Marco C. Coelho wrote:
> I've "upgraded" to 3.4.7 with the same results
> 
> Marco C. Coelho wrote:
>> Shorewall 3.4.2
>>
>> I have assigned suspended users on my network a private IP address in
>> the 192.168.50.0/24 range.  My Cisco router is configured to forward
>> that range to a linux web server running shorewall 3.4.2
>>
>> I want to redirect all those users to a web page at a specific ip
>> address hosted on that server.
>> In rules I have:
>>
>> REDIRECT net:192.168.50.0/24 all net:64.202.230.254

That is wrong on two levels:

a) From an IPv4 standpoint, IT WON'T WORK.

        - 192.168.50.4 sends a SYN packet addressed to 206.124.146.177
        - The firewall rewrites the destination IP address to
          64.202.230.254 and forwards the packet.
        - 64.202.230.254 gets the SYN and returns a SYN/ACK. The source
          IP address in the response is 64.202.230.254. The destination
          IP address is whatever the source IP address was in the SYN.
        - If the destination is 192.168.50.4, the packet can't be routed
        - If it is an address on the Cisco, then the Cisco won't know what
          to do with it since it won't match any connection which that
          router knows about.

b) From a Shorewall standpoint:

        - REDIRECT is used to capture packets and send them TO THE
          FIREWALL ITSELF. DNAT is used to forward the packet to another
          system.
        - The syntax of your rule is incorrect for both REDIRECT and
          DNAT; given that you are running Shorewall 3, that results in
          an invalid command being given to iptables.

>>
>> It runs through the check without error

You *really* should consider an upgrade to Shorewall 4 and
Shorewall-perl. It catches almost all configuration errors during
'check' and 'compile'.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
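As an added illustration (not part of Tom's reply and not taken from the Shorewall documentation), here is the rule in the two forms Tom distinguishes, laid out in the column order of the Shorewall 3.4 /etc/shorewall/rules file. It assumes that the suspended users' traffic reaches the firewall through the interface in the `net` zone, as in the original rule; that the block page is served on port 80 of the firewall itself (the REDIRECT case); and that 10.0.0.5 is a hypothetical host in the `loc` zone for the DNAT case. The port numbers and that address are assumptions, not values from the thread.

```shorewall
#ACTION    SOURCE                 DEST            PROTO   DEST PORT(S)
#
# Original rule from the thread. With the columns above, "all" lands in
# DEST and "net:64.202.230.254" lands in PROTO, which is neither valid
# REDIRECT nor valid DNAT syntax; Shorewall 3 passes it on to iptables
# more or less as written.
#REDIRECT  net:192.168.50.0/24    all net:64.202.230.254
#
# REDIRECT: capture the suspended users' HTTP and hand it to a port on
# the firewall itself (assumed: port 80, where the local web server
# listens). Replies come from the firewall's own address, so the return
# path is the same as for any other connection to the firewall.
REDIRECT   net:192.168.50.0/24    80              tcp     80
#
# DNAT: forward to a different host instead. That host must be one the
# firewall can route to, and its replies must come back through the
# firewall so that the NAT can be undone; an arbitrary Internet address
# fails both tests, as described above. 10.0.0.5 is a hypothetical host
# in the loc zone, not an address from the thread.
#DNAT      net:192.168.50.0/24    loc:10.0.0.5    tcp     80
```

After editing, run `shorewall check` and then `shorewall restart`; `shorewall show nat` displays the resulting nat-table entries, where the REDIRECT form appears with `--to-ports` and the DNAT form with `--to-destination`. Two caveats for the block-page use case: the browser still sends the Host header of the site it tried to reach, so the web server on the firewall must answer with the block page for any Host (a default or catch-all virtual host), and only plain HTTP can be captured this way, since a redirected HTTPS connection would present a certificate for the wrong name.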
