Re: F19 Firewall

On 09/27/2013 03:04 PM, Lance Lassetter wrote:
With firewalld, can I import this rule:

/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE

and these rules:

/sbin/iptables -t nat -A OUTPUT -p tcp  --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129

hence, Netfilter rules by user/group and using NFQUEUE target.

Because if firewalld allows stuff like this, then problem solved. Last checked, it does not.

Should be possible with permanent direct rules.
I'd point you to firewalld.direct(5), but I've just noticed we actually forgot to ship it :-(

So just create /etc/firewalld/direct.xml with something like:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-m mark ! --mark 1/1 -j NFQUEUE</rule>
  <rule ipv="ipv4" table="nat" chain="PREROUTING_direct" priority="0">-p tcp --dport 80 -j DNAT --to 192.168.1.2:3129</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="0">-p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="1">-p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="2">-p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="3">-p tcp --dport 80 -j REDIRECT --to-ports 3129</rule>
</direct>

The X_direct chains are created by firewalld and jumped into before
all the other chains (for zones etc.).

And, once again, why not something simple like: if 'execute some iptables script', then 'iptables-save', then 'firewalld-save', or even skip the middle step!

I'm CCing Thomas who has already tried to write something similar, but it's not that simple according to his words.

--
Jiri
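An added example, not code from this thread or from firewalld itself: a small Python converter that turns iptables command lines like the ones in the question into a direct.xml, using the <CHAIN>_direct chain naming and the per-chain priority numbering from the reply above. The sample input is the six rules from the question, embedded inline; treating -I like -A is an assumption that holds because no chain here mixes both forms.

```python
import shlex
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input: the iptables commands from the original question.
IPTABLES_RULES = """
/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
/sbin/iptables -t nat -A OUTPUT -p tcp  --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
"""

def parse_rule(line):
    """Split one iptables/ip6tables command into (ipv, table, chain, match+target args)."""
    argv = shlex.split(line)
    if not argv or not argv[0].endswith(("iptables", "ip6tables")):
        raise ValueError(f"not an iptables command: {line!r}")
    ipv = "ipv6" if argv[0].endswith("ip6tables") else "ipv4"
    table, chain, args, i = "filter", None, [], 1
    while i < len(argv):
        if argv[i] == "-t":                # explicit table; iptables defaults to filter
            table, i = argv[i + 1], i + 2
        elif argv[i] in ("-A", "-I"):      # assumption: -I handled like -A (reorder by
            chain, i = argv[i + 1], i + 2  # hand if one chain mixes both forms)
        else:
            args.append(argv[i]); i += 1
    if chain is None:
        raise ValueError(f"no -A/-I chain in: {line!r}")
    return ipv, table, chain, " ".join(args)

def to_direct_xml(text):
    """Emit firewalld direct.xml; priority counts up per (ipv, table, chain)."""
    counters, rules = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ipv, table, chain, args = parse_rule(line)
        prio = counters.get((ipv, table, chain), 0)
        counters[(ipv, table, chain)] = prio + 1
        # Built-in chains are addressed as <CHAIN>_direct, as in the reply above.
        rules.append(f'  <rule ipv="{ipv}" table="{table}" chain="{chain}_direct" '
                     f'priority="{prio}">{escape(args)}</rule>')
    return ('<?xml version="1.0" encoding="utf-8"?>\n<direct>\n'
            + "\n".join(rules) + "\n</direct>\n")

def direct_rule_count(xml_text):
    """Sanity check: the output must be well-formed XML; returns the number of rules."""
    return len(ET.fromstring(xml_text).findall("rule"))
```

Running to_direct_xml(IPTABLES_RULES) reproduces the six <rule> lines of the direct.xml above; direct_rule_count() is a cheap check to run before dropping the file into /etc/firewalld/.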
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security