Tom Eastep
2002-May-14 18:15 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
I'm beginning to believe that the use of the last column in the rules file to designate redirection/forwarding is too subtle for many users. For 1.3, I think I'll do something like the following:

Current rule:

    ACCEPT net loc:192.168.1.3 tcp 80 - all

New rule:

    FORWARD net loc:192.168.1.3 tcp 80

Current rule:

    ACCEPT net fw::3128 tcp 80 - all

New rule:

    REDIRECT net 3128 tcp 80

Comments?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

---------- Forwarded message ----------
Date: Tue, 14 May 2002 19:06:48 +0200
From: Dario Lesca <d.lesca@ivrea.osra.it>
To: Shorewall Firewall <shorewall-users@shorewall.net>
Subject: [Shorewall-users] Redirect loc::80 to fw::3128 not work

The rule:

    ACCEPT loc $FW::3128 tcp www

doesn't work properly: the HTTP access is not redirected to squid but goes out directly. What's wrong?

Thanks

------- Dario Lesca (d.lesca@ivrea.osra.it) --------------------------------------

@@@@@@@ this is my shorewall-1.2.13 config:

#[/etc/shorewall/common.def]-----------------------------------------------
run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p udp --dport 1900 -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP

#[/etc/shorewall/interfaces]-----------------------------------------------
net eth0 detect noping,norfc1918
loc eth1 detect routestopped

#[/etc/shorewall/masq]-----------------------------------------------
eth0 10.1.65.0/24

#[/etc/shorewall/policy]-----------------------------------------------
loc net ACCEPT
net all DROP info
all all REJECT info

#[/etc/shorewall/rules]-----------------------------------------------
ACCEPT loc $FW::3128 tcp www
ACCEPT loc $FW tcp ssh
ACCEPT net $FW tcp ssh,auth
ACCEPT $FW net udp ntp

#[/etc/shorewall/shorewall.conf]-----------------------------------------------
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="yes"
MODULESDIR=""
LOGRATE="1/minute"
LOGBURST="5"
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS="Yes"
ROUTE_FILTER="Yes"
NAT_BEFORE_RULES="Yes"

#[/etc/shorewall/start]-----------------------------------------------
run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP

#[/etc/shorewall/zones]-----------------------------------------------
net Net Internet Blixer
loc Local Rete Locale Ivrea
dmz DMZ Demilitarized zone

@@@@@@@ this is a portion of the debug output of the shorewall script ...

+ iptables -A loc2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
+ eval loc2fw_exists=Yes
++ loc2fw_exists=Yes
+ '[' www = none -o www = None -o '' = none -o '' = None -o '' = none -o '' = None -o '' = none -o '' = None ']'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list www
++ echo www
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
+ add_a_rule
+ cli=
+ '[' -n - ']'
+ dest_interface=
+ '[' -n - ']'
+ serv=
+ sports=
+ dports=
+ state=-m state --state NEW
+ proto=tcp
+ addr=
+ servport=3128
+ '[' -n www ']'
+ '[' xwww '!=' x- ']'
+ dports=--dport www
+ '[' -n - ']'
+ '[' x- '!=' x- ']'
+ proto=-p tcp
+ '[' ACCEPT = REJECT ']'
+ '[' -z '-p tcp' -a -z '' -a -z '' -a -z 3128 ']'
+ '[' -n 3128 ']'
+ '[' -n '' -a '' '!=' '' ']'
+ serv=
+ '[' -n '' ']'
+ run_iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ echo -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ sed 's/!/! /g'
+ iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
+ echo ' Rule "ACCEPT loc fw::3128 tcp www" added.'
 Rule "ACCEPT loc fw::3128 tcp www" added.
+ read target clients servers protocol ports cports address

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
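As an added example (not Shorewall's own code), the following POSIX shell function prints the iptables commands that a rule in the proposed 1.3 syntax would have to produce, so the difference between a plain ACCEPT (filter table only, as in the trace above) and REDIRECT/FORWARD (a nat rule plus a matching filter rule) is visible; the zone-to-interface mapping and the <src>2<dest> chain names are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's code: print (do not run) the iptables
# commands implied by a rule in the proposed 1.3 syntax
#   ACTION SOURCE DEST PROTO PORT
# Assumed: the zone/interface mapping below and <src>2<dest> chain names.

zone_iface() {
    case "$1" in
        net) echo eth0 ;;
        loc) echo eth1 ;;
        *)   echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Usage: rule_to_iptables ACTION SOURCE DEST PROTO PORT
# Prints one iptables command per line; returns non-zero on bad input.
rule_to_iptables() {
    action=$1; src=$2; dest=$3; proto=$4; port=$5
    in_if=$(zone_iface "$src") || return 1
    case "$action" in
        REDIRECT)
            # DEST is only the local port (3128 = squid). REDIRECT in the nat
            # table rewrites the destination to the firewall itself, so the
            # filter rule must allow the *new* port in the src2fw chain.
            echo "iptables -t nat -A PREROUTING -i $in_if -p $proto --dport $port -j REDIRECT --to-port $dest"
            echo "iptables -A ${src}2fw -p $proto -m state --state NEW --dport $dest -j ACCEPT"
            ;;
        FORWARD)
            # DEST is zone:address. DNAT rewrites the destination, then the
            # packet crosses the src2destzone chain toward that address.
            dzone=${dest%%:*}; daddr=${dest#*:}
            [ "$dzone" != "$dest" ] || { echo "FORWARD needs zone:addr" >&2; return 1; }
            echo "iptables -t nat -A PREROUTING -i $in_if -p $proto --dport $port -j DNAT --to-destination $daddr"
            echo "iptables -A ${src}2${dzone} -p $proto -m state --state NEW -d $daddr --dport $port -j ACCEPT"
            ;;
        ACCEPT)
            # Plain ACCEPT never touches the nat table; the 1.2 trace in
            # Dario's message shows only this filter rule, no nat rule.
            dzone=${dest%%:*}
            echo "iptables -A ${src}2${dzone} -p $proto -m state --state NEW --dport $port -j ACCEPT"
            ;;
        *)  echo "unsupported action: $action" >&2; return 1 ;;
    esac
}

# Demo: the three rule forms discussed in the thread.
rule_to_iptables REDIRECT loc 3128 tcp www
rule_to_iptables FORWARD net loc:192.168.1.3 tcp 80
rule_to_iptables ACCEPT loc fw tcp www
```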
Paul Gear
2002-May-14 22:19 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
Tom Eastep wrote:
> I'm beginning to believe that the use of the last column in the rules file
> to designate redirection/forwarding is too subtle for many users. For 1.3,
> I think I'll do something like the following:
>
> Current rule:
>
> ACCEPT net loc:192.168.1.3 tcp 80 - all
>
> New rule:
>
> FORWARD net loc:192.168.1.3 tcp 80
>
> Current rule:
>
> ACCEPT net fw::3128 tcp 80 - all
>
> New rule:
>
> REDIRECT net 3128 tcp 80
>
> Comments?

I think that syntax will make a lot more sense for newbies (and me! :-). Are FORWARD and REDIRECT real iptables -j targets in this case? If not, you may want to make them lower case so they are not confused.

Paul
http://paulgear.webhop.net
Tom Eastep
2002-May-14 22:51 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
On Wed, 15 May 2002, Paul Gear wrote:
> Are FORWARD and REDIRECT real iptables -j targets in this case? If not,
> you may want to make them lower case so they are not confused.

REDIRECT is a real target (in the nat table) -- FORWARD is not. I could use DNAT rather than FORWARD to make it a real target but I think FORWARD is more descriptive.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Paul Gear
2002-May-15 07:51 UTC
[Shorewall-devel] [Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
Tom Eastep wrote:
> On Wed, 15 May 2002, Paul Gear wrote:
>
> > Are FORWARD and REDIRECT real iptables -j targets in this case? If not,
> > you may want to make them lower case so they are not confused.
>
> REDIRECT is a real target (in the nat table) -- FORWARD is not. I could
> use DNAT rather than FORWARD to make it a real target but I think FORWARD
> more descriptive.

I think that because FORWARD is the name of a real table, things could get confusing.

Paul
http://paulgear.webhop.net