Hi all,

I'm using shorewall 4.0.13 (and the perl compiler).

I need to add some arbitrary mangle rules to my iptables configuration e.g.

iptables -t mangle -I PREROUTING -p udp --dport <port> -j TEE --gateway <ipaddr>

(this is using one of the 'addon' targets in iptables 1.4.1).

Is there a recommended way to add arbitrary iptables rules to shorewall? I was thinking I could add them via the 'start' or 'started' extension scripts, but wasn't sure if that was a good idea or not? Any better suggestions?

Thanks,
Gavin

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Gavin Carr wrote:
> Hi all,
>
> I'm using shorewall 4.0.13 (and the perl compiler).
>
> I need to add some arbitrary mangle rules to my iptables configuration e.g.
>
> iptables -t mangle -I PREROUTING -p udp --dport <port> -j TEE
> --gateway <ipaddr>
>
> (this is using one of the 'addon' targets in iptables 1.4.1).
>
> Is there a recommended way to add arbitrary iptables rules to shorewall?
> I was thinking I could add them via the 'start' or 'started' extension
> scripts, but wasn't sure if that was a good idea or not? Any better
> suggestions?

There is no other supported way to add arbitrary rules in the mangle table.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
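Tom's answer above leaves the 'start'/'started' extension scripts as the supported route. What a 'started' script doing that could look like, as an added example for this thread (it is not Gavin's, Tom's or the Shorewall project's own code): it validates the two values before they reach iptables, inserts the TEE rule only if an identical rule is not already in the mangle PREROUTING chain, and returns rather than exits. The port 4444, the gateway 192.168.0.4, the iptables/iptables-save binary names, the embedded iptables-save sample and the use of Shorewall's COMMAND variable to recognise a start or restart are all assumptions made for the example.

```shell
#!/bin/sh
# /etc/shorewall/started -- added example, not Shorewall's or the poster's code.
# Runs after Shorewall has built its own rules and adds the TEE mirror rule from
# the thread. Port, gateway, binary names and the COMMAND variable are assumptions.

TEE_PORT="${TEE_PORT:-4444}"               # assumed UDP port whose packets are mirrored
TEE_GATEWAY="${TEE_GATEWAY:-192.168.0.4}"  # assumed host that receives the copies
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"

# True only for a port number in 1-65535; anything else must not reach iptables.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True only for a dotted-quad IPv4 address (what TEE --gateway takes here).
valid_ipv4() {
    ip=$1
    n=0
    while [ -n "$ip" ]; do
        octet=${ip%%.*}
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$octet" ] && break      # no dot left: this was the last field
        ip=${ip#*.}
        [ -n "$ip" ] || return 1           # trailing dot
    done
    [ "$n" -eq 4 ]
}

# $1: text of `iptables-save -t mangle`; $2: port; $3: gateway.
# iptables-save writes "-p udp --dport N" as "-p udp -m udp --dport N", so the
# check matches that normalised line exactly; a rule with extra qualifiers
# (-i, -s, ...) is deliberately treated as a different rule.
tee_rule_present() {
    printf '%s\n' "$1" |
        grep -Fxq -- "-A PREROUTING -p udp -m udp --dport $2 -j TEE --gateway $3"
}

# The command that would be run, as one string (handy for a dry run or a log line).
tee_rule_cmd() {
    printf '%s' "$IPTABLES -t mangle -I PREROUTING -p udp --dport $1 -j TEE --gateway $2"
}

# Insert the rule unless an identical one is already in place, so running the
# script twice against a live firewall does not stack duplicates. Uses return,
# never exit: Shorewall-perl copies extension scripts into the generated
# firewall script, so an exit here would abort the whole start.
ensure_tee_rule() {
    port=$1
    gw=$2
    valid_port "$port" || { echo "started: invalid TEE port '$port'" >&2; return 1; }
    valid_ipv4 "$gw"   || { echo "started: invalid TEE gateway '$gw'" >&2; return 1; }
    current=$("$IPTABLES_SAVE" -t mangle 2>/dev/null) || current=''
    if tee_rule_present "$current" "$port" "$gw"; then
        return 0                           # already there, nothing to do
    fi
    "$IPTABLES" -t mangle -I PREROUTING -p udp --dport "$port" -j TEE --gateway "$gw"
}

# Constructed sample of `iptables-save -t mangle` output with the rule present,
# kept here so the check can be exercised without touching a live firewall.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 4444 -j TEE --gateway 192.168.0.4
COMMIT'

# Shorewall sets COMMAND to the command being run (assumed here); only a start
# or restart gets the rule, so sourcing this file for testing changes nothing.
case "${COMMAND:-}" in
    start|restart)
        ensure_tee_rule "$TEE_PORT" "$TEE_GATEWAY" ||
            echo "started: TEE mirror rule was not added" >&2
        ;;
esac
```

Two things to keep in mind when adapting it: -I places the rule ahead of anything Shorewall itself put into mangle PREROUTING, so use -A instead if the mirror should only see packets after Shorewall's own mangle rules have run; and the presence check compares against the exact line iptables-save prints, so if you add -i or -s to the rule, extend the matched string the same way. TEE is an addon target at this iptables version (as Gavin notes), so the module has to be available on the box before the insert can succeed.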
Tom Eastep wrote:
> Gavin Carr wrote:
>> I'm using shorewall 4.0.13 (and the perl compiler).
>>
>> I need to add some arbitrary mangle rules to my iptables configuration e.g.
>>
>> iptables -t mangle -I PREROUTING -p udp --dport <port> -j TEE
>> --gateway <ipaddr>
>>
>> (this is using one of the 'addon' targets in iptables 1.4.1).
>>
>> Is there a recommended way to add arbitrary iptables rules to shorewall?
>> I was thinking I could add them via the 'start' or 'started' extension
>> scripts, but wasn't sure if that was a good idea or not? Any better
>> suggestions?
>
> There is no other supported way to add arbitrary rules in the mangle table.

Great, thanks Tom, I'll run with that.

Cheers,
Gavin
> Is there a recommended way to add arbitrary iptables rules to shorewall?
> I was thinking I could add them via the 'start' or 'started' extension
> scripts, but wasn't sure if that was a good idea or not? Any better
> suggestions?

My own experience is it's much better to translate the intent of all existing IPtables rules into Shorewall rules, get them all working as desired, then throw the old IPtables rules away completely. Why?

1) Having some rules in IPtables and other rules in Shorewall is a maintenance nightmare when you go to change something. Where is it? How do I change it?

2) Weird problems that are at root due to conflicting IPtables and Shorewall rules. Which one takes precedence? Why doesn't this rule work as desired? Why does this rule work sometimes but not other times depending on which commands I issued to get here?

3) Debugging is very difficult because Shorewall and IPtables might not do something exactly the same way. Several common rules can be implemented more than one way. In these cases it's normal to choose the method that is most "syntactically convenient" in the tool being used, but sometimes that results in different choices in IPtables and Shorewall.

4) Double training: if you get a helper, you have to teach them _both_ Shorewall and IPtables. (also two mailing lists to follow rather than just one :-)

thanks!
-Chuck Kollars
On Mon, 2008-09-22 at 09:15 -0700, Chuck Kollars wrote:
> My own experience is it's much better to translate the intent of all existing IPtables rules into Shorewall rules, get them all working as desired, then throw the old IPtables rules away completely. Why?
...

5) It might be that you find that what you want to do has no shorewall equivalent. That means that either a) what you are trying to do is just insane and makes you rethink the reason/implementation or b) there is a use-case which shorewall does not (yet) cover that others might be interested in. This is how RFEs come about.

b.
Tom Eastep wrote:
> Gavin Carr wrote:
>> Hi all,
>>
>> I'm using shorewall 4.0.13 (and the perl compiler).
>>
>> I need to add some arbitrary mangle rules to my iptables configuration e.g.
>>
>> iptables -t mangle -I PREROUTING -p udp --dport <port> -j TEE
>> --gateway <ipaddr>
>>
>> (this is using one of the 'addon' targets in iptables 1.4.1).
>>
>> Is there a recommended way to add arbitrary iptables rules to shorewall?
>> I was thinking I could add them via the 'start' or 'started' extension
>> scripts, but wasn't sure if that was a good idea or not? Any better
>> suggestions?
>
> There is no other supported way to add arbitrary rules in the mangle table.
>

Actually, there is another way -- given that you run Shorewall-perl, you can place this in your tcrules file:

BEGIN PERL
# Shorewall-perl's chain API: gives access to insert_rule() and $mangle_table
use Shorewall::Chains;
# insert_rule( chain ref, position, rule text ); position 1 is the head of the chain
insert_rule( $mangle_table->{PREROUTING}, 1, '-p udp --dport 4444 -j TEE --gateway 192.168.0.4' );
END PERL

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net