Shorewall users - Apr 2004 - need help on migrating to version 2.0

Hi shorewall community !
Recentely, I did apt-get upgrade on my Debian sid box and get installed 
shorewall 2.0.0-4 package.
I''ve been warned about /etc/shorewall/common not longer supported.
Reading http://www.shorewall.net/User_defined_Actions.html  does not help me too
much, especially, example mentioned at bottom of this document seems to me
does not work. I mean run_iptables commands mentioned in
/etc/shorewall/DropBcasts

Here is piece of significant rules from my common files which i need to be
integrated in 2.0 version:

----------------------------------------------------------------------------------
CUT HERE
---------------------------------------------------------------------------------------------------------------

#############################################################################
# Queues
#############################################################################
run_iptables -A FORWARD -s 212.86..xx.xx -i eth0 -o eth3 -j QUEUE
run_iptables -A FORWARD -d 212.86.xx.xx -o eth0 -i eth3 -j QUEUE

# Calypso restrict
run_iptables -A OUTPUT -s 212.86.100.zz -o eth3 -j QUEUE
run_iptables -A INPUT -d 212.86.100.zz -i eth3 -j QUEUE

#############################################################################
# SNAT for another outgoing IP
#############################################################################

# for ssh
run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 22 -j SNAT
--to-source 212.86.yy.yy

# for telnet
run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 23 -j SNAT
--to-source 212.86.yy.yy

----------------------------------------------------------------------------------
CUT HERE
---------------------------------------------------------------------------------------------------------------

Seems to me first part of my file (QUEUE''s target) I can integrate in
/etc/shorewall/rules, but how actually I can do SNAT''ing with new
shorewall config files ?

Guys ! I really need you help, please give me some guides how to make it work
under latest version of shorewall !


Thank you very much !

-- 
With kind regards,
  Vyacheslav

Vyacheslav E. Sidin wrote:
> Hi shorewall community !
> Recentely, I did apt-get upgrade on my Debian sid box and get installed 
> shorewall 2.0.0-4 package.
> I''ve been warned about /etc/shorewall/common not longer supported.
> Reading http://www.shorewall.net/User_defined_Actions.html  does not help
me too much, especially, example mentioned at bottom of this document seems to
me
> does not work. I mean run_iptables commands mentioned in
/etc/shorewall/DropBcasts
> 
> Here is piece of significant rules from my common files which i need to be
integrated in 2.0 version:
> 
>
----------------------------------------------------------------------------------
CUT HERE
---------------------------------------------------------------------------------------------------------------
> 
>
#############################################################################
> # Queues
>
#############################################################################
> run_iptables -A FORWARD -s 212.86..xx.xx -i eth0 -o eth3 -j QUEUE
> run_iptables -A FORWARD -d 212.86.xx.xx -o eth0 -i eth3 -j QUEUE
> 
> # Calypso restrict
> run_iptables -A OUTPUT -s 212.86.100.zz -o eth3 -j QUEUE
> run_iptables -A INPUT -d 212.86.100.zz -i eth3 -j QUEUE
> 
>
#############################################################################
> # SNAT for another outgoing IP
>
#############################################################################
> 
> # for ssh
> run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 22 -j
SNAT --to-source 212.86.yy.yy
> 
> # for telnet
> run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 23 -j
SNAT --to-source 212.86.yy.yy
> 
>
----------------------------------------------------------------------------------
CUT HERE
---------------------------------------------------------------------------------------------------------------
> 
> Seems to me first part of my file (QUEUE''s target) I can integrate
in /etc/shorewall/rules, but how actually I can do SNAT''ing with new
shorewall config files ?
> 
> Guys ! I really need you help, please give me some guides how to make it
work under latest version of shorewall !
As you say, you should be able to code the QUEUE rules directly in the 
rules file. without knowing what zones eth0 and eth3 are connected to 
though, we can''t possibly help you with that.

