I'm in the UK and have been asleep, so I apologise if it seems I was
ignoring your suggestions.
This post should bring everyone up to date, but it means I will have to
top-post so that my reply makes chronological sense.
1. I've been there before, but I reconfigured like this:
REDIRECT loc 8080 tcp 80
Yes, this properly intercepts request to port 80 and sends them to the
web server running on the firewall and listening to port 8080.
No good though, because REDIRECT is completely indiscriminate... ANY
port 80 connection from the loc zone to ANY host in the net zone will be
sent to port 8080 on the firewall. This is what REDIRECT does, but not
what I need - it is FAR too blunt an instrument.
2. I don't know how to use the ORIGINAL DEST in my situation, because I
ONLY want to catch port 80 connections to one of the firewall
interfaces, while allowing all legitimate web traffic through for
masquerading.
3. Qualifying the SOURCE, e.g. "loc:10.1.252.200" isn't really relevant
in my case, because my "fake" web server would let me know whether I
have more than one trusted host that is misbehaving.
4. I really need to specify the ORIGINAL DEST as either $FW, or the
specific address of the ip address used by the firewall for its snat
traffic. I tried this:
REDIRECT loc 8080 tcp 80 -
217.154.193.215
and was surprised to discover it works the way I wanted - I /thought/I
had tried it before, but must have made a mistake.
This rule properly intercepts the rogue traffic from any host in the loc
zone, while masquerading all port 80 datagrams sent to the new zone.
Not surprisingly, I could also use my symbolic from the params file:
REDIRECT loc 8080 tcp 80 -
$INTERNET_CLIENTS
5. Just to learn more, I tried to intercept port 80 requests to ANY of
the firewall ip addresses, like this:
REDIRECT loc 8080 tcp 80 -
$FW
but it would not compile:
ERROR: Unknown Interface (fw) /etc/shorewall/rules (line 132)
6. I tried adding the firewall's safe lan interface:
REDIRECT loc 8080 tcp 80 -
$INTERNET_CLIENTS,eth1
but that would not compile:
WARNING: Ipset eth1 does not exist /etc/shorewall/rules (line 138)
ERROR: Unknown Host (eth1) /etc/shorewall/rules (line 138)
... so I defined another param for that interface, which works fine:
REDIRECT loc 8080 tcp 80 -
$INTERNET_CLIENTS,$FW_ETH1
To summarise, rules 4a and 4b work for me. Thanks very much for your
help, Johnny and Dominic.
Regards,
Brian
On 10/10/13 20:45, johnny bowen wrote:
> Dominic,
>
> With the orginal destination column you can restrict the scope of
> 'traffic to', not 'traffic from'. In his case he's looking to trap some
> packets from 'traffic from' .
>
> I think the following example explains it better:
>
> Example 5:
> All http requests from the internet to address 130.252.100.69 are to be
> forwarded to 192.168.1.3
>
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
> # PORT PORT(S) DEST
> DNAT net loc:192.168.1.3 tcp 80 -
> 130.252.100.69
>
>
>
> On Thu, Oct 10, 2013 at 11:18 AM, Dominic Benson <domi...@lenny.cus.org
> <mailto:domi...@lenny.cus.org>> wrote:
>
>
> > On 10 Oct 2013, at 18:52, Brian Burch <br...@pingtoo.com
> <mailto:br...@pingtoo.com>> wrote:
> >
> >> On 10/10/13 17:55, johnny bowen wrote:
> >> REDIRECT net 22 tcp 902
> >
> > Thanks for thinking about it Johnny, but I said in my first post
> that I
> > couldn't make REDIRECT work in my situation.
>
> Isn't it possible to restrict the scope of the redirect using the
> ORIGINAL_DEST column - e.g.:
>
> REDIRECT loc 80 tcp 8080 - 1.2.3.4
>
> (I haven't tried, so I may be off here)
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
> most from
> the latest Intel processors and coprocessors. See abstracts and
> register >
>
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> <mailto:Shorewall-users@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
