Steve Hindle
2007-Jan-03 23:00 UTC
'temporary' or 'on the fly' rule additions/removals
Hi! I think gmane ate my previous posting of this - if it's a dupe, I'm sorry...

I'd like to add/remove 'temporary' rules to a running shorewall. I'd like to add a port forward to redirect web traffic when I shut my virtual servers down for backups, etc. ("Site currently down for maintenance please try later" type thing)

It seems silly to bounce/reload shorewall 10 times in an hour for this, so I was just going to manually add/remove the rule from the firewall. However, I don't want to break anything in the Shorewall setup...

So is there a specific table/chain I should add rules like this to (shorewall creates a lot of them!)? And should I use raw netfilter commands, or the run_iptables thingy that comes with shorewall?

Any help would be appreciated!

Thanks and Happy New Year!

Steve

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tom Eastep
2007-Jan-03 23:19 UTC
Re: 'temporary' or 'on the fly' rule additions/removals
Steve Hindle wrote:
> I'd like to add/remove 'temporary' rules to a running shorewall. I'd
> like to add a port forward to redirect web traffic when I shut my
> virtual servers down for backups, etc. ("Site currently down for
> maintenance please try later" type thing)
>
> It seems silly to bounce/reload shorewall 10 times in an hour for
> this, so I was just going to manually add/remove the rule from the
> firewall. However, I don't want to break anything in the Shorewall setup...
>
> So is there a specific table/chain I should add rules like this to
> (shorewall creates a lot of them!)? And should I use raw netfilter
> commands, or the run_iptables thingy that comes with shorewall?
>
> Any help would be appreciated!

Port Forward/Redirect rules may be *inserted* (use the 'iptables -I' command) into the nat table's PREROUTING chain. Such rules will preempt anything that Shorewall has done. You will probably also have to insert an appropriate ACCEPT rule into the filter table INPUT chain.

Use iptables directly. 'run_iptables' is only intended for use in Shorewall extension scripts.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Steve Hindle
2007-Jan-04 15:58 UTC
Re: 'temporary' or 'on the fly' rule additions/removals
On 1/3/07, Tom Eastep <teastep@shorewall.net> wrote:
> Port Forward/Redirect rules may be *inserted* (use the 'iptables -I'
> command) into the nat table's PREROUTING chain. Such rules will preempt
> anything that Shorewall has done. You will probably also have to insert an
> appropriate ACCEPT rule into the filter table INPUT chain.
>

Thanks Tom - that's what I needed...

BTW, after getting bit by a co-lo provider that caches ARP addresses for _4 Hours_, I took your proxyarp advice to heart, and converted all the systems to proxy arp on the firewall. Works great!

And thanks for shorewall! It's one of the nicest pieces of software I've used. Good docs, great features.. truly wonderful software :-)

Steve