The SNAT rules should go in /etc/shorewall/start (where all of these 
rules should have been in the first place).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi Tom !
Thank you very much for quick response.
Here info about zones:

eth0 - 212.86.xx.aa - slavz (my work computer connected there)
eth3 - 212.86.100.zz - net (this is WiFi card for internet access)

As I can see /etc/shorewall/start executed when all rules were inserted into
firewall. Is there exist any config file/way for process run_iptables commands
between/before actions/rules ?
Can you please tell me if it possible to somehow execute custom run_iptables
scripts in action files ? Things mentioned at bottom of
http://www.shorewall.net/User_defined_Actions.html does not work me :(
/etc/shorewall/DropBcasts does not executed for me)

Thank you very much.

--
With kind regards, 
  Vyacheslav

On Friday 09 April 2004 18:56, Tom Eastep wrote:
> Vyacheslav E. Sidin wrote:
> > Hi shorewall community !
> > Recentely, I did apt-get upgrade on my Debian sid box and get
installed
> > shorewall 2.0.0-4 package.
> > I''ve been warned about /etc/shorewall/common not longer
supported.
> > Reading http://www.shorewall.net/User_defined_Actions.html  does not
help me too much, especially, example mentioned at bottom of this document seems
to me
> > does not work. I mean run_iptables commands mentioned in
/etc/shorewall/DropBcasts
> > 
> > Here is piece of significant rules from my common files which i need
to be integrated in 2.0 version:
> > 
> >
----------------------------------------------------------------------------------
CUT HERE
---------------------------------------------------------------------------------------------------------------
> > 
> >
#############################################################################
> > # Queues
> >
#############################################################################
> > run_iptables -A FORWARD -s 212.86..xx.xx -i eth0 -o eth3 -j QUEUE
> > run_iptables -A FORWARD -d 212.86.xx.xx -o eth0 -i eth3 -j QUEUE
> > 
> > # Calypso restrict
> > run_iptables -A OUTPUT -s 212.86.100.zz -o eth3 -j QUEUE
> > run_iptables -A INPUT -d 212.86.100.zz -i eth3 -j QUEUE
> > 
> >
#############################################################################
> > # SNAT for another outgoing IP
> >
#############################################################################
> > 
> > # for ssh
> > run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 22
-j SNAT --to-source 212.86.yy.yy
> > 
> > # for telnet
> > run_iptables -t nat -I POSTROUTING -s 212.86.xx.xx -p tcp --dport 23
-j SNAT --to-source 212.86.yy.yy
> > 
> >
----------------------------------------------------------------------------------
CUT HERE
---------------------------------------------------------------------------------------------------------------
> > 
> > Seems to me first part of my file (QUEUE''s target) I can
integrate in /etc/shorewall/rules, but how actually I can do SNAT''ing
with new shorewall config files ?
> > 
> > Guys ! I really need you help, please give me some guides how to make
it work under latest version of shorewall !
> 
> As you say, you should be able to code the QUEUE rules directly in the 
> rules file. without knowing what zones eth0 and eth3 are connected to 
> though, we can''t possibly help you with that.
> 
> The SNAT rules should go in /etc/shorewall/start (where all of these 
> rules should have been in the first place).
> 
> -Tom
-- 
With best wishes, Vyacheslav
+(380)-67-7049233

Vyacheslav E. Sidin wrote:
> Hi Tom !
> Thank you very much for quick response.
> Here info about zones:
> 
> eth0 - 212.86.xx.aa - slavz (my work computer connected there)
> eth3 - 212.86.100.zz - net (this is WiFi card for internet access)
> 
> As I can see /etc/shorewall/start executed when all rules were inserted
into firewall. Is there exist any config file/way for process run_iptables
commands
> between/before actions/rules ?
Place your rules in /etc/shorewall/FORWARD.
> Can you please tell me if it possible to somehow execute custom
run_iptables scripts in action files ?
Action files are *NOT* simple extension scripts that get executed at 
startup time. They rather define rules that get invoked when a packet is 
passed to the action via the rules file.

