Hi shorewall community!

Recently I did apt-get upgrade on my Debian sid box and got the shorewall 2.0.0-4 package installed. I've been warned that /etc/shorewall/common is no longer supported. Reading http://www.shorewall.net/User_defined_Actions.html does not help me too much; especially, the example mentioned at the bottom of this document does not seem to work for me. I mean the run_iptables commands mentioned in /etc/shorewall/DropBcasts.

Here is the piece of significant rules from my common file which I need to integrate into the 2.0 version:

---------- CUT HERE ----------
#############################################################################
# Queues
#############################################################################
run_iptables -A FORWARD -s 212.86.xx.xx -i eth0 -o eth3 -j QUEUE
run_iptables -A FORWARD -d 212.86.xx.xx -o eth0 -i eth3 -j QUEUE

# Calypso restrict
run_iptables -A OUTPUT -s 212.86.100.zz -o eth3 -j QUEUE
run_iptables -A INPUT -d 212.86.100.zz -i eth3 -j QUEUE

#############################################################################
# SNAT for another outgoing IP
#############################################################################

# for ssh
run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 22 -j SNAT --to-source 212.86.yy.yy

# for telnet
run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 23 -j SNAT --to-source 212.86.yy.yy
---------- CUT HERE ----------

It seems to me that the first part of my file (the QUEUE target) I can integrate into /etc/shorewall/rules, but how actually can I do SNAT'ing with the new shorewall config files?

Guys! I really need your help, please give me some guidance on how to make it work under the latest version of shorewall!

Thank you very much!
--
With kind regards,
Vyacheslav
Vyacheslav E. Sidin wrote:
> It seems to me that the first part of my file (the QUEUE target) I can integrate into /etc/shorewall/rules, but how actually can I do SNAT'ing with the new shorewall config files?
>
> Guys! I really need your help, please give me some guidance on how to make it work under the latest version of shorewall!

As you say, you should be able to code the QUEUE rules directly in the rules file. Without knowing what zones eth0 and eth3 are connected to, though, we can't possibly help you with that.

The SNAT rules should go in /etc/shorewall/start (where all of these rules should have been in the first place).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom!

Thank you very much for the quick response. Here is the info about the zones:

eth0 - 212.86.xx.aa - slavz (my work computer is connected there)
eth3 - 212.86.100.zz - net (this is the WiFi card for internet access)

As I can see, /etc/shorewall/start is executed when all rules have already been inserted into the firewall. Does there exist any config file/way to process run_iptables commands between/before actions/rules? Can you please tell me if it is possible to somehow execute custom run_iptables scripts in action files? The things mentioned at the bottom of http://www.shorewall.net/User_defined_Actions.html do not work for me :( (/etc/shorewall/DropBcasts is not executed for me.)

Thank you very much.
--
With kind regards,
Vyacheslav

On Friday 09 April 2004 18:56, Tom Eastep wrote:
> As you say, you should be able to code the QUEUE rules directly in the rules file. Without knowing what zones eth0 and eth3 are connected to, though, we can't possibly help you with that.
>
> The SNAT rules should go in /etc/shorewall/start (where all of these rules should have been in the first place).
>
> -Tom
--
With best wishes,
Vyacheslav +(380)-67-7049233
Vyacheslav E. Sidin wrote:
> Hi Tom!
> Thank you very much for the quick response. Here is the info about the zones:
>
> eth0 - 212.86.xx.aa - slavz (my work computer is connected there)
> eth3 - 212.86.100.zz - net (this is the WiFi card for internet access)
>
> As I can see, /etc/shorewall/start is executed when all rules have already been inserted into the firewall. Does there exist any config file/way to process run_iptables commands between/before actions/rules?

Place your rules in /etc/shorewall/FORWARD.

> Can you please tell me if it is possible to somehow execute custom run_iptables scripts in action files?

Action files are *NOT* simple extension scripts that get executed at startup time. They rather define rules that get invoked when a packet is passed to the action via the rules file.

> The things mentioned at the bottom of http://www.shorewall.net/User_defined_Actions.html do not work for me :( (/etc/shorewall/DropBcasts is not executed for me.)

Actions only get executed when invoked from your rules file. They are *NOT* scripts that get run at startup time. They only support rules dealing with the Netfilter 'filter' table.

-Tom
Tom Eastep wrote:
> Vyacheslav E. Sidin wrote:
>> As I can see, /etc/shorewall/start is executed when all rules have already been inserted into the firewall. Does there exist any config file/way to process run_iptables commands between/before actions/rules?
>
> Place your rules in /etc/shorewall/FORWARD.

Or in /etc/shorewall/INPUT if that's where you want to insert the rules.

-Tom
Vyacheslav E. Sidin wrote:
> Hi Tom!
> Thank you very much for the quick response. Here is the info about the zones:
>
> eth0 - 212.86.xx.aa - slavz (my work computer is connected there)
> eth3 - 212.86.100.zz - net (this is the WiFi card for internet access)

>>> run_iptables -A FORWARD -s 212.86.xx.xx -i eth0 -o eth3 -j QUEUE
>>> run_iptables -A FORWARD -d 212.86.xx.xx -o eth0 -i eth3 -j QUEUE

QUEUE slavz:212.86.xx.xx net all
QUEUE net slavz:212.86.xx.xx all

>>> # Calypso restrict
>>> run_iptables -A OUTPUT -s 212.86.100.zz -o eth3 -j QUEUE
>>> run_iptables -A INPUT -d 212.86.100.zz -i eth3 -j QUEUE

QUEUE fw:212.86.100.zz net all
QUEUE net fw:212.86.100.zz all

-Tom
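The mapping Tom applies above is mechanical once the interface-to-zone relationship is known: in FORWARD the -i interface becomes the source zone and the -o interface the destination zone, INPUT rules have the firewall ("fw") as destination, OUTPUT rules have it as source, an address match narrows the zone as zone:address, and anything outside the filter table has no rules-file form and stays a run_iptables line for the /etc/shorewall/start extension script. The script below is an added example, not Shorewall code and not from anyone in this thread; it assumes the zone map given earlier (eth0 is slavz, eth3 is net), the default firewall zone name fw, and uses the poster's xx/yy/zz placeholder addresses as constructed input rather than real addresses.

```python
"""
Sort the run_iptables lines of an old /etc/shorewall/common file into their
Shorewall 2.0 homes: filter-table FORWARD/INPUT/OUTPUT rules become entries
for /etc/shorewall/rules, everything else is kept verbatim for the
/etc/shorewall/start extension script. Added example, not Shorewall's code.
"""
import shlex
from dataclasses import dataclass

# Assumption taken from the thread: eth0 faces zone 'slavz', eth3 faces 'net'.
IFACE_ZONES = {"eth0": "slavz", "eth3": "net"}
FW_ZONE = "fw"                      # assumed default firewall zone name

RULES_FILE = "/etc/shorewall/rules"
START_SCRIPT = "/etc/shorewall/start"


@dataclass
class Placement:
    target_file: str  # where the line belongs in a 2.0 configuration
    text: str         # a rules-file entry, or the untouched run_iptables line


def parse_run_iptables(line):
    """Split 'run_iptables ...' into (table, chain, opts).

    opts maps each option (-s, -d, -i, -o, -p, --dport, -j, ...) to its value.
    Every option in the thread's lines takes exactly one value; valueless
    flags such as --syn or -m matches are deliberately not handled.
    """
    toks = shlex.split(line)
    if not toks or toks[0] != "run_iptables":
        raise ValueError("not a run_iptables line: %r" % line)
    table, chain, opts = "filter", None, {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if i + 1 >= len(toks) or not tok.startswith("-"):
            raise ValueError("malformed option %r in %r" % (tok, line))
        val = toks[i + 1]
        if tok == "-t":
            table = val
        elif tok in ("-A", "-I"):
            chain = val
        else:
            opts[tok] = val
        i += 2
    if chain is None or "-j" not in opts:
        raise ValueError("need a chain and a -j target in %r" % line)
    return table, chain, opts


def zone_for(iface):
    """Zone behind an interface; a rule with no interface match means any zone."""
    if iface is None:
        return "all"
    if iface not in IFACE_ZONES:
        raise ValueError("no zone defined for interface %r" % iface)
    return IFACE_ZONES[iface]


def endpoint(zone, addr):
    """SOURCE/DEST column: the zone alone, or zone:address to narrow it."""
    return zone if addr is None else "%s:%s" % (zone, addr)


def translate(line):
    """Return the Placement for one run_iptables line."""
    table, chain, o = parse_run_iptables(line)
    if table != "filter":
        # nat/mangle rules have no rules-file equivalent; keep them as-is
        # for the start extension script, as Tom advised.
        return Placement(START_SCRIPT, line.strip())
    if chain == "FORWARD":
        src = endpoint(zone_for(o.get("-i")), o.get("-s"))
        dst = endpoint(zone_for(o.get("-o")), o.get("-d"))
    elif chain == "INPUT":      # traffic addressed to the firewall itself
        src = endpoint(zone_for(o.get("-i")), o.get("-s"))
        dst = endpoint(FW_ZONE, o.get("-d"))
    elif chain == "OUTPUT":     # traffic originating on the firewall
        src = endpoint(FW_ZONE, o.get("-s"))
        dst = endpoint(zone_for(o.get("-o")), o.get("-d"))
    else:
        raise ValueError("chain %s has no rules-file mapping" % chain)
    cols = [o["-j"], src, dst, o.get("-p", "all")]
    if "--dport" in o:
        cols.append(o["--dport"])   # DEST PORT(S) column
    return Placement(RULES_FILE, " ".join(cols))


def translate_common(text):
    """Group every run_iptables line of an old common file by destination file."""
    out = {RULES_FILE: [], START_SCRIPT: []}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        p = translate(stripped)
        out[p.target_file].append(p.text)
    return out


# Constructed input: the thread's common file, placeholder addresses kept.
OLD_COMMON = """
# Queues
run_iptables -A FORWARD -s 212.86.xx.xx -i eth0 -o eth3 -j QUEUE
run_iptables -A FORWARD -d 212.86.xx.xx -o eth0 -i eth3 -j QUEUE
# Calypso restrict
run_iptables -A OUTPUT -s 212.86.100.zz -o eth3 -j QUEUE
run_iptables -A INPUT -d 212.86.100.zz -i eth3 -j QUEUE
# SNAT for another outgoing IP
run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 22 -j SNAT --to-source 212.86.yy.yy
run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 23 -j SNAT --to-source 212.86.yy.yy
"""

if __name__ == "__main__":
    for target, lines in translate_common(OLD_COMMON).items():
        print("==> %s" % target)
        for entry in lines:
            print("    " + entry)
```

Two things worth checking after running this against a real common file. First, the nat lines are kept with their original -I: /etc/shorewall/start runs after Shorewall has already populated the nat table, so -I puts the port-specific SNAT entries ahead of anything generated from the masq file, whereas -A would put them behind and a broader MASQUERADE or SNAT entry earlier in POSTROUTING would match first. Second, the translator only understands the option shapes seen in this thread; a rule carrying -m state or other valueless flags raises instead of silently producing a wrong rules entry.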
Hi Tom!

Thank you very much for your responses. Does it mean that /etc/shorewall/FORWARD is an extension script for the FORWARD chain? Is it the same for the INPUT/OUTPUT/POSTROUTING/PREROUTING chains? Are these scripts executed before insertion of all other rules into the mentioned chain?

About custom actions and the example in http://www.shorewall.net/User_defined_Actions.html .... /etc/shorewall/DropBcasts looks like an extension script; when is it executed?

Thank you very much!
--
With kind regards,
Vyacheslav

On Friday 09 April 2004 20:45, Tom Eastep wrote:
> Place your rules in /etc/shorewall/FORWARD.
> [...]
> Actions only get executed when invoked from your rules file. They are *NOT* scripts that get run at startup time. They only support rules dealing with the Netfilter 'filter' table.
>
> -Tom
Vyacheslav E. Sidin wrote:
> Hi Tom!
> Thank you very much for your responses. Does it mean that /etc/shorewall/FORWARD is an extension script for the FORWARD chain? Is it the same for the INPUT/OUTPUT/POSTROUTING/PREROUTING chains? Are these scripts executed before insertion of all other rules into the mentioned chain?

First of all, there are no POSTROUTING or PREROUTING extension scripts -- there are INPUT, FORWARD and OUTPUT.

These scripts are executed just before the common action jump (if any) is inserted into the corresponding chain in the *filter* table.

> About custom actions and the example in http://www.shorewall.net/User_defined_Actions.html .... /etc/shorewall/DropBcasts looks like an extension script; when is it executed?

NO -- An action defines a set of rules that you want to be able to selectively send packets through.

If you have an action called A:

a) When A appears in the ACTION column of a rule then those packets matching the rule are sent through the filter table chain called A. The contents of A are determined by what /etc/shorewall/A does and what is contained in /etc/shorewall/action.A. /etc/shorewall/A (if it exists) is invoked before the contents of /etc/shorewall/action.A are converted to iptables rules and added to the chain A.

b) /etc/shorewall/A *WILL ONLY BE INVOKED IF*
   - A is defined as a common action (that is, it is associated with REJECT, ACCEPT or DROP policies) in /etc/shorewall/actions; or
   - A appears in the ACTION column of at least one entry in /etc/shorewall/rules.

c) The intent of /etc/shorewall/A is to add (-A) rules to chain A *AND THAT IS ALL*.

-Tom
Tom Eastep wrote:
>> About custom actions and the example in http://www.shorewall.net/User_defined_Actions.html .... /etc/shorewall/DropBcasts looks like an extension script; when is it executed?
>
> NO -- An action defines a set of rules that you want to be able to selectively send packets through.

Actually, /etc/shorewall/DropBcasts is executed just like an extension script but only under certain circumstances as I've already described.

-Tom
Hi Tom!

Thank you very much for the detailed responses. Now I get the picture more clearly and think that I am already able to do the advanced configuration of my firewall. By the way, thank you for the great shorewall application.

With best wishes,
Vyacheslav

On Friday 09 April 2004 21:27, Tom Eastep wrote:
> First of all, there are no POSTROUTING or PREROUTING extension scripts -- there are INPUT, FORWARD and OUTPUT.
>
> These scripts are executed just before the common action jump (if any) is inserted into the corresponding chain in the *filter* table.
> [...]
> c) The intent of /etc/shorewall/A is to add (-A) rules to chain A *AND THAT IS ALL*.
>
> -Tom
--
With best wishes,
Vyacheslav +(380)-67-7049233