[Shorewall-users] shorewall ipset hash:net
Vieri Di Paola
2017-05-17 10:06:43 UTC
Hi,

I've created ipsets to filter outgoing connections with shorewall.

I ran this:
ipset create OUT_WL hash:net timeout 0

and added networks to it. For instance, for "LocalTel Communications":

63.135.48.0/20
63.142.208.0/20
66.172.96.0/19
96.46.16.0/20
173.209.160.0/20
199.36.88.0/21
199.244.28.0/22
206.130.128.0/20

On the shorewall firewall the policy is to drop everything from LAN to Internet and allow outgoing HTTP/S traffic (web browsing) for all but ONLY if the DST address is in an ipset (OUT_WL).

These are the rules:

ACCEPT loc:10.215.144.0/22 net1:+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22 net2:+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22 net3:+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22 net4:+OUT_WL,+OUT_MANUAL_WL all

I'm trying to access www.shorewall.net on port 80 (63.135.54.24) from a LAN host behind Shorewall (10.215.144.48).
It's not working even though I'm expecting it should because 63.135.48.0/20 is within the ipset.

I'm attaching a shorewall dump while trying to connect from 10.215.144.48 to 63.135.54.24:80.

Are hash:net ipsets unsupported?

Thanks,

Vieri
Vieri Di Paola
2017-05-17 10:40:56 UTC
Hi,

Regarding my previous post, I was under the assumption that an ACCEPT rule was terminating. It doesn't seem to be so. So if I REDIRECT after an ACCEPT, the connection will be redirected.

So now my ipset with IP network addresses works as expected.

Sorry,

Vieri
Tom Eastep
2017-05-17 16:18:24 UTC
Post by Vieri Di Paola
Hi,
Regarding my previous post, I was under the assumption that an
ACCEPT rule was terminating. It doesn't seem to be so. So if I
REDIRECT after an ACCEPT, the connection will be redirected.
ACCEPT *is* terminating, but you need to keep in mind how Netfilter
processes packets (http://www.shorewall.org/NetfilterOverview.html).

REDIRECT and DNAT occur in the PREROUTING chain of the nat table,
while ACCEPT occurs in the INPUT, OUTPUT and FORWARD chains of the
filter table. As a consequence, even though a REDIRECT or DNAT rule
follows an ACCEPT rule in your rules file, the nat PREROUTING rule
will *always* be processed before the ACCEPT rule.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
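The chain order Tom describes, modelled in Python as an added example (not code from the thread or from Shorewall): the OUT_WL networks, the LAN host and the destination come from the thread, while FIREWALL_IP, the rule-tuple layout and the REDIRECT of port 80 to a local proxy on 3128 are assumptions made for the illustration.

```python
import ipaddress

# ipset OUT_WL (hash:net) holding the LocalTel networks from the first post.
OUT_WL = [ipaddress.ip_network(n) for n in (
    "63.135.48.0/20", "63.142.208.0/20", "66.172.96.0/19", "96.46.16.0/20",
    "173.209.160.0/20", "199.36.88.0/21", "199.244.28.0/22", "206.130.128.0/20")]
FIREWALL_IP = "10.215.144.1"   # assumed LAN-side address of the firewall

def in_set(ip, nets):
    """hash:net lookup: the address matches if any stored network contains it."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

# Table:chain into which Shorewall compiles each action for loc -> net traffic.
PLACEMENT = {"ACCEPT": "filter:FORWARD",
             "REDIRECT": "nat:PREROUTING", "DNAT": "nat:PREROUTING"}

def run_chain(chain, rules, dst, dport):
    """Evaluate the rules compiled into `chain` in rules-file order; first match
    wins. A rule is (action, dst_ipset_or_None, dport_or_None, nat_target)."""
    for action, dst_set, port, target in rules:
        if PLACEMENT[action] != chain:
            continue                          # this rule lives in another chain
        if port is not None and port != dport:
            continue
        if dst_set is not None and not in_set(dst, dst_set):
            continue
        return action, target
    return None, None

def process(packet, rules):
    """Walk the chains in kernel order: nat PREROUTING, the routing decision,
    then filter INPUT or FORWARD. Returns (trace of hits, final dst, dport)."""
    dst, dport, trace = packet["dst"], packet["dport"], []
    action, target = run_chain("nat:PREROUTING", rules, dst, dport)
    if action == "REDIRECT":                  # packet now addressed to the firewall
        dst, dport = FIREWALL_IP, target
        trace.append("nat:PREROUTING REDIRECT")
    elif action == "DNAT":
        dst = target
        trace.append("nat:PREROUTING DNAT")
    # Routing decision: a redirected packet is local, so INPUT rather than FORWARD.
    chain = "filter:INPUT" if dst == FIREWALL_IP else "filter:FORWARD"
    action, _ = run_chain(chain, rules, dst, dport)
    trace.append(f"{chain} {action or 'no match'}")
    return trace, dst, dport

# Constructed sample: the thread's packet, plus a REDIRECT written AFTER the ACCEPT.
PACKET = {"src": "10.215.144.48", "dst": "63.135.54.24", "dport": 80}
RULES_FILE = [("ACCEPT", OUT_WL, None, None), ("REDIRECT", None, 80, 3128)]
```

With the full RULES_FILE the trace starts with the PREROUTING REDIRECT even though it is the second line of the file; with only the ACCEPT rule the same packet is accepted in FORWARD.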
Vieri Di Paola
2017-05-17 20:56:54 UTC
Post by Tom Eastep
REDIRECT and DNAT occur in the PREROUTING chain of the nat table,
while ACCEPT occurs in the INPUT, OUTPUT and FORWARD chains of the
filter table. As a consequence, even though a REDIRECT or DNAT rule
follows an ACCEPT rule in your rules file, the nat PREROUTING rule
will *always* be processed before the ACCEPT rule.
Thanks, Tom.

Vieri