  Things mentioned at bottom of
> http://www.shorewall.net/User_defined_Actions.html does not work me :(
/etc/shorewall/DropBcasts does not executed for me)
> 
Actions only get executed when invoked from your rules file. They are 
*NOT* scripts that get run at startup time. They only support rules 
dealing with the Netfilter ''filter'' table.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> Vyacheslav E. Sidin wrote:
> 
>> Hi Tom !
>> Thank you very much for quick response.
>> Here info about zones:
>>
>> eth0 - 212.86.xx.aa - slavz (my work computer connected there)
>> eth3 - 212.86.100.zz - net (this is WiFi card for internet access)
>>
>> As I can see /etc/shorewall/start executed when all rules were 
>> inserted into firewall. Is there exist any config file/way for process 
>> run_iptables commands between/before actions/rules ?
> 
> 
> Place your rules in /etc/shorewall/FORWARD.
> 
Or in /etc/shorewall/INPUT if that''s where you want to insert the
rules.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Vyacheslav E. Sidin wrote:
> Hi Tom !
> Thank you very much for quick response.
> Here info about zones:
> 
> eth0 - 212.86.xx.aa - slavz (my work computer connected there)
> eth3 - 212.86.100.zz - net (this is WiFi card for internet access)
 >>>run_iptables -A FORWARD -s 212.86..xx.xx -i eth0 -o eth3 -j QUEUE
 >>>run_iptables -A FORWARD -d 212.86.xx.xx -o eth0 -i eth3 -j QUEUE
 >>>

QUEUE	slavz:212.86..xx.xx net	all
QUEUE	net slavz:212.86..xx.xx all	

 >>># Calypso restrict
 >>>run_iptables -A OUTPUT -s 212.86.100.zz -o eth3 -j QUEUE
 >>>run_iptables -A INPUT -d 212.86.100.zz -i eth3 -j QUEUE

QUEUE	fw:212.100.zz	net	all
QUEUE	net	fw:212.100.zz	all

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi Tom!
Thank you very much for you responses.
Does it mean that /etc/shorewall/FORWARD is extension script for FORWARD chain ?
the same rule for INPUT/OUTPUT/POSTROUTING/PREROUTING chains ? Is this scripts
executed before
insertions all other rules to mentioned chain ?

About custom actions and example in
http://www.shorewall.net/User_defined_Actions.html ....
/etc/shorewall/DropBcasts - looks like extension script, when it executed ?

Thank you very much!

--
With kind regards,
  Vyacheslav

On Friday 09 April 2004 20:45, Tom Eastep wrote:
> Vyacheslav E. Sidin wrote:
> > Hi Tom !
> > Thank you very much for quick response.
> > Here info about zones:
> > 
> > eth0 - 212.86.xx.aa - slavz (my work computer connected there)
> > eth3 - 212.86.100.zz - net (this is WiFi card for internet access)
> > 
> > As I can see /etc/shorewall/start executed when all rules were
inserted into firewall. Is there exist any config file/way for process
run_iptables commands
> > between/before actions/rules ?
> 
> Place your rules in /etc/shorewall/FORWARD.
> 
> > Can you please tell me if it possible to somehow execute custom
run_iptables scripts in action files ?
> 
> Action files are *NOT* simple extension scripts that get executed at 
> startup time. They rather define rules that get invoked when a packet is 
> passed to the action via the rules file.
> 
>   Things mentioned at bottom of
> > http://www.shorewall.net/User_defined_Actions.html does not work me :(
/etc/shorewall/DropBcasts does not executed for me)
> > 
> 
> Actions only get executed when invoked from your rules file. They are 
> *NOT* scripts that get run at startup time. They only support rules 
> dealing with the Netfilter ''filter'' table.
> 
> -Tom

Vyacheslav E. Sidin wrote:
> Hi Tom!
> Thank you very much for you responses.
> Does it mean that /etc/shorewall/FORWARD is extension script for FORWARD
chain ?
> the same rule for INPUT/OUTPUT/POSTROUTING/PREROUTING chains ? Is this
scripts executed before
> insertions all other rules to mentioned chain ?
First of all, there are no POSTROUTING or PREROUTING extension scripts 
-- there are INPUT, FORWARD and OUTPUT.

