I can surely wait as long as iptables is an available option (init scripts, iptables-save, etc) :-)

Lance

Jiri Popelka <jpopelka@xxxxxxxxxx> wrote:

>On 09/27/2013 03:04 PM, Lance Lassetter wrote:
>> with firewalld can i import this rule:
>>
>> /sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
>>
>> and these rules:
>>
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
>>
>> hence, Netfilter rules by user/group and using NFQUEUE target.
>>
>> because if firewalld allows stuff like this, then problem solved. last checked, it does not.
>
>Should be possible with permanent direct rules.
>I'd point you to firewalld.direct(5), but I've just noticed we actually
>forgot to ship it :-(
>
>So just create /etc/firewalld/direct.xml with something like:
>
><?xml version="1.0" encoding="utf-8"?>
><direct>
>  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-m mark ! --mark 1/1 -j NFQUEUE</rule>
>  <rule ipv="ipv4" table="nat" chain="PREROUTING_direct" priority="0">-p tcp --dport 80 -j DNAT --to 192.168.1.2:3129</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="0">-p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="1">-p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="2">-p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="3">-p tcp --dport 80 -j REDIRECT --to-ports 3129</rule>
></direct>
>
>The X_direct chains are created by firewalld and jumped into before
>all the other chains (for zones etc.).
>
>> and, once again why not something simple like if 'execute some iptables script', then 'iptables-save', then 'firewalld-save' or even skip the middle step!
>
>I'm CCing Thomas who has already tried to write something similar, but
>it's not that simple according to his words.
>
>--
>Jiri

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
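The translation Jiri describes, as an added example that is neither from the thread nor from the firewalld project: a small script that turns the iptables commands quoted above into a direct.xml, replaying -A/-I ordering into priorities and using the X_direct chain names from his message. The table/chain/priority layout is assumed to follow his example file; the exact chain naming a given firewalld version expects should be checked against firewalld.direct(5).

```python
import shlex
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
# Constructed sample input: the iptables commands quoted in the thread.
IPTABLES_RULES = """
/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
"""

def parse_rule(line):
    """Split 'iptables [-t TABLE] (-A|-I) CHAIN ARGS...' into (table, chain, action, args)."""
    argv = shlex.split(line)
    if not argv or not argv[0].endswith("iptables"):
        raise ValueError("not an iptables command: %r" % line)
    table, i = "filter", 1  # iptables defaults to the filter table
    if argv[i] == "-t":
        table, i = argv[i + 1], i + 2
    action = argv[i]
    if action not in ("-A", "-I"):  # refuse rather than mistranslate other forms
        raise ValueError("only -A/-I rules are supported: %r" % line)
    return table, argv[i + 1], action, " ".join(argv[i + 2:])

def build_direct_rules(rules_text):
    """Replay per (table, chain): -A appends, -I inserts at top; number priorities by
    final position and map built-in chains onto firewalld's X_direct chains (assumed)."""
    chains = {}  # (table, chain) -> args in final order; dict keeps first-seen order
    for line in filter(str.strip, rules_text.splitlines()):
        table, chain, action, args = parse_rule(line)
        rules = chains.setdefault((table, chain), [])
        if action == "-I":
            rules.insert(0, args)
        else:
            rules.append(args)
    return [(t, c + "_direct", prio, a)
            for (t, c), rules in chains.items() for prio, a in enumerate(rules)]

def to_direct_xml(rules_text):
    """Render the rules as /etc/firewalld/direct.xml (IPv4 only)."""
    body = ['  <rule ipv="ipv4" table="%s" chain="%s" priority="%d">%s</rule>'
            % (t, c, p, escape(a)) for t, c, p, a in build_direct_rules(rules_text)]
    return "\n".join(['<?xml version="1.0" encoding="utf-8"?>', "<direct>"]
                     + body + ["</direct>"]) + "\n"

def count_direct_rules(xml_text):
    return len(ET.fromstring(xml_text).findall("rule"))  # raises on malformed XML
```

Running `print(to_direct_xml(IPTABLES_RULES))` yields the same six rules as Jiri's file, with the OUTPUT_direct rules numbered 0 to 3 in script order.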