Hi everyone,

I just installed the latest version and want to do something really tough, but cannot grasp the samples fully (yet). Let me explain, please.

interfaces:

    net     ippp0   -               routefilter,norfc1918,blacklist,routeback
    lan     eth0    192.168.0.255   dhcp

zones:

    net     NET     Internet
    lan     LAN     LAN in General
    adm     ADM     Admin Users
    nor     NORM    Normal Users

policy:

    adm     all     ACCEPT
    all     adm     CONTINUE
    lan     net     DROP
    nor     net     DROP
    net     all     DROP    info
    all     all     REJECT  info

hosts:

    adm     eth0:192.168.0.1,eth0:192.168.0.2
    adm     eth0:192.168.0.30,eth0:192.168.0.31
    nor     eth0:192.168.0.100,eth0:192.168.0.101

rules:

    ...
    ACCEPT      nor     net     tcp     25      -
    ACCEPT      nor     net     tcp     110     -
    ACCEPT      nor     net     tcp     143     -
    REJECT      lan     net     tcp     80      -
    ...
    REDIRECT    nor     8080    tcp     80      -       !192.168.0.254
    REDIRECT    adm     3128    tcp     80      -       !192.168.0.254

So what I am trying to solve is to create several groups of hosts/users and have different rules apply to them. I tried something like the above, but could not get it working. One admin test machine was always restricted.

I hope someone can help and point me in the right direction.

Thanks a lot for any help.

NDEE
On Mon, 2003-06-16 at 12:22, NDEE wrote:

> So what I am trying to solve, is to create several groups of hosts/users
> and have different rules apply to them. I tried something like the
> above, but could not get it working. One admin test machine was always
> restricted.
>
> Hope anyone can help and point me to right direction.
>

The order of your zones in /etc/shorewall/zones is important. Usually, you place sub-zones before the zone that they are contained in.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Mon, 2003-06-16 at 12:32, Tom Eastep wrote:

> On Mon, 2003-06-16 at 12:22, NDEE wrote:
>
> > So what I am trying to solve, is to create several groups of hosts/users
> > and have different rules apply to them. I tried something like the
> > above, but could not get it working. One admin test machine was always
> > restricted.
> >
> > Hope anyone can help and point me to right direction.
> >
>
> The order of your zones in /etc/shorewall/zones is important. Usually,
> you place sub-zones before the zone that they are contained in.
>

Perhaps http://www.shorewall.net/whitelisting_under_shorewall.htm will help.

-Tom
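As an added illustration of the point made in both of Tom's replies (this is an editor's example, not configuration from the thread or from the Shorewall project), here is the poster's own configuration with only the zones file reordered. The adm and nor entries are defined in /etc/shorewall/hosts as subsets of the eth0 network that the interfaces file assigns to lan, so they are sub-zones of lan and are listed before it. The interfaces, hosts and policy entries are the poster's, unchanged; the comment lines are assumed column headers in the Shorewall 1.4 layout of the day.

```text
# /etc/shorewall/interfaces  (unchanged)
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     ippp0       -               routefilter,norfc1918,blacklist,routeback
lan     eth0        192.168.0.255   dhcp

# /etc/shorewall/zones  (reordered: sub-zones adm and nor now precede lan)
#ZONE   DISPLAY     COMMENTS
net     NET         Internet
adm     ADM         Admin Users
nor     NORM        Normal Users
lan     LAN         LAN in General

# /etc/shorewall/hosts  (unchanged; several lines for one zone are cumulative)
#ZONE   HOST(S)
adm     eth0:192.168.0.1,eth0:192.168.0.2
adm     eth0:192.168.0.30,eth0:192.168.0.31
nor     eth0:192.168.0.100,eth0:192.168.0.101

# /etc/shorewall/policy  (unchanged)
#SOURCE DEST        POLICY      LOG LEVEL
adm     all         ACCEPT
all     adm         CONTINUE
lan     net         DROP
nor     net         DROP
net     all         DROP        info
all     all         REJECT      info
```

With the original order (lan before adm and nor), a packet from 192.168.0.1 on eth0 is matched against lan first and is handled by the `lan net DROP` policy, which is consistent with the symptom described ("one admin test machine was always restricted"). After reordering, the same packet is matched against adm first and gets `adm all ACCEPT`. A practical check after the change is `shorewall check` followed by `shorewall restart`, then a connection test from one of the adm hosts and one of the nor hosts to confirm each lands in the intended zone.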
On Mon, 2003-06-16 at 14:24, NDEE wrote:

> Hi Tom,
>
> thanks a lot. Both your hints look promising and I will test it next
> weekend.
>
> Is the way of defining hosts OK in the hosts file? Does Shorewall
> concatenate all appearances for one zone?

Yes.

> BTW,
>
> let me ask you one weird thing as well.
>
> I have a box with eth0 (net) with a public IP, eth1 (lan) and eth2 (lan1).
> eth0 has a virtual interface eth0:0 with private IP 192.168.0.1. Now I
> want to redirect a request on NET on e.g. port 8200 to port 4000 on a
> box connected at eth0:0 - 192.168.0.250 (there is a hub between). How to
> manage such a thing?
>

On the Shorewall site under "Documentation Index", look at the FIRST ENTRY!!!!!

-Tom
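For readers who do not want to chase the documentation pointer, here is the generic form of a port-forwarding rule in /etc/shorewall/rules, added as an editor's example rather than taken from the thread or from the Shorewall FAQ. It assumes the usual case that the FAQ entry covers: the target host sits in an internal zone (written here as lan) behind the firewall, and the firewall's external zone is net. The poster's actual topology, with the target host on the same segment as the net interface via eth0:0, is not what this rule models, which is presumably why Tom sends him to the FAQ rather than quoting a rule.

```text
# /etc/shorewall/rules  (added example; assumes 192.168.0.250 is in zone lan)
#ACTION   SOURCE   DEST                      PROTO   DEST PORT(S)
DNAT      net      lan:192.168.0.250:4000    tcp     8200
```

The DEST column carries the zone of the target, its address, and the rewritten port; the DEST PORT(S) column is the port the outside world connects to on the firewall's public address. As with the zone change in the earlier reply, `shorewall check` and a restart, then a connection from an external host to port 8200, are the way to confirm the forward before relying on it.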