These scripts are executed just before the common action jump (if any) 
is inserted into the corresponding chain in the *filter* table.
> 
> About custom actions and example in
http://www.shorewall.net/User_defined_Actions.html ....
> /etc/shorewall/DropBcasts - looks like extension script, when it executed ?
> 
NO -- An action defines a set of rules that you want to be able to 
selectively send packets through.

If you have an action called A:

a) When A appears in the ACTION column of a rule then those packets 
matching the rule are sent through the filter table chain called A. The 
contents of A are determined by what /etc/shorewall/A does and what is 
contained in /etc/shorewall/action.A. /etc/shorewall/A (if it exists) is 
invoked before the contents of /etc/shorewall/action.A are converted to 
iptables rules and added to the chain A.

b) /etc/shorewall/A *WILL ONLY BE INVOKED IF*
	- A is defined as a common action (that is, it is associated with 
REJECT, ACCEPT or DROP policies) in /etc/shorewall/actions; or
	- A appears in the ACTION column of at least one entry in 
/etc/shorewall/rules.

c) The intent of /etc/shorewall/A is to add (-A) rules to chain A *AND 
THAT IS ALL*.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>>
>> About custom actions and example in 
>> http://www.shorewall.net/User_defined_Actions.html ....
>> /etc/shorewall/DropBcasts - looks like extension script, when it 
>> executed ?
>>
> 
> NO -- An action defines a set of rules that you want to be able to 
> selectively send packets through.
> 
Actually, /etc/shorewall/DropBcasts is executed just like an extension 
script but only under certain circumstances as I''ve already described.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi Tom !
Thank you very much for detailed responses.

No, I get picture more clear and think that already able to advanced configure
my firewall.

by the way, thank you for great shorewall application.

With best wishes,
  Vyacheslav

On Friday 09 April 2004 21:27, Tom Eastep wrote:
> Vyacheslav E. Sidin wrote:
> > Hi Tom!
> > Thank you very much for you responses.
> > Does it mean that /etc/shorewall/FORWARD is extension script for
FORWARD chain ?
> > the same rule for INPUT/OUTPUT/POSTROUTING/PREROUTING chains ? Is this
scripts executed before
> > insertions all other rules to mentioned chain ?
> 
> First of all, there are no POSTROUTING or PREROUTING extension scripts 
> -- there are INPUT, FORWARD and OUTPUT.
> 
> These scripts are executed just before the common action jump (if any) 
> is inserted into the corresponding chain in the *filter* table.
> 
> > 
> > About custom actions and example in
http://www.shorewall.net/User_defined_Actions.html ....
> > /etc/shorewall/DropBcasts - looks like extension script, when it
executed ?
> > 
> 
> NO -- An action defines a set of rules that you want to be able to 
> selectively send packets through.
> 
> If you have an action called A:
> 
> a) When A appears in the ACTION column of a rule then those packets 
> matching the rule are sent through the filter table chain called A. The 
> contents of A are determined by what /etc/shorewall/A does and what is 
> contained in /etc/shorewall/action.A. /etc/shorewall/A (if it exists) is 
> invoked before the contents of /etc/shorewall/action.A are converted to 
> iptables rules and added to the chain A.
> 
> b) /etc/shorewall/A *WILL ONLY BE INVOKED IF*
> 	- A is defined as a common action (that is, it is associated with 
> REJECT, ACCEPT or DROP policies) in /etc/shorewall/actions; or
> 	- A appears in the ACTION column of at least one entry in 
> /etc/shorewall/rules.
> 
> c) The intent of /etc/shorewall/A is to add (-A) rules to chain A *AND 
> THAT IS ALL*.
> 
> -Tom
-- 
With best wishes, Vyacheslav
+(380)-67-7049233