[Firehol-support] redirect4 or redirect ?

Tsaousis, Costa costa at tsaousis.gr
Sat Mar 12 15:38:25 CET 2016


Tony,

the redirect command I sent you has 2 parts:

1. What to do
2. For which traffic to do it

"what to do" is this part:

redirect to 8000

"for which traffic to do it" is everything else:

ipv4 ... proto tcp dport 80 mac not "${MAC_ALLOW}"

I changed 8000 to 80, since no one is going to 8000 by default.
They normally go to port 80.

So, the action has to be port 8000 since your web server is listening
there, but the traffic has to be normal web traffic, so port 80.

Costa

On Sat, Mar 12, 2016 at 3:44 PM, Tony Peña <emperor.cu at gmail.com> wrote:
> Hi again... and sorry for insisting on this, but I tested it and it does not work...
> maybe I explained badly what I need.
>
> I have a simple network "192.168.200.0/24".
> On the firewall I serve DHCP for the clients, and with a transparent squid
> I send all traffic on 80 and 443 to squid.
> I have the MAC list in /etc/firehol/mac_allow,
> and on the same firewall I have an Apache server listening on port 8000.
>
> My problem is redirecting any traffic on 80 and 443 to my firewall on port 8000,
> where I have an info page explaining why they can't use the internet.
>
> MAC_ALLOW="`cat /etc/firehol/mac_allow`"
>
> does not work - ipv4 redirect to 8000 proto tcp dport 8000 mac not "${MAC_ALLOW}"
>
> does not work - ipv4 redirect to 8000 proto tcp dport 8000 src "${IPv4_LAN}" dst not "${IPv4_LAN}" mac not "${MAC_ALLOW}"
>
> the loop does not work:
>
> for x in 80 443
> do
>   ipv4 redirect to $x src "${LAN}" proto tcp dport $x dst not "${UNROUTABLE_IPS}" mac not "${MAC_ALLOW}"
> done
>
> any idea?.
>
>
> 2016-03-10 0:01 GMT+01:00 Tony Peña <emperor.cu at gmail.com>:
>
>> Ok, thanks so much.
>> I'll try these fixes and, once it is working, plan the upgrade that way so I
>> can know when it was correct, because it will be migrated from a working config
>> as it is.
>> Thanks again
>>
>> On Wed, 9 Mar 2016, 9:59 PM Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>
>>> Tony,
>>>
>>> I suggest upgrading. FireHOL is just a script itself, so it is very easy
>>> to use the latest version, and v3 is really a lot better. Check the docs
>>> for the upgrade process.
>>>
>>> For the problem you are facing, the whole idea is to select the LAN IPs
>>> that are going to the internet (not UNROUTABLE_IPS) and are not in the
>>> MAC_ALLOW list.
>>>
>>> Since IPv4 and IPv6 do not interfere in any way, you have to somehow
>>> define "LAN IPs" and "going to the internet" for both IPv4 and IPv6.
>>>
>>> So, you could define:
>>>
>>> IPv4_LAN="10.0.0.0/8 ..."
>>> IPv6_LAN="..."
>>>
>>> and then use something like this:
>>>
>>> ipv4 redirect to $x proto tcp dport $x src "${IPv4_LAN}" dst not "${IPv4_LAN}" mac not "${MAC_ALLOW}"
>>> ipv6 redirect to $x proto tcp dport $x src "${IPv6_LAN}" dst not "${IPv6_LAN}" mac not "${MAC_ALLOW}"
>>>
>>> Costa
>>>
>>>
>>> On Wed, Mar 9, 2016 at 8:55 PM, Tony Peña <emperor.cu at gmail.com> wrote:
>>>
>>>> Hi again...
>>>>
>>>> I am trying to redirect traffic from hosts not allowed in my MAC list to an internal
>>>> web server. I get some errors; maybe it is the FireHOL version, I'm using
>>>> 2.0.4
>>>>
>>>> when I write this:
>>>>
>>>> LAN="10.0.0.0/8 172.16.0.0/16 192.168.0.0/16"
>>>>
>>>> MAC_ALLOW="`cat /etc/firehol/mac_allow`"
>>>>
>>>> for x in 80 443
>>>> do
>>>>   redirect to $x src "${LAN}" proto tcp dport $x dst not "${UNROUTABLE_IPS}" mac not "${MAC_ALLOW}"
>>>> done
>>>>
>>>> error:
>>>> ip6tables v1.4.21: host/network `10.0.0.0' not found
>>>>
>>>> if the line is changed to use redirect4 to $x ...........
>>>> the error says:
>>>>
>>>> /tmp/firehol-09PkgF4ghF/firehol-tmp.sh: line 8: redirect4: command not
>>>> found
>>>>
>>>> so the first one works for IPv4, but it is mixing things up, using IPv4 on the
>>>> ip6tables command where it does not exist.
>>>>
>>>> any idea?
>>>>
>>>> thanks
>>>>
>>>
>>>> --
>>>> perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'
>>>>
>>>> Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
>>>> <https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
>>>> Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
>>>> _______________________________________________
>>>> Firehol-support mailing list
>>>> Firehol-support at lists.firehol.org
>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
>>>
>
>
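As an added example, not code from this thread or from the FireHOL project: a small POSIX shell script that assembles the two halves Costa describes at the top of the thread (the `redirect to 8000` action, and the port-80/443 match that selects the traffic) for both IPv4 and IPv6, and validates the contents of the MAC list before they are spliced into `mac not "..."`. The mac_allow file contents are constructed here; `IPv4_LAN` and `IPv6_LAN` are assumed to be defined in firehol.conf as suggested earlier in the thread, and the lines the script prints are FireHOL configuration to paste into that file, not commands to run on their own.

```shell
#!/bin/sh
# Added example (not from the thread or the FireHOL project): builds the
# "action" and "match" halves of the redirect rule for IPv4 and IPv6, and
# validates the MAC list before it is expanded into the rule.
# Assumed: IPv4_LAN / IPv6_LAN are defined in firehol.conf.

# Constructed stand-in for /etc/firehol/mac_allow (not a real file from the thread).
MAC_ALLOW_FILE="${TMPDIR:-/tmp}/mac_allow.example.$$"
cat > "$MAC_ALLOW_FILE" <<'EOF'
# hosts allowed straight to the internet
00:11:22:33:44:55
AA-BB-CC-DD-EE-FF    # Windows-style separators are normalised
not-a-mac            # would break "mac not ..." if passed through unchecked
EOF

# read_mac_allow FILE
# Prints valid MACs, one per line, lower-case and colon-separated (the form
# iptables -m mac uses). Comments and blank lines are skipped; malformed
# entries are reported on stderr instead of being spliced into the rule.
read_mac_allow() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    tr 'A-Z' 'a-z' | sed 's/-/:/g' |
    while IFS= read -r mac; do
        [ -n "$mac" ] || continue
        if printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            printf '%s\n' "$mac"
        else
            printf 'mac_allow: rejecting malformed entry "%s"\n' "$mac" >&2
        fi
    done
}

# mac_allow_list FILE
# Space-separated list, the shape FireHOL expects in: mac not "${MAC_ALLOW}"
mac_allow_list() {
    read_mac_allow "$1" 2>/dev/null | tr '\n' ' ' | sed 's/ $//'
}

# redirect_rules LISTEN_PORT MAC_LIST CLIENT_PORT...
# One FireHOL line per address family and client port. "redirect to LISTEN_PORT"
# is the action (where the info page really listens); everything after it is
# the match, so dport must be the port clients actually connect to (80/443).
redirect_rules() {
    listen="$1"; macs="$2"; shift 2
    for dport in "$@"; do
        printf 'ipv4 redirect to %s proto tcp dport %s src "${IPv4_LAN}" dst not "${IPv4_LAN}" mac not "%s"\n' \
            "$listen" "$dport" "$macs"
        printf 'ipv6 redirect to %s proto tcp dport %s src "${IPv6_LAN}" dst not "${IPv6_LAN}" mac not "%s"\n' \
            "$listen" "$dport" "$macs"
    done
}

# check_redirect LISTEN_PORT CLIENT_PORT...
# Fails (returns 1) if any client port equals the listen port: such a rule only
# matches clients that already ask for the server's own port, which is why the
# quoted "dport 8000" attempts never fired.
check_redirect() {
    listen="$1"; shift
    for dport in "$@"; do
        [ "$dport" != "$listen" ] || return 1
    done
    return 0
}

MAC_ALLOW="$(mac_allow_list "$MAC_ALLOW_FILE")"
rm -f "$MAC_ALLOW_FILE"
check_redirect 8000 80 443 && redirect_rules 8000 "$MAC_ALLOW" 80 443
```

The two printed lines per port are what would go into firehol.conf; with FireHOL's own `MAC_ALLOW="$(cat /etc/firehol/mac_allow)"` the validation step is what keeps a stray or misspelled entry in that file from silently producing a rule that matches nothing or errors out at load time.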
