[Firehol-support] src/dst include/exclude
Costa Tsaousis
costa at tsaousis.gr
Fri Jun 1 23:45:15 BST 2007
Daniel L. Miller wrote:
> Costa Tsaousis wrote:
>
>> Daniel L. Miller wrote:
>>
>>> Is there a way to specify "all but one" in a src / dst parameter?
>>> Something like "src not 192.168.0.73 src 192.168.0.0/24"?
>>>
>> group with src 192.168.0.0/24
>> server smtp accept src not 192.168.0.73
>> group end
>>
>> or
>>
>> group with src 192.168.0.0/24
>> group with src not 192.168.0.73
>> server smtp accept
>> server imap accept
>> ...
>> group end
>> group end
>>
>> Costa
>>
> Sorry, should have been more specific - I wanted to do this with a
> helper. Something like
> transparent_proxy "80" 8080 "root proxy" inface not eth2 src
> "192.168.0.0/24" not "192.168.0.71 192.168.0.72 192.168.0.73"
>
> This is supposed to mean, "Proxy from port 80 to port 8080, when the
> request did not come from interface eth2 (eth2 is the internet), for any
> legal address in my subnet 192.168.0.0/24 - except for HTTP requests
> from the internal Squid server's three addresses".
>
Well,

CASE 1:

mark 1 PREROUTING src "192.168.0.71 192.168.0.72 192.168.0.73" proto tcp dport 80
transparent_proxy 80 8080 "root proxy" inface not eth2 src "192.168.0.0/24" mark not 1

Never tested it, but I guess it should work (I am not sure about PREROUTING above - the idea is that you have to mark the traffic to exclude before the transparent proxy, and have the transparent proxy ignore marked traffic).
CASE 2:

LanIpsWithoutProxies="192.168.0.0/26 192.168.0.64/30 192.168.0.68/31 192.168.0.70 192.168.0.74/31 192.168.0.76/30 192.168.0.80/28 192.168.0.96/27 192.168.0.128/25"
transparent_proxy 80 8080 "root proxy" inface not eth2 src "$LanIpsWithoutProxies"

It is not the best way, but should work no matter what.
The list of IPs has been produced by "aggregate", with this script:

(
    # emit every host of 192.168.0.0/24 as a /32, skipping the three proxy addresses,
    # and let aggregate merge the remaining hosts into the fewest CIDR blocks
    for x in $(seq 0 255)
    do
        test "$x" -eq 71 && continue
        test "$x" -eq 72 && continue
        test "$x" -eq 73 && continue
        echo "192.168.0.$x/32"
    done
) | aggregate
Costa
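The same CIDR complement that the aggregate pipeline in CASE 2 computes, as an added Python example (not FireHOL code and not the list author's script): it removes the three proxy addresses from the subnet with the standard library's ipaddress module, collapses what remains, and formats the result as the LanIpsWithoutProxies assignment.

```python
"""Compute a subnet minus a few hosts as aggregated CIDR blocks.

Added example for the FireHOL thread above: reproduces what the
"aggregate" pipeline produces for CASE 2, using only the standard library.
"""
from __future__ import annotations

import ipaddress


def subnet_without(subnet: str, excluded: list[str]) -> list[str]:
    """Return the CIDR blocks covering `subnet` with every host in `excluded` removed."""
    net = ipaddress.ip_network(subnet, strict=True)
    hosts = [ipaddress.ip_network(h) for h in excluded]  # a bare address is a /32
    for h in hosts:
        if not h.subnet_of(net):
            raise ValueError(f"{h} is not inside {net}")
    remaining = [net]
    for h in hosts:
        # address_exclude() splits each block that contains h into the largest
        # CIDRs that do not include h; blocks not containing h are kept as-is
        still_remaining = []
        for block in remaining:
            if h.subnet_of(block):
                still_remaining.extend(block.address_exclude(h))
            else:
                still_remaining.append(block)
        remaining = still_remaining
    # collapse_addresses() merges adjacent blocks back together, like aggregate
    out = []
    for b in ipaddress.collapse_addresses(remaining):
        # aggregate prints single hosts without the /32 suffix; do the same
        out.append(str(b.network_address) if b.num_addresses == 1 else str(b))
    return out


def firehol_variable(name: str, blocks: list[str]) -> str:
    """Format the blocks as the shell variable assignment used in the mail."""
    return f'{name}="{" ".join(blocks)}"'


if __name__ == "__main__":
    proxies = ["192.168.0.71", "192.168.0.72", "192.168.0.73"]
    blocks = subnet_without("192.168.0.0/24", proxies)
    print(firehol_variable("LanIpsWithoutProxies", blocks))
```

Because every excluded host is checked against the subnet first, a typo that names an address outside 192.168.0.0/24 fails loudly instead of silently leaving the proxy addresses inside the source list.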