iptables: Using shorewall and the priority (dominance) of rules
I'm editing the /etc/shorewall/rules file in order to block all internet access for a local (internal) client with the IP address 192.168.1.240. This internal computer is a liability if it were able to become infected from the Internet, so I have to restrict its access to the WWW.
I wrote a line in the /etc/shorewall/rules file (headings included for clarification):
Code:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL#
And then I noticed the line in the rules file just below the recently added rule.
Code:
REDIRECT loc 3128 tcp www
Why is it that when I commented the second line out (rules in question reproduced below), the one about redirecting local port 80 traffic to a squid server on port 3128, I was finally able to accomplish my goal of blocking all internet access for the internal machine?
Code:
REJECT loc:192.168.1.240 net all #this is the line I added
Your thoughts please.... |
Does "net" refer to any nonlocal address or your proxy. If you want to block html access, I think you also need to block traffic from 192.168.1.240 to the proxy server IP address.
|
"net" refers to any nonlocal address. Well, thanks for framing the idea in a question. Now I understand that the "pair of zones" as described by shorewall documentation is evaluated in order. The first pair in my rules being loc to net, and the second pair being loc to proxy on port 3128.
Now here's another thing I did so that I wouldn't have to nullify the utility of the Squid proxy. I changed the redirect rule to the following instead of commenting it out.
Code:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL#
Redirect all local machine TCP port 80 (www) traffic to port 3128 on the proxy (my router), unless the traffic was originally intended to go to the machine at address 192.168.1.240. The rule kind of makes sense since, I quote the example in the rules file, "This example shows yet another use for the ORIGINAL DEST column; here, connection requests that were NOT (notice the “!”) originally destined to [192.168.1.240] are redirected to local port 3128." If I think about this in terms of traffic coming from the proxy back to 192.168.1.240 (if the proxy itself is considered in the "loc" group, I don't know), then the rule implies traffic that is originally destined for 192.168.1.240 does not get redirected to 3128. This is confusing... Perhaps I should write a rule like the following to make it explicit what my goal is...
Code:
REJECT loc:192.168.1.240 3128 tcp www |
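The behaviour the thread describes follows from the order in which netfilter processes a packet, and the following added example (not code from the thread or from the Shorewall project) models it. A Shorewall REDIRECT compiles to a nat PREROUTING rule, which runs before the filter table where REJECT lands, so by the time the loc-to-net REJECT is consulted, a port 80 request from 192.168.1.240 already has the firewall's own address and port 3128 as its destination and is no longer loc-to-net traffic at all. REDIRECT also generates a companion ACCEPT for the redirected port on the firewall (only the REDIRECT- variant omits it), which is what lets the request reach squid. The model also shows the two follow-ups in the thread: an ORIGINAL DEST exclusion of !192.168.1.240 tests where the request was going, not where it came from, so it does not exempt that client's outbound requests, while the first reply's suggestion of rejecting the client's path to the proxy port does cut it off. Everything beyond the client address and the proxy port is assumed: the firewall at 192.168.1.1, loc as 192.168.1.0/24, a web server at 203.0.113.10, and the zone policies.

```python
# Added example, not from the thread: a toy model of the netfilter path that a
# Shorewall rules file compiles to. REDIRECT becomes a nat PREROUTING rule,
# which runs before the filter table where REJECT lands, so the filter sees
# the packet *after* its destination has been rewritten to the firewall.
# Topology beyond the thread (client 192.168.1.240, squid on 3128) is assumed.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

FW_IP = "192.168.1.1"                          # assumed: router running Shorewall + squid
LOC = ipaddress.ip_network("192.168.1.0/24")   # assumed: the "loc" zone
CLIENT = "192.168.1.240"                       # the host the poster wants cut off
WEB = "203.0.113.10"                           # constructed: some web server out on "net"
SQUID = 3128


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # REJECT, ACCEPT or REDIRECT
    src_zone: str
    dest: str                        # destination zone, or the redirect port for REDIRECT
    proto: str = "all"
    dport: Optional[int] = None
    src_host: Optional[str] = None   # the "loc:192.168.1.240" qualifier
    orig_not: Optional[str] = None   # ORIGINAL DEST "!addr" exclusion


def zone(ip: str) -> str:
    """Classify an address the way the zones in the thread do."""
    if ip == FW_IP:
        return "fw"
    return "loc" if ipaddress.ip_address(ip) in LOC else "net"


def matches(r: Rule, p: Packet) -> bool:
    return (zone(p.src) == r.src_zone
            and (r.src_host is None or p.src == r.src_host)
            and (r.proto == "all" or p.proto == r.proto)
            and (r.dport is None or p.dport == r.dport))


def nat_prerouting(p: Packet, rules) -> Packet:
    """First matching REDIRECT rewrites the destination to the firewall.
    The ORIGINAL DEST exclusion is checked against the packet's destination."""
    for r in rules:
        if r.action == "REDIRECT" and matches(r, p) and p.dst != r.orig_not:
            return replace(p, dst=FW_IP, dport=int(r.dest))
    return p


def filter_table(p: Packet, rules, policy) -> str:
    """First match wins within the (source zone, dest zone) pair, else the
    pair's policy. A REDIRECT also contributes its companion ACCEPT for the
    redirected port on the firewall, which is why squid stays reachable."""
    for r in rules:
        if r.action == "REDIRECT":
            r = Rule("ACCEPT", r.src_zone, "fw", r.proto, int(r.dest))
        if r.dest == zone(p.dst) and matches(r, p):
            return r.action
    return policy[(zone(p.src), zone(p.dst))]


def verdict(rules, src, dst, proto, dport, policy=None):
    """Return (verdict, zone the filter saw as destination, port it saw)."""
    policy = policy or {("loc", "net"): "ACCEPT", ("loc", "fw"): "DROP",
                        ("loc", "loc"): "ACCEPT"}          # assumed zone policies
    p = nat_prerouting(Packet(src, dst, proto, dport), rules)
    return filter_table(p, rules, policy), zone(p.dst), p.dport


# The two lines as the first post had them: REJECT above REDIRECT.
AS_POSTED = [
    Rule("REJECT", "loc", "net", src_host=CLIENT),
    Rule("REDIRECT", "loc", str(SQUID), "tcp", 80),
]
# The redirect as the second post describes it (assumed ORIGINAL DEST of !192.168.1.240).
WITH_ORIG_DEST = [
    Rule("REJECT", "loc", "net", src_host=CLIENT),
    Rule("REDIRECT", "loc", str(SQUID), "tcp", 80, orig_not=CLIENT),
]
# What the first reply suggests: also reject the client's path to the proxy port.
PROXY_BLOCKED = [
    Rule("REJECT", "loc", "net", src_host=CLIENT),
    Rule("REJECT", "loc", "fw", "tcp", SQUID, src_host=CLIENT),
    Rule("REDIRECT", "loc", str(SQUID), "tcp", 80),
]

if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED), ("orig dest !client", WITH_ORIG_DEST),
                        ("proxy path blocked", PROXY_BLOCKED)]:
        for src, port in [(CLIENT, 80), (CLIENT, 443), ("192.168.1.50", 80)]:
            print(f"{name:20} {src}:{port:<4} -> {verdict(rules, src, WEB, 'tcp', port)}")
```

Running the block prints, for each rule set, the verdict on the client's port 80 and 443 requests and on another local host's port 80 request. With the rules as posted, port 443 from the client is rejected but port 80 is accepted at fw:3128; the ORIGINAL DEST exclusion changes nothing for the client's own outbound requests; only the extra REJECT on the loc-to-fw path for port 3128 closes the proxy route.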