On 04/20/2013 09:28 AM, Dash Four wrote:
> Tom Eastep wrote:
>> On 4/20/13 8:57 AM, "Dash Four" <mr.dash.f...@googlemail.com> wrote:
>>
>>> Paul Gear wrote:
>>>
>>>> On 04/20/2013 12:44 PM, Tom Eastep wrote:
>>>>
>>>>> On 4/19/13 6:53 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
>>>>>
>>>>>> No. INLINE is a hack to allow raw ip[6]tables commands to be
>>>>>> integrated during the compile phase. But it are just that -- raw.
>>>>>>
>>>>> That breaks new grammatical ground :-)
>>>>>
>>>> I thinking your grammar are just fine. ;-)
>>>>
>>> It is not the first such instance either (from the "man shorewall-accounting"
>>> page): "Causes a jump to that chain to be added to the chain specified in
>>> the CHAIN column." - care to "translate" Tom?
>>>
>> When a chain (call it chain2) is specified in the ACTION column:
>>
>> 1) The chain is created.
>> 2) If a chain is specified in the CHAIN column (call it chain1), then a
>> jump from chain1 to chain2 is generated.
>> 2) If no chain is specified in the CHAIN column, then a jump from the
>> default chain (based on SECTION) to chain2 is generated.
>>
> The last item on your list is "3)" I take it? :-)
>
> Got it now. Maybe you can include this as part of the "chain:COUNT|JUMP"
> explanation in that man page. So, if I want to "mimic" what shorewall
> currently does in rules and create a "net2dmz" accounting zone, the
> following needs to be done (assuming eth0 serves the "net" zone, while
> eth1 - the "dmz"):
>
> SECTION FORWARD
> dmz_fwd - - eth1
> net2dmz dmz_fwd eth0
>
> That should create the following iptables rules:
>
> :accountfwd
> :dmz_fwd
> :net2dmz
> -A FORWARD -j accountfwd
> -A accountfwd -i eth1 -j dmz_fwd
> -A dmz_fwd -o eth0 -j net2dmz
>
> Correct?
[teastep@foobar64 two-interfaces]$ cat accounting
#
# Shorewall version 4 - Accounting File
#
# For information about entries in this file, type "man shorewall-accounting"
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#################################################################################################################
#ACTION  CHAIN    SOURCE  DESTINATION  PROTO  DEST     SOURCE   USER/  MARK  IPSEC
#                                             PORT(S)  PORT(S)  GROUP
SECTION FORWARD
dmz_fwd - - eth1
net2dmz dmz_fwd eth0
[teastep@foobar64 two-interfaces]$ shorewall check -r .
Checking...
Processing /home/teastep/two-interfaces/shorewall.conf...
Checking /home/teastep/two-interfaces/zones...
...
Optimizing Ruleset...
cat << __EOF__ >&3
#
# Generated by Shorewall 4.5.15 - Sat Apr 20 09:40:15 2013
#
...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:accountfwd - [0:0]
...
:net2dmz - [0:0]
...
-A FORWARD -j accountfwd
...
-A accountfwd -o eth1 -j dmz_fwd
-A dmz_fwd -i eth0 -j net2dmz
...
Shorewall configuration verified
[teastep@foobar64 two-interfaces]$

So you reversed the SOURCE/DEST interfaces.

Also note though that if you actually have a zone named 'dmz' and if
ACCOUNTING_TABLE=filter, your example won't work because there is a chain
name collision on 'net2dmz'.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
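The following is an added illustration written for this thread, not Shorewall's own compiler code. It models only what the two messages above state for the FORWARD section with ACCOUNTING_TABLE=filter: the chain named in ACTION is created, a jump to it is added from the chain in the CHAIN column (or from the section's default chain, accountfwd, when CHAIN is "-"), SOURCE and DESTINATION become "-i" and "-o" interface matches, and an ACTION chain whose name is already taken by a zone-pair chain is rejected. The two accounting snippets embedded in it are constructed from the thread: the one as posted (which reverses the interfaces) and a corrected version, where "net2dmz" is assumed to mean traffic entering on eth0 (net) and leaving on eth1 (dmz).

```python
"""Model of how a Shorewall accounting entry expands into iptables rules.

Added example for this thread; it is not Shorewall's implementation. Only the
FORWARD section is modelled, because that is the only section the thread
shows the default chain name for.
"""
from dataclasses import dataclass

# Default parent chain per SECTION, as shown in the generated ruleset above.
DEFAULT_CHAIN = {"FORWARD": "accountfwd"}

# Constructed input: the accounting file exactly as posted in the thread.
POSTED_ACCOUNTING = """
SECTION FORWARD
dmz_fwd - - eth1
net2dmz dmz_fwd eth0
"""

# Constructed input: the same intent with SOURCE/DEST the right way round
# (assumption: net2dmz should count traffic coming in on eth0, out on eth1).
CORRECTED_ACCOUNTING = """
SECTION FORWARD
dmz_fwd - eth0 -
net2dmz dmz_fwd - eth1
"""


@dataclass
class Entry:
    action: str          # ACTION column: chain to create and jump to
    chain: str = "-"     # CHAIN column: where the jump is inserted
    source: str = "-"    # SOURCE column: matched with -i
    dest: str = "-"      # DESTINATION column: matched with -o


def parse_accounting(text):
    """Parse the whitespace-separated accounting format into (section, Entry)."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if fields[0] == "SECTION":
            section = fields[1]
            continue
        if section is None:
            raise ValueError("entry before any SECTION line: %r" % line)
        fields += ["-"] * (4 - len(fields))   # missing trailing columns mean '-'
        entries.append((section, Entry(*fields[:4])))
    return entries


def compile_rules(entries, zone_chains=()):
    """Return (declared_chains, rules) in iptables-restore syntax.

    zone_chains lists chain names already used by zone-pair rules in the
    filter table; an ACTION chain colliding with one is an error, which is
    the 'net2dmz' collision Tom points out.
    """
    chains, rules = [], []
    for section, e in entries:
        default = DEFAULT_CHAIN.get(section)
        if default is None:
            raise ValueError("section %s is not modelled here" % section)
        if default not in chains:
            chains.append(default)
            rules.append("-A %s -j %s" % (section, default))
        if e.action in zone_chains:
            raise ValueError("chain name collision on %r" % e.action)
        if e.action not in chains:
            chains.append(e.action)               # step 1: the chain is created
        parent = e.chain if e.chain != "-" else default   # steps 2/3: jump origin
        match = ""
        if e.source != "-":
            match += " -i %s" % e.source
        if e.dest != "-":
            match += " -o %s" % e.dest
        rules.append("-A %s%s -j %s" % (parent, match, e.action))
    return chains, rules


if __name__ == "__main__":
    for label, text in (("posted", POSTED_ACCOUNTING), ("corrected", CORRECTED_ACCOUNTING)):
        chains, rules = compile_rules(parse_accounting(text))
        print("== %s ==" % label)
        print("\n".join(":%s - [0:0]" % c for c in chains))
        print("\n".join(rules))
```

Running it shows why the posted file produced "-A accountfwd -o eth1 -j dmz_fwd": the fourth column is DESTINATION, so eth1 became an "-o" match. Passing zone_chains={"net2dmz"} reproduces the collision error for a deployment that has a "dmz" zone with ACCOUNTING_TABLE=filter.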
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel