Jerry Vonau wrote:


Ok, it's been more than a couple of days. ;-) With 4.2, is the reason behind the shorewall test layout, using main 999, backwards compatibility?

Yes.


Getting the "squid in loc" to work with "loose" took a bit of effort but that works now. Give me a bit, I'll have some config info that worked for me if you want.

Please -- I haven't tested that configuration.


On a side note:

Running /sbin/iptables-restore...
iptables-restore v1.4.1.1: host/network `!' not found
Error occurred at line: 134
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Line 134:
-A loc2fw -p 6 --dport 8080 -m conntrack --ctorigdst ! 10.3.0.10 -j ACCEPT

editing out this line in rules allows a start:

REDIRECT        loc     8080            tcp     80      -       !10.3.0.10

Did I miss something along the journey?

Looks like iptables-restore 1.4.1.1 is broken. That syntax is correct:

/usr/sbin/iptables -m conntrack -h

...

conntrack match v1.4.0 options:
 [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]
                                State(s) to match
 [!] --ctproto  proto           Protocol to match; by number or name, eg. `tcp'
     --ctorigsrc  [!] address[/mask]
                                Original source specification
     --ctorigdst  [!] address[/mask] <=====================================
                                Original destination specification
     --ctreplsrc  [!] address[/mask]
                                Reply source specification
     --ctrepldst  [!] address[/mask]
                                Reply destination specification
 [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]
                                Status(es) to match
 [!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                                value or range of values (inclusive)

and

ursa:~ # iptables -t nat -N foo
ursa:~ # iptables -t nat -A foo -m conntrack --ctorigdst ! 10.1.1.1 -j ACCEPT
ursa:~ # iptables -V
iptables v1.4.0
ursa:~ #

What happens when you try that on your 1.4.1.1?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
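The rejected rule above, as an added example that is not from the thread or from Shorewall: a small shell filter that rewrites the intrapositioned `--ctorigdst ! addr` form into the prepositioned `! --ctorigdst addr` form (the assumption here being that newer iptables releases accept the latter), plus a check that lists any rules in a restore file still using the old form before it is handed to iptables-restore.

```shell
#!/bin/sh
# Added example, not Shorewall code. Normalizes negation placement in
# iptables-restore input: "--ctorigdst ! addr" becomes "! --ctorigdst addr".
# Assumption: the prepositioned form is the one newer iptables accepts.

# Filter: reads restore input on stdin, writes the rewritten rules.
# Only the four conntrack address options are touched, so a rule that is
# already in the "! --option value" form is left exactly as it is.
normalize_negation() {
    sed -E 's/(--ct(origsrc|origdst|replsrc|repldst)) ! ([^ ]+)/! \1 \3/g'
}

# Check: prints "lineno:rule" for every rule on stdin that still carries
# an intrapositioned "--option ! value"; exits 1 when none are found.
find_old_negation() {
    grep -nE -- '--[a-z]+ ! [^ ]'
}

# Constructed sample restore input: the rule from the error report, the
# same rule already in the new form, and one with a network mask.
sample_rules() {
    cat <<'EOF'
-A loc2fw -p 6 --dport 8080 -m conntrack --ctorigdst ! 10.3.0.10 -j ACCEPT
-A loc2fw -p 6 --dport 8080 -m conntrack ! --ctorigdst 10.3.0.10 -j ACCEPT
-A loc2fw -m conntrack --ctorigsrc ! 10.3.0.0/24 -j DROP
EOF
}

echo "Rules using intrapositioned negation:"
sample_rules | find_old_negation || echo "(none)"
echo "Rewritten input:"
sample_rules | normalize_negation
```

For a real file, run `normalize_negation < /var/lib/shorewall/.iptables-restore-input` and inspect the output before feeding it to iptables-restore.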


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users