Glad we could help you.
Thanks Dominic, I just had a big "duh" moment regarding original dest.
On Oct 11, 2013 12:39 AM, "Brian Burch" <[email protected]> wrote:
> I'm in the UK and have been asleep, so I apologise if it seems I was
> ignoring your suggestions.
>
> This post should bring everyone up to date, but it means I will have to
> top-post so that my reply makes chronological sense.
>
> 1. I've been there before, but I reconfigured like this:
>
> REDIRECT loc 8080 tcp 80
>
> Yes, this properly intercepts request to port 80 and sends them to the
> web server running on the firewall and listening to port 8080.
>
> No good though, because REDIRECT is completely indiscriminate... ANY
> port 80 connection from the loc zone to ANY host in the net zone will be
> sent to port 8080 on the firewall. This is what REDIRECT does, but not
> what I need - it is FAR too blunt an instrument.
>
> 2. I don't know how to use the ORIGINAL DEST in my situation, because I
> ONLY want to catch port 80 connections to one of the firewall
> interfaces, while allowing all legitimate web traffic through for
> masquerading.
>
> 3. Qualifying the SOURCE, e.g. "loc:10.1.252.200" isn't really relevant
> in my case, because my "fake" web server would let me know whether I
> have more than one trusted host that is misbehaving.
>
> 4. I really need to specify the ORIGINAL DEST as either $FW, or the
> specific address of the ip address used by the firewall for its snat
> traffic. I tried this:
>
> REDIRECT loc 8080 tcp 80 -
> 217.154.193.215
>
> and was surprised to discover it works the way I wanted - I /thought/I
> had tried it before, but must have made a mistake.
>
> This rule properly intercepts the rogue traffic from any host in the loc
> zone, while masquerading all port 80 datagrams sent to the new zone.
>
> Not surprisingly, I could also use my symbolic from the params file:
> REDIRECT loc 8080 tcp 80 -
> $INTERNET_CLIENTS
>
> 5. Just to learn more, I tried to intercept port 80 requests to ANY of
> the firewall ip addresses, like this:
>
> REDIRECT loc 8080 tcp 80 -
> $FW
>
> but it would not compile:
> ERROR: Unknown Interface (fw) /etc/shorewall/rules (line 132)
>
> 6. I tried adding the firewall's safe lan interface:
> REDIRECT loc 8080 tcp 80 -
> $INTERNET_CLIENTS,eth1
>
> but that would not compile:
> WARNING: Ipset eth1 does not exist /etc/shorewall/rules (line 138)
> ERROR: Unknown Host (eth1) /etc/shorewall/rules (line 138)
>
> ... so I defined another param for that interface, which works fine:
> REDIRECT loc 8080 tcp 80 -
> $INTERNET_CLIENTS,$FW_ETH1
>
>
> To summarise, rules 4a and 4b work for me. Thanks very much for your
> help, Johnny and Dominic.
>
> Regards,
>
> Brian
>
>
> On 10/10/13 20:45, johnny bowen wrote:
> > Dominic,
> >
> > With the orginal destination column you can restrict the scope of
> > 'traffic to', not 'traffic from'. In his case he's looking to trap some
> > packets from 'traffic from' .
> >
> > I think the following example explains it better:
> >
> > Example 5:
> > All http requests from the internet to address 130.252.100.69 are to be
> > forwarded to 192.168.1.3
> >
> > #ACTION SOURCE DEST PROTO DEST SOURCE
> ORIGINAL
> > # PORT PORT(S) DEST
> > DNAT net loc:192.168.1.3 tcp 80 -
> 130.252.100.69
> >
> >
> >
> > On Thu, Oct 10, 2013 at 11:18 AM, Dominic Benson <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >
> > > On 10 Oct 2013, at 18:52, Brian Burch <[email protected]
> > <mailto:[email protected]>> wrote:
> > >
> > >> On 10/10/13 17:55, johnny bowen wrote:
> > >> REDIRECT net 22 tcp 902
> > >
> > > Thanks for thinking about it Johnny, but I said in my first post
> > that I
> > > couldn't make REDIRECT work in my situation.
> >
> > Isn't it possible to restrict the scope of the redirect using the
> > ORIGINAL_DEST column - e.g.:
> >
> > REDIRECT loc 80 tcp 8080 - 1.2.3.4
> >
> > (I haven't tried, so I may be off here)
> >
> >
> >
> ------------------------------------------------------------------------------
> > October Webinars: Code for Performance
> > Free Intel webinars can help you accelerate application performance.
> > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
> > most from
> > the latest Intel processors and coprocessors. See abstracts and
> > register >
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Shorewall-users mailing list
> > [email protected]
> > <mailto:[email protected]>
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > October Webinars: Code for Performance
> > Free Intel webinars can help you accelerate application performance.
> > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> > the latest Intel processors and coprocessors. See abstracts and register
> >
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> >
> >
> >
> > _______________________________________________
> > Shorewall-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> >
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
