
IPTables / Shorewall.

Hello All,

I have a doubt about converting some iptables rules to shorewall. I have a setup with $FW, loc, net in my rules file. I want to implement the following rule to use with IMSpector; I tried to find something equivalent but no luck...

iptables -t nat -A OUTPUT -p tcp --destination-port 1863 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667

So if anyone can help I will be grateful!!!

Best regards,
Arnaldo Giacomitti Junior

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
Tom Eastep | 1 Feb 21:52

Re: IPTables / Shorewall.

On Wed, 2012-02-01 at 16:58 -0200, Arnaldo Giacomitti Junior wrote:
> Hello All,
> 
> 
> I have a doubt about converting some iptables rules to shorewall. I
> have a setup with $FW, loc, net in my rules file. I want to implement
> the following rule to use with IMSpector; I tried to find something
> equivalent but no luck...
> 
> 
> iptables -t nat -A OUTPUT -p tcp --destination-port 1863 -m owner
> --uid-owner 100 -j REDIRECT --to-ports 16667
> 
> 
> So if anyone can help I will be grateful!!!

In /etc/shorewall/rules:

	#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
	#					PORT(S)	PORT(S)	DEST		LIMIT	GROUP
	REDIRECT-	$FW	16667	tcp	1863	-	-		-	100

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Angela Williams | 2 Feb 12:36

Shorewall and IMQ

Hi All
There is a little bit in the archive about shorewall and IMQ:
http://www.mail-archive.com/shorewall-users <at> lists.sourceforge.net/msg08109.html
where Pablo gave a bit of info about putting the bits needed into the init 
script and the shorewall start and stop files.

The same site that I will be converting to shorewall currently runs a brute 
force ingress script using IMQ. It basically just throws away packets if they 
exceed a configured bandwidth. It also gives a bit of priority to ssh, https, 
vnc and nagios traffic and really works well. I used the howto at
http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
plus a few extra tweaks. 

What are the chances of keeping my IMQ stuff? 

Okay, I know that IMQ is not in the kernel or in iptables either and both need 
to be patched. Even with Gentoo emerge this is quite easy with iptables. I 
just manually run ebuild.

IMQ has had its ups and downs but the dev guys seem quite on the ball 
currently. Patches for the latest 3.1.x kernel as well as the latest iptables.
The only reason I seem to have read about, a few years back, was a personality clash that 
resulted in IMQ becoming a black sheep. Black sheep or not it works like a 
wiz.

Cheers
Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Jesus Loves You!

Angela Williams | 2 Feb 12:41

Re: Shorewall and sshdfilter

Hi All

On Tuesday 31 January 2012 at 17:50 Tom Eastep :-

> On Tue, 2012-01-31 at 15:03 +0200, Angela Williams wrote:
> > At a guess I would start with the actions file to add a rule but adding
> > the SSHD table is another whole story!
> > 
> > Any ideas anyone! Crack this one and Shorewall will go back into all my
> > customers! My old script is past its sell-by date!
> 
> In /etc/shorewall/compile:

I should have asked this question a few days back.
Any documentation on the compile file? I would guess that it affects the perl 
compiler to add the extra stuff.

Cheers

Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Jesus Loves You!

Tom Eastep | 2 Feb 15:26

Re: Shorewall and IMQ

On 02/02/2012 03:36 AM, Angela Williams wrote:

> 
> What are the chances of keeping my IMQ stuff? 
> 

The commands shown in Pablo's email should still work.

Regards,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 2 Feb 15:29

Re: Shorewall and sshdfilter

On 02/02/2012 03:41 AM, Angela Williams wrote:
> On Tuesday 31 January 2012 at 17:50 Tom Eastep :-
> 
>> On Tue, 2012-01-31 at 15:03 +0200, Angela Williams wrote:
>>> At a guess I would start with the actions file to add a rule but adding
>>> the SSHD table is another whole story!
>>>
>>> Any ideas anyone! Crack this one and Shorewall will go back into all my
>>> customers! My old script is past its sell-by date!
>>
>> In /etc/shorewall/compile:
> 
> I should have asked this question a few days back.
> Any documentation on the compile file? I would guess that it affects the perl 
> compiler to add the extra stuff.

See: http://www.shorewall.net/ManualChains.html. There is also a bit of
information in http://www.shorewall.net/shorewall_extension_scripts.htm.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Angela Williams | 2 Feb 15:45

Re: Shorewall and IMQ

Hi All

On Thursday 02 February 2012 at 16:26 Tom Eastep :-

> On 02/02/2012 03:36 AM, Angela Williams wrote:
> > What are the chances of keeping my IMQ stuff?
> 
> The commands shown in Pablo's email should still work.

Thanks Tom!

I will post my results once I have it up and running. I will get the basics 
done first and then add the extras: OpenVPN and IMQ. OpenVPN seems to be a no 
brainer really. My old script largely ignored it and just made tun+ part of 
the local LAN. The only security was routes on the Windows boxes the raidwarriors 
needed access to, Baan/SSA and Exchange.

Cheers

Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Jesus Loves You!


Re: IPTables / Shorewall.

Thanks Tom!

Also, can I use:

REDIRECT-       $FW:192.168.0.232     16667   tcp     1863    -       -               -       100

to redirect just one machine?

Best regards,
Arnaldo.



On Wed, Feb 1, 2012 at 18:52, Tom Eastep <teastep <at> shorewall.net> wrote:
On Wed, 2012-02-01 at 16:58 -0200, Arnaldo Giacomitti Junior wrote:
> Hello All,
>
>
> I have a doubt about converting some iptables rules to shorewall. I
> have a setup with $FW, loc, net in my rules file. I want to implement
> the following rule to use with IMSpector; I tried to find something
> equivalent but no luck...
>
>
> iptables -t nat -A OUTPUT -p tcp --destination-port 1863 -m owner
> --uid-owner 100 -j REDIRECT --to-ports 16667
>
>
> So if anyone can help I will be grateful!!!

In /etc/shorewall/rules:

       #ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
       #                                       PORT(S) PORT(S) DEST            LIMIT   GROUP
       REDIRECT-       $FW     16667   tcp     1863    -       -               -       100

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



Angela Williams | 2 Feb 16:02

Re: Shorewall and sshdfilter

Hi All

On Thursday 02 February 2012 at 16:29 Tom Eastep :-

> On 02/02/2012 03:41 AM, Angela Williams wrote:
> > On Tuesday 31 January 2012 at 17:50 Tom Eastep :-
> > 
> >> On Tue, 2012-01-31 at 15:03 +0200, Angela Williams wrote:
> >>> At a guess I would start with the actions file to add a rule but adding
> >>> the SSHD table is another whole story!
> >>> 
> >>> Any ideas anyone! Crack this one and Shorewall will go back into all my
> >>> customers! My old script is past its sell-by date!
> >> 
> >> In /etc/shorewall/compile:
> > I should have asked this question a few days back.
> > Any documentation on the compile file? I would guess that it affects the
> > perl compiler to add the extra stuff.
> 
> See: http://www.shorewall.net/ManualChains.html. There is also a bit of
> information in http://www.shorewall.net/shorewall_extension_scripts.htm.

Thanks again Tom.

A new project is always information overload.
The documentation is really great.

Sort of reminds me of SCO Xenix and tcp networking. Information overload it 
was.

Cheers

Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Jesus Loves You!

Tom Eastep | 2 Feb 16:17

Re: IPTables / Shorewall.

On Thu, 2012-02-02 at 12:59 -0200, Arnaldo Giacomitti Junior wrote:

> Also, can I use:
> 
> 
> REDIRECT-       $FW:192.168.0.232     16667   tcp     1863    -       -               -       100
> 

To redirect only traffic addressed *to* 192.168.0.232, you would use:

       #ACTION         SOURCE  	DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
       #                                       	PORT(S) PORT(S) DEST            LIMIT   GROUP
       REDIRECT-	$FW	16667	tcp	1863	-	192.168.0.232	-	100

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
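As an added example (not from this thread or from Shorewall itself), a small Python translator that maps an iptables nat OUTPUT REDIRECT rule like Arnaldo's onto the /etc/shorewall/rules columns Tom shows above, including the point of this last exchange: a `-d` address belongs in the ORIGINAL DEST column, not appended to the SOURCE. The column layout and the `$FW` source follow Tom's rules; the function name and the ValueError handling for anything outside that pattern are my own.

```python
import shlex

# Column order of /etc/shorewall/rules after ACTION, as in Tom's example:
# SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) ORIGINAL-DEST RATE-LIMIT USER/GROUP
COLUMNS = ("SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST", "RATE", "USER")


def iptables_redirect_to_shorewall(cmd):
    """Translate one `iptables -t nat -A OUTPUT ... -j REDIRECT` command into
    the equivalent tab-separated /etc/shorewall/rules line.  Only the nat
    OUTPUT chain (locally generated traffic, SOURCE $FW) is handled; any
    unknown option raises ValueError rather than emitting a rule that quietly
    matches different traffic than the original."""
    args = shlex.split(cmd)
    if args[:3] != ["iptables", "-t", "nat"]:
        raise ValueError("not a nat-table rule")
    fields = {c: "-" for c in COLUMNS}
    fields["SOURCE"] = "$FW"        # OUTPUT chain == traffic from the firewall itself
    fields["DEST"] = None           # filled from --to-ports; mandatory for REDIRECT
    chain = target = None
    i = 3
    while i < len(args):
        opt, val = args[i], (args[i + 1] if i + 1 < len(args) else None)
        if opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt == "-m":
            pass                    # match module name (tcp, owner); no column of its own
        elif opt == "-p":
            fields["PROTO"] = val
        elif opt in ("--dport", "--destination-port"):
            fields["DPORT"] = val
        elif opt in ("--sport", "--source-port"):
            fields["SPORT"] = val
        elif opt == "-d":
            fields["ORIGDEST"] = val    # -d is the ORIGINAL DEST column, not part of SOURCE
        elif opt == "--uid-owner":
            fields["USER"] = val        # USER/GROUP column
        elif opt == "--to-ports":
            fields["DEST"] = val
        else:
            raise ValueError("unsupported option: %s" % opt)
        i += 2
    if chain != "OUTPUT" or target != "REDIRECT":
        raise ValueError("only OUTPUT-chain REDIRECT rules are handled")
    if fields["DEST"] is None:
        raise ValueError("REDIRECT needs --to-ports")
    return "\t".join(["REDIRECT-"] + [fields[c] for c in COLUMNS])
```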
