On Friday 20 February 2004 01:21 pm, bzzzzzzzzz macacacada wrote:
> Hi there
>
> I'm using leaf-bering-1.2 as a firewall and masquerading for a small home
> network and it works fine.
>
> I'm using DNAT so that one host gets all the packets that arrive at certain
> ports on the external interface of the firewall (for a bittorrent client).
>
> Right now I have the bittorrent client doing all the IP filtering, so that
> it will refuse to establish connections to international hosts (very strict
> international download limits).
>
> Since I want to change to another client program -- which doesn't do any
> filtering -- I would like to know if it's possible to do it with BERING?
>
> That is, I want to be able to check the destination (for outgoing traffic)
> and source addresses (for incoming) of all the packets that arrive at
> certain destination ports and drop all those addresses that don't belong to
> the list of national addresses (BIG LIST).
>
> Something like (in /etc/shorewall/rules):
>
> DENY loc:192.168.1.3 net:!(1.1.1.0/32,4.0.0.0/8,...) tcp ssh
> DNAT net:1.1.1.0/32,4.0.0.0/8,... loc:192.168.1.3 tcp ssh
>
> Can anyone help me?
Using Netfilter, it is not possible to REJECT before DNAT. You can DROP before DNAT, but not using Shorewall. I think what you want to do is:

a) Upgrade to Shorewall 1.4.10c.

b) Use a blanket DNAT- (note the hyphen) rule for those ports that you want to forward:

   DNAT- net loc:192.168.1.3 tcp ssh

c) Create an Action (call it Dubious, just to pick a name).

d) In /etc/shorewall/action.Dubious:

   REJECT net:1.1.1.0/32
   REJECT net:4.0.0.0/8
   ....
   ACCEPT

e) In /etc/shorewall/rules:

   Dubious net loc:192.168.1.3 tcp ssh

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
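The poster's real input is a "BIG LIST" of national networks, so in practice the action file in step d) is the inverse of Tom's sketch: one ACCEPT per national network, then an unconditional REJECT as the last line (Shorewall processes the rules in an action top to bottom, first match wins). Hand-editing hundreds of such lines is error-prone, and a single CIDR typo with stray host bits silently widens what gets through. The generator below is an added example, not code from the thread or from the Shorewall project; it only assumes the two-column TARGET/SOURCE layout Tom shows for action.Dubious, and the networks in it are constructed sample data, not real national allocations.

```python
"""Generate /etc/shorewall/action.Dubious from a national-address allow list.

Added example (not from the original thread). Follows the layout of the
action file in Tom's reply, but inverted: every national network is
ACCEPTed and everything else falls through to a final REJECT.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample allow list standing in for the poster's "BIG LIST".
SAMPLE_NATIONAL_NETS = [
    "1.1.1.0/32",
    "4.0.0.0/8",
    "4.1.0.0/16",     # redundant: already covered by 4.0.0.0/8
    "10.20.0.0/16",
    "10.21.0.0/16",   # adjacent to the line above; merges to 10.20.0.0/15
]


def normalise(nets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse, validate and collapse the CIDR list.

    strict=True rejects prefixes with host bits set (e.g. 1.1.1.5/24)
    instead of masking them quietly, so a typo cannot widen the allowed
    range unnoticed. Overlapping and adjacent networks are merged so the
    generated action (and the resulting iptables chain) stays short.
    """
    parsed = [ipaddress.IPv4Network(n, strict=True) for n in nets]
    return list(ipaddress.collapse_addresses(parsed))


def action_lines(nets: Iterable[str], default: str = "REJECT") -> List[str]:
    """Return the rule lines of action.Dubious: one ACCEPT per allowed
    network (TARGET then SOURCE, as in Tom's example), then the default."""
    lines = [f"ACCEPT\tnet:{net.with_prefixlen}" for net in normalise(nets)]
    lines.append(default)
    return lines


def render(nets: Iterable[str]) -> str:
    """Full file contents, ready to write to /etc/shorewall/action.Dubious."""
    header = (
        "# action.Dubious: accept national networks, reject everything else\n"
        "# TARGET\tSOURCE\n"
    )
    return header + "\n".join(action_lines(nets)) + "\n"


if __name__ == "__main__":
    # Redirect this into /etc/shorewall/action.Dubious, keep the
    # "DNAT- net loc:192.168.1.3 tcp ssh" and "Dubious net loc:192.168.1.3 tcp ssh"
    # lines from Tom's reply in /etc/shorewall/rules, then restart Shorewall.
    print(render(SAMPLE_NATIONAL_NETS), end="")
```

Regenerate the file whenever the national list changes rather than editing it by hand; the strict parse is what turns a mistyped prefix into a visible failure at generation time instead of an overly permissive firewall rule.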