anebi@iguanait.com
2009-Feb-18 15:55 UTC
Excluding some ips from a port traffic redirection for a network?
Hi,

I want to ask how to exclude some IPs from a port traffic redirection for a network, or some range of IPs?

For example, I redirect traffic for port 25 for network 192.168.1.0 to redirect to 127.0.0.1.

REDIRECT loc:192.168.1.0/24 25 tcp 25 - 127.0.0.1

I don't want to redirect traffic from port 25 for these IPs, 192.168.1.5, 192.168.1.8, and for this range: 192.168.1.240-192.168.1.250?

How can I do that

Thanks in advance!

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Tom Eastep
2009-Feb-18 16:42 UTC
Re: Excluding some ips from a port traffic redirection for a network?
anebi@iguanait.com wrote:
> Hi,
>
> i want to ask how to exclude some ips from a port traffic redirection
> for a network, or some range of ips?
>
> For example, i redirect traffic for port 25 for network 192.168.1.0 to
> redirect to 127.0.0.1.
>
> REDIRECT loc:192.168.1.0/24 25 tcp 25 - 127.0.0.1

That rule says that SMTP traffic from the loc zone that was originally addressed to 127.0.0.1 should be redirected to port 25 on the local host. In other words, it doesn't work.

> I don't want to redirect traffic from port 25 for these ips,
> 192.168.1.5, 192.168.1.8, and for this range:
> 192.168.1.240-192.168.1.250?
>
> How can i do that

REDIRECT loc:192.168.1.0/24 25 tcp 25 - \
    !192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250

Note that I've folded the line using line-continuation (http://www.shorewall.net/configuration_file_basics.htm#Continuation); you will probably put the entire rule on a single line.

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
Tom Eastep
2009-Feb-18 17:05 UTC
Re: Excluding some ips from a port traffic redirection for a network?
Tom Eastep wrote:
> anebi@iguanait.com wrote:
>> Hi,
>>
>> i want to ask how to exclude some ips from a port traffic redirection
>> for a network, or some range of ips?
>>
>> For example, i redirect traffic for port 25 for network 192.168.1.0 to
>> redirect to 127.0.0.1.
>>
>> REDIRECT loc:192.168.1.0/24 25 tcp 25 - 127.0.0.1
>
> That rule says that SMTP traffic from the loc zone that was originally
> addressed to 127.0.0.1 should be redirected to port 25 on the local
> host. In other words, it doesn't work.
>
>> I don't want to redirect traffic from port 25 for these ips,
>> 192.168.1.5, 192.168.1.8, and for this range:
>> 192.168.1.240-192.168.1.250?
>>
>> How can i do that
>
> REDIRECT loc:192.168.1.0/24 25 tcp 25 - \
>     !192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250
>
> Note that I've folded the line using line-continuation
> (http://www.shorewall.net/configuration_file_basics.htm#Continuation);
> you will probably put the entire rule on a single line.

My apologies -- I totally screwed that up. I was thinking of destination exclusion rather than source exclusion. What you really want is:

REDIRECT \
    loc:192.168.1.0/24!192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250 \
    25 tcp 25

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
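A small Python check, added here as an illustration and not part of the thread or of Shorewall itself, that parses the SOURCE column syntax of the corrected rule (zone:network!host,host,range) and reports whether a given client address would be caught by the redirect; the function names and the sample hosts are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# The SOURCE column of the corrected rule from the thread: "zone:network!exclusions".
# This parser is an illustration of the matching semantics, not Shorewall's own code.
SOURCE_SPEC = "loc:192.168.1.0/24!192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250"


def _terms(part: str) -> list:
    """Turn 'a,b,c' into address terms: a host/CIDR network or a (lo, hi) range."""
    terms = []
    for tok in filter(None, part.split(",")):
        if "-" in tok:  # Shorewall dash range, e.g. 192.168.1.240-192.168.1.250
            lo, hi = tok.split("-", 1)
            terms.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        else:           # single host or CIDR block
            terms.append(ipaddress.ip_network(tok, strict=False))
    return terms


def parse_source(spec: str) -> Tuple[str, List[object], List[object]]:
    """Split 'zone:net!excl1,excl2' into (zone, included terms, excluded terms)."""
    zone, _, rest = spec.partition(":")
    included, _, excluded = rest.partition("!")
    return zone, _terms(included), _terms(excluded)


def _hit(ip: ipaddress.IPv4Address, term) -> bool:
    """True if ip falls inside a network term or a (lo, hi) range term."""
    if isinstance(term, tuple):
        return term[0] <= ip <= term[1]
    return ip in term


def is_redirected(src_ip: str, spec: str = SOURCE_SPEC) -> bool:
    """True if a packet from src_ip matches the SOURCE column: included and not excluded."""
    ip = ipaddress.ip_address(src_ip)
    _, included, excluded = parse_source(spec)
    return any(_hit(ip, t) for t in included) and not any(_hit(ip, t) for t in excluded)


if __name__ == "__main__":
    # Constructed sample clients: an ordinary host, an excluded host, a host in the
    # excluded range, and one outside the network entirely.
    for host in ("192.168.1.20", "192.168.1.5", "192.168.1.245", "10.0.0.3"):
        print(host, "redirected to local port 25" if is_redirected(host) else "not redirected")
```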
anebi@iguanait.com
2009-Feb-18 17:17 UTC
Re: Excluding some ips from a port traffic redirection for a network?
Thanks :)

Yes, this is what I wanted to do. I thought of going this way before asking, but I was not sure and this is why I asked.

The first case is also useful for me. I can use it for redirecting web traffic to squid.

Thanks again

Regards,
Ali Nebi!

On Wed, 2009-02-18 at 09:05 -0800, Tom Eastep wrote:
> Tom Eastep wrote:
> > anebi@iguanait.com wrote:
> >> Hi,
> >>
> >> i want to ask how to exclude some ips from a port traffic redirection
> >> for a network, or some range of ips?
> >>
> >> For example, i redirect traffic for port 25 for network 192.168.1.0 to
> >> redirect to 127.0.0.1.
> >>
> >> REDIRECT loc:192.168.1.0/24 25 tcp 25 - 127.0.0.1
> >
> > That rule says that SMTP traffic from the loc zone that was originally
> > addressed to 127.0.0.1 should be redirected to port 25 on the local
> > host. In other words, it doesn't work.
> >
> >> I don't want to redirect traffic from port 25 for these ips,
> >> 192.168.1.5, 192.168.1.8, and for this range:
> >> 192.168.1.240-192.168.1.250?
> >>
> >> How can i do that
> >
> > REDIRECT loc:192.168.1.0/24 25 tcp 25 - \
> >     !192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250
> >
> > Note that I've folded the line using line-continuation
> > (http://www.shorewall.net/configuration_file_basics.htm#Continuation);
> > you will probably put the entire rule on a single line.
>
> My apologies -- I totally screwed that up. I was thinking of destination
> exclusion rather than source exclusion.
>
> What you really want is:
>
> REDIRECT \
>     loc:192.168.1.0/24!192.168.1.5,192.168.1.8,192.168.1.240-192.168.1.250 \
>     25 tcp 25
>
> -Tom