[Firehol-support] redirect4 or redirect ?

Tony Peña emperor.cu at gmail.com
Sat Mar 12 13:44:06 GMT 2016


Hi again, and sorry to insist on this, but I tested it and it does not work...
maybe I explained badly what I need.

I have a simple network "192.168.200.0/24".
On the firewall I serve DHCP for the clients, and with a transparent squid
I send all traffic on 80 and 443 to squid.
I have the MAC list in /etc/firehol/mac_allow,
and on the same firewall I have an apache server listening on port 8000.

My problem is redirecting any traffic on 80 and 443 to my firewall on port 8000,
where I have an info page to let them know why they can't use the internet.

MAC_ALLOW="`cat /etc/firehol/mac_allow`"

does not work - ipv4 redirect to 8000 proto tcp dport 8000 mac not "${MAC_ALLOW}"

does not work - ipv4 redirect to 8000 proto tcp dport 8000 src "${IPv4_LAN}" dst
not "${IPv4_LAN}" mac not "${MAC_ALLOW}"

the loop does not work either:

for x in 80 443
do
  ipv4 redirect to $x src "${LAN}" proto tcp dport $x dst not
"${UNROUTABLE_IPS}" mac not "${MAC_ALLOW}"
done

Any idea?


2016-03-10 0:01 GMT+01:00 Tony Peña <emperor.cu at gmail.com>:

> OK, thanks so much.
> I'll try with these fixes and, when working, plan the upgrade in that way to
> be able to know when it was correct, because it will be migrated from a working config as
> it is.
> Thanks again
>
> On Wed, 9 Mar 2016, 9:59 PM Tsaousis, Costa <costa at tsaousis.gr> wrote:
>
>> Tony,
>>
>> I suggest upgrading. FireHOL is just a script itself, so it is very easy
>> to use the latest version, and v3 is really a lot better. Check the docs
>> for the upgrade process.
>>
>> For the problem you are facing, the whole idea is to select the LAN IPs
>> that are going to the internet (not UNROUTABLE_IPS) and are not in the
>> MAC_ALLOW list.
>>
>> Since IPv4 and IPv6 do not interfere in any way, you have to somehow
>> define "LAN IPs" and "going to the internet" for both IPv4 and IPv6.
>>
>> So, you could define:
>>
>> IPv4_LAN="10.0.0.0/8 ..."
>> IPv6_LAN="..."
>>
>> and then use something like this:
>>
>> ipv4 redirect to $x proto tcp dport $x src "${IPv4_LAN}" dst not
>> "${IPv4_LAN}" mac not "${MAC_ALLOW}"
>> ipv6 redirect to $x proto tcp dport $x src "${IPv6_LAN}" dst not
>> "${IPv6_LAN}" mac not "${MAC_ALLOW}"
>>
>> Costa
>>
>>
>> On Wed, Mar 9, 2016 at 8:55 PM, Tony Peña <emperor.cu at gmail.com> wrote:
>>
>>> Hi again...
>>>
>>> Trying to redirect traffic from hosts not allowed in my MAC list to one internal
>>> web server, I get some errors; maybe it is the version of firehol, I'm using
>>> 2.0.4
>>>
>>> when I write this:
>>>
>>> LAN="10.0.0.0/8 172.16.0.0/16 192.168.0.0/16"
>>>
>>> MAC_ALLOW="`cat /etc/firehol/mac_allow`"
>>>
>>> for x in 80 443
>>> do
>>>   redirect to $x src "${LAN}" proto tcp dport $x dst not
>>> "${UNROUTABLE_IPS}" mac not "${MAC_ALLOW}"
>>> done
>>>
>>> error:
>>> ip6tables v1.4.21: host/network `10.0.0.0' not found
>>>
>>> if the line is changed to use redirect4 to $x ...........
>>> the error says:
>>>
>>> /tmp/firehol-09PkgF4ghF/firehol-tmp.sh: line 8: redirect4: command not
>>> found
>>>
>>> so the first one works for IPv4, but it is mixing things up, using IPv4 on the
>>> ip6tables command where it does not exist.
>>>
>>> any idea?
>>>
>>> thanks
>>>
>>


-- 
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
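Putting Costa's rule pattern together with the goal stated at the top of this message (send port 80/443 from LAN hosts that are not in the MAC list to the local info page on 8000), here is an added example that is not from the thread or from FireHOL itself: a POSIX shell script that reads and validates the mac_allow file and prints the `ipv4 redirect` lines, so the generated rules can be eyeballed before they go into firehol.conf. The sample MAC file contents and the LAN range are constructed; the `ipv4` prefix keeps the rules out of ip6tables, which is where the `10.0.0.0' not found error earlier in the thread came from.

```shell
#!/bin/sh
# Added example, not from the thread or FireHOL: build MAC_ALLOW from the
# list file and print the FireHOL v3 rule lines for review.

# Print the allowed MACs as one space-separated lower-case list: comments
# and blank lines are dropped, dash separators become colons, and anything
# that is not a 6-octet hex address is discarded instead of being handed
# to iptables, where one bad entry would make the rule command fail.
load_mac_allow() {
    sed -e 's/#.*//' -e 's/-/:/g' "$1" |
        tr 'A-F' 'a-f' |
        grep -E '^[[:space:]]*([0-9a-f]{2}:){5}[0-9a-f]{2}[[:space:]]*$' |
        tr -d ' \t' | xargs
}

# Costa's pattern (LAN source, destination outside the LAN, source MAC not
# in the allow list), with the target changed to the info page on port 8000
# and dport left at the real client port, not 8000 as in the failed attempts.
redirect_rules() {
    lan=$1; mac_allow=$2
    # An empty allow list is almost certainly a broken file, not "nobody
    # allowed"; refuse here rather than find out at firewall load time.
    [ -n "$mac_allow" ] || { echo "redirect_rules: empty MAC_ALLOW" >&2; return 1; }
    for x in 80 443; do
        printf 'ipv4 redirect to 8000 proto tcp dport %s src "%s" dst not "%s" mac not "%s"\n' \
            "$x" "$lan" "$lan" "$mac_allow"
    done
}

# Constructed sample of /etc/firehol/mac_allow (path as used in the thread).
SAMPLE_MAC_FILE=$(mktemp)
cat >"$SAMPLE_MAC_FILE" <<'EOF'
# laptops allowed to reach the internet
00:11:22:33:44:55
AA-BB-CC-DD-EE-FF   # dashes are accepted and normalised
not-a-mac           # invalid entry, dropped
EOF

MAC_ALLOW=$(load_mac_allow "$SAMPLE_MAC_FILE")
redirect_rules "192.168.200.0/24" "$MAC_ALLOW"
rm -f "$SAMPLE_MAC_FILE"
```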
