Hello,

I installed my Linux server 3 months ago. It does almost everything (DNS, web & mail server, firewall ...). I just encountered two problems with the firewall: behind this server there are 2 computers; I've got eMule on one and MSN on the other. The problem is that I can't configure the firewall well for these 2 rules.

I've added DNAT rules but it doesn't seem to work.

For example, here are 2 that I added for MSN:
(NB: server IP: 192.168.0.1; .2 and .3 are for the 2 other computers)

ACCEPT  loc  net              tcp  1863
ACCEPT  net  loc:192.168.0.3  tcp  -  1863

Can someone help me?

Thanks
Matt
You have added your DNAT rules incorrectly. Check out:

http://www.shorewall.net/Documentation.htm#NAT

and I think you'll find your mistake fairly quickly.

On Mon, 21 Feb 2005 22:31:53 +0100, Matthieu Appenzeller <matt@appenzeller.info.tm> wrote:
> [...]
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Matthieu Appenzeller wrote:
> I just encountered two problems with the firewall: behind this server
> there are 2 computers: I've got eMule on one and MSN on the other. The
> problem is that I can't configure the firewall well for these 2 rules.

Both of these have been exhaustively discussed on this list and on the Newbies list while it was in operation. Go to:

http://lists.shorewall.net/#Search

and enter first "emule" then "msn" as search arguments.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Matthieu Appenzeller wrote:
> [...]
> ACCEPT  loc  net              tcp  1863
> ACCEPT  net  loc:192.168.0.3  tcp  -  1863
> [...]

1) Those aren't NAT rules, they're traffic passing rules.

2) There are two answers to all questions:

a) RTFM, http://www.shorewall.net/FAQ.htm

b) tcpdump (or ethereal if you're using an X server). I'll betcha that if your 'net' interface is eth0,

tcpdump -i eth0 -n tcp port 1863

will show your RFC1918 address going onto the Internet, where it is rightly thrown away.

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
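The check Jack suggests above, carried out over saved tcpdump output, as an added example that is not part of the original thread and not Shorewall code: it parses `tcpdump -n` lines, pulls out the source address of each packet and reports the ones whose source sits in an RFC 1918 block, which on the external interface is exactly the symptom he describes. The sample lines, the firewall's public address 203.0.113.5 and the remote server 198.51.100.7 are constructed for the example.

```python
"""Flag RFC 1918 source addresses in `tcpdump -n` output (added example)."""
import ipaddress
import re

# The three private-use blocks from RFC 1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "IP <src>.<sport> > <dst>.<dport>:" as printed by `tcpdump -n` for IPv4 TCP/UDP.
_FLOW = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def is_rfc1918(addr):
    """True if addr (dotted quad as a string) lies in one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def leaked_private_sources(lines):
    """Return (src, dst, dport) for every parsed line whose source address is private.

    Lines without an IPv4 flow (ARP, truncated output) are skipped, not reported.
    """
    leaks = []
    for line in lines:
        m = _FLOW.search(line)
        if m is None:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if is_rfc1918(src):
            leaks.append((src, dst, dport))
    return leaks


# Constructed sample of what `tcpdump -i eth0 -n tcp port 1863` could print on a
# firewall that forwards 192.168.0.3's packets without translating them.
# 203.0.113.5 is the firewall's public address and 198.51.100.7 the remote
# server; both are documentation (TEST-NET) addresses chosen for the example.
SAMPLE = """\
22:31:53.100001 IP 192.168.0.3.1234 > 198.51.100.7.1863: S 100:100(0) win 65535
22:31:53.100002 IP 203.0.113.5.1235 > 198.51.100.7.1863: S 200:200(0) win 65535
22:31:53.100003 IP 198.51.100.7.1863 > 203.0.113.5.1235: S 300:300(0) ack 201 win 5840
22:31:53.100004 arp who-has 203.0.113.1 tell 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for src, dst, dport in leaked_private_sources(SAMPLE):
        print(f"private source {src} left on the external interface -> {dst}:{dport}")
```

To use it on a real capture, save `tcpdump -i eth0 -n tcp port 1863` to a file and pass `open(path).read().splitlines()` instead of `SAMPLE`. Any hit confirms Jack's diagnosis: an ACCEPT rule only passes traffic, and the rule that actually rewrites the destination of inbound connections is the DNAT form that appears later on this page (`DNAT net loc:192.168.0.3 tcp 1863`).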
Sorry, I thought my message hadn't been sent yesterday; I had some mail trouble. Sorry.

Matthieu Appenzeller wrote:
> [...]
Hi,

In my policy I allow local machines to the internet:

loc  net  accept

Now I would like to block one specific machine, say 192.168.1.1, from going to the net except for some ports, e.g. 80, 443. How can I specify that rule? I tried the following in rules:

DROP:ULOG  loc:192.168.1.1  net  tcp  !80,443

or

DROP:ULOG  loc:192.168.1.1  net  tcp  !80,!443

or

DROP:ULOG  loc:192.168.1.1  net  tcp  !(80,443)

but I got an error; probably it does not like the syntax:

ERROR: Command "/sbin/iptables -A loc2net -p tcp -m multiport -s 192.168.1.1 --dports ! 80,443 -j ULOG --ulog-prefix "Shorewall:loc2net:DROP:"" Failed

For the negative of a single port it is OK, as in

DROP:ULOG  loc:192.168.1.1  net  tcp  !80

but for multiple ports I do not know how.

Can anybody help?

Thank you.
Can you confirm you have "Multi-port Match" available? Here is a quick test: "/sbin/shorewall check | more". You should see:

[root@testing jerry]# /sbin/shorewall check | more
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available          << this one here
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Available
   Connmark Match: Available
Verifying Configuration...

Jerry
Jerry, thank you for your reply.

Here is the output from my firewall:

/root> shorewall check | more
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available          <<-------
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Not available
   Recent Match: Not available
   Owner Match: Not available
Verifying Configuration...
Determining Zones...

I am running Shorewall on a LEAF router, kernel 2.4.30 (Linux firewall 2.4.30 #1 Wed Apr 20 20:15:08 CEST 2005 i686 unknown).

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, June 20, 2005 12:12 PM
Subject: Re: [Shorewall-users] Block on specific local IP to the net
> [...]
Also, I use multiport for another rule OK, e.g.

DNAT  net  loc:$DMZSRV  tcp  25,110,80

So probably the negative command (!) makes the difference.

----- Original Message -----
From: "M Lu" <mlu919@hotmail.com>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, June 20, 2005 12:58 PM
Subject: Re: [Shorewall-users] Block on specific local IP to the net
> [...]
I've played around a bit using raw iptables commands; it appears that you can't use multiport with a not. Can someone else confirm this?

To get the same effect try:

ACCEPT     loc:192.168.1.1  net  tcp  443
DROP:ULOG  loc:192.168.1.1  net  tcp  !80

Jerry

> [...]
Simply use 2 rules:

ACCEPT     loc:192.168.1.1  net  tcp  80,443
DROP:ULOG  loc:192.168.1.1  net  tcp

/ben

On 20.06.2005 19:20, M Lu wrote:
> [...]
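Both answers above replace the negated port list, which Jerry found the multiport match would not accept, with two ordered rules. As an added example (not code from the thread and not Shorewall's own parser), the evaluator below models first-match processing for the handful of /etc/shorewall/rules columns used here and checks that Jerry's pair (ACCEPT 443, then DROP !80) and Ben's pair (ACCEPT 80,443, then DROP) decide identically for the same packets under the thread's `loc net accept` policy. The Packet class, the sample traffic and the address 198.51.100.7 are constructed for the example.

```python
"""First-match evaluation of a few /etc/shorewall/rules lines (added example).

Shorewall compiles the rules file into iptables chains scanned top to bottom:
the first matching rule decides, and the zone policy applies when none matches.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:                 # constructed for the example, not a Shorewall type
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


def _endpoint(field):
    """'loc' -> ('loc', None); 'loc:192.168.1.1' -> ('loc', IPv4Network /32)."""
    zone, _, addr = field.partition(":")
    return zone, (ipaddress.ip_network(addr, strict=False) if addr else None)


def _ports(field):
    """'-' -> any port; '80,443' -> ({80, 443}, False); '!80' -> ({80}, True)."""
    if field == "-":
        return None, False
    negate = field.startswith("!")
    return {int(p) for p in field.lstrip("!").split(",")}, negate


def parse_rules(text):
    """Parse 'ACTION[:LOG] SOURCE DEST [PROTO [DPORT]]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split() + ["-", "-"]          # pad the optional PROTO/DPORT columns
        action = f[0].split(":", 1)[0]         # drop a log level such as ':ULOG'
        ports, negate = _ports(f[4])
        rules.append((action, _endpoint(f[1]), _endpoint(f[2]), f[3], ports, negate))
    return rules


def _matches(rule, pkt):
    _, (szone, snet), (dzone, dnet), proto, ports, negate = rule
    if (szone, dzone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if snet is not None and ipaddress.ip_address(pkt.src_ip) not in snet:
        return False
    if dnet is not None and ipaddress.ip_address(pkt.dst_ip) not in dnet:
        return False
    if proto != "-" and proto != pkt.proto:
        return False
    # A port column matches when the port is listed, or with '!' when it is not.
    return ports is None or (pkt.dport in ports) != negate


def decide(rules, policy, pkt):
    """Action of the first matching rule, else the policy for the zone pair."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule[0]
    return policy[(pkt.src_zone, pkt.dst_zone)]


POLICY = {("loc", "net"): "ACCEPT"}            # the thread's 'loc net accept'
RULES_JERRY = """
ACCEPT      loc:192.168.1.1  net  tcp  443
DROP:ULOG   loc:192.168.1.1  net  tcp  !80
"""
RULES_BEN = """
ACCEPT      loc:192.168.1.1  net  tcp  80,443
DROP:ULOG   loc:192.168.1.1  net  tcp
"""

# Constructed traffic: the restricted host on tcp 80, 443, 25 and udp 53, plus an
# unrestricted neighbour on tcp 25. 198.51.100.7 is a TEST-NET-2 stand-in.
SAMPLE = [Packet("loc", "192.168.1.1", "net", "198.51.100.7", "tcp", 80),
          Packet("loc", "192.168.1.1", "net", "198.51.100.7", "tcp", 443),
          Packet("loc", "192.168.1.1", "net", "198.51.100.7", "tcp", 25),
          Packet("loc", "192.168.1.1", "net", "198.51.100.7", "udp", 53),
          Packet("loc", "192.168.1.2", "net", "198.51.100.7", "tcp", 25)]


def decisions(rules_text, packets=SAMPLE, policy=POLICY):
    """Decision per packet for one rules file, in packet order."""
    rules = parse_rules(rules_text)
    return [decide(rules, policy, p) for p in packets]
```

`decisions(RULES_JERRY)` and `decisions(RULES_BEN)` both give ACCEPT, ACCEPT, DROP, ACCEPT, ACCEPT for the five sample packets: the restricted host keeps 80 and 443, loses other TCP ports, is untouched on UDP because both DROP lines say `tcp`, and the neighbour is unaffected. Order is what makes either pair work; with the DROP line first it matches before the ACCEPT and the host loses 80 and 443 as well. Ben's form is the one to prefer as the allowed set grows, since it never relies on negation in the multiport match.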
Thank you Ben and Jerry, I will use the 2 lines you guys suggested.

----- Original Message -----
From: "Ben Greiner" <bgreiner@uni-koeln.de>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, June 20, 2005 2:02 PM
Subject: Re: [Shorewall-users] Block on specific local IP to the net
> [...]