Tom Eastep | 2 Mar 16:17 2004

Re: rules and masq order

On Tuesday 02 March 2004 02:30 am, Marius Stan wrote:
> Self follow-up:
>
> Marius Stan wrote:
> > Hello,
>
> [pretty much crap here]
>
> > Thanks,
> > Marius
>
> I managed to block all traffic _except_ http; here are the relevant rules:
>
> DROP:info       loc:192.168.0.1   net    all
> REDIRECT:info   loc               3128   tcp   www
>

Because the second rule generates two netfilter rules -- one to REDIRECT the 
request and one to ACCEPT the redirected request. The REDIRECT rule is 
executed before your DROP rule.

You need:

DROP:info       loc:192.168.0.1   net        all
DROP:info       loc:192.168.0.1   $FW:3128   tcp   www
REDIRECT:info   loc               3128       tcp   www

or:

DROP:info       loc:192.168.0.1    net    all
REDIRECT:info   loc:!192.168.0.1   3128   tcp   www

If you look at the diagram at http://shorewall.net/NetfilterOverview.html this 
should become clearer to you.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
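As an added illustration (not part of the thread and not Shorewall's own code): a small Python model of the expansion described above, in which a REDIRECT rule becomes a nat rule plus a filter ACCEPT for the rewritten packet, and the filter chain only ever sees the packet after nat has run. It assumes a constructed loc zone of 192.168.0.0/24, a constructed firewall address 192.168.0.254, and simplifies `$FW:port` to "the firewall at that rewritten port"; it shows that the original two rules let 192.168.0.1's web request through, while both suggested rule sets drop it.

```python
LOC_PREFIX = "192.168.0."   # constructed: the 'loc' zone is 192.168.0.0/24
FW_ADDR = "192.168.0.254"   # constructed: the firewall's address in loc
PORTS = {"www": 80, "all": None}  # None = any port

def _zone_match(spec, addr):
    """Match loc, loc:1.2.3.4, loc:!1.2.3.4 or net against an address."""
    zone, _, host = spec.partition(":")
    in_loc = addr != FW_ADDR and addr.startswith(LOC_PREFIX)
    if zone == "net":
        return addr != FW_ADDR and not in_loc
    if not in_loc:
        return False
    return addr != host[1:] if host.startswith("!") else (not host or addr == host)

def expand(rules):
    """(ACTION, SOURCE, DEST, PROTO, DEST PORT) -> ordered nat and filter lists."""
    nat, filt = [], []
    for action, src, dst, proto, dport in rules:
        if action == "REDIRECT":  # one nat rule rewriting the port, one ACCEPT for the result
            nat.append((src, proto, PORTS.get(dport, dport), int(dst)))
            filt.append(("ACCEPT", src, "$FW:" + dst, proto, None))
        else:
            filt.append((action, src, dst, proto, PORTS.get(dport, dport)))
    return nat, filt

def _filter_match(rule, pkt):
    _, src, dst, proto, dport = rule
    if dst.startswith("$FW"):  # model: '$FW:port' means the firewall at that (rewritten) port
        port = dst.partition(":")[2]
        dst_ok, dport = pkt["dst"] == FW_ADDR and (not port or pkt["dport"] == int(port)), None
    else:
        dst_ok = _zone_match(dst, pkt["dst"])
    return (_zone_match(src, pkt["src"]) and dst_ok
            and proto in ("all", pkt["proto"]) and dport in (None, pkt["dport"]))

def verdict(rules, pkt):
    """nat runs first and may rewrite dst; filter then judges the rewritten packet."""
    nat, filt = expand(rules)
    pkt = dict(pkt)
    for src, proto, dport, to_port in nat:
        if _zone_match(src, pkt["src"]) and (proto, dport) == (pkt["proto"], pkt["dport"]):
            pkt["dst"], pkt["dport"] = FW_ADDR, to_port
            break
    for rule in filt:
        if _filter_match(rule, pkt):
            return rule[0], f'{pkt["dst"]}:{pkt["dport"]}'
    return "POLICY", f'{pkt["dst"]}:{pkt["dport"]}'  # no rule matched; zone policy decides

BROKEN = [("DROP", "loc:192.168.0.1", "net", "all", "all"), ("REDIRECT", "loc", "3128", "tcp", "www")]
FIX_A = [BROKEN[0], ("DROP", "loc:192.168.0.1", "$FW:3128", "tcp", "www"), BROKEN[1]]
FIX_B = [BROKEN[0], ("REDIRECT", "loc:!192.168.0.1", "3128", "tcp", "www")]
PKT = {"src": "192.168.0.1", "dst": "203.0.113.5", "proto": "tcp", "dport": 80}  # constructed
```

`verdict(BROKEN, PKT)` returns ACCEPT at 192.168.0.254:3128 because the DROP's `net` destination no longer matches once nat has pointed the packet at the firewall; `verdict(FIX_A, PKT)` and `verdict(FIX_B, PKT)` both return DROP.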

