I have been migrating older local sysadmin content, with a goal of 'no more iptables' ruleset manipulation. Part of the load is getting outgoing email redirected into a single exit machine, so I can get logging (and identification of compromised hosts propagating viruses and such) working. We take traffic counts by originating host IP, and regularly find 'phishing'-compromised internal hosts sending large volumes of email -- the traffic counts spike up and go 'through the roof'.
The standby script from long ago which I wrote is:
[herrold@centos-7 rc.d]$ cat mailfunnel.sh
#!/bin/sh
# mailfunnel.sh
NATHOST="172.168.33.2"
INSIDE="172.168.33.105"
LOCALNET="172.168.33.0/24"
LOCALHOST="127.0.0.1"
WORLD="0.0.0.0/0"
MAILPORT="25"
IPTABLES="/sbin/iptables"

# pass content initiating on 'lo'
$IPTABLES -t nat -A PREROUTING \
    -s $LOCALHOST -d $WORLD \
    -j ACCEPT
$IPTABLES -t nat -A POSTROUTING \
    -s $LOCALHOST -d $WORLD \
    -j ACCEPT

# hand off a portforward of the backside email traffic
# to the logging host
# (negation written as '! -s'; the older '-s !' form is
#  deprecated in current iptables and only warns)
$IPTABLES -t nat -A PREROUTING -p tcp \
    ! -s $INSIDE -d $WORLD --dport $MAILPORT \
    -j DNAT --to-destination $INSIDE

# I suspect this rule is never hit
$IPTABLES -t nat -A POSTROUTING -p tcp \
    ! -s $INSIDE -d $WORLD --dport $MAILPORT \
    -j SNAT --to $NATHOST
[herrold@centos-7 rc.d]$
Looks like I've not touched the one for that site in a long time:
-rwxr-xr-x. 1 herrold herrold 1050 Feb 2 2005 mailfunnel.sh
This was a mixture of NAT and port forwarding.
It would not harm my feelings if both the NATHOST and the INSIDE (mail destination) were on the same IP, and indeed if that destination was the gateway. That was my first attempt, trying to get a 'transparent redirect' into the gateway 'squid' to catch even hosts not explicitly set to use the proxy.
I had tried and failed to add, to a NAT barrier host, a 'catchall' rule to feed all port 80 traffic from the 'backside' network over to port 3128 -- squid -- on the localhost, but I am missing what is wrong with this command:
[root@router squid]# firewall-cmd --zone=internal --add-rule-rich='rule family="ipv4" forward-port to-port="3128" to-addr="127.0.0.1" port="80" protocol="tcp" '
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --add-rule-rich=rule family="ipv4" forward-port to-port="3128" to-addr="127.0.0.1" port="80" protocol="tcp"
Ehh? That example was lifted right out of the 'man' page.
What approach to convert this set of rules is most direct? I suspect my answer in each case will involve referencing firewalld.richlanguage from its man page. I tried to follow Example 5. I adjusted it to a general rule:
[root@router squid]# firewall-cmd --zone=internal --add-rule-rich='rule family="ipv4" forward-port to-port="25" to-addr="10.16.0.1" port="25" protocol="tcp" '
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --add-rule-rich=rule family="ipv4" forward-port to-port="25" to-addr="10.16.0.1" port="25" protocol="tcp"
So clearly I am missing something.
Thoughts? Pointers? (My Google-fu does not produce useful pointers)
-- Russ herrold
On 09/21/2017 11:57 AM, R P Herrold wrote:
> [root@router squid]# firewall-cmd --zone=internal --add-rule-rich='rule family="ipv4" forward-port to-port="3128" to-addr="127.0.0.1" port="80" protocol="tcp" '
> usage: see firewall-cmd man page
> firewall-cmd: error: unrecognized arguments: --add-rule-rich=rule family="ipv4" forward-port to-port="3128" to-addr="127.0.0.1" port="80" protocol="tcp"
> ehh? that example was lifted right out of the 'man' page
"--add-rule-rich=" Is this an email typo or did you actually run the command like that?
Just in case, it should be "--add-rich-rule="
On Fri, 22 Sep 2017, JonRam@AOD wrote:
> "--add-rule-rich=" Is this an email typo or did actually run the command like that?
> Just in case, it should be "--add-rich-rule="
Will test ...
[root@router ~]# firewall-cmd --zone=internal \
    --add-rich-rule='rule family="ipv4" forward-port \
    to-port="3128" to-addr="127.0.0.1" port="80" protocol="tcp" '
success
[root@router ~]#
I recall scraping and pasting with the man page open, but it was some weeks ago -- I dug through some backup detail, and it seems I was running (the piece was composed before a summer break) firewalld-0.4.3.2-x .... It is a puzzlement -- perhaps a man page change, perhaps just stray beta particles altering my recollection.
Actually, I see also that my example is the transparent 'squid' one, rather than the email / smtp port one.
THANK YOU for the proof reading, in either case.
-- Russ herrold
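Added example, not from the thread or from firewalld itself: a shell script giving the firewalld equivalent of mailfunnel.sh (the SMTP funnel to the logging host) and of the transparent squid redirect, using the corrected --add-rich-rule option. It assumes the backside interfaces sit in the zone named `internal`, that the logging host address is the INSIDE value from the old script, and that masquerading on the zone supplies the SNAT the old POSTROUTING rule did by hand; the DRY_RUN switch and the helper function names are the example's own.

```shell
#!/bin/sh
# Constructed example: firewalld rich rules replacing mailfunnel.sh.
# Zone name, addresses and DRY_RUN are assumptions for this example.
ZONE="internal"
INSIDE="172.168.33.105"   # logging mail host (INSIDE in mailfunnel.sh)
MAILPORT="25"
PROXYPORT="3128"          # local squid
: "${DRY_RUN:=1}"         # default: print commands; set DRY_RUN= to apply

# Rich rule for the SMTP funnel: every TCP/25 connection entering the
# zone, except from the logging host itself, is DNATed to the logging
# host. This replaces the iptables PREROUTING DNAT rule; the SNAT that
# the old POSTROUTING rule attempted is what --add-masquerade provides.
mail_rich_rule() {
    printf 'rule family="ipv4" source NOT address="%s" forward-port port="%s" protocol="tcp" to-port="%s" to-addr="%s"' \
        "$1" "$2" "$2" "$1"
}

# Transparent proxy redirect: no to-addr, so firewalld REDIRECTs port 80
# to the gateway itself instead of DNATing to 127.0.0.1, which the kernel
# treats as a martian destination unless route_localnet is enabled.
proxy_rich_rule() {
    printf 'rule family="ipv4" forward-port port="80" protocol="tcp" to-port="%s"' "$1"
}

# Wrapper so the script can be exercised without touching a live firewall.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Runtime rules only; repeat with --permanent once they are verified.
apply_mailfunnel() {
    fw --zone="$ZONE" --add-masquerade \
    && fw --zone="$ZONE" --add-rich-rule="$(mail_rich_rule "$INSIDE" "$MAILPORT")" \
    && fw --zone="$ZONE" --add-rich-rule="$(proxy_rich_rule "$PROXYPORT")"
}

apply_mailfunnel
```

Mail that originates on the gateway itself is not affected, because forward-port rules act in PREROUTING only, which is also why the old script's lo ACCEPT rules have no firewalld counterpart.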