Hi list,

I need to block all the traffic to an ip, still leaving the forward in ACCEPT mode, so I modified the rules file like:

REJECT loc net:1.1.1.1 all

but I continue to have access to that address (1.1.1.1). Looking at the rules created, I see that my reject is never matched, also if I try a "telnet 1.1.1.1 80"

Chain loc2net (1 references)
 pkts bytes target prot opt in  out source     destination
 5099  267K ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 reject all  --  *   *   0.0.0.0/0  1.1.1.1

(I put a log rule at top and I see that it's matched and on the log:

IN=eth1 OUT=eth0 SRC=192.168.1.103 DST=1.1.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=3081 DF PROTO=TCP SPT=55889 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Now?

Thanks

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
On 1/26/11 4:24 AM, Michele Petrazzo - Unipex wrote:
> Hi list,
> I need to block all the traffic to an ip, still leaving the forward in
> ACCEPT mode, so I modified the rules file like:
>
> REJECT loc net:1.1.1.1 all
>
> but I continue to have access to that address (1.1.1.1).
> Looking at the rules created, I see that my reject is never matched, also if I
> try a "telnet 1.1.1.1 80"
>
> Chain loc2net (1 references)
>  pkts bytes target prot opt in  out source     destination
>  5099  267K ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
>     0     0 reject all  --  *   *   0.0.0.0/0  1.1.1.1
>
> (I put a log rule at top and I see that it's matched and on the log:
>
> IN=eth1 OUT=eth0 SRC=192.168.1.103 DST=1.1.1.1 LEN=60 TOS=0x10 PREC=0x00
> TTL=63 ID=3081 DF PROTO=TCP SPT=55889 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Now?

Are you using a proxy like Squid? If so, that is bypassing the rule. Otherwise, please collect the output of 'shorewall dump' and submit it along with the information requested at http://www.shorewall.net/support.htm#Guidelines.

Thank you,
-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 1/26/11 12:51 PM, Tom Eastep wrote:
>
> Are you using a proxy like Squid? If so, that is bypassing the rule.
> Otherwise, please collect the output of 'shorewall dump' and submit it
> along with the information requested at
> http://www.shorewall.net/support.htm#Guidelines.

Of course, you could also have ACCEPT, DNAT or REJECT rules above your REJECT rule in /etc/shorewall/rules. From the shorewall-rules man page:

"For any particular (source,dest) pair of zones, the rules are evaluated in the order in which they appear in this file and the first terminating match is the one that determines the disposition of the request. All rules are terminating except LOG and COUNT rules."

-Tom
On 1/26/11 4:53 PM, Tom Eastep wrote:
> On 1/26/11 12:51 PM, Tom Eastep wrote:
>
>>
>> Are you using a proxy like Squid? If so, that is bypassing the rule.
>> Otherwise, please collect the output of 'shorewall dump' and submit it
>> along with the information requested at
>> http://www.shorewall.net/support.htm#Guidelines.
>
> Of course, you could also have ACCEPT, DNAT or REJECT rules above your

I meant to type REDIRECT rather than REJECT.

-Tom
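A small model of the first-terminating-match evaluation quoted from the shorewall-rules man page above, added here as an illustration; it is not Shorewall's own code and only understands the ACTION, SOURCE, DEST, PROTO and DPORT columns. The rule sets and the packet are constructed from the thread's REJECT line and log entry to show why a REJECT placed below a broader ACCEPT for the same zone pair never matches:

```python
import ipaddress
NON_TERMINATING = {"LOG", "COUNT"}  # shorewall-rules(5): every other action terminates

def _endpoint(spec):
    zone, _, host = spec.partition(":")  # 'net' or 'net:1.1.1.1' / 'net:10.0.0.0/8'
    return zone, (ipaddress.ip_network(host, strict=False) if host else None)

def parse_rules(text):
    """Parse 'ACTION SOURCE DEST [PROTO [DPORT]]' lines; blank lines are skipped."""
    rules = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        szone, shost = _endpoint(f[1])
        dzone, dhost = _endpoint(f[2])
        rules.append({"action": f[0].upper(), "szone": szone, "shost": shost,
                      "dzone": dzone, "dhost": dhost,
                      "proto": f[3].lower() if len(f) > 3 else "all",
                      "dport": int(f[4]) if len(f) > 4 and f[4] != "-" else None})
    return rules

def matches(r, pkt):
    """True when the rule's zone pair, hosts, protocol and port all fit pkt."""
    return ((r["szone"], r["dzone"]) == (pkt["szone"], pkt["dzone"])
            and (r["shost"] is None or ipaddress.ip_address(pkt["src"]) in r["shost"])
            and (r["dhost"] is None or ipaddress.ip_address(pkt["dst"]) in r["dhost"])
            and r["proto"] in ("all", pkt["proto"])
            and r["dport"] in (None, pkt["dport"]))

def evaluate(text, pkt, policy="ACCEPT"):
    """Walk the rules top-down; return (disposition, 1-based number of the deciding
    rule). Number 0 means no terminating rule matched and the policy applied."""
    for n, r in enumerate(parse_rules(text), 1):
        if matches(r, pkt) and r["action"] not in NON_TERMINATING:
            return r["action"], n
    return policy, 0

# Constructed rules. WRONG mirrors the thread: a broad ACCEPT for web traffic
# sits above the host-specific REJECT, so the REJECT is never reached.
RULES_WRONG = """
LOG     loc   net
ACCEPT  loc   net           tcp  80
REJECT  loc   net:1.1.1.1   all
"""
RULES_FIXED = """
LOG     loc   net
REJECT  loc   net:1.1.1.1   all
ACCEPT  loc   net           tcp  80
"""
# The SYN from the thread's log line: 192.168.1.103 -> 1.1.1.1, TCP port 80.
PKT = {"szone": "loc", "dzone": "net", "src": "192.168.1.103",
       "dst": "1.1.1.1", "proto": "tcp", "dport": 80}
```

With RULES_WRONG the LOG rule still counts the packet (which is exactly what the log line in the thread shows) while the ACCEPT on rule 2 decides it; with RULES_FIXED the same packet is rejected by rule 2.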