Tom Eastep
2002-May-14 18:15 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
I'm beginning to believe that the use of the last column in the rules file
to designate redirection/forwarding is too subtle for many users. For 1.3,
I think I'll do something like the following:
Current rule:
ACCEPT net loc:192.168.1.3 tcp 80 - all
New rule:
FORWARD net loc:192.168.1.3 tcp 80
Current rule:
ACCEPT net fw::3128 tcp 80 - all
New rule:
REDIRECT net 3128 tcp 80
Comments?
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
---------- Forwarded message ----------
Date: Tue, 14 May 2002 19:06:48 +0200
From: Dario Lesca <d.lesca@ivrea.osra.it>
To: Shorewall Firewall <shorewall-users@shorewall.net>
Subject: [Shorewall-users] Redirect loc::80 to fw::3128 not work
The rule:
ACCEPT loc $FW::3128 tcp www
doesn't work properly: the http access is not redirected
to squid but goes out directly.
What's wrong?
Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
--------------------------------------
@@@@@@@ this is my shorewall-1.2.13 config:
#[/etc/shorewall/common.def]-----------------------------------------------
run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p udp --dport 1900 -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
#[/etc/shorewall/interfaces]-----------------------------------------------
net eth0 detect noping,norfc1918
loc eth1 detect routestopped
#[/etc/shorewall/masq]-----------------------------------------------
eth0 10.1.65.0/24
#[/etc/shorewall/policy]-----------------------------------------------
loc net ACCEPT
net all DROP info
all all REJECT info
#[/etc/shorewall/rules]-----------------------------------------------
ACCEPT loc $FW::3128 tcp www
ACCEPT loc $FW tcp ssh
ACCEPT net $FW tcp ssh,auth
ACCEPT $FW net udp ntp
#[/etc/shorewall/shorewall.conf]--------------------------------------------
---
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="yes"
MODULESDIR=""
LOGRATE="1/minute"
LOGBURST="5"
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS="Yes"
ROUTE_FILTER="Yes"
NAT_BEFORE_RULES="Yes"
#[/etc/shorewall/start]-----------------------------------------------
run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP
#[/etc/shorewall/zones]-----------------------------------------------
net Net Internet Blixer
loc Local Rete Locale Ivrea
dmz DMZ Demilitarized zone
@@@@@@@ this is a portion of the debug output of the shorewall script ...
+ iptables -A loc2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
+ eval loc2fw_exists=Yes
++ loc2fw_exists=Yes
+ '[' www = none -o www = None -o '' = none -o '' = None -o '' = none -o '' = None -o '' = none -o '' = None ']'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list www
++ echo www
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
+ add_a_rule
+ cli=
+ '[' -n - ']'
+ dest_interface=
+ '[' -n - ']'
+ serv=
+ sports=
+ dports=
+ state=-m state --state NEW
+ proto=tcp
+ addr=
+ servport=3128
+ '[' -n www ']'
+ '[' xwww '!=' x- ']'
+ dports=--dport www
+ '[' -n - ']'
+ '[' x- '!=' x- ']'
+ proto=-p tcp
+ '[' ACCEPT = REJECT ']'
+ '[' -z '-p tcp' -a -z '' -a -z '' -a -z 3128 ']'
+ '[' -n 3128 ']'
+ '[' -n '' -a '' '!=' '' ']'
+ serv=
+ '[' -n '' ']'
+ run_iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ echo -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ sed 's/!/! /g'
+ iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
+ echo ' Rule "ACCEPT loc fw::3128 tcp www" added.'
Rule "ACCEPT loc fw::3128 tcp www" added.
+ read target clients servers protocol ports cports address
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
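As an added example (mine, not Shorewall's own code), the script below turns a rule written in the 1.3 syntax proposed above (REDIRECT / FORWARD) into the two iptables commands a transparent redirect or a port forward actually requires, and checks a 1.2-style rule for the seventh (address) column that the trace above shows is the thing that makes a nat rule appear at all. The zone-to-interface table is taken from Dario's interfaces file, the chain names follow the loc2fw naming in the trace, and the optional :port suffix on a FORWARD destination plus the treatment of "-" as an empty column are my assumptions. The commands are printed, never executed, so it runs without root or iptables.

```shell
#!/bin/sh
# Added illustration, not Shorewall code: render a proposed-1.3 rule as the
# iptables commands it implies, and tell whether a 1.2-style rule would
# generate NAT.  Nothing here calls iptables; commands are only printed.

# Zone -> interface mapping, copied from the /etc/shorewall/interfaces excerpt
# in the forwarded message (net=eth0, loc=eth1).  dmz has no interface there,
# so it is rejected.
zone_iface() {
    case "$1" in
        net) echo eth0 ;;
        loc) echo eth1 ;;
        *)   echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# rule_to_iptables "ACTION SOURCE DEST PROTO PORT"
#   REDIRECT loc 3128 tcp 80            -> to the firewall's own port 3128
#   FORWARD  net loc:192.168.1.3 tcp 80 -> to a host in another zone
# Assumption: DEST for FORWARD may carry an optional :port suffix.
rule_to_iptables() {
    set -- $1
    action=$1; src=$2; dest=$3; proto=$4; port=$5
    iface=$(zone_iface "$src") || return 1
    case "$action" in
        REDIRECT)
            # nat/PREROUTING rewrites the destination to the firewall itself;
            # the src->fw filter chain must then admit the rewritten packet on
            # the *new* port.  A plain "ACCEPT ... tcp www" (Dario's rule)
            # only produces the second kind of line, on the original port.
            echo "iptables -t nat -A PREROUTING -i $iface -p $proto --dport $port -j REDIRECT --to-ports $dest"
            echo "iptables -A ${src}2fw -p $proto -m state --state NEW --dport $dest -j ACCEPT"
            ;;
        FORWARD)
            dzone=${dest%%:*}
            rest=${dest#*:}
            daddr=${rest%%:*}
            case "$rest" in
                *:*) dport=${rest#*:} ;;
                *)   dport=$port ;;
            esac
            zone_iface "$dzone" >/dev/null || return 1
            echo "iptables -t nat -A PREROUTING -i $iface -p $proto --dport $port -j DNAT --to-destination $daddr:$dport"
            echo "iptables -A ${src}2${dzone} -p $proto -m state --state NEW -d $daddr --dport $dport -j ACCEPT"
            ;;
        *)
            echo "unsupported action: $action" >&2
            return 1
            ;;
    esac
}

# old_rule_nat_active "TARGET CLIENTS SERVERS PROTO PORTS CPORTS ADDRESS"
# 1.2 semantics as the trace shows them: the nat rule is only emitted when
# the seventh (ADDRESS) column is present.  Treating "-" as absent is an
# assumption.  Exit status 0 = NAT would be generated, 1 = plain ACCEPT only.
old_rule_nat_active() {
    set -- $1
    [ -n "${7:-}" ] && [ "${7:-}" != "-" ]
}

# Dario's rule as posted, then the form the 1.2 syntax required.
if old_rule_nat_active "ACCEPT loc fw::3128 tcp www"; then
    echo "ACCEPT loc fw::3128 tcp www: NAT generated"
else
    echo "ACCEPT loc fw::3128 tcp www: plain ACCEPT only, no redirect"
fi
old_rule_nat_active "ACCEPT loc fw::3128 tcp www - all" \
    && echo "ACCEPT loc fw::3128 tcp www - all: NAT generated"

# The same intent in the proposed 1.3 syntax.
rule_to_iptables "REDIRECT loc 3128 tcp 80"
rule_to_iptables "FORWARD net loc:192.168.1.3 tcp 80"
```

Reading the two REDIRECT lines side by side against the trace makes the failure mode concrete: without the seventh column, 1.2 emitted only a filter rule on --dport www, so nothing ever rewrote the destination and the browser traffic simply left through the loc-to-net ACCEPT policy.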
Paul Gear
2002-May-14 22:19 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
Tom Eastep wrote:
> I'm beginning to believe that the use of the last column in the rules file
> to designate redirection/forwarding is too subtle for many users. For 1.3,
> I think I'll do something like the following:
>
> Current rule:
>
> ACCEPT net loc:192.168.1.3 tcp 80 - all
>
> New rule:
>
> FORWARD net loc:192.168.1.3 tcp 80
>
> Current rule:
>
> ACCEPT net fw::3128 tcp 80 - all
>
> New rule:
>
> REDIRECT net 3128 tcp 80
>
> Comments?

I think that syntax will make a lot more sense for newbies (and me! :-).
Are FORWARD and REDIRECT real iptables -j targets in this case? If not,
you may want to make them lower case so they are not confused.

Paul
http://paulgear.webhop.net
Tom Eastep
2002-May-14 22:51 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
On Wed, 15 May 2002, Paul Gear wrote:
> Are FORWARD and REDIRECT real iptables -j targets in this case? If not,
> you may want to make them lower case so they are not confused.

REDIRECT is a real target (in the nat table) -- FORWARD is not. I could
use DNAT rather than FORWARD to make it a real target, but I think FORWARD
is more descriptive.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Paul Gear
2002-May-15 07:51 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
Tom Eastep wrote:
> On Wed, 15 May 2002, Paul Gear wrote:
>
> > Are FORWARD and REDIRECT real iptables -j targets in this case? If not,
> > you may want to make them lower case so they are not confused.
>
> REDIRECT is a real target (in the nat table) -- FORWARD is not. I could
> use DNAT rather than FORWARD to make it a real target but I think FORWARD
> more descriptive.

I think that because FORWARD is the name of a real table, things could get
confusing.

Paul
http://paulgear.webhop.net