On 09/27/2013 03:04 PM, Lance Lassetter wrote:
with firewalld can I import this rule:
/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
and these rules:
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
hence, Netfilter rules by user/group and using NFQUEUE target.
because if firewalld allows stuff like this, then problem solved. Last checked, it does not.
Should be possible with permanent direct rules.
I'd point you to firewalld.direct(5), but I've just noticed we actually
forgot to ship it :-(
So just create /etc/firewalld/direct.xml with something like:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-m mark ! --mark 1/1 -j NFQUEUE</rule>
  <rule ipv="ipv4" table="nat" chain="PREROUTING_direct" priority="0">-p tcp --dport 80 -j DNAT --to 192.168.1.2:3129</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="0">-p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="1">-p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="2">-p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="3">-p tcp --dport 80 -j REDIRECT --to-ports 3129</rule>
</direct>
The X_direct chains are created by firewalld and jumped into before
all the other chains (for zones etc.).
and, once again, why not something simple like 'execute some iptables script', then 'iptables-save', then 'firewalld-save', or even skip the middle step!
I'm CCing Thomas who has already tried to write something similar, but
it's not that simple according to his words.
--
Jiri
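The reply above hand-translates each iptables command into a direct.xml rule element, numbering the rules of one chain with increasing priorities so the order of the original script survives. The following is an added example, written here and not part of the thread or of firewalld's own tooling, that performs that translation mechanically: it reads an iptables script, maps the built-in chains onto the X_direct chains the reply describes, keeps the ordering that -A (append) and -I (insert) would produce, and emits both the direct.xml file and the equivalent firewall-cmd --direct --add-rule invocations. The sample script is the one quoted in the thread; the helper names and the assumption that only -A/-I rules are present are this example's own.

```python
"""Translate an iptables rule script into firewalld permanent direct rules.

Added example, not firewalld's own code. It assumes the *_direct chain naming
described in the thread (FORWARD_direct, OUTPUT_direct, ...) and emits the
/etc/firewalld/direct.xml format shown in the reply.
"""
import os
import shlex
from dataclasses import dataclass
from xml.sax.saxutils import escape

# Constructed sample input: the iptables commands quoted in the thread.
SAMPLE_SCRIPT = """\
/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
"""

# Built-in chains for which firewalld provides a *_direct chain that it jumps
# into before its own zone chains (per the reply in the thread).
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}


@dataclass
class DirectRule:
    ipv: str
    table: str
    chain: str
    priority: int
    args: list


def parse_iptables(line):
    """Split one iptables/ip6tables command into
    (ipv, table, chain, position, match/target args).

    position is None for -A (append) and the 1-based index for -I (insert).
    Returns None for blank lines and comments.
    """
    argv = shlex.split(line)
    if not argv or argv[0].startswith("#"):
        return None
    ipv = "ipv6" if os.path.basename(argv[0]).startswith("ip6tables") else "ipv4"
    table, chain, position, args = "filter", None, None, []
    i = 1
    while i < len(argv):
        opt = argv[i]
        if opt in ("-t", "--table"):
            table = argv[i + 1]
            i += 2
        elif opt in ("-A", "--append"):
            chain = argv[i + 1]
            i += 2
        elif opt in ("-I", "--insert"):
            chain = argv[i + 1]
            i += 2
            position = 1
            if i < len(argv) and argv[i].isdigit():  # optional rulenum after -I
                position = int(argv[i])
                i += 1
        else:
            args.append(opt)  # everything else is match/target syntax, passed through
            i += 1
    if chain is None:
        raise ValueError("only -A/-I rules can become direct rules: %s" % line)
    return ipv, table, chain, position, args


def build_direct_rules(script):
    """Order rules per chain exactly as the script would (-A appends, -I inserts)
    and then number them with firewalld priorities in that final order."""
    per_chain = {}
    for line in script.splitlines():
        parsed = parse_iptables(line)
        if parsed is None:
            continue
        ipv, table, chain, position, args = parsed
        if chain in BUILTIN_CHAINS:
            chain += "_direct"  # use the chain firewalld jumps into first
        rules_for_chain = per_chain.setdefault((ipv, table, chain), [])
        if position is None:
            rules_for_chain.append(args)
        else:
            rules_for_chain.insert(position - 1, args)
    rules = []
    for (ipv, table, chain), arglists in per_chain.items():
        for prio, args in enumerate(arglists):
            rules.append(DirectRule(ipv, table, chain, prio, args))
    return rules


def to_direct_xml(rules):
    """Render the rules in the /etc/firewalld/direct.xml format."""
    out = ['<?xml version="1.0" encoding="utf-8"?>', "<direct>"]
    for r in rules:
        out.append('  <rule ipv="%s" table="%s" chain="%s" priority="%d">%s</rule>'
                   % (r.ipv, r.table, r.chain, r.priority, escape(" ".join(r.args))))
    out.append("</direct>")
    return "\n".join(out) + "\n"


def to_firewall_cmd(rules):
    """Same rules as firewall-cmd --direct --add-rule <ipv> <table> <chain> <prio> <args>."""
    return ["firewall-cmd --permanent --direct --add-rule %s %s %s %d %s"
            % (r.ipv, r.table, r.chain, r.priority,
               " ".join(shlex.quote(a) for a in r.args))
            for r in rules]


if __name__ == "__main__":
    rules = build_direct_rules(SAMPLE_SCRIPT)
    print(to_direct_xml(rules))
    print("\n".join(to_firewall_cmd(rules)))
```

After loading the generated file (or running the printed firewall-cmd lines and `firewall-cmd --reload`), `firewall-cmd --direct --get-all-rules` lists what firewalld actually installed, and `iptables -t nat -L OUTPUT_direct -n` shows the rules in the kernel; comparing those two against the original script is the check worth doing before trusting the translation, since the script's `-I` (insert at head) is only preserved relative to the other rules of the same script, not relative to whatever else may already be in that direct chain.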
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security