On Friday 20 February 2004 01:21 pm, bzzzzzzzzz macacacada wrote:
> Hi there
>
> i'm using leaf-bering-1.2 as a firewall and masquerading for a small home
> network and it works fine
>
> i'm using DNAT so that one host gets all the packets that arrive at certain
> ports on the external interface of the firewall (for a bittorrent client)
>
> right now i have the bittorrent client doing all the ip filtering, so that
> it will refuse to establish connections to international hosts (very strict
> international download limits)
>
> since i want to change to another client program -- which doesn't do any
> filtering -- i would like to know if it's possible to do it with BERING?
>
> that is, i want to be able to check the destination (for outgoing traffic)
> and source addresses (for incoming) of all the packets that arrive at
> certain destination ports and drop all those addresses that don't belong to
> the list of national addresses (BIG LIST)
>
> something like (in /etc/shorewall/rules):
>  DENY loc:192.168.1.3 net:!(1.1.1.0/32,4.0.0.0/8,...) tcp ssh
>  DNAT net:1.1.1.0/32,4.0.0.0/8,... loc:192.168.1.3 tcp ssh
>
> can anyone help me?

Using Netfilter, it is not possible to REJECT before DNAT. You can DROP before 
DNAT but not using Shorewall.

I think what you want to do is:

a) Upgrade to Shorewall 1.4.10c.
b) Use a blanket DNAT- (note the hyphen) rule for those ports that you want to 
forward:

        DNAT-   net     loc:192.168.1.3 tcp     ssh

c) Create an Action (Call it Dubious just to pick a name).
d) In /etc/shorewall/action.Dubious:

        REJECT  net:1.1.1.0/32
        REJECT  net:4.0.0.0/8
        ....
        ACCEPT

e) In /etc/shorewall/rules:

        Dubious net     loc:192.168.1.3 tcp     ssh

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
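The whitelist form of the action file the original poster asked for (accept the national nets, refuse everything else), as an added example that is not from either message: a small POSIX sh generator that writes the contents of /etc/shorewall/action.Dubious in the two-column layout Tom shows, with one ACCEPT per national net and a final catch-all REJECT. The CIDR list and the function names are constructed for the example; the real national list would be much longer.

```shell
#!/bin/sh
# Emit a Shorewall 1.4 action file that accepts only a whitelist of
# source nets and rejects every other source. Used together with the
# blanket "DNAT-" rule from the reply, the filtering happens after the
# address translation, which is what makes REJECT usable here at all.
# Remember that the action name (Dubious) must also be listed in
# /etc/shorewall/actions before the rules file can reference it.

# Constructed sample whitelist, one CIDR per line (not a real national list).
NATIONAL_NETS="1.1.1.0/32
4.0.0.0/8
10.20.0.0/16"

# Print the action file to stdout: ACTION<TAB>SOURCE per net, then a
# bare REJECT so any source not matched above is refused (with an ICMP
# error, as REJECT does; use DROP instead if a silent refusal is wanted).
gen_action_file() {
    printf '#ACTION\tSOURCE\n'
    echo "$1" | while read -r net; do
        if [ -n "$net" ]; then
            printf 'ACCEPT\tnet:%s\n' "$net"
        fi
    done
    printf 'REJECT\n'
}

# Number of ACCEPT lines produced, so a caller can verify that every
# net in the list made it into the file before installing it.
count_accepts() {
    gen_action_file "$1" | grep -c '^ACCEPT'
}

# Stand-alone use: redirect this into /etc/shorewall/action.Dubious,
# then "shorewall restart".
gen_action_file "$NATIONAL_NETS"
```

After installing the file, the rules entry stays exactly as in the reply (`Dubious net loc:192.168.1.3 tcp ssh`); only the action body changes from a blacklist to a whitelist.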
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html