thr3ads.net - Shorewall users - [Shorewall-users] Restricted Access to Internet [Jan 2003]

If this information is useful, please help other people find it:
Share via:

Miranda Gomez Miguel Angel

2003-Jan-22 11:41 UTC

[Shorewall-users] Restricted Access to Internet

Hi list,
I am a happy user of shorewall, i have followed the instructions 
in the shorewall''s web site relative to the squid transparent 
proxy configuration,all works ok, but i have been instructed to let
adicional specified ports (aplications) to be snated (allowed to run)
together to the web browsing service,i mean if i snat the network 
(i have a static ip from my isp), all aplications(kazaa, msn messenger,etc)
can run, without snat the users only can browse the internet, the other
aplications don''t work,how can i also permit i.e. smtp (port 25), 
pop (port 110) ,etc?? all others  aplications should be dropped.
Sorry for my english, may be a picture would help:
 
        -------------
        | Internet  |
        -------------  
             |
             |
        -------------
        | shorewall |
        -------------  
             |
             |  /\ Destination port 80   = allowed (through squid) 
             |  || Destination port 25   = allowed     
             |  || Destination port 21   = allowed
             |  || Destination port 1214 = dropped 
             |     (or any other aplications not explicit allowed)
             |        
 -----------------------------
     |                |   
  -------          -------
  | pc1 |          | pc2 |
  -------          -------

thanks in advance
Miguel Miranda

Tom Eastep

2003-Jan-22 11:48 UTC

head link

[Shorewall-users] Restricted Access to Internet

--On Wednesday, January 22, 2003 1:38 PM -0600 Miranda Gomez Miguel Angel 
<mmiranda@americatel.com.sv> wrote:
> Hi list,
> I am a happy user of shorewall, i have followed the instructions
> in the shorewall''s web site relative to the squid transparent
> proxy configuration,all works ok, but i have been instructed to let
> adicional specified ports (aplications) to be snated (allowed to run)
> together to the web browsing service,i mean if i snat the network
> (i have a static ip from my isp), all aplications(kazaa, msn
> messenger,etc) can run, without snat the users only can browse the
> internet, the other aplications don''t work,how can i also permit
i.e.
> smtp (port 25),  pop (port 110) ,etc?? all others  aplications should be
> dropped. Sorry for my english, may be a picture would help:
>
>         -------------
>         | Internet  |
>         -------------
>              |
>              |
>         -------------
>         | shorewall |
>         -------------
>              |
>              |  /\ Destination port 80   = allowed (through squid)
>              |  || Destination port 25   = allowed
>              |  || Destination port 21   = allowed
>              |  || Destination port 1214 = dropped
>              |     (or any other aplications not explicit allowed)
>              |
>  -----------------------------
>      |                |
>   -------          -------
>   | pc1 |          | pc2 |
>   -------          -------
>
It sounds like you want to change the policy for loc->net to REJECT (in 
other words, simply comment out the policy "loc net ACCEPT").

Then, in /etc/shorewall/rules, you want something like:

ACCEPT	loc	net	udp	domain
ACCEPT	loc	net	tcp	domain,https,smtp,ftp,pop3
ACCEPT	loc	net	icmp	echo-request

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
AIM: teastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Apparently Analagous Threads

Search for more apparently analagous threads

Shorewall users - Jan 2003 - Restricted Access to Internet

[Shorewall-users] Restricted Access to Internet

[Shorewall-users] Restricted Access to Internet

Apparently Analagous Threads