F19 Firewall

Jiri Popelka jpopelka at redhat.com
Mon Sep 30 15:42:28 UTC 2013


On 09/27/2013 03:04 PM, Lance Lassetter wrote:
> with firewalld can i import this rule:
>
> /sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
>
> and these rules:
>
> /sbin/iptables -t nat -A OUTPUT -p tcp  --dport 80 -m owner --gid-owner squid -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
>
> hence, Netfilter rules by user/group and using NFQUEUE target.
>
> because if firewalld allows stuff like this, then problem solved.  last checked, it does not.

Should be possible with permanent direct rules.
I'd point you to firewalld.direct(5), but I've just noticed we actually 
forgot to ship it :-(

So just create /etc/firewalld/direct.xml with something like:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- rules in the same chain are applied in ascending priority order,
       so the OUTPUT_direct rules below keep the order of the iptables lines above -->
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-m mark ! --mark 1/1 -j NFQUEUE</rule>
  <rule ipv="ipv4" table="nat" chain="PREROUTING_direct" priority="0">-p tcp --dport 80 -j DNAT --to 192.168.1.2:3129</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="0">-p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="1">-p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="2">-p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="3">-p tcp --dport 80 -j REDIRECT --to-ports 3129</rule>
</direct>

The X_direct chains are created by firewalld and jumped into before
all the other chains (for zones etc.).

> and, once again why not something simple like if 'execute some iptables script' , then 'iptables-save' , then 'firewalld-save' or even skip the middle step!

I'm CCing Thomas who has already tried to write something similar, but 
it's not that simple according to his words.

--
Jiri
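An added example (not part of the thread, and not firewalld's own code) that parses a direct.xml like the one suggested above and renders what each <rule> turns into, so the resulting rule set can be reviewed before it is loaded. It validates the ipv/table/priority attributes, rejects the common copy-paste mistake of leaving "-t nat" or "-A OUTPUT" inside the rule text (firewalld supplies table and chain from the attributes, so the rule body must hold only the match and target arguments), sorts rules by priority within each chain, and prints both the iptables form and the equivalent firewall-cmd --permanent --direct --add-rule invocations. The sample XML is constructed for this example (deliberately shuffled to show priority ordering); rendering each rule as "-A chain" in ascending priority order is an assumption that approximates firewalld's ordering, not a reproduction of its implementation.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the rules from the reply above, listed out of order
# on purpose so that priority sorting is visible in the output.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-m mark ! --mark 1/1 -j NFQUEUE</rule>
  <rule ipv="ipv4" table="nat" chain="PREROUTING_direct" priority="0">-p tcp --dport 80 -j DNAT --to 192.168.1.2:3129</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="3">-p tcp --dport 80 -j REDIRECT --to-ports 3129</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="0">-p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="1">-p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="2">-p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT</rule>
</direct>
"""

# Tables accepted per address family, and the tool that owns each family.
TABLES = {
    "ipv4": {"filter", "nat", "mangle", "raw", "security"},
    "ipv6": {"filter", "nat", "mangle", "raw", "security"},
    "eb": {"filter", "nat", "broute"},
}
BINARY = {"ipv4": "iptables", "ipv6": "ip6tables", "eb": "ebtables"}

# Tokens that must not appear in a rule body: table and chain come from
# the attributes, so a pasted "-t nat -A OUTPUT ..." line is a mistake.
MISPLACED_TOKENS = {"-t", "--table", "-A", "--append", "-I", "--insert", "-D", "--delete"}


def parse_direct(xml_text):
    """Parse direct.xml text into validated rule dicts (assumed schema: <direct><rule .../></direct>)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "direct":
        raise ValueError("root element must be <direct>, got <%s>" % root.tag)
    rules = []
    for idx, el in enumerate(root.findall("rule"), start=1):
        ipv, table, chain = el.get("ipv"), el.get("table"), el.get("chain")
        if ipv not in TABLES:
            raise ValueError("rule %d: ipv must be one of %s" % (idx, sorted(TABLES)))
        if table not in TABLES[ipv]:
            raise ValueError("rule %d: table %r is not valid for %s" % (idx, table, ipv))
        if not chain:
            raise ValueError("rule %d: chain attribute is required" % idx)
        try:
            priority = int(el.get("priority", ""))
        except ValueError:
            raise ValueError("rule %d: priority must be an integer" % idx) from None
        if priority < 0:
            raise ValueError("rule %d: priority must not be negative" % idx)
        args = shlex.split(el.text or "")
        if not args:
            raise ValueError("rule %d: empty rule body" % idx)
        misplaced = MISPLACED_TOKENS.intersection(args)
        if misplaced:
            raise ValueError("rule %d: %s belongs in the attributes, not the rule body"
                             % (idx, sorted(misplaced)))
        rules.append({"ipv": ipv, "table": table, "chain": chain,
                      "priority": priority, "args": args})
    return rules


def ordered(rules):
    """Rules grouped by family/table/chain and sorted by ascending priority."""
    return sorted(rules, key=lambda r: (r["ipv"], r["table"], r["chain"], r["priority"]))


def render_iptables(rules):
    """Approximate iptables/ip6tables/ebtables commands, one per rule, in apply order (assumption)."""
    return ["%s -t %s -A %s %s" % (BINARY[r["ipv"]], r["table"], r["chain"], shlex.join(r["args"]))
            for r in ordered(rules)]


def render_firewall_cmd(rules):
    """Equivalent permanent direct rules expressed as firewall-cmd invocations."""
    return ["firewall-cmd --permanent --direct --add-rule %s %s %s %d %s"
            % (r["ipv"], r["table"], r["chain"], r["priority"], shlex.join(r["args"]))
            for r in ordered(rules)]


if __name__ == "__main__":
    parsed = parse_direct(DIRECT_XML)
    for line in render_iptables(parsed) + render_firewall_cmd(parsed):
        print(line)
```

Run it against a real /etc/firewalld/direct.xml by replacing DIRECT_XML with the file's contents; a ValueError points at the rule that would not load cleanly, and the printed command list is what to compare against `iptables -t nat -S OUTPUT_direct` after a reload.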

