Hi,
I want to dynamically blacklist the IP addresses of hosts that try to connect
to unadvertised ports. I do this by setting the following in shorewall.conf:
DYNAMIC_BLACKLIST=ipset,timeout=172800:POL_BL:info:polbl
I also set the BLACKLIST policy:
net4 $FW BLACKLIST
net4 loc BLACKLIST
net4 dmz BLACKLIST
net4 net3 BLACKLIST
net4 net2 BLACKLIST
net4 net1 BLACKLIST
net4 all BLACKLIST
net3 $FW BLACKLIST
net3 loc BLACKLIST
net3 dmz BLACKLIST
net3 net4 BLACKLIST
net3 net2 BLACKLIST
net3 net1 BLACKLIST
net3 all BLACKLIST
net2 $FW BLACKLIST
net2 loc BLACKLIST
net2 dmz BLACKLIST
net2 net4 BLACKLIST
net2 net3 BLACKLIST
net2 net1 BLACKLIST
net2 all BLACKLIST
net1 $FW BLACKLIST
net1 loc BLACKLIST
net1 dmz BLACKLIST
net1 net4 BLACKLIST
net1 net3 BLACKLIST
net1 net2 BLACKLIST
net1 all BLACKLIST
However, after blacklisting the hosts' IP addresses I'd also like to redirect
and allow ONLY traffic to port 62000 on the $FW IF the original destination
port was 80.
In other words, if a listed client were to connect to http://myserver then it
would be redirected to TCP 62000. No other traffic allowed for that source IP
addr.
I have this in rules almost at the top:
REDIRECT:info:blsinit net1,net2,net3,net4:+IPS_BL,+POL_BL!+GLOBAL_WL 62000 tcp 80
However, I get this in the log:
Shorewall:blsinit:REDIRECT:IN=enp9s4 OUT= MAC=<MAC> SRC=<IP> DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:polbl:DROP:IN=enp9s4 OUT= MAC=<MAC> SRC=<IP> DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=62000 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Here, "polbl" refers to the setting in DYNAMIC_BLACKLIST.
I guess it's expected, so I don't know if posting a shorewall dump to this list
would help. I'd like to know how to change my shorewall configuration in order
to only accept connections to 62000 for blacklisted hosts.
Adding an explicit ACCEPT rule before or after REDIRECT does not seem to
"work".
Am I required to use a custom DROP action instead of DYNAMIC_BLACKLIST?
Vieri
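The two log entries quoted above share the same SRC, SPT and IP ID (20594), which is how one can tell they are the same SYN packet seen twice: first by the REDIRECT rule (nat table, DPT still 80) and then by the dynamic-blacklist DROP (filter table, DPT already rewritten to 62000). The following is an added example, not code from the post or from the Shorewall project, that parses Shorewall-format log lines and pairs each DROP with the earlier REDIRECT of the same packet, so an administrator reviewing logs can see which blacklisted sources are being redirected and then dropped post-NAT. The sample lines are constructed from the quoted entries, with the <MAC> and <IP> placeholders replaced by made-up values; the third line is an unrelated constructed ACCEPT to show that non-matching traffic is ignored.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input modelled on the log lines quoted in the post.
# The MAC and source addresses are made up; 192.168.92.2 and the ports are from the post.
SAMPLE_LOG = """\
Shorewall:blsinit:REDIRECT:IN=enp9s4 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:polbl:DROP:IN=enp9s4 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=62000 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:net-fw:ACCEPT:IN=enp9s4 OUT= MAC=00:11:22:33:44:55 SRC=198.51.100.9 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE fields.
HEADER_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one Shorewall log line into a dict of fields; return None for non-Shorewall lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    flags: List[str] = []
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)   # "MAC=00:11:..." keeps the colons in the value
            rec[key] = value                   # "OUT=" yields an empty string, which is fine
        else:
            flags.append(token)                # bare tokens such as DF or SYN
    rec["flags"] = flags
    return rec


def packet_key(rec: Dict[str, object]):
    """Fields that identify one packet across nat and filter table log entries."""
    return (rec.get("SRC"), rec.get("PROTO"), rec.get("SPT"), rec.get("ID"))


def correlate(lines: List[str]) -> List[Dict[str, str]]:
    """Pair each DROP with the earlier REDIRECT of the same packet and report both ports."""
    pending: Dict[tuple, Dict[str, object]] = {}
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = packet_key(rec)
        if rec["disposition"] == "REDIRECT":
            pending[key] = rec
        elif rec["disposition"] == "DROP" and key in pending:
            redirect = pending.pop(key)
            findings.append({
                "src": str(rec["SRC"]),
                "original_dpt": str(redirect["DPT"]),   # port the client actually asked for
                "translated_dpt": str(rec["DPT"]),      # port after the nat REDIRECT
                "redirect_chain": str(redirect["chain"]),
                "drop_chain": str(rec["chain"]),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f"{f['src']}: redirected {f['original_dpt']} -> {f['translated_dpt']} "
              f"by {f['redirect_chain']}, then dropped by {f['drop_chain']}")
```

Run over a real /var/log/messages or journal export, the correlation keys on SRC, PROTO, SPT and IP ID, which is enough to match the two entries for one SYN; if the firewall sees the same source retry with a new SPT, each retry appears as its own finding.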
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users