>>>> Please help me. Can I forbid, and how, any outgoing traffic
>>>> (ping, trace) to rfc1918 networks on my external interfaces?
>>> /etc/shorewall/rules:
>>>
>>> REJECT net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 all
>>>
>>> -Tom
>>
>> Thank you Tom.
>> But I want to block traffic TO rfc1918 addresses (as destination) on
>> the external interface (as the Internet does not have them) but not from.
>
> If you really need our help to reverse the rule I posted, perhaps you should
> consider taking up another line of work.
>
> REJECT all net:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
After I applied your instruction I see that shorewall adds rules to the
'fw2net' chain:
Chain fw2net (1 references)
 pkts bytes target  prot opt in  out  source      destination
    0     0 ACCEPT  all  --  *   *    0.0.0.0/0   0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 reject  all  --  *   *    0.0.0.0/0   10.0.0.0/8
    0     0 reject  all  --  *   *    0.0.0.0/0   172.16.0.0/12
    0     0 reject  all  --  *   *    0.0.0.0/0   192.168.0.0/16
    0     0 ACCEPT  icmp --  *   *    0.0.0.0/0   0.0.0.0/0
    0     0 Reject  all  --  *   *    0.0.0.0/0   0.0.0.0/0
    0     0 LOG     all  --  *   *    0.0.0.0/0   0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:fw2net:REJECT:'
    0     0 reject  all  --  *   *    0.0.0.0/0   0.0.0.0/0
But, as before, I can traceroute or ping rfc1918 addresses from the LAN.
How can I easily discover the route of these packets through the iptables rules?
I see that 'eth2_out' (my external interface) has one reference
(fw2net):
Chain eth2_out (1 references)
 pkts bytes target  prot opt in  out  source      destination
    2   122 fw2net  all  --  *   *    0.0.0.0/0   0.0.0.0/0
And in 'fw2net' I block this traffic. Therefore, is there another way
for outgoing packets from this interface?
Alex
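
To see which chains a given packet traverses, the sketch below (an added example, not part of the original message and not Shorewall's own code) walks a constructed rule set modeled on the listings above; the LAN interface eth1 and the chains eth1_fwd and loc2net are assumed names. Packets the firewall itself sends enter at OUTPUT, while packets routed from the LAN enter at FORWARD.

```python
import ipaddress
# Constructed rules in `iptables -S` form. eth2_out and fw2net mirror the
# listings above; eth1 (LAN side), eth1_fwd and loc2net are assumed names.
RULES = """\
-A OUTPUT -o eth2 -j eth2_out
-A FORWARD -i eth1 -j eth1_fwd
-A eth2_out -j fw2net
-A eth1_fwd -o eth2 -j loc2net
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -d 10.0.0.0/8 -j reject
-A fw2net -d 172.16.0.0/12 -j reject
-A fw2net -d 192.168.0.0/16 -j reject
-A fw2net -p icmp -j ACCEPT
-A loc2net -j ACCEPT
"""

def parse(text):
    chains = {}
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] != ["-A"] or "-j" not in tok:
            continue  # skip table headers, policies and rules without a target
        rule = {"target": tok[tok.index("-j") + 1], "state": "--state" in tok}
        for flag in ("-i", "-o", "-d", "-p"):
            if flag in tok:
                rule[flag] = tok[tok.index(flag) + 1]
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    if rule["state"]:  # RELATED,ESTABLISHED never matches a NEW packet
        return False
    if any(f in rule and rule[f] != pkt.get(f) for f in ("-i", "-o", "-p")):
        return False
    dst = ipaddress.ip_address(pkt["-d"])
    return "-d" not in rule or dst in ipaddress.ip_network(rule["-d"])

def trace(chains, start, pkt):
    """Return (chains visited, verdict) for a NEW packet entering at `start`."""
    path = [start]
    def walk(chain):
        for rule in chains.get(chain, []):
            if matches(rule, pkt):
                # A target with no rules here is terminal (built-in target,
                # or Shorewall's reject chain, which is not modeled).
                if rule["target"] not in chains:
                    return rule["target"]
                path.append(rule["target"])
                verdict = walk(rule["target"])
                if verdict:
                    return verdict
    return path, walk(start) or "chain policy"
```

In this constructed rule set, a packet to 10.1.2.3 entering at OUTPUT ends in fw2net with reject, while the same destination entering at FORWARD from eth1 passes through eth1_fwd and loc2net and is accepted without ever reaching fw2net.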