Hello,

I have the 'loc' zone masqueraded for internet access. In the rules file there's a rule like

DROP loc:192.168.0.1 net all

that should cut the internet access for the specified IP address (I still want it to be able to access the dmz). The above rule is placed below the transparent proxy redirect rule. Well, this rule doesn't work, so I'm guessing that's because I already masqueraded that address; right? I know I can deny masquerading for a specific address in the masq file, but I was just wondering if there's a way I can use the rules file, as this would be much more readable.

Thanks,
Marius
Self follow-up:

Marius Stan wrote:
> Hello,
> [pretty much crap here]
> Thanks,
> Marius

I managed to block all traffic _except_ http; here are the relevant rules:

DROP:info loc:192.168.0.1 net all
REDIRECT:info loc 3128 tcp www

Why doesn't the first rule drop http traffic as well?

Marius
On Tuesday 02 March 2004 02:30 am, Marius Stan wrote:
> Self follow-up:
>
> Marius Stan wrote:
> > Hello,
> > [pretty much crap here]
> > Thanks,
> > Marius
>
> I managed to block all traffic _except_ http; here are the relevant rules:
>
> DROP:info loc:192.168.0.1 net all
> REDIRECT:info loc 3128 tcp www

Because the second rule generates two netfilter rules -- one to REDIRECT the request and one to ACCEPT the redirected request. The REDIRECT rule is executed before your DROP rule. You need:

DROP:info loc:192.168.0.1 net all
DROP:info loc:192.168.0.1 $FW:3128 tcp www
REDIRECT:info loc 3128 tcp www

or:

DROP:info loc:192.168.0.1 net all
REDIRECT:info loc:!192.168.0.1 3128 tcp www

If you look at the diagram at http://shorewall.net/NetfilterOverview.html this should become clearer to you.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Monday 08 March 2004 12:14 am, Marius Stan wrote:
> Tom Eastep wrote:
> >
> > You need:
> >
> > DROP:info loc:192.168.0.1 net all
> > DROP:info loc:192.168.0.1 $FW:3128 tcp www
> > REDIRECT:info loc 3128 tcp www
>
> Sorry for the delay.
> Actually these rules did it for me:
>
> DROP:info loc:192.168.0.1 net all
> DROP:info loc:192.168.0.1 fw tcp 3128
> REDIRECT loc 3128 tcp www

Yes -- my second rule was clearly wrong; sorry.

> Thanks, Tom.

You're welcome.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
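To make the ordering argument from Tom's reply and Marius's working rule set concrete, here is an added Python model (constructed for this thread, not Shorewall's own code) that expands a REDIRECT row into a nat rewrite plus an ACCEPT for the redirected request, as Tom describes, and evaluates an HTTP packet from 192.168.0.1 first-match against the original, the fixed and the exclusion-based rule sets. The second client address 192.168.0.2, the `POLICY` fall-through and the simplified matching are assumptions of the model.

```python
# Toy first-match model of how Shorewall expands rules into netfilter chains.
# Constructed illustration, not Shorewall's own code; every packet is assumed
# to originate in zone loc, and dst_zone is "net" or "fw" (the firewall).
def expand(rules):
    """Expand (ACTION, SOURCE, DEST, PROTO, PORT) rows into nat and filter
    lists. A REDIRECT row yields a nat rule (rewrite the destination to
    fw:<port>) plus a filter ACCEPT for the rewritten request, both in the
    row's original position (simplified model)."""
    nat, filt = [], []
    for action, src, dst, proto, dport in rules:
        if action == "REDIRECT":
            nat.append((src, proto, dport, int(dst)))
            filt.append(("ACCEPT", src, "fw", proto, int(dst)))
        else:
            filt.append((action, src, dst, proto, dport))
    return nat, filt

def src_matches(spec, pkt_src):
    """SOURCE column: 'loc', 'loc:<ip>' or 'loc:!<ip>' (exclusion)."""
    zone, _, host = spec.partition(":")
    if zone != "loc":
        return False
    if host.startswith("!"):
        return pkt_src != host[1:]
    return not host or pkt_src == host

def decide(rules, pkt):
    """Filter verdict for pkt after nat PREROUTING; first match wins in each."""
    nat, filt = expand(rules)
    pkt = dict(pkt)
    for src, proto, dport, to_port in nat:
        if src_matches(src, pkt["src"]) and (proto, dport) == (pkt["proto"], pkt["dport"]):
            pkt["dst_zone"], pkt["dport"] = "fw", to_port
            break
    for action, src, dst, proto, dport in filt:
        if (src_matches(src, pkt["src"]) and dst == pkt["dst_zone"]
                and proto in (None, pkt["proto"]) and dport in (None, pkt["dport"])):
            return action
    return "POLICY"  # no rule matched: the zone policy decides

HOST, OTHER = "192.168.0.1", "192.168.0.2"   # OTHER is a constructed second client
ORIGINAL = [("DROP", f"loc:{HOST}", "net", None, None),          # Marius's first try
            ("REDIRECT", "loc", "3128", "tcp", 80)]
FIXED = ORIGINAL[:1] + [("DROP", f"loc:{HOST}", "fw", "tcp", 3128)] + ORIGINAL[1:]
EXCLUDE = ORIGINAL[:1] + [("REDIRECT", f"loc:!{HOST}", "3128", "tcp", 80)]  # Tom's 2nd

def http_from(src):
    return {"src": src, "dst_zone": "net", "proto": "tcp", "dport": 80}
```

With `ORIGINAL`, the redirected request no longer has destination `net` when the DROP rule is evaluated, so the ACCEPT generated by the REDIRECT row wins; `FIXED` catches it on its way to fw:3128 and `EXCLUDE` never redirects it, so the first DROP applies.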