[Firehol-support] redirect4 or redirect ?

Tsaousis, Costa costa at tsaousis.gr
Sat Mar 12 16:06:16 GMT 2016


Tony,

To test your setup, you can try this:

First go to: http://192.168.200.1:8000/
If you have configured your web server properly, it should work. If
not, fix your web server.

Then add this at the top of your firewall:

ipv4 redirect to 8000 proto tcp dport 8001 log "REDIRECTING 8000 TO 8001"

Then go to http://192.168.200.1:8001/
It should work again - I just did it on mine - it worked.

Your iptables log should also log "REDIRECTING 8000 TO 8001" on the
first packet of each connection.

Costa

On Sat, Mar 12, 2016 at 5:58 PM, Tony Peña <emperor.cu at gmail.com> wrote:
> Hi
>
> the request never hit on the server web,
> the web server is the same firewall just in other port... not 80
> if i type 192.168.200.1:8000 i can see the info from the client without
> internet, because is not on the mac_allow file to use the firewall as
> gateway ... but redirecting not hit to the page on web server. (8000)
> how can i tcpdump that for trace ?
>
>
> 2016-03-12 16:48 GMT+01:00 Tsaousis, Costa <costa at tsaousis.gr>:
>>
>> ok,
>>
>> then you have to check the following:
>>
>> Does the request goes to your web server?
>> check its logs. It may be logging an error or something.
>>
>> If the url is https it will probably not work because your web server
>> at port 8000 is not https. This is a good cause for timeout. It cannot
>> even get connected.
>> Try http first.
>>
>> Keep in mind that you are going to need a properly configured web server.
>> Let's see why:
>>
>> Your browser goes to "http:/host/path".
>> We intercent this and send it to your web server.
>> Your web server receives a connection and a request that says, give me
>> the page for
>>
>> 1. host, and
>> 2. path
>>
>> Your web server needs to know how to handle both of the above.
>>
>> If your web server received and processed the reply, without any errors,
>> then, we have the replies. Since the browser times out, it didn't
>> receive a reply.
>> So, tcpdump the traffic to see it. Did it really send a reply? Where
>> did it send it?
>>
>> So, trace it...
>>
>> Costa
>>
>>
>> On Sat, Mar 12, 2016 at 4:48 PM, Tony Peña <emperor.cu at gmail.com> wrote:
>> > Hi Costa, ok i got it how works in theory, but on practice not works for
>> > me.
>> >
>> > MAC_ALLOW="`cat /etc/firehol/mac_allow`"
>> >
>> > for x in 80 443
>> > do
>> >   ipv4 redirect to 8000 src "${LAN}" proto tcp dport $x dst not
>> > "${UNROUTABLE_IPS}" mac not "${MAC_ALLOW}"
>> > done
>> >
>> > on browser i got.. time out.. can't access to site and not the web it
>> > self.
>> > :(
>> >
>> >
>> > 2016-03-12 15:38 GMT+01:00 Tsaousis, Costa <costa at tsaousis.gr>:
>> >>
>> >> Tony,
>> >>
>> >> the redirect command I sent you has 2 parts:
>> >>
>> >> 1. What to do
>> >> 2. For which traffic to do it
>> >>
>> >> "what to do" is this part:
>> >>
>> >> redirect to 8000
>> >>
>> >> "for which traffic to do it" is everything else:
>> >>
>> >> ipv4 ... proto tcp dport 80 mac not "${MAC_ALLOW}"
>> >>
>> >> I changed 8000 to 80, since no one is going to 8000 by default.
>> >> They normally go to port 80.
>> >>
>> >> So, the action has to be port 8000 since your web server is listening
>> >> there, but the traffic has to be normal web traffic, so port 80.
>> >>
>> >> Costa
>> >>
>> >> On Sat, Mar 12, 2016 at 3:44 PM, Tony Peña <emperor.cu at gmail.com>
>> >> wrote:
>> >> > Hi again.. and sorry by insist on this but I test it and not works...
>> >> > maybe i explain bad what i need.
>> >> >
>> >> > I got a simple network "192.168.200.0/24"
>> >> > on the firewall i serve dhcp for a clients. and with a transparent
>> >> > squid
>> >> > send all traffic for squid 80 and 443
>> >> > I got the mac list on /etc/firehol/mac_allow
>> >> > and on the same firewall i got apache server listen on 8000 port
>> >> >
>> >> > my problem is redirect any traffic 80 and 443 to my firewall on port
>> >> > 8000
>> >> > where i got there an info page to know why can't use internet.
>> >> >
>> >> > MAC_ALLOW="`cat /etc/firehol/mac_allow`"
>> >> >
>> >> > not work - ipv4 redirect to 8000 proto tcp dport 8000 mac not
>> >> > "${MAC_ALLOW}"
>> >> >
>> >> > not work - ipv4 redirect to 8000 proto tcp dport 8000 src
>> >> > "${IPv4_LAN}"
>> >> > dst
>> >> > not "${IPv4_LAN}" mac not "${MAC_ALLOW}"
>> >> >
>> >> > not work the bucle
>> >> >
>> >> > for x in 80 443
>> >> > do
>> >> >   ipv4 redirect to $x src "${LAN}" proto tcp dport $x dst not
>> >> > "${UNROUTABLE_IPS}" mac not "${MAC_ALLOW}"
