[Shorewall-users] REDIRECT after ACCEPT

Dominik Strnad litinoveweedle at quick.cz
Wed Mar 3 15:39:40 PST 2004


Hello,
I am looking for a possibility of how to handle this case.

I have 2 interfaces on my router. One is connected to the local network,
the second to the internet. I have NAT set properly. I have several
subnets in my local network.

I have some users on my local network. I generate ACCEPT rules to permit
traffic from their IP addresses to the internet. For the rest of the
non-listed IP addresses I want a redirect rule: redirect traffic originally
destined to port 80 proto TCP to the firewall itself, port 80.

I created a redirect rule. The problem is that this rule is processed in
the prerouting chain and the ACCEPT rules are processed in the forwarding
chain. It means that all traffic destined to port 80 is redirected to the
network, no matter what the source IP is.

Then I tried to exclude the permitted IPs from the redirect rule by the

 source_zone!host,host,host

syntax. Unfortunately it seems that my rule:

REDIRECT	unh!192.168.140.68/32,192.168.140.69/32,192.168.140.70/32,192.168.140.71/32,192.168.141.198/32,192.168.141.2/32,192.168.142.2/32,192.168.150.198/32,192.168.140.198/32,192.168.141.78/32,192.168.140.206/32,192.168.140.210/32,192.168.140.202/32,192.168.141.218/32,192.168.141.202/32,192.168.141.214/32,192.168.143.2/32,192.168.141.70/32,192.168.141.210/32,192.168.143.8/32,192.168.143.26/32,192.168.143.14/32,192.168.143.6/32,192.168.142.8/32,192.168.142.4/32,192.168.142.10/32,192.168.142.12/32,192.168.143.18/32,192.168.143.20/32,192.168.141.246/32,192.168.141.74/32,192.168.150.230/32,192.168.150.234/32,192.168.150.222/32,192.168.150.4/32,192.168.150.210/32,192.168.150.202/32,192.168.150.250/32,192.168.141.242/32,192.168.141.206/32,192.168.141.226/32,192.168.141.230/32,192.168.141.238/32,192.168.141.234/32,192.168.140.218/32,192.168.140.251/32,192.168.143.10/32,192.168.140.250/32,192.168.141.222/32,192.168.150.218/32,192.168.143.22/32,192.168.142.14/32,192.168.140.214/32,192.168.143.198/32,192.168.143.24/32,192.168.150.226/32	80	tcp	http	-	!192.168.140.2

won't work - it can't be processed by shorewall - probably because after
the exclusion sign (!) there should be hosts listed from the
/etc/shorewall/hosts file.
But take a look at how many IPs I need to redirect. And they are changing
dynamically. So I don't want to fill the hosts file each time.

I probably missed some elegant solution for how to handle this case. Please
can you help me to find it?

Thank you. Regards, litin
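As an added example that is not from the original post or from Shorewall: the same policy expressed directly in iptables, which is what a Shorewall REDIRECT rule compiles down to. Because the nat PREROUTING chain is evaluated before the FORWARD filter chain, the exception for permitted clients has to live in the nat path itself; here it is a private chain in which permitted addresses RETURN and everyone else is redirected, and the chain can be flushed and refilled whenever the list changes. The interface name, chain name and sample host list are assumptions; only the firewall address 192.168.140.2 comes from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of Shorewall itself.
# Builds a private nat chain: permitted LAN clients RETURN (no redirect),
# everyone else's TCP/80 traffic is redirected to the firewall's own port 80.
# The exception lives in nat/PREROUTING because that chain runs before the
# FORWARD filter chain, so an ACCEPT there can never prevent a REDIRECT.

LAN_IF="${LAN_IF:-eth0}"         # assumption: LAN-facing interface name
CHAIN="${CHAIN:-http_redirect}"  # assumption: private chain name
FW_IP="${FW_IP:-192.168.140.2}"  # the router's LAN address from the post

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the iptables commands that (re)build the chain from a whitespace-
# separated list of permitted client addresses. Output only: review it, then
# pipe into sh to apply. Re-running it with a new list replaces the old one.
gen_rules() {
    echo "iptables -t nat -N $CHAIN 2>/dev/null"
    echo "iptables -t nat -F $CHAIN"
    for host in $1; do
        if valid_ipv4 "$host"; then
            echo "iptables -t nat -A $CHAIN -s $host/32 -j RETURN"
        else
            echo "# skipped invalid address: $host"
        fi
    done
    # Unlisted clients: redirect web requests, except those aimed at the
    # firewall itself (the post's '!192.168.140.2' ORIGINAL DEST column).
    echo "iptables -t nat -A $CHAIN ! -d $FW_IP -p tcp --dport 80 -j REDIRECT --to-ports 80"
    # Hook the chain from PREROUTING exactly once (-C tests for the jump).
    echo "iptables -t nat -C PREROUTING -i $LAN_IF -p tcp --dport 80 -j $CHAIN 2>/dev/null ||" \
         "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j $CHAIN"
}

# Constructed sample list; in practice read the file that changes dynamically,
# e.g. gen_rules "$(cat /etc/permitted-hosts)".
SAMPLE_HOSTS="192.168.140.68 192.168.141.198 300.1.1.1 192.168.143.24"
if [ "${1:-}" = "--demo" ]; then
    gen_rules "$SAMPLE_HOSTS"
fi
```

Run it with `--demo` to see the generated commands; an address that fails validation is reported as a comment instead of silently becoming a rule.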
