Please help me. Can I forbid any outgoing traffic (ping, traceroute) to RFC 1918 networks on my external interfaces, and if so, how?

Thank you very much.

Aleksandr

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
alex wrote:
> Please help me. Can I forbid any outgoing traffic (ping, traceroute) to
> RFC 1918 networks on my external interfaces, and if so, how?

/etc/shorewall/rules:

    REJECT  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  all

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> alex wrote:
>> Please help me. Can I forbid any outgoing traffic (ping, traceroute) to
>> RFC 1918 networks on my external interfaces, and if so, how?
>
> /etc/shorewall/rules:
>
>     REJECT  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  all
>
> -Tom

Thank you, Tom.

But I want to block traffic TO RFC 1918 addresses (as destination) on the external interface (since the Internet does not have them), not traffic FROM them.

Alex
On Tue, Nov 20, 2007 at 06:32:49PM +0200, alex wrote:
>> alex wrote:
>>> Please help me. Can I forbid any outgoing traffic (ping, traceroute) to
>>> RFC 1918 networks on my external interfaces, and if so, how?
>>
>> /etc/shorewall/rules:
>>
>>     REJECT  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  all
>>
>> -Tom
>
> Thank you, Tom.
> But I want to block traffic TO RFC 1918 addresses (as destination) on the
> external interface (since the Internet does not have them), not traffic FROM them.

Your ISP's routers (unless misconfigured) will reject the packets even if they escape your network.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
alex wrote:
>> alex wrote:
>>> Please help me. Can I forbid any outgoing traffic (ping, traceroute) to
>>> RFC 1918 networks on my external interfaces, and if so, how?
>> /etc/shorewall/rules:
>>
>>     REJECT  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  all
>>
>> -Tom
>
> Thank you, Tom.
> But I want to block traffic TO RFC 1918 addresses (as destination) on the
> external interface (since the Internet does not have them), not traffic FROM them.

If you really need our help to reverse the rule I posted, perhaps you should consider taking up another line of work.

    REJECT  all  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Tue, Nov 20, 2007 at 06:32:49PM +0200, alex wrote:
> But I want to block traffic TO RFC 1918 addresses (as destination) on the
> external interface (since the Internet does not have them), not traffic FROM them.

It is pointless to block traffic in one direction only.
>>>> Please help me. Can I forbid any outgoing traffic (ping, traceroute) to
>>>> RFC 1918 networks on my external interfaces, and if so, how?
>>> /etc/shorewall/rules:
>>>
>>>     REJECT  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  all
>>>
>>> -Tom
>>
>> Thank you, Tom.
>> But I want to block traffic TO RFC 1918 addresses (as destination) on the
>> external interface (since the Internet does not have them), not traffic FROM them.
>
> If you really need our help to reverse the rule I posted, perhaps you should
> consider taking up another line of work.
>
>     REJECT  all  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

After I applied your instruction I see that Shorewall added the rules to the 'fw2net' chain:

    Chain fw2net (1 references)
     pkts bytes target  prot opt in  out source     destination
        0     0 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0       state RELATED,ESTABLISHED
        0     0 reject  all  --  *   *   0.0.0.0/0  10.0.0.0/8
        0     0 reject  all  --  *   *   0.0.0.0/0  172.16.0.0/12
        0     0 reject  all  --  *   *   0.0.0.0/0  192.168.0.0/16
        0     0 ACCEPT  icmp --  *   *   0.0.0.0/0  0.0.0.0/0
        0     0 Reject  all  --  *   *   0.0.0.0/0  0.0.0.0/0
        0     0 LOG     all  --  *   *   0.0.0.0/0  0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:fw2net:REJECT:'
        0     0 reject  all  --  *   *   0.0.0.0/0  0.0.0.0/0

But, as before, I can traceroute or ping RFC 1918 addresses from the LAN.

How can I easily discover the route these packets take through the iptables rules? I see that 'eth2_out' (my external interface) has one reference (fw2net):

    Chain eth2_out (1 references)
     pkts bytes target  prot opt in  out source     destination
        2   122 fw2net  all  --  *   *   0.0.0.0/0  0.0.0.0/0

And in 'fw2net' I block this traffic. Is there, therefore, another path for outgoing packets from this interface?

Alex
alex wrote:
>
> And in 'fw2net' I block this traffic. Is there, therefore, another path
> for outgoing packets from this interface?

Yes. And if you post the output of "shorewall dump", we'll be happy to point them all out to you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> ...erview.html.
>
> It appears, however, that you don't have the exact rule that I posted
> since the loc2net chain does not include any rules blocking traffic to
> RFC 1918 addresses.
>
> If you do have this rule:
>
>     REJECT  all  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
>
> then please send me a tarball of your /etc/shorewall directory, as I need
> to understand why 'loc2net' is missing those rules.

The loc2net rules are being optimized away because they duplicate the loc->net policy (REJECT). To fix this, use REJECT!:

    REJECT!  all  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>> It appears, however, that you don't have the exact rule that I posted
>> since the loc2net chain does not include any rules blocking traffic to
>> RFC 1918 addresses.
>>
>> If you do have this rule:
>>
>>     REJECT  all  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
>>
>> then please send me a tarball of your /etc/shorewall directory, as I need
>> to understand why 'loc2net' is missing those rules.
>
> The loc2net rules are being optimized away because they duplicate the
> loc->net policy (REJECT). To fix this, use REJECT!:
>
>     REJECT!  all  net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

YES! THANK YOU VERY MUCH!

'iptables' now works as I need, and the LOGALLNEW option is what I was looking for.

Alex
>> I am sorry, Tom, but I think that you don't understand my question
>> about discovering a packet's path through the iptables rules.
>> I mean: when I create an iptables rule with Shorewall, is there an
>> easy method to find which chains and rules a concrete packet goes through?
>> Maybe with logging (but simply enabled/disabled)?
>
> The only thing along those lines is LOGALLNEW in shorewall.conf.
>
> -Tom

Tom, when I try to change the log format to:

    LOGFORMAT="Shwall:%s:%d:%s:"

'iptables' stops all logging. :-(

Alex
On Thu, 2007-11-22 at 19:24 +0200, alex wrote:
>>> I am sorry, Tom, but I think that you don't understand my question
>>> about discovering a packet's path through the iptables rules.
>>> I mean: when I create an iptables rule with Shorewall, is there an
>>> easy method to find which chains and rules a concrete packet goes through?
>>> Maybe with logging (but simply enabled/disabled)?
>>
>> The only thing along those lines is LOGALLNEW in shorewall.conf.
>>
>> -Tom
>
> Tom, when I try to change the log format to:
>
>     LOGFORMAT="Shwall:%s:%d:%s:"
>
> 'iptables' stops all logging. :-(

No, it doesn't.

    Nov 22 09:31:44 test kernel: Shwall:net2fw:1:DROP:IN=eth0 OUT= MAC=00:16:3e:83:ad:28:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.3 DST=192.168.1.7 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=62614 DF PROTO=TCP SPT=59833 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
    Nov 22 09:31:47 test kernel: Shwall:net2fw:1:DROP:IN=eth0 OUT= MAC=00:16:3e:83:ad:28:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.3 DST=192.168.1.7 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=62615 DF PROTO=TCP SPT=59833 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
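Added example (not part of the thread and not Shorewall's own code): Alex's underlying question was how to see which chain and rule handled a given packet, and Tom's answer was LOGALLNEW plus a LOGFORMAT that names the chain, rule number and disposition. The Python below parses kernel log lines written in Tom's LOGFORMAT="Shwall:%s:%d:%s:" shape into those three fields plus the netfilter key=value pairs, summarises which chain:rule:disposition each logged connection hit, and flags entries whose destination is RFC 1918 space and whose OUT interface is the external one (eth2 is taken from Alex's chain listing). The log lines are constructed for the example: the first copies Tom's sample, the other two, the loc2net chain numbers and the addresses in them are made up.

```python
"""Trace Shorewall-logged packets by chain/rule and flag RFC 1918 egress.

Assumes LOGFORMAT="Shwall:%s:%d:%s:" in shorewall.conf, i.e. a prefix of
the form Shwall:<chain>:<rule number>:<disposition>: in front of the
usual netfilter IN=/OUT=/SRC=/DST= fields.
"""
import ipaddress
import re

# Constructed sample log. Line 1 is Tom's posted example; lines 2 and 3 are
# invented to show a LAN host (IN=eth1) leaving via the external interface
# (OUT=eth2) towards a private and a public destination respectively.
SAMPLE_LOG = """\
Nov 22 09:31:44 test kernel: Shwall:net2fw:1:DROP:IN=eth0 OUT= MAC=00:16:3e:83:ad:28:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.3 DST=192.168.1.7 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=62614 DF PROTO=TCP SPT=59833 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 09:35:02 test kernel: Shwall:loc2net:2:REJECT:IN=eth1 OUT=eth2 SRC=192.168.1.3 DST=10.20.30.40 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Nov 22 09:35:09 test kernel: Shwall:loc2net:5:ACCEPT:IN=eth1 OUT=eth2 SRC=192.168.1.3 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=40000 DPT=33434 LEN=40
"""

# The three RFC 1918 blocks, exactly as used in the rule discussed above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Shwall:<chain>:<rule>:<disposition>:<netfilter fields...>
PREFIX_RE = re.compile(
    r"Shwall:(?P<chain>[^:]+):(?P<rule>\d+):(?P<disp>[^:]+):(?P<rest>.*)$")
# key=value tokens; value may be empty (e.g. "OUT=" for locally delivered packets)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def is_rfc1918(addr):
    """True if addr falls inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return a dict of chain/rule/disposition plus netfilter fields, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"),
           "rule": int(m.group("rule")),
           "disposition": m.group("disp")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        # ICMP lines repeat LEN= and ID= for the inner header; keep the outer one.
        rec.setdefault(key, value)
    return rec


def path_summary(log_text):
    """Count hits per chain:rule:disposition, answering 'which rule took it?'."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec['chain']}:{rec['rule']}:{rec['disposition']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def rfc1918_egress(log_text, external_if):
    """Logged packets leaving via external_if towards an RFC 1918 destination."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("OUT") != external_if:
            continue
        dst = rec.get("DST")
        if dst and is_rfc1918(dst):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, n in sorted(path_summary(SAMPLE_LOG).items()):
        print(f"{n:5d}  {key}")
    for rec in rfc1918_egress(SAMPLE_LOG, "eth2"):
        print("RFC1918 egress:", rec["chain"], rec["rule"],
              rec["disposition"], rec["SRC"], "->", rec["DST"])
```

Run against a real log, the summary shows immediately whether LAN-originated traffic is hitting loc2net rather than fw2net (the confusion in Alex's chain listing), and whether the private-destination entries end in REJECT or ACCEPT. An ACCEPT with an RFC 1918 DST and OUT set to the external interface is the leak the thread is trying to close.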