>> >> > done
>> >> >
>> >> > any idea?.
>> >> >
>> >> >
>> >> > 2016-03-10 0:01 GMT+01:00 Tony Peña <emperor.cu at gmail.com>:
>> >> >
>> >> >> Ok thanxs so much
>> >> >> I try with this fixes and when working planning the upgrade in that
>> >> >> way
>> >> >> to
>> >> >> can know when was correct because will be migrated from a working
>> >> >> config as
>> >> >> it.
>> >> >> Thanks again
>> >> >>
>> >> >> Il mer 9 mar 2016, 9:59 PM Tsaousis, Costa <costa at tsaousis.gr> ha
>> >> >> scritto:
>> >> >>
>> >> >>> Tony,
>> >> >>>
>> >> >>> I suggest to upgrade. FireHOL is just a script itself, so it is
>> >> >>> very
>> >> >>> easy
>> >> >>> to use the latest version, and v3 is really a lot better. Check the
>> >> >>> docs
>> >> >>> for the upgrade process.
>> >> >>>
>> >> >>> For the problem you are facing, the whole idea is to select the LAN
>> >> >>> IPs
>> >> >>> that are going to the internet (not UNROUTABLE_IPS) and are not in
>> >> >>> the
>> >> >>> MAC_ALLOW list.
>> >> >>>
>> >> >>> Since IPv4 and IPv6 do not interfere in any way, you have to
>> >> >>> somehow
>> >> >>> define "LAN IPs" and "going to the internet" for both IPv4 and
>> >> >>> IPv6.
>> >> >>>
>> >> >>> So, you could define:
>> >> >>>
>> >> >>> IPv4_LAN="10.0.0.0/8 ..."
>> >> >>> IPv6_LAN="..."
>> >> >>>
>> >> >>> and then use something like this:
>> >> >>>
>> >> >>> ipv4 redirect to $x proto tcp dport $x src "${IPv4_LAN}" dst not
>> >> >>> "${IPv4_LAN}" mac not "${MAC_ALLOW}"
>> >> >>> ipv6 redirect to $x proto tcp dport $x src "${IPv6_LAN}" dst not
>> >> >>> "${IPv6_LAN}" mac not "${MAC_ALLOW}"
>> >> >>>
>> >> >>> Costa
>> >> >>>
>> >> >>>
>> >> >>> On Wed, Mar 9, 2016 at 8:55 PM, Tony Peña <emperor.cu at gmail.com>
>> >> >>> wrote:
>> >> >>>
>> >> >>>> Hi again...
>> >> >>>>
>> >> >>>> Trying redirect traffic for not allowed into my mac list to one
>> >> >>>> internal
>> >> >>>> web server. i got some errors, maybe is the version of firehol,
>> >> >>>> i'm
>> >> >>>> using
>> >> >>>> 2.0.4
>> >> >>>>
>> >> >>>> when I wrote this.
>> >> >>>>
>> >> >>>> LAN="10.0.0.0/8 172.16.0.0/16 192.168.0.0/16"
>> >> >>>>
>> >> >>>> MAC_ALLOW="`cat /etc/firehol/mac_allow`"
>> >> >>>>
>> >> >>>> for x in 80 443
>> >> >>>> do
>> >> >>>>   redirect to $x src "${LAN}" proto tcp dport $x dst not
>> >> >>>> "${UNROUTABLE_IPS}" mac not "${MAC_ALLOW}"
>> >> >>>> done
>> >> >>>>
>> >> >>>> error:
>> >> >>>> ip6tables v1.4.21: host/network `10.0.0.0' not found
>> >> >>>>
>> >> >>>> if on the line is changed for use redirect4 to $x ...........
>> >> >>>> the error said:
>> >> >>>>
>> >> >>>> /tmp/firehol-09PkgF4ghF/firehol-tmp.sh: line 8: redirect4: command
>> >> >>>> not
>> >> >>>> found
>> >> >>>>
>> >> >>>> so 1st works for ipv4 but is such mixing using ipv4 on the
>> >> >>>> ip6table
>> >> >>>> command
>> >> >>>> where not exist .
>> >> >>>>
>> >> >>>> any idea?
>> >> >>>>
>> >> >>>> thanxs
>> >> >>>>
>> >> >>>
>> >> >>>> --
>> >> >>>> perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'
>> >> >>>>
>> >> >>>> Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
>> >> >>>>
>> >> >>> <
>> >> >>>>
>> >> >>>>
>> >> >>>> https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on
>> >> >>>> >
>> >> >>>
>> >> >>>
>> >> >>>> Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
>> >> >>>>
>> >> >>> _______________________________________________
>> >> >>>> Firehol-support mailing list
>> >> >>>> Firehol-support at lists.firehol.org
>> >> >>>> http://lists.firehol.org/mailman/listinfo/firehol-support
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >
>> >> >
>> >> > --
>> >> > perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'
>> >> >
>> >> > Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
>> >> >
>> >> >
>> >> > <https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
>> >> > Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
>> >> > _______________________________________________
>> >> > Firehol-support mailing list
>> >> > Firehol-support at lists.firehol.org
>> >> > http://lists.firehol.org/mailman/listinfo/firehol-support
>> >
>> >
>> >
>> >
>> > --
>> > perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'
>> >
>> > Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
>> > Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
>
>
>
>
> --
> perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'
>
> Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
> Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001



More information about the Firehol-support mailing list