Shorewall users - Aug 2003 - blacklisted hosts still being ''REDIRECT''ed

I''m using PortSentry to block hosts similar to the documents in the
contrib area.

I really wanted to see the original incoming requests so I''d know what
port the remote host attempted to connect to since portsentry only sees
everything coming from port 49999. I did this by simply changing the REDIRECT
rules to REDIRECT:info and in portsentry.temp.block I made this somewhat kludgy
yet very effective change to show me the original port (for anyone interested):

BAD_PORT=`tail -20 /var/log/messages | grep $BAD_IP | grep REDIRECT | tail -n 1
| sed s/DF\ // | awk ''{print $18}'' | sed s/DPT=//`

However, the reason for this message is, I keep seeing REDIRECT messages in my
logs from hosts that are blacklisted.

For instance:

Aug 27 22:17:09 mybitch kernel: Shorewall:net_dnat:REDIRECT:IN=eth1 OUT=
MAC=52:54:40:22:16:2c:00:03:6c:4b:34:70:08:00 SRC=218.15.192.64 DST=myextip
LEN=314 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=31101 DPT=1026 LEN=294

cat /var/log/messages | grep 218.15.192.64 | grep REDIRECT | wc -l
    114

So 114 REDIRECTS, yet cat /var/lib/shorewall/save | grep 218.15.192.64 shows:

DROP       all  --  218.15.192.64        0.0.0.0/0

The host was blacklisted on 8/23/2003.

Which leads to my questions..

Why is this blacklisted host still being processed through the redirect rule? Is
there something I can change in my setup to process the blacklist before the
redirect rule?

Thanks.

On Thu, 28 Aug 2003 itdamager@cox.net wrote:
> The host was blacklisted on 8/23/2003.
>
> Which leads to my questions..
>
> Why is this blacklisted host still being processed through the redirect
> rule? Is there something I can change in my setup to process the
> blacklist before the redirect rule?
If I remember correctly a blacklisted address will be dropped without
going through any additional checks.  Just curoius, did you enable
"blacklist" on the interface?

Ed

-- 
SARS - The only virus not spread by Outlook
http://www.shorewall.net/  for all your firewall needs

>Just curoius, did you enable "blacklist" on the interface?
Yes, blacklist is enabled, among other options.

interfaces:
net     eth1            detect
dhcp,routefilter,norfc1918,tcpflags,logunclean,blacklist
loc     eth0            detect          dhcp

On Thu, 2003-08-28 at 00:34, itdamager@cox.net wrote:
> Which leads to my questions..
> 
> Why is this blacklisted host still being processed through the redirect
rule?
Because the REDIRECT rule in the ''nat'' table is processed
before the
blacklisting rules in the ''filter'' table.

And please post in plain text and configure your mailer to fold long lines. 

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Thu, 2003-08-28 at 07:25, Tom Eastep wrote:
> On Thu, 2003-08-28 at 00:34, itdamager@cox.net wrote:
> 
> > Which leads to my questions..
> > 
> > Why is this blacklisted host still being processed through the
redirect rule?
> 
> Because the REDIRECT rule in the ''nat'' table is processed
before the
> blacklisting rules in the ''filter'' table.
And recent versions of Shorewall log REDIRECT and NAT rules out of the
''nat'' table.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

> > > Why is this blacklisted host still being processed through
> the redirect rule?
> >
> > Because the REDIRECT rule in the ''nat'' table is
processed before the
> > blacklisting rules in the ''filter'' table.
>
> And recent versions of Shorewall log REDIRECT and NAT rules out of the
> ''nat'' table.
>
> -Tom
Tom, forgive my ignorance (and my bad mailer), but to me it would make sense
that blacklisted hosts would be completely ignored and never traverse any
rules, nat or otherwise. Can you explain to me why this isn''t the case?
Is
there something I can do in my configuration to make blacklist always come
first?

Thanks

On Thu, 2003-08-28 at 12:56, IT Damager wrote:
> Tom, forgive my ignorance (and my bad mailer), but to me it would make
sense
> that blacklisted hosts would be completely ignored and never traverse any
> rules, nat or otherwise. Can you explain to me why this isn''t the
case?
Shorewall supports a BLACKLIST_DISPOSITION variable which can be set to
"REJECT". The REJECT target is only available in the INPUT and FORWARD
chains of the ''filter'' table (ref. "man iptables"). 

In order to not have to implement a different ruleset structure for
BLACKLIST_DISPOSITION=DROP and BLACKLIST_DISPOSITION=REJECT, I chose to
implement all blacklisting in the ''filter'' table which is
traversed
AFTER both the ''mangle'' table and the ''nat''
table. As I explained in my
previous post, REDIRECT and DNAT rules add rules to the ''nat''
table and
recent versions of Shorewall also log these rules out of that table.
> Is
> there something I can do in my configuration to make blacklist always come
> first?
> 
Do your own implementation of blacklisting using an extension script
(probably /etc/shorewall/start) and enforce your form of blacklisting in
the PREROUTING chain of the ''mangle'' table. The only choice
for a
disposition would be to DROP the packets.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net