibbs wrote:
>
>> Anyhow, can the current Shorewall release do what I need as an action instead
>> of a macro?
>> If it can, upgrading our Shorewalls gets a higher priority.
>
> Please disregard my last post. No -- the current version does not
> support REDIRECT rules in an Action.
>
> -Tom

I'm still thinking about this, and "might" have a solution. First, a couple of questions.

1. In iptables, does the nat table get processed before the filter table?
2. Could I call a chain in the nat table from the filter table?

Thanks.

--
Sincerely,
Nathan Gibbs
On 12/13/10 6:58 AM, Nathan Gibbs wrote:
> * Tom Eastep wrote:
>> On 12/11/10 7:17 AM, Nathan Gibbs wrote:
>>
>>> Anyhow, can the current Shorewall release do what I need as an action instead
>>> of a macro?
>>> If it can, upgrading our Shorewalls gets a higher priority.
>>
>> Please disregard my last post. No -- the current version does not
>> support REDIRECT rules in an Action.
>
> I'm still thinking about this, and "might" have a solution.
>
> First, a couple of questions.
> 1. In iptables, does the nat table get processed before the filter table?

Yes -- please see http://www.shorewall.net/Documentation_Index.html

> 2. Could I call a chain in the nat table from the filter table?

No.

-Tom
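The ordering Tom confirms here (nat PREROUTING runs before filter INPUT, so filter rules see the already-rewritten destination port) is what makes the REDIRECT-/DROP macro earlier in the thread work, and it is also why the ACCEPT on port 81 has to sit before the DropFinal line. The following Python model is an added example, not Shorewall code and not part of the list discussion: its rule lists are a hand-written approximation of what that configuration expands to, the packet addresses are constructed, and the net-to-fw policy is assumed to be DROP.

```python
"""Toy model of the netfilter path a new inbound connection takes on a
Shorewall host: nat PREROUTING first, then filter INPUT.

Added example, not Shorewall code. The rule lists below are a hand-written
approximation of what the thread's macro expands to, not Shorewall's output.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port as seen by the table being evaluated


@dataclass(frozen=True)
class Rule:
    target: str                    # "REDIRECT", "ACCEPT" or "DROP"
    src: Optional[str] = None      # CIDR; None matches any source
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    to_port: Optional[int] = None  # REDIRECT only: new destination port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def nat_prerouting(rules: List[Rule], pkt: Packet) -> Packet:
    """First match wins. REDIRECT rewrites the destination port; any other
    terminating target leaves the packet unchanged."""
    for r in rules:
        if r.matches(pkt):
            if r.target == "REDIRECT":
                return replace(pkt, dport=r.to_port)
            return pkt
    return pkt


def filter_input(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First match wins; no match falls through to the zone policy."""
    for r in rules:
        if r.matches(pkt) and r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
    return policy


def traverse(nat_rules: List[Rule], filter_rules: List[Rule],
             pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Run one new connection through nat then filter.
    Returns (verdict, destination port the filter table actually saw)."""
    after_nat = nat_prerouting(nat_rules, pkt)
    return filter_input(filter_rules, after_nat, policy), after_nat.dport


# Constructed approximation of the thread's configuration:
#   rules:            ACCEPT    net fw tcp 81
#                     DropFinal net:10.0.0.0/8 - -
#   macro.DropFinal:  REDIRECT- -  81 tcp 80   (nat PREROUTING entry only,
#                                               no filter ACCEPT generated)
#                     DROP      -  fw all      (filter INPUT entry)
NAT_RULES = [Rule("REDIRECT", src="10.0.0.0/8", proto="tcp", dport=80, to_port=81)]
FILTER_RULES = [Rule("ACCEPT", proto="tcp", dport=81),
                Rule("DROP", src="10.0.0.0/8")]

# Same filter rules with the ACCEPT placed after the DROP: the redirected
# packet arrives in filter INPUT with dport 81 but hits the DROP first.
FILTER_RULES_WRONG_ORDER = [Rule("DROP", src="10.0.0.0/8"),
                            Rule("ACCEPT", proto="tcp", dport=81)]


if __name__ == "__main__":
    samples = [Packet("10.1.2.3", "tcp", 80),     # redirected, then accepted on 81
               Packet("10.1.2.3", "tcp", 22),     # not redirected, dropped
               Packet("192.0.2.10", "tcp", 80),   # outside 10/8, falls to policy
               Packet("192.0.2.10", "tcp", 81)]   # outside 10/8, hits the port-81 ACCEPT
    for pkt in samples:
        print(pkt, "->", traverse(NAT_RULES, FILTER_RULES, pkt))
    print("wrong order:", traverse(NAT_RULES, FILTER_RULES_WRONG_ORDER, samples[0]))
```

The last sample packet is the caveat worth noticing: because the REDIRECT- form generates no filter ACCEPT of its own, the explicit ACCEPT net fw tcp 81 that makes the macro work also accepts direct connections to port 81 from every net address, not only the redirected 10.0.0.0/8 ones. If port 81 exists only to receive redirected traffic, restricting that ACCEPT's source to 10.0.0.0/8 closes the gap.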
On 12/13/10 7:49 AM, Tom Eastep wrote:
> On 12/13/10 6:58 AM, Nathan Gibbs wrote:
>> * Tom Eastep wrote:
>>> On 12/11/10 7:17 AM, Nathan Gibbs wrote:
>>>
>>>> Anyhow, can the current Shorewall release do what I need as an action instead
>>>> of a macro?
>>>> If it can, upgrading our Shorewalls gets a higher priority.
>>>
>>> Please disregard my last post. No -- the current version does not
>>> support REDIRECT rules in an Action.
>>
>> I'm still thinking about this, and "might" have a solution.
>>
>> First, a couple of questions.
>> 1. In iptables, does the nat table get processed before the filter table?
>
> Yes -- please see http://www.shorewall.net/Documentation_Index.html
>
>> 2. Could I call a chain in the nat table from the filter table?
>
> No.

As an aside, Shorewall 4.4.16 *will* support DNAT and REDIRECT in actions.

-Tom

------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
* Tom Eastep wrote:
> On 12/13/10 6:58 AM, Nathan Gibbs wrote:
>>
>> I'm still thinking about this, and "might" have a solution.
>>
>> First, a couple of questions.
>> 1. In iptables, does the nat table get processed before the filter table?
>
> Yes -- please see http://www.shorewall.net/Documentation_Index.html
>
>> 2. Could I call a chain in the nat table from the filter table?
>
> No.

Ok, thanks Tom. Those were the answers I thought I'd get, but I wanted to make sure before making a complete fool of myself.

Here is how my Shorewall macro would do it now:

    14000+ address-specific REDIRECT rules in the nat table.
    14000+ address-specific DROP rules in the filter table.

Here is how I "think" it could be done in iptables.

In the nat table: a chain that just does the REDIRECT, then a DROP. Will I need a port-specific ACCEPT between the REDIRECT and DROP? 14000+ address-specific rules that call this chain in nat PREROUTING.

In the filter table: I wouldn't need anything to deal with this, because all the action would have already happened in the nat table.

Now, if this would work, how do I explain it to Shorewall? Of course, if it won't work, please tell me why. :-)

--
Sincerely,
Nathan Gibbs
* Tom Eastep wrote:
> On 12/13/10 7:49 AM, Tom Eastep wrote:
>> On 12/13/10 6:58 AM, Nathan Gibbs wrote:
>>>
>>> First, a couple of questions.
>>> 1. In iptables, does the nat table get processed before the filter table?
>> Yes -- please see http://www.shorewall.net/Documentation_Index.html

Thanks. I must have missed this, http://www.shorewall.net/NetfilterOverview.html, when looking through there the other day.

>>> 2. Could I call a chain in the nat table from the filter table?
>> No.
>
> As an aside, Shorewall 4.4.16 *will* support DNAT and REDIRECT in actions.

Tom Eastep already was my hero. Now he is more so. Our Shorewall upgrade priority is now set to "DO IT YESTERDAY". :-)

--
Sincerely,
Nathan Gibbs