2 Mar 2004 16:17
Re: rules and masq order
Tom Eastep <teastep <at> shorewall.net>
2004-03-02 15:17:37 GMT
On Tuesday 02 March 2004 02:30 am, Marius Stan wrote:
> Self follow-up:
>
> Marius Stan wrote:
> > Hello,
> > [pretty much crap here]
> >
> > Thanks,
> > Marius
>
> I managed to block all traffic _except_ http; here are the relevant rules:
>
> DROP:info loc:192.168.0.1 net all
> REDIRECT:info loc 3128 tcp www
>

Because the second rule generates two netfilter rules -- one to REDIRECT the request and one to ACCEPT the redirected request. The REDIRECT rule is executed before your DROP rule.

You need:

DROP:info loc:192.168.0.1 net all
DROP:info loc:192.168.0.1 $FW:3128 tcp www
REDIRECT:info loc 3128 tcp www

or:

DROP:info loc:192.168.0.1 net all
REDIRECT:info loc:!192.168.0.1 3128 tcp www

If you look at the diagram at http://shorewall.net/NetfilterOverview.html this should become clearer to you.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
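As an added illustration (not code from the thread or from Shorewall itself), here is a small Python model of Tom's explanation: each rule is expanded into its nat and filter entries, nat runs before filter, and the first match wins in each table. The firewall zone name "$FW", the service name "www" = 80, the constructed sample packet, and the convention that a port given in DEST is matched against the post-redirect port while the PORT column is matched against the original request port are assumptions of this model.

```python
FW = "$FW"                     # assumed name of the firewall's own zone
PORTS = {"www": 80}            # service name used in the thread

def parse_host(spec):          # 'loc:192.168.0.1' -> ('loc', '192.168.0.1'); 'net' -> ('net', None)
    zone, _, qual = spec.partition(":")
    return zone, (qual or None)

def port_of(spec):             # 'all'/'-'/None -> any; 'www' -> 80; '3128' -> 3128
    return None if spec in (None, "all", "-") else PORTS.get(spec) or int(spec)

def matches(m, src_ip, szone, proto, orig_port, cur_port):
    """m = (zone, ip spec or '!ip', proto, original dport, current dport); None = any."""
    rz, rip, rproto, rorig, rcur = m
    ip_ok = rip is None or (src_ip != rip[1:] if rip.startswith("!") else src_ip == rip)
    return (rz == szone and ip_ok and rproto in ("all", proto)
            and rorig in (None, orig_port) and rcur in (None, cur_port))

def expand(rules):
    """Each Shorewall rule becomes nat and/or filter entries; first match wins per table."""
    nat, filt = [], []
    for action, source, dest, proto, port in rules:
        action = action.split(":")[0]                   # strip the ':info' log level
        szone, sip = parse_host(source)
        if action == "REDIRECT":                        # two netfilter rules, as Tom says:
            to = int(dest)
            nat.append(((szone, sip, proto, port_of(port), None), to))          # REDIRECT
            filt.append(((szone, sip, proto, port_of(port), to), FW, "ACCEPT"))  # ACCEPT redirected
        else:
            dzone, dport = parse_host(dest)
            filt.append(((szone, sip, proto, port_of(port), port_of(dport)), dzone, action))
    return nat, filt

def verdict(pkt, rules):
    """pkt = (src_ip, src_zone, dst_zone, proto, dport); nat runs before filter."""
    src_ip, szone, dzone, proto, dport = pkt
    orig, (nat, filt) = dport, expand(rules)
    for m, to_port in nat:
        if matches(m, src_ip, szone, proto, orig, dport):
            dzone, dport = FW, to_port                  # redirected before any DROP is seen
            break
    for m, rdz, action in filt:
        if rdz == dzone and matches(m, src_ip, szone, proto, orig, dport):
            return action
    return "POLICY"                                     # unmatched: zone policy decides

BROKEN = [("DROP:info", "loc:192.168.0.1", "net", "all", "all"),
          ("REDIRECT:info", "loc", "3128", "tcp", "www")]
FIXED_A = [BROKEN[0], ("DROP:info", "loc:192.168.0.1", "$FW:3128", "tcp", "www"), BROKEN[1]]
FIXED_B = [BROKEN[0], ("REDIRECT:info", "loc:!192.168.0.1", "3128", "tcp", "www")]
HTTP = ("192.168.0.1", "loc", "net", "tcp", 80)        # constructed sample packet
```

With Marius's two rules, verdict(HTTP, BROKEN) returns "ACCEPT" because the redirected request no longer has "net" as its destination zone when the DROP rule is evaluated; both of Tom's rulesets return "DROP" for the same packet while still proxying other hosts.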