Hello,

on my old system I'm using ipchains. Can anyone help me with converting rule

/sbin/ipchains -A forward -j MASQ -s source_addr -d destination_addr 443 -p tcp

to shorewall. I know that I can write
eth0 source_addr
to /etc/shorewall/masq file
but I can't find where I can specify the destination address.

The reason for this is to allow one user (computer) access only to the
one site.

-- 
Radek Hnilica <Radek at Hnilica dot CZ>
when I'm mobile, use <Radek.Hnilica@atlas.cz>
======================================
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
On Tue, 6 Aug 2002, Radek Hnilica wrote:

> Hello,
>
> on my old system I'm using ipchains. Can anyone help me with converting rule
>
> /sbin/ipchains -A forward -j MASQ -s source_addr -d destination_addr 443 -p tcp
>
> to shorewall. I know that I can write
> eth0 source_addr
> to /etc/shorewall/masq file
> but I can't find where I can specify the destination address.
>
> The reason for this is to allow one user (computer) access only to the
> one site.
>

What exactly are you trying to accomplish? Do you want to restrict the
connections that can be made from the local network to the net? If so,
change the default policy for loc->net to REJECT then add rules in
/etc/shorewall/rules to allow those connections. Don't try to do filtering
using the masq file.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Tue, Aug 06, 2002 at 08:00:45AM -0700, Tom Eastep wrote:
> >
> > The reason for this is to allow one user (computer) access only to the
> > one site.
> >
>
> What exactly are you trying to accomplish? Do you want to restrict the
> connections that can be made from the local network to the net? If so,
> change the default policy for loc->net to REJECT then add rules in
> /etc/shorewall/rules to allow those connections. Don't try to do filtering
> using the masq file.

Thanks. While waiting for an answer I was thinking about the rules file. I'm
experimenting with it now. I put the line

ACCEPT loc:10.16.68.2 net:206.124.146.177 tcp 80

into rules, and REJECT loc->net traffic in policy:

loc net REJECT

It looks like it does the things I need. Thanks for the help.

-- 
Radek Hnilica <Radek at Hnilica dot CZ>
when I'm mobile, use <Radek.Hnilica@atlas.cz>
======================================
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> ..... Don't try to do filtering
> using the masq file.

why not?

I have only 10/15 ip that can access to internet in SNAT,
so I have put:

eth0 10.1.65.61 x.x.x.212
eth0 10.1.65.70 x.x.x.214
.... .......... .........
eth0 10.1.65.3 x.x.x.220
eth0 10.1.65.80 x.x.x.220
eth0 10.1.65.204 x.x.x.220

into the masq file.

How to do this in another way?

Many Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
On Tue, Aug 06, 2002 at 05:37:50PM +0200, Dario Lesca wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
>
> > ..... Don't try to do filtering
> > using the masq file.
>
> why not?
>
> I have only 10/15 ip that can access to internet in SNAT,
> so I have put:
>
> eth0 10.1.65.61 x.x.x.212
> eth0 10.1.65.70 x.x.x.214
> .... .......... .........
> eth0 10.1.65.3 x.x.x.220
> eth0 10.1.65.80 x.x.x.220
> eth0 10.1.65.204 x.x.x.220
>
> into the masq file.

I simply don't understand. Reading the commentary in the masq file, the third
field will be used as the source address in the outgoing packet. What has this
to do with masquerade restriction? I simply allow masquerade for all. I can
allow it only for allowed users, but this is the second wall. The first wall is
in the rules file, where rules like these reside:

---> cut <---
# Adamek: Komercni Banka
ACCEPT loc:10.x.x.x net:195.47.102.10,194.228.113.10 tcp 443
# Ungrova: www.celdat.cz
ACCEPT loc:10.x.x.x net:194.212.208.12 tcp 80,443
---> cut <---

It's more descriptive and restrictive.

One, maybe stupid, question without prior thinking.
Can I use variables like
ALLOWED_SERVERS=195.47.102.10,194.228.113.10
in some files, for instance rules
ACCEPT loc:10.x.x.x net:$ALLOWED_SERVERS tcp 443

In more complicated configurations it may be very helpful.

-- 
Radek Hnilica <Radek at Hnilica dot CZ>
when I'm mobile, use <Radek.Hnilica@atlas.cz>
======================================
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
On Tue, 6 Aug 2002, Dario Lesca wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
>
> > ..... Don't try to do filtering
> > using the masq file.
>
> why not?
>
> I have only 10/15 ip that can access to internet in SNAT,
> so I have put:
>
> eth0 10.1.65.61 x.x.x.212
> eth0 10.1.65.70 x.x.x.214
> .... .......... .........
> eth0 10.1.65.3 x.x.x.220
> eth0 10.1.65.80 x.x.x.220
> eth0 10.1.65.204 x.x.x.220
>
> into the masq file.
>
> How to do this in another way?
>

See my previous post...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Tue, 6 Aug 2002, Radek Hnilica wrote:
>
> It's more descriptive and restrictive.
>
>
> One, maybe stupid, question without prior thinking.
> Can I use variables like
> ALLOWED_SERVERS=195.47.102.10,194.228.113.10
> in some files, for instance rules
> ACCEPT loc:10.x.x.x net:$ALLOWED_SERVERS tcp 443
>
> In more complicated configurations it may be very helpful.
>

Yes -- that's what the /etc/shorewall/params file is for. Set your
variables there then use them in the other files.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> See my previous post...

-----Old config:
policy:
loc net ACCEPT
masq:
eth0 10.1.65.61 x.x.x.212

------New config:
policy:
loc net REJECT
rules:
ACCEPT loc:10.1.65.61 net:x.x.x.214
ACCEPT loc:10.1.65.3,10.1.65.77 net:x.x.x.220

Question: does the syntax "net:x.x.x.214" do a SNAT for all services (ports)
like the old rule in the masq file?

Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
On Tue, 6 Aug 2002, Dario Lesca wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
>
> > See my previous post...
>
> -----Old config:
> policy:
> loc net ACCEPT
> masq:
> eth0 10.1.65.61 x.x.x.212
>
> ------New config:
> policy:
> loc net REJECT
> rules:
> ACCEPT loc:10.1.65.61 net:x.x.x.214
> ACCEPT loc:10.1.65.3,10.1.65.77 net:x.x.x.220
>
> Question: does the syntax "net:x.x.x.214" do a SNAT for all services (ports)
> like the old rule in the masq file?
>

Hmmm - given that you want to specify SNAT for each of the hosts that are
permitted internet access, what you were doing in your old config was ok.
It has the odd property that anyone in your local network can TRY to
access the internet and the firewall will allow those attempts -- the
internet backbone routers will simply discard the requests.

If you want to reject these requests at the firewall:

New config:

masq = same as old masq.

New Policy:

loc net REJECT [ <log level> ]

New rules:

ACCEPT loc:10.1.65.61,10.1.65.3,... net

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
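The three points made in this thread (masq only rewrites source addresses and never filters; filtering belongs in policy plus rules, first match wins; $VARIABLES come from params) modelled as a small simulator. This is an added example written for this page, not Shorewall code and not anything the posters wrote; it assumes a simplified rule syntax (ACTION SOURCE DEST [PROTO [PORTS]], host lists only, no subnets) and uses constructed sample configuration with TEST-NET addresses.

```python
import re

def load_params(text):
    """Parse /etc/shorewall/params-style NAME=value lines (shell assignments) into a dict."""
    pairs = [l.split("#", 1)[0].split("=", 1) for l in text.splitlines()]
    return {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def parse_endpoint(spec):
    """'loc:10.1.65.61,10.1.65.3' -> ('loc', {...}); bare 'net' -> ('net', None) = any host."""
    zone, _, hosts = spec.partition(":")
    return zone, (set(hosts.split(",")) if hosts else None)

def parse_rules(text, params):
    """Parse ACTION SOURCE DEST [PROTO [PORTS]] lines, expanding $VAR from params."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            f = re.sub(r"\$(\w+)", lambda m: params[m.group(1)], line).split()
            proto = f[3] if len(f) > 3 else None
            ports = set(f[4].split(",")) if len(f) > 4 else None
            rules.append((f[0], parse_endpoint(f[1]), parse_endpoint(f[2]), proto, ports))
    return rules

def verdict(rules, policy, src_zone, src_ip, dst_zone, dst_ip, proto, port):
    """First matching rule wins; otherwise the zone policy (e.g. 'loc net REJECT') applies."""
    for action, (sz, sh), (dz, dh), rp, rports in rules:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if (sh is not None and src_ip not in sh) or (dh is not None and dst_ip not in dh):
            continue
        if (rp is not None and rp != proto) or (rports is not None and str(port) not in rports):
            continue
        return action
    return policy

def masq_snat(masq_text, src_ip):
    """masq only rewrites the source address (third field); it never filters.  None means
    the packet is still forwarded with its private source, for upstream routers to discard."""
    for line in masq_text.splitlines():
        f = line.split()
        if len(f) >= 3 and src_ip in f[1].split(","):
            return f[2]

# constructed sample configuration in the shape of the thread's files (TEST-NET-3 addresses)
PARAMS = load_params("ALLOWED_SERVERS=195.47.102.10,194.228.113.10\n")
RULES = parse_rules("# Adamek: Komercni Banka\nACCEPT loc:10.16.68.2 net:$ALLOWED_SERVERS tcp 443\n"
                    "ACCEPT loc:10.1.65.61,10.1.65.3 net\n", PARAMS)
MASQ = "eth0 10.1.65.61 203.0.113.212\n"
```

With policy REJECT, a host not named in any rule is refused at the firewall; with the masq-only setup it is forwarded unmodified, which is the behaviour Tom describes above.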