Hi

Is it possible to exclude all communication destined to a specific port from a generally applied masquerade? I would need this to make sure the central syslog server (which listens on 514 in a private subnet) can determine which of the systems inside a different private, masqueraded subnet originated the log entry.

I tried

eth1 eth0!:514

inside the masq file, which seemed to be the logical syntax. But neither that, nor

eth1 eth0!192.168.1.0/24:514

worked (they both produced errors).

BTW: Shorewall is up and running in the configuration outlined three weeks ago. Some minor issues remain, of which this is one.

Thanks!

.-.-.-.-.-.-.-.-.-
Titus Green
How can you see a red light with green eyes?
.-.-.-.-.-.-.-.-.-

Powered by SQWebmail
On Mon, 2003-07-28 at 12:36, Titus Green wrote:
> Hi
>
> Is it possible to exclude all communication destined to a specific port from
> a generally applied masquerade? I would need this to make sure the central
> syslog server (which listens on 514 in a private subnet) can determine which
> of the systems inside a different private, masqueraded subnet, originated
> the log entry.
>
> I tried
> eth1 eth0!:514
> inside the masq file, which seemed to be the logical syntax. But neither
> that, nor
> eth1 eth0!192.168.1.0/24:514
> worked (they both produced errors).

If you don't find a particular syntax documented, then you may as well not bother to try it; if it's not in the documentation then it's not in the product.

The only way to accomplish what you want is through an extension script.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Or via a run_iptables command in start script. works...

Tom Eastep <teastep@shorewall.net> (sent by shorewall-users-bounces@lists.shorewall.net), 28/07/2003 17:10
To: Titus Green <tgreen@mail.nexline.ch>
Subject: Re: [Shorewall-users] port exclusions in masq?

> On Mon, 2003-07-28 at 12:36, Titus Green wrote:
> > Hi
> >
> > Is it possible to exclude all communication destined to a specific port from
> > a generally applied masquerade? I would need this to make sure the central
> > syslog server (which listens on 514 in a private subnet) can determine which
> > of the systems inside a different private, masqueraded subnet, originated
> > the log entry.
> >
> > I tried
> > eth1 eth0!:514
> > inside the masq file, which seemed to be the logical syntax. But neither
> > that, nor
> > eth1 eth0!192.168.1.0/24:514
> > worked (they both produced errors).
>
> If you don't find a particular syntax documented, then you may as well not
> bother to try it; if it's not in the documentation then it's not in the
> product.
>
> The only way to accomplish what you want is through an extension script.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Mon, 2003-07-28 at 14:49, Eduardo Ferreira wrote:
> Or via a run_iptables command in start script. works...

The 'start' script *is an extension script*!

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> On Mon, 2003-07-28 at 12:36, Titus Green wrote:
> > Is it possible to exclude all communication destined to a specific port from
> > a generally applied masquerade? I would need this to make sure the central
> > syslog server (which listens on 514 in a private subnet) can determine which
> > of the systems inside a different private, masqueraded subnet, originated
> > the log entry.
>
> If you don't find a particular syntax documented, then you may as well
> not bother to try it; if it's not in the documentation then it's not in
> the product.
>
> The only way to accomplish what you want is through an extension script.

I made a serious effort but I did not succeed. The problem is that the syslog entry is an exclusion, and therefore needs to be inserted on top of the eth0_masq table. I tried these statements:

ensurenatchain eth0_masq
ensurenatchain eth0_syslog
run_iptables -t nat -A eth0_masq -p udp --dport 514 -j eth0_syslog
run_iptables -t nat -A eth0_syslog -j ACCEPT

The problem is: having these in the init script is too early. As the firewall code executes an "iptables -X" somewhere in the middle, my newly created chain "eth0_syslog" gets lost; furthermore the firewall script is not aware that the "eth0_masq" chain - which does not exist at the time "init" is executed - has been deleted intermittently, and quits with an error.

Having these statements in the start script is too late, as by that time the masq chain is set up, and the exception is worthless, as it is executed after the general MASQ statement and would never catch any packet.

What I would need is an exit to an extension script somewhere between the "iptables -X" (inside function deleteallchains) and the masq setup (inside function setup_masq).

To help myself, I put the above statements into a file "premasq" and introduced another exit hook as

run_user_exit premasq

just before the last while loop inside setup_masq(). This works.

Please tell me if I'm nuts here - but then I would kindly ask you to provide a better solution - or if I might suggest this as an extension to shorewall - to be included in the next version?

--
Titus Green
On Sat, 2003-08-02 at 04:17, Titus Green wrote:
>
> Please tell me if I'm nuts here - but then I would kindly ask you to provide
> a better solution - or if I might suggest this as an extension to shorewall
> - to be included in the next version?
>

To insert a rule into a chain at a particular point in a nat chain:

run_iptables -t nat -I [ <rule number> ] ....

If you don't specify a rule number, the rule is placed at the front of the chain (which is where you want it).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sat, 2003-08-02 at 06:48, Tom Eastep wrote:
> On Sat, 2003-08-02 at 04:17, Titus Green wrote:
> >
> > Please tell me if I'm nuts here - but then I would kindly ask you to provide
> > a better solution - or if I might suggest this as an extension to shorewall
> > - to be included in the next version?
> >
>
> To insert a rule into a chain at a particular point in a nat chain:
>
> run_iptables -t nat -I [ <rule number> ] ....
>
> If you don't specify a rule number, the rule is placed at the front of
> the chain (which is where you want it).
>

Oh -- and since you want to exclude the port from the following general MASQ rule, the target of your rule should be RETURN.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sat, 2003-08-02 at 06:50, Tom Eastep wrote:
> On Sat, 2003-08-02 at 06:48, Tom Eastep wrote:
> > On Sat, 2003-08-02 at 04:17, Titus Green wrote:
> > >
> > > Please tell me if I'm nuts here - but then I would kindly ask you to provide
> > > a better solution - or if I might suggest this as an extension to shorewall
> > > - to be included in the next version?
> > >
> >
> > To insert a rule into a chain at a particular point in a nat chain:
> >
> > run_iptables -t nat -I [ <rule number> ] ....

Damn -- I'm trying to type too fast on my way out the door here. S/B

run_iptables -t nat -I <chain> [ <rule number> ] ... -j RETURN

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> On Sat, 2003-08-02 at 06:48, Tom Eastep wrote:
> > On Sat, 2003-08-02 at 04:17, Titus Green wrote:
> > > Please tell me if I'm nuts here - but then I would kindly ask you to provide
> > > a better solution
> >
> > To insert a rule into a chain at a particular point in a nat chain:
> >
> > run_iptables -t nat -I [ <rule number> ] ....
> >
> > If you don't specify a rule number, the rule is placed at the front of
> > the chain (which is where you want it).

Of course you are right - not only that I am nuts indeed, though you didn't say that - but in that of course it helps not only to know shorewall, but to know the iptables command options as well. So that works, then, without having to have an extra user exit.

> Oh -- and since you want to exclude the port from the following general
> MASQ rule, the target of your rule should be RETURN.

However, I do not agree here - RETURNing just enables the masq again, whereas ACCEPTing just forwards the packet without MASQing.

So for the record, I now have the following in the start script:

ensurenatchain eth0_masq
ensurenatchain eth0_syslog
run_iptables -t nat -I eth0_masq -p udp --dport 514 -j eth0_syslog
run_iptables -t nat -A eth0_syslog -j ACCEPT

Thanks for the hint.

--
Titus Green
> > Oh -- and since you want to exclude the port from the following general
> > MASQ rule, the target of your rule should be RETURN.
>
> However, I do not agree here - RETURNing just enables the masq again,
> whereas ACCEPTing just forwards the packet without MASQing.

If you would get rid of the unnecessary eth0_syslog chain and simply RETURN from eth0_masq it would do exactly what you want -- that's what I was trying to tell you.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
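The disagreement in the last two messages (and the "too late" append problem earlier in the thread) comes down to how iptables walks nat-table chains: a RETURN from a user chain resumes in the calling chain after the jump, ACCEPT and MASQUERADE end nat processing for the packet, and -I puts a rule ahead of everything already in the chain while -A puts it behind. The following is an added toy model of that traversal, not Shorewall or iptables code; it assumes (as the thread implies) that Shorewall's "eth1 eth0" masq entry becomes a POSTROUTING jump to an eth0_masq chain containing the MASQUERADE rule, with the LAN subnet 192.168.1.0/24, a constructed source host 192.168.1.10, and the chain names and variant labels chosen here for illustration. It shows that both the RETURN rule and the ACCEPT-via-extra-chain rule leave port 514 un-masqueraded, while an appended rule never fires.

```python
"""Toy model of iptables nat-table traversal (added illustration, not Shorewall
or iptables code). It reproduces only what the thread turns on: user-defined
chains, -I (insert at the front) versus -A (append), and how the ACCEPT,
RETURN and MASQUERADE targets end or continue chain traversal."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One nat rule. target is ACCEPT, RETURN, MASQUERADE or a user chain name."""
    target: str
    out_if: Optional[str] = None      # -o <iface>
    proto: Optional[str] = None       # -p <proto>
    dport: Optional[int] = None       # --dport <port>
    src: Optional[str] = None         # -s <cidr>

    def matches(self, pkt: dict) -> bool:
        if self.out_if and pkt["out_if"] != self.out_if:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        return True


class NatTable:
    def __init__(self):
        self.chains = {"POSTROUTING": []}

    def ensure_chain(self, name):           # like Shorewall's ensurenatchain
        self.chains.setdefault(name, [])

    def append(self, chain, rule):          # iptables -t nat -A <chain> ...
        self.chains[chain].append(rule)

    def insert(self, chain, rule, num=1):   # iptables -t nat -I <chain> [num] ...
        self.chains[chain].insert(num - 1, rule)

    def _walk(self, chain, pkt):
        """Traverse one chain; returns ACCEPT, MASQUERADE, or RETURN.
        Falling off the end of a user chain behaves like RETURN."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "MASQUERADE", "RETURN"):
                return rule.target
            verdict = self._walk(rule.target, pkt)   # jump into a user chain
            if verdict != "RETURN":
                return verdict                       # ACCEPT/MASQUERADE end the table
            # RETURN: resume with the next rule in *this* chain
        return "RETURN"

    def masqueraded(self, pkt):
        """True if the packet hits MASQUERADE anywhere in nat POSTROUTING.
        ACCEPT, or reaching the end of POSTROUTING (policy ACCEPT), means no NAT."""
        return self._walk("POSTROUTING", pkt) == "MASQUERADE"


def shorewall_layout(exclusion: str) -> NatTable:
    """Assumed approximation of what Shorewall builds for 'eth1 eth0' in masq:
    POSTROUTING -o eth0 jumps to eth0_masq, which MASQUERADEs the LAN subnet.
    'exclusion' selects how the port-514 exception from the thread is added."""
    nat = NatTable()
    nat.ensure_chain("eth0_masq")
    nat.append("POSTROUTING", Rule("eth0_masq", out_if="eth0"))
    nat.append("eth0_masq", Rule("MASQUERADE", src="192.168.1.0/24"))
    if exclusion == "return":          # Tom's suggestion: -I eth0_masq ... -j RETURN
        nat.insert("eth0_masq", Rule("RETURN", proto="udp", dport=514))
    elif exclusion == "accept-chain":  # Titus's start script: -I ... -j eth0_syslog, then ACCEPT
        nat.ensure_chain("eth0_syslog")
        nat.insert("eth0_masq", Rule("eth0_syslog", proto="udp", dport=514))
        nat.append("eth0_syslog", Rule("ACCEPT"))
    elif exclusion == "appended":      # the -A variant: lands after MASQUERADE, too late
        nat.append("eth0_masq", Rule("RETURN", proto="udp", dport=514))
    return nat


def is_masqueraded(exclusion: str, proto: str, dport: int) -> bool:
    """Constructed packet: LAN host 192.168.1.10 leaving via eth0 (assumed values)."""
    pkt = {"src": "192.168.1.10", "out_if": "eth0", "proto": proto, "dport": dport}
    return shorewall_layout(exclusion).masqueraded(pkt)


if __name__ == "__main__":
    for variant in ("none", "return", "accept-chain", "appended"):
        print(f"{variant:13s} syslog/514 masqueraded: {is_masqueraded(variant, 'udp', 514)!s:5s}"
              f"  http/80 masqueraded: {is_masqueraded(variant, 'tcp', 80)}")
```

Running the model shows why the extra eth0_syslog chain is unnecessary: a RETURN placed at the front of eth0_masq sends the packet back to POSTROUTING past the only MASQUERADE rule, so it leaves with its real source address, exactly like the ACCEPT variant, while everything else still matches the MASQUERADE rule. On a real system the same distinction can be checked with `iptables -t nat -L eth0_masq -n -v --line-numbers`, which shows rule order and which rules are counting packets.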