Hi

I am looking at converting a Linux terminal server box to iptables using Shorewall 2.0. (At the moment it uses ipchains.)

The server currently has scripts which are called as each user logs in, which run a series of "ipchains" commands to set the access rights for that user (and again to cancel them when the user logs out).

My plan is to replace these scripts with ones that call "shorewall add" and "shorewall delete" to add the user to a predefined zone.

My problem is that the program which calls the scripts provides the remote IP address of the ppp interface as an argument, but not the actual interface name. Thus I don't have sufficient information to run something like:

shorewall add ppp1 raszone

but I can run

shorewall add ppp+:192.168.199.199 raszone

My attempts at this yielded syntax errors. Can shorewall accept wildcard entries like this? If not, is there an easy way to extract the interface name from the peer IP address of the interface? (The local IP of all the ppp interfaces is the same, so that will not help.)

For the record, the ipchains commands looked something like this:

ipchains -I chain -s 192.168.199.199/32 -d ! 192.168.199.0/24 -j DENY -l

Thanks

Ian
-- 
Ian Forbes ZSD http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Ian Forbes wrote:
> My attempts at this yielded syntax errors. Can shorewall accept
> wildcard entries like this?

ursa:/etc/test # shorewall -c . add ppp+:1.2.4.5 foo
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing ./shorewall.conf...
Loading Modules...
ppp+:1.2.4.5 added to zone foo
ursa:/etc/test #

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom

On Tuesday, 17 August 2004 18:57, Tom Eastep wrote:
> ursa:/etc/test # shorewall -c . add ppp+:1.2.4.5 foo
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing ./shorewall.conf...
> Loading Modules...
> ppp+:1.2.4.5 added to zone foo
> ursa:/etc/test #

Is there a version required to support the above? I am using version 2.0.7 and I get an error.

zslic:~# shorewall version
2.0.7
zslic:~# shorewall add ppp+:165.165.192.1 loc
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Error: Unknown interface ppp+
Terminated
zslic:~#

Or is there anything special required in the configuration, other than DYNAMIC_ZONES=Yes in shorewall.conf?

Thanks

Ian
-- 
Ian Forbes ZSD http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Hello Ian,

Wednesday, August 18, 2004, 1:18:27 PM, you wrote:

IF> Hi Tom
IF> On Tuesday, 17 August 2004 18:57, Tom Eastep wrote:
IF> Is there a version required to support the above? I am using version
IF> 2.0.7 and I get an error.
IF> zslic:~# shorewall version
IF> 2.0.7
IF> zslic:~# shorewall add ppp+:165.165.192.1 loc
IF> Loading /usr/share/shorewall/functions...
IF> Processing /etc/shorewall/params ...
IF> Processing /etc/shorewall/shorewall.conf...
IF> Loading Modules...
IF> Error: Unknown interface ppp+
IF> Terminated
IF> zslic:~#

I'm running 1.4 so I don't know if this applies, but have you added ppp to the interfaces?

My entry is

- ppp+

HTH

Graham
-- 
Graham K. Dodd
Director of Operations
Falk & Ross GmbH
Tel: 06301 717 0
Graham Dodd wrote:
| Hello Ian,
|
| Wednesday, August 18, 2004, 1:18:27 PM, you wrote:
|
| IF> Hi Tom
|
| IF> On Tuesday, 17 August 2004 18:57, Tom Eastep wrote:
|
| IF> Is there a version required to support the above? I am using version
| IF> 2.0.7 and I get an error.
|
| IF> zslic:~# shorewall version
| IF> 2.0.7
| IF> zslic:~# shorewall add ppp+:165.165.192.1 loc
| IF> Loading /usr/share/shorewall/functions...
| IF> Processing /etc/shorewall/params ...
| IF> Processing /etc/shorewall/shorewall.conf...
| IF> Loading Modules...
| IF> Error: Unknown interface ppp+
| IF> Terminated
| IF> zslic:~#
|
| I'm running 1.4 so I don't know if this applies, but have you added ppp to the interfaces?
|
| My entry is
|
| - ppp+

With all Shorewall versions that support dynamic zones, the <interface> used in the 'add' command must be defined in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
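The two practical pieces Ian's login/logout hook needs, as an added example that is not part of the thread and not Shorewall's own code: a function that recovers the ppp interface name from the peer address (the fallback he asked about, should the `ppp+:addr` form not be wanted) by parsing `ip -o -4 addr show` output, and a function that builds the `shorewall add`/`shorewall delete` command line only after checking that the address handed over by the terminal-server program really is a dotted quad, so a stray argument can never be spliced into a shell command as root. The interface listing and the addresses in it are constructed sample data; the zone name `raszone` is the one from Ian's message. Per Tom's answer, the `ppp+` form still requires a `- ppp+` line in /etc/shorewall/interfaces.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for a per-user PPP
# login/logout hook that drives Shorewall dynamic zones.

# Constructed sample of `ip -o -4 addr show` output. Every ppp interface
# shares the same local address (10.0.0.1), as in Ian's setup, so only
# the peer address identifies the interface.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
5: ppp0    inet 10.0.0.1 peer 192.168.199.199/32 scope global ppp0\       valid_lft forever preferred_lft forever
6: ppp1    inet 10.0.0.1 peer 192.168.199.200/32 scope global ppp1\       valid_lft forever preferred_lft forever'

# is_dotted_quad ADDR: succeeds only for four decimal octets, each 0-255.
is_dotted_quad() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i + 0 > 255) exit 1 }'
}

# iface_for_peer PEER < listing: prints the interface whose point-to-point
# peer address is PEER, reading an `ip -o -4 addr show` listing on stdin
# (stdin rather than running ip, so it can be tested offline). Exit 1 if
# no interface has that peer.
iface_for_peer() {
    awk -v want="$1" '
        $3 == "inet" && $5 == "peer" {
            split($6, a, "/")                  # strip the /32 prefix length
            if (a[1] == want) { print $2; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# shorewall_dyn_cmd ACTION PEER ZONE: prints the command the hook would run,
# e.g. "shorewall add ppp+:192.168.199.199 raszone". Refuses anything that
# is not add/delete with a valid address, so a malformed argument from the
# calling program is logged and dropped instead of executed.
shorewall_dyn_cmd() {
    action="$1"; peer="$2"; zone="$3"
    case "$action" in
        add|delete) ;;
        *) echo "shorewall_dyn_cmd: unknown action '$action'" >&2; return 1 ;;
    esac
    is_dotted_quad "$peer" || { echo "shorewall_dyn_cmd: bad peer address '$peer'" >&2; return 1; }
    case "$zone" in
        *[!A-Za-z0-9_]*|"") echo "shorewall_dyn_cmd: bad zone name '$zone'" >&2; return 1 ;;
    esac
    printf 'shorewall %s ppp+:%s %s\n' "$action" "$peer" "$zone"
}

# Stand-alone demonstration against the constructed listing.
printf '%s\n' "$SAMPLE_IP_OUTPUT" | iface_for_peer 192.168.199.199
shorewall_dyn_cmd add 192.168.199.199 raszone
shorewall_dyn_cmd delete 192.168.199.199 raszone
```

In the real hook, the listing comes from `ip -o -4 addr show | iface_for_peer "$PEER"` and the output of shorewall_dyn_cmd is evaluated (or the same arguments passed straight to shorewall) only after it returns success; the logout hook calls it with `delete` and the same peer address.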