Shorewall users - Feb 2009 - Excluding some ips from a port traffic redirection for a network?

Hi,

i want to ask how to exclude some ips from a port traffic redirection
for a network, or some range of ips?

For example, i redirect traffic for port 25 for network 192.168.1.0 to
redirect to 127.0.0.1.

REDIRECT        loc:192.168.1.0/24      25    tcp     25    - 127.0.0.1

I don''t want to redirect traffic from port 25 for these ips,
192.168.1.5, 192.168.1.8, and for this range:
192.168.1.240-192.168.1.250?

How can i do that

Thanks i advanced!




------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H

anebi@iguanait.com wrote:
> Hi,
> 
> i want to ask how to exclude some ips from a port traffic redirection
> for a network, or some range of ips?
> 
> For example, i redirect traffic for port 25 for network 192.168.1.0 to
> redirect to 127.0.0.1.
> 
> REDIRECT        loc:192.168.1.0/24      25    tcp     25    - 127.0.0.1
That rule says that SMTP traffic from the loc zone that was originally
addressed to 127.0.0.1 should be redirected to port 25 on the local
host. In other words, it doesn''t work.
> 
> I don''t want to redirect traffic from port 25 for these ips,
> 192.168.1.5, 192.168.1.8, and for this range:
> 192.168.1.240-192.168.1.250?
> 
> How can i do that
REDIRECT loc:192.168.1.0/24    25    tcp    25  -  \
!192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250

Note that I''ve folded the line using line-continuation
(http://www.shorewall.net/configuration_file_basics.htm#Continuation);
you will probably put the entire rule on a single line.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H

Tom Eastep wrote:
> anebi@iguanait.com wrote:
>> Hi,
>>
>> i want to ask how to exclude some ips from a port traffic redirection
>> for a network, or some range of ips?
>>
>> For example, i redirect traffic for port 25 for network 192.168.1.0 to
>> redirect to 127.0.0.1.
>>
>> REDIRECT        loc:192.168.1.0/24      25    tcp     25    - 127.0.0.1
> 
> That rule says that SMTP traffic from the loc zone that was originally
> addressed to 127.0.0.1 should be redirected to port 25 on the local
> host. In other words, it doesn''t work.
>> I don''t want to redirect traffic from port 25 for these ips,
>> 192.168.1.5, 192.168.1.8, and for this range:
>> 192.168.1.240-192.168.1.250?
>>
>> How can i do that
> 
> REDIRECT loc:192.168.1.0/24    25    tcp    25  -  \
> !192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250
> 
> Note that I''ve folded the line using line-continuation
> (http://www.shorewall.net/configuration_file_basics.htm#Continuation);
> you will probably put the entire rule on a single line.
My apologies -- I totally screwed that up. I was thinking of destination
exclusion rather than source exclusion.

What you really want is:

REDIRECT \
loc:192.168.1.0/24!192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250 \
            25    tcp   25

-Tom


-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H

Thanks :)

yes, this is what i wanted to do.

I tough to go this way before to ask, but i was not sure and this is why
i asked.

The first case is also useful for me. I can use it with redirection web
traffic to squid.

Thanks again
Regards, Ali Nebi!

On Wed, 2009-02-18 at 09:05 -0800, Tom Eastep wrote:
> Tom Eastep wrote:
> > anebi@iguanait.com wrote:
> >> Hi,
> >>
> >> i want to ask how to exclude some ips from a port traffic
redirection
> >> for a network, or some range of ips?
> >>
> >> For example, i redirect traffic for port 25 for network
192.168.1.0 to
> >> redirect to 127.0.0.1.
> >>
> >> REDIRECT        loc:192.168.1.0/24      25    tcp     25    -
127.0.0.1
> > 
> > That rule says that SMTP traffic from the loc zone that was originally
> > addressed to 127.0.0.1 should be redirected to port 25 on the local
> > host. In other words, it doesn''t work.
> >> I don''t want to redirect traffic from port 25 for these
ips,
> >> 192.168.1.5, 192.168.1.8, and for this range:
> >> 192.168.1.240-192.168.1.250?
> >>
> >> How can i do that
> > 
> > REDIRECT loc:192.168.1.0/24    25    tcp    25  -  \
> > !192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250
> > 
> > Note that I''ve folded the line using line-continuation
> > (http://www.shorewall.net/configuration_file_basics.htm#Continuation);
> > you will probably put the entire rule on a single line.
> 
> My apologies -- I totally screwed that up. I was thinking of destination
> exclusion rather than source exclusion.
> 
> What you really want is:
> 
> REDIRECT \
> loc:192.168.1.0/24!192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250 \
>             25    tcp   25
> 
> -Tom
> 
> 

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H