On Friday 20 February 2004 01:47 pm, Tom Eastep wrote:
> On Friday 20 February 2004 01:21 pm, bzzzzzzzzz macacacada wrote:
> > Hi there
> >
> > I'm using leaf-bering-1.2 as a firewall and masquerading for a small home
> > network and it works fine.
> >
> > I'm using DNAT so that one host gets all the packets that arrive at
> > certain ports on the external interface of the firewall (for a
> > bittorrent client).
> >
> > Right now I have the bittorrent client doing all the IP filtering, so that
> > it will refuse to establish connections to international hosts (very
> > strict international download limits).
> >
> > Since I want to change to another client program -- which doesn't do any
> > filtering -- I would like to know if it's possible to do it with BERING?
> >
> > That is, I want to be able to check the destination (for outgoing
> > traffic) and source addresses (for incoming) of all the packets that
> > arrive at certain destination ports and drop all those addresses that
> > don't belong to the list of national addresses (BIG LIST).
> >
> > Something like (in /etc/shorewall/rules):
> >  DENY loc:192.168.1.3 net:!(1.1.1.0/32,4.0.0.0/8,...) tcp ssh
> >  DNAT net:1.1.1.0/32,4.0.0.0/8,... loc:192.168.1.3 tcp ssh
> >
> > can anyone help me?
>
> Using Netfilter, it is not possible to REJECT before DNAT. You can DROP
> before DNAT but not using Shorewall.
>
> I think what you want to do is:
>
> a) Upgrade to Shorewall 1.4.10c.
> b) Use a blanket DNAT- (note the hyphen) rule for those ports that you want
> to forward:
>
>       DNAT-   net     loc:192.168.1.3 tcp     ssh
>
> c) Create an Action (Call it Dubious just to pick a name).
> d) In /etc/shorewall/action.Dubious:
>
>       REJECT  net:1.1.1.0/32
>       REJECT  net:4.0.0.0/8
>       ....
>       ACCEPT

Sorry -- the above syntax is incorrect. The /etc/shorewall/action.Dubious file 
would contain:

        REJECT  1.1.1.0/32
        REJECT  4.0.0.0/8
        ...
        ACCEPT

Unlike in the rules file, in an action file zone names are not allowed in the 
SOURCE and DEST columns.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
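As an added illustration (not part of the thread and not Shorewall's own code), a small Python script that builds the action.Dubious file Tom describes from a list of CIDR networks, which is the tedious part when the list is long. The network list is constructed here; it parses entries strictly so a mistyped mask is caught, collapses overlapping networks, emits one REJECT line per network followed by the final ACCEPT, and simulates the action's first-match evaluation for a given address.

```python
import ipaddress

# Constructed sample list: the two placeholder networks from the
# action.Dubious example (1.1.1.0/32 and 4.0.0.0/8) plus an overlapping
# entry (4.10.0.0/16) to show that collapsing removes redundant lines.
SAMPLE_NETWORKS = ["1.1.1.0/32", "4.0.0.0/8", "4.10.0.0/16"]


def parse_networks(entries):
    """Parse CIDR strings strictly: an entry with host bits set (e.g.
    1.1.1.1/24) raises ValueError instead of being silently widened to
    1.1.1.0/24, since a mistyped mask would reject far more than intended."""
    nets = [ipaddress.ip_network(e.strip(), strict=True)
            for e in entries if e.strip()]
    # Merge overlapping and adjacent networks so the action file stays short.
    return list(ipaddress.collapse_addresses(nets))


def render_action_file(entries):
    """Return the contents of /etc/shorewall/action.Dubious in the form
    Tom gives: one REJECT line per network (no zone names in an action
    file), then a final ACCEPT so everything else reaches the DNAT- target."""
    lines = [f"REJECT\t{net}" for net in parse_networks(entries)]
    lines.append("ACCEPT")
    return "\n".join(lines) + "\n"


def evaluate(entries, address):
    """Simulate first-match evaluation of the generated action for one
    source address: 'REJECT' if it falls in a listed network, else 'ACCEPT'."""
    ip = ipaddress.ip_address(address)
    for net in parse_networks(entries):
        if ip in net:
            return "REJECT"
    return "ACCEPT"


if __name__ == "__main__":
    print(render_action_file(SAMPLE_NETWORKS), end="")
    for addr in ("4.10.1.1", "8.8.8.8"):
        print(addr, "->", evaluate(SAMPLE_NETWORKS, addr))
```

If the long list is the set of permitted national networks rather than the networks to refuse, as in the original question, swapping the two verbs (ACCEPT per network, final REJECT) gives the allowlist form.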

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html