Mark D. Mongtomery II
2004-Oct-11 12:00 UTC
Fw: setting an exception source to a redirect rule?
I recently set up shorewall on my freshly rebuilt router box. I set up transparent proxying using transproxy/dansguardian/privoxy/squid. My current rules for the redirect are:

REDIRECT loc 81 tcp www - !192.168.100.0/24
ACCEPT fw net tcp www

How do I set this so that all the requests are redirected except for requests FROM a certain machine (192.168.100.11)? I can't find anything telling how to do this, and my attempts to figure it out on my own haven't worked. :)

Thanks.

Mark II
--
END
-----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
Whatever you do will be insignificant, but it is very important that you do it. -- Gandhi
-----------------------------------
Mark D. Mongtomery II
2004-Oct-12 01:25 UTC
Re: Fw: setting an exception source to a redirect rule?
On Mon, 11 Oct 2004 08:00:46 -0400 "Mark D. Mongtomery II" <techiem2@techiem2.net> wrote:

> I recently set up shorewall on my freshly rebuilt router box.
> I set up transparent proxying using transproxy/dansguardian/privoxy/squid.
> My current rules for the redirect are:
>
> REDIRECT loc 81 tcp www - !192.168.100.0/24
> ACCEPT fw net tcp www

If I understand the way the rules work, adding

ACCEPT loc:192.168.100.11 net tcp www

under the above rules SHOULD work. But it doesn't. That box still gets redirected.

Mark II
--
We'll try to cooperate fully with the IRS, because, as citizens, we feel a strong patriotic duty not to go to jail. -- Dave Barry
-----------------------------------
Mark D. Mongtomery II wrote:
> On Mon, 11 Oct 2004 08:00:46 -0400
> "Mark D. Mongtomery II" <techiem2@techiem2.net> wrote:
>
>> I recently set up shorewall on my freshly rebuilt router box.
>> I set up transparent proxying using transproxy/dansguardian/privoxy/squid.
>> My current rules for the redirect are:
>>
>> REDIRECT loc 81 tcp www - !192.168.100.0/24
>> ACCEPT fw net tcp www
>
> If I understand the way the rules work, adding
> ACCEPT loc:192.168.100.11 net tcp www
> under the above rules SHOULD work

Then you totally misunderstand how rules work.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Mark D. Mongtomery II
2004-Oct-12 01:52 UTC
Re: setting an exception source to a redirect rule?
> On Mon, 11 Oct 2004 08:00:46 -0400
> "Mark D. Mongtomery II" <techiem2@techiem2.net> wrote:
>
>> I recently set up shorewall on my freshly rebuilt router box.
>> I set up transparent proxying using transproxy/dansguardian/privoxy/squid.
>> My current rules for the redirect are:
>>
>> REDIRECT loc 81 tcp www - !192.168.100.0/24
>> ACCEPT fw net tcp www
>
> If I understand the way the rules work, adding
> ACCEPT loc:192.168.100.11 net tcp www
> under the above rules SHOULD work. But it doesn't.
> That box still gets redirected.

AHA! I got it! I poked around the shorewall docs some more. Here is the resultant rule set.

#Let this machine access the www and exempt it from future DNAT and
#REDIRECT rules
ACCEPT+ loc:192.168.100.11 net tcp www
#Redirect local www requests to port 81 (transproxy)
REDIRECT loc 81 tcp www - !192.168.100.0/24
#Let the firewall get to the www
ACCEPT fw net tcp www

I'm not sure why putting an accept rule for it didn't work. Unless shorewall processes the rules when it receives a request until it hits one that works, which would cause the request to leave shorewall control. Like it hits the redirect, so it redirects, which would mean the request had left shorewall processing. Probably the same for putting the accept rule above the redirect. It was probably seeing that the machine was accepted, but then continued processing since the request hadn't been dnat'ed or redirected and therefore hit the redirect rule. That's my guess anyhow. I'm just happy that it works now. :)

Mark II
--
Sam: What do you say, Norm?
Norm: Any cheap, tawdry thing that'll get me a beer.
-- Cheers, Birth, Death, Love and Rice

Sam: What do you say to a beer, Normie?
Norm: Hiya, sailor. New in town?
-- Cheers, Woody Goes Belly Up

Norm: [coming in from the rain] Evening, everybody.
All: Norm! (Norman.)
Sam: Still pouring, Norm?
Norm: That's funny, I was about to ask you the same thing.
-- Cheers, Diane's Nightmare
-----------------------------------
Mark D. Mongtomery II wrote:
>
> #Let this machine access the www and exempt it from future DNAT and
> #REDIRECT rules
> ACCEPT+ loc:192.168.100.11 net tcp www
> #Redirect local www requests to port 81 (transproxy)
> REDIRECT loc 81 tcp www - !192.168.100.0/24
> #Let the firewall get to the www
> ACCEPT fw net tcp www
>
> I'm not sure why putting an accept rule for it didn't work.

Trivially, your REDIRECT rule redirects *all* www connections from the 'loc' zone to your proxy (except those being sent to 192.168.100.0/24). So *any* rule following that one could only affect traffic destined for 192.168.100.0/24 (rules are processed in the order listed and the first matching rule determines the disposition of the connection request).

But there is a more subtle issue at play here as well. Please refer to http://shorewall.net/PacketHandling.html and its companion article http://shorewall.net/NetfilterOverview.html.

Each DNAT or REDIRECT Shorewall rule creates *two* Netfilter rules -- one in the 'nat' table PREROUTING chain and one in the 'filter' table FORWARD (DNAT) or INPUT (REDIRECT) chain. A plain ACCEPT rule only creates an entry in the 'filter' table FORWARD, INPUT or OUTPUT chains. All rules in the PREROUTING 'nat' chain are traversed before any rules in the 'filter' FORWARD, INPUT or OUTPUT chains -- so to exempt 192.168.100.11 from your REDIRECT rule, you either needed to encode the exception in the rule:

REDIRECT loc:!192.168.100.11 81 tcp www - !192.168.100.0/24

or you needed to do exactly what you did with the ACCEPT+ rule. That rule also created two Netfilter rules:

a) One in the 'nat' table PREROUTING chain that terminates processing of rules in that chain.
b) One in the 'filter' table FORWARD chain (just like a plain ACCEPT would).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
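The two-chain behaviour Tom describes above, and the ACCEPT+ rule set Mark arrived at, modelled as an added Python example (not Shorewall's own code): rules are reduced to source/destination matching for tcp/www from loc to net, and a non-ACCEPT loc-to-net policy is assumed, so an exempted host still needs a filter-chain ACCEPT of its own.

```python
from ipaddress import ip_address, ip_network

LOC = ip_network("192.168.100.0/24")  # the 'loc' zone in the thread

def rule(action, src=None, src_not=None, dst_not=None):
    """One Shorewall-style rule for tcp/www from 'loc' to 'net'.
    src / src_not / dst_not are CIDR strings (a single host is a /32)."""
    return {"action": action, "src": src, "src_not": src_not, "dst_not": dst_not}

def matches(r, src, dst):
    """Does the rule's SOURCE/DEST specification match this connection?"""
    src, dst = ip_address(src), ip_address(dst)
    if src not in LOC:
        return False
    if r["src"] and src not in ip_network(r["src"]):
        return False
    if r["src_not"] and src in ip_network(r["src_not"]):
        return False
    if r["dst_not"] and dst in ip_network(r["dst_not"]):
        return False
    return True

def disposition(rules, src, dst, policy="DROP"):
    """Walk the rules the way Netfilter does: the nat PREROUTING chain first
    (REDIRECT and ACCEPT+ have entries there, plain ACCEPT does not), then the
    filter chain. The first match in each chain is final for that chain."""
    for r in rules:                                   # nat PREROUTING pass
        if r["action"] == "REDIRECT" and matches(r, src, dst):
            return "REDIRECT to fw:81"                # DNAT done; its filter entry accepts it
        if r["action"] == "ACCEPT+" and matches(r, src, dst):
            break                                     # terminates the nat chain, no DNAT
    for r in rules:                                   # filter FORWARD pass
        if r["action"] in ("ACCEPT", "ACCEPT+") and matches(r, src, dst):
            return "ACCEPT direct"
    return policy + " (policy)"                       # assumed loc->net policy

# Constructed rule sets taken from the thread, evaluated for the host to be exempted.
ORIGINAL = [rule("REDIRECT", dst_not="192.168.100.0/24"),
            rule("ACCEPT", src="192.168.100.11")]
ACCEPT_PLUS = [rule("ACCEPT+", src="192.168.100.11"),
               rule("REDIRECT", dst_not="192.168.100.0/24")]
EXCLUSION = [rule("REDIRECT", src_not="192.168.100.11", dst_not="192.168.100.0/24"),
             rule("ACCEPT", src="192.168.100.11")]

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("accept+", ACCEPT_PLUS), ("exclusion", EXCLUSION)):
        print(name, disposition(rs, "192.168.100.11", "203.0.113.5"))
```

Swapping the order of the two ORIGINAL rules changes nothing, because a plain ACCEPT never reaches the nat chain where the REDIRECT is decided.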
Mark D. Mongtomery II
2004-Oct-12 15:09 UTC
Re: setting an exception source to a redirect rule?
On Tue, 12 Oct 2004 07:20:10 -0700 Tom Eastep <teastep@shorewall.net> wrote:

> Mark D. Mongtomery II wrote:
<snip> Technical stuff </snip>

Ah. Thanks. That clears things up a little more. I'll get my head around it all eventually. :)

Mark II
--
World Domination, One CPU Cycle At A Time

Forget about searching for alien signals or prime numbers. The real distributed computing application is "Domination@World", a program to advocate Linux and Apache to every website in the world that uses Windows and IIS. The goal of the project is to probe every IP number to determine what kind of platform each Net-connected machine is running. "That's a tall order... we need lots of computers running our Domination@World clients to help probe every nook and cranny of the Net," explained Mr. Zell Litt, the project head.

After the probing is complete, the second phase calls for the data to be cross-referenced with the InterNIC whois database. "This way we'll have the names, addresses, and phone numbers for every Windows-using system administrator on the planet," Zell gloated. "That's when the fun begins."

The "fun" part involves LART (Linux Advocacy & Re-education Training), a plan for extreme advocacy. As part of LART, each Linux User Group will receive a list of the Windows-using weenies in their region. The LUG will then be able to employ various advocacy techniques, ranging from a soft-sell approach (sending the target a free Linux CD in the mail) all the way to "LARTcon 5" (cracking into their system and forcibly installing Linux).
-----------------------------------