eric.taillon@mks.net
2002-Apr-26 14:09 UTC
[Shorewall-users] port forward from local net to local machine
Hi!

I have a Linux Shorewall firewall that is the default gw of the network. I want to redirect all locally originating traffic to port 80 to another machine on port 8002 on the local network. This machine is a WIN2000 machine running a commercial software (proxy, content filtering) that only runs on Windows... :-(

I tried something like this but this doesn't seem to work:

local network: 192.168.0.0/24
IP of proxy: 192.168.0.2
IP of firewall: 192.168.0.1

ACCEPT loc:!192.168.0.2 loc:192.168.0.2:8002 tcp http - all

Can anyone help me?

Thanks!!
Tom Eastep
2002-Apr-26 14:15 UTC
[Shorewall-users] port forward from local net to local machine
On Fri, 26 Apr 2002, eric.taillon@mks.net wrote:

> Hi!
>
> I have a Linux Shorewall firewall that is the default gw of the network.
> I want to redirect all locally originating traffic to port 80 to another
> machine on port 8002 on the local network.
> This machine is a WIN2000 machine running a commercial software (proxy,
> content filtering) that only runs on Windows... :-(
>
> I tried something like this but this doesn't seem to work:
>
> local network: 192.168.0.0/24
> IP of proxy: 192.168.0.2
> IP of firewall: 192.168.0.1
>
> ACCEPT loc:!192.168.0.2 loc:192.168.0.2:8002 tcp http - all
>
> Can anyone help me?
>

Is it a requirement that the identity of the client be maintained between the client and the proxy (that is, do you want to know WHO is requesting this content that you are going to be censoring)?

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
eric.taillon@mks.net
2002-Apr-26 14:32 UTC
[Shorewall-users] port forward from local net to local machine
Hum!!!

This means that on the proxy side all connections will look like they were coming from the firewall?
I think the software is using a user/password identification model so it's probably not important.

Actually I have not tested this part.
I'm just testing if the port redirection is working by doing a telnet to port 80.
I'm supposed to get HTML headers and actually the telnet doesn't even connect.

Any idea?

To: "eric.taillon@mks.net" <eric.taillon@mks.net>
cc: "shorewall-users@shorewall.net" <shorewall-users@shorewall.net>
Subject: Re: [Shorewall-users] port forward from local net to local machine
From: Tom Eastep <teastep@shorewall.net> @shorewall.net on 26/04/2002 07:15 AM MST

On Fri, 26 Apr 2002, eric.taillon@mks.net wrote:

> Hi!
>
> I have a Linux Shorewall firewall that is the default gw of the network.
> I want to redirect all locally originating traffic to port 80 to another
> machine on port 8002 on the local network.
> This machine is a WIN2000 machine running a commercial software (proxy,
> content filtering) that only runs on Windows... :-(
>
> I tried something like this but this doesn't seem to work:
>
> local network: 192.168.0.0/24
> IP of proxy: 192.168.0.2
> IP of firewall: 192.168.0.1
>
> ACCEPT loc:!192.168.0.2 loc:192.168.0.2:8002 tcp http - all
>
> Can anyone help me?
>

Is it a requirement that the identity of the client be maintained between the client and the proxy (that is, do you want to know WHO is requesting this content that you are going to be censoring)?

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
Tom Eastep
2002-Apr-26 14:32 UTC
[Shorewall-users] port forward from local net to local machine
On Fri, 26 Apr 2002, eric.taillon@mks.net wrote:

> Hum!!!
>
> This means that on the proxy side all connections will look like they were
> coming from the firewall?
> I think the software is using a user/password identification model so it's
> probably not important.
>
> Actually I have not tested this part.
> I'm just testing if the port redirection is working by doing a telnet to port
> 80.
> I'm supposed to get HTML headers and actually the telnet doesn't even
> connect.
>
> Any idea?
>

Sure -- this is the problem described in FAQ #2. I'm just wondering if the same solution works for proxies.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Is there a way within Shorewall to only allow certain users to obtain internet access via IP address? For example, if I have 5 computers, but I only want 3 to access the internet, but I still want them to be able to access all the other computers.

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com

"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."
On Fri, 26 Apr 2002, Aaron Axelsen wrote:

> Is there a way within Shorewall to only allow certain users to obtain
> internet access via IP address? For example, if I have 5 computers, but
> I only want 3 to access the internet, but I still want them to be able
> to access all the other computers.
>

Sure -- just separate your local systems into two zones; one with internet access and one without.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Fri, 26 Apr 2002, Tom Eastep wrote:

> On Fri, 26 Apr 2002, Aaron Axelsen wrote:
>
> > Is there a way within Shorewall to only allow certain users to obtain
> > internet access via IP address? For example, if I have 5 computers, but
> > I only want 3 to access the internet, but I still want them to be able
> > to access all the other computers.
> >
>
> Sure -- just separate your local systems into two zones; one with internet
> access and one without.
>

Or, if there is just a small number of hosts that you want to block:

REJECT loc net:<ip1>,<ip2>,... all

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Fri, 26 Apr 2002, Tom Eastep wrote:

> On Fri, 26 Apr 2002, Tom Eastep wrote:
>
> > On Fri, 26 Apr 2002, Aaron Axelsen wrote:
> >
> > > Is there a way within Shorewall to only allow certain users to obtain
> > > internet access via IP address? For example, if I have 5 computers, but
> > > I only want 3 to access the internet, but I still want them to be able
> > > to access all the other computers.
> > >
> >
> > Sure -- just separate your local systems into two zones; one with internet
> > access and one without.
> >
>
> Or, if there is just a small number of hosts that you want to block:
>
> REJECT loc net:<ip1>,<ip2>,... all
>

Duh -- should be:

REJECT loc:<ip1>,<ip2>,... net all

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
eric.taillon@mks.net
2002-Apr-26 16:07 UTC
[Shorewall-users] port forward from local net to local machine
I found how to do it but the only problem is that all connections seem to come from the firewall itself.
In our setup, we don't care about the IP of the source because we are using user/password authentication.

It's not exactly like FAQ #2 but this one gave me a hint... Thanks Tom!

Here is what I did to make it work:

local network: 192.168.0.0/24
IP of proxy: 192.168.0.2
IP of firewall: 192.168.0.1

ACCEPT loc:!192.168.0.2 loc:192.168.0.2:8002 tcp http - all:192.168.0.1

Thanks!

To: "eric.taillon@mks.net" <eric.taillon@mks.net>
cc: Shorewall Users <shorewall-users@shorewall.net>
Subject: Re: [Shorewall-users] port forward from local net to local machine
From: Tom Eastep <teastep@shorewall.net> @shorewall.net on 26/04/2002 07:32 AM MST

On Fri, 26 Apr 2002, eric.taillon@mks.net wrote:

> Hum!!!
>
> This means that on the proxy side all connections will look like they were
> coming from the firewall?
> I think the software is using a user/password identification model so it's
> probably not important.
>
> Actually I have not tested this part.
> I'm just testing if the port redirection is working by doing a telnet to port
> 80.
> I'm supposed to get HTML headers and actually the telnet doesn't even
> connect.
>
> Any idea?
>

Sure -- this is the problem described in FAQ #2. I'm just wondering if the same solution works for proxies.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep
2002-Apr-26 21:12 UTC
[Shorewall-users] port forward from local net to local machine
On Fri, 26 Apr 2002, eric.taillon@mks.net wrote:

> I found how to do it but the only problem is that all connections seem to come
> from the firewall itself.
> In our setup, we don't care about the IP of the source because we are
> using user/password authentication.
>
> It's not exactly like FAQ #2 but this one gave me a hint... Thanks Tom!
>

<puts on teacher's hat>

Sure -- the reason that you couldn't connect is EXACTLY the same as the reason that connections fail in the FAQ #2 case even if the two problems look quite different.

A connection request from a client (say 192.168.1.2) addressed to some IP (call it 1.2.3.4) is sent to the firewall. The firewall rewrites the destination address (let's assume it changes it to 192.168.1.5) and sends the request back to that server on the local net. That server constructs a reply and sends it straight back to 192.168.1.2. But 192.168.1.2 isn't expecting a reply from 192.168.1.5 (she sent her request to 1.2.3.4) so the reply is tossed.

Using SNAT (as you are doing below) causes the firewall to rewrite both the source and destination addresses in the initial request. This in turn forces the reply back through the firewall where the source address can be changed to 1.2.3.4 and the destination address changed to 192.168.1.2 before the reply is sent on to the client.

</puts on teacher's hat>

> Here is what I did to make it work:
>
> local network: 192.168.0.0/24
> IP of proxy: 192.168.0.2
> IP of firewall: 192.168.0.1
>
> ACCEPT loc:!192.168.0.2 loc:192.168.0.2:8002 tcp http - all:192.168.0.1
>

That's a nice way to do that! I think I should update the FAQ to use that solution on FAQ #2.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
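The raw iptables rules behind the Shorewall rule that ended the thread, as an added example that is not from the original posts or from Shorewall itself. The shell function below emits the DNAT/SNAT/FORWARD rules for the hairpin redirect (LAN client, port 80, to the proxy on port 8002) in two variants: "dnat" is the first, broken attempt (destination rewritten only, so the proxy answers the client directly and the client resets the unexpected SYN-ACK), "snat" is the working one (source also rewritten to the firewall's LAN address, so the reply returns through the firewall's connection tracking). The LAN interface name eth1 is an assumption; the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example: iptables equivalent of
#   ACCEPT loc:!192.168.0.2 loc:192.168.0.2:8002 tcp http - all:192.168.0.1
# Not Shorewall's generated ruleset; written by hand to show the mechanism.

LAN_NET=192.168.0.0/24
LAN_IF=eth1            # assumption: LAN-facing interface of the firewall
FW_IP=192.168.0.1      # firewall's LAN address (the SNAT source)
PROXY_IP=192.168.0.2
PROXY_PORT=8002

# hairpin_rules MODE
#   MODE=dnat : destination rewrite only (the failing first attempt)
#   MODE=snat : destination + source rewrite (the working rule)
# Prints one iptables command per line; pipe to sh as root to apply.
hairpin_rules() {
    mode=$1
    # 1. DNAT in PREROUTING: any TCP/80 request arriving on the LAN side,
    #    except from the proxy itself, goes to the proxy on 8002.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    # 2. The redirected flow enters and leaves on the same interface, so
    #    FORWARD must allow it and the replies.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. SNAT in POSTROUTING: rewrite the source to the firewall so the proxy
    #    sends its reply to the firewall, which un-NATs both addresses before
    #    forwarding it to the client. Without this the proxy replies straight
    #    to the client from 192.168.0.2:8002, the client expected the answer
    #    from the original destination:80, and the SYN-ACK is rejected.
    if [ "$mode" = snat ]; then
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $FW_IP"
    fi
}

# rule_count MODE -> number of rules the variant produces
rule_count() {
    hairpin_rules "$1" | wc -l | tr -d ' '
}

# Usage: ./hairpin.sh        (print the working ruleset)
#        ./hairpin.sh apply  (apply it, as root)
case "${1:-print}" in
    apply) hairpin_rules snat | sh ;;
    *)     hairpin_rules snat ;;
esac
```

After applying, "iptables -t nat -L -n -v" on the firewall should show the DNAT and SNAT counters climbing together for each test connection; a DNAT counter that increments while SNAT stays at zero is the symptom Eric saw (telnet to port 80 never connects). The price, as noted in the thread, is that the proxy sees every client as 192.168.0.1, so any per-client policy has to come from the proxy's own user/password authentication rather than from the source address.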