F19 Firewall

Lance Lassetter lancelassetter at gmail.com
Mon Sep 30 19:15:17 UTC 2013


I can surely wait as long as iptables is an available option (init scripts, iptables-save, etc)

:-)

Lance

Jiri Popelka <jpopelka at redhat.com> wrote:

>On 09/27/2013 03:04 PM, Lance Lassetter wrote:
>> with firewalld can i import this rule:
>>
>> /sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
>>
>> and these rules:
>>
>> /sbin/iptables -t nat -A OUTPUT -p tcp  --dport 80 -m owner --gid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
>> /sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
>>
>> hence, Netfilter rules by user/group and using NFQUEUE target.
>>
>> because if firewalld allows stuff like this, then problem solved.  last checked, it does not.
>
>Should be possible with permanent direct rules.
>I'd point you to firewalld.direct(5), but I've just noticed we actually 
>forgot to ship it :-(
>
>So just create /etc/firewalld/direct.xml with something like:
><?xml version="1.0" encoding="utf-8"?>
><direct>
>  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-m mark ! --mark 1/1 -j NFQUEUE</rule>
>  <rule ipv="ipv4" table="nat" chain="PREROUTING_direct" priority="0">-p tcp --dport 80 -j DNAT --to 192.168.1.2:3129</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="0">-p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="1">-p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="2">-p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT</rule>
>  <rule ipv="ipv4" table="nat" chain="OUTPUT_direct" priority="3">-p tcp --dport 80 -j REDIRECT --to-ports 3129</rule>
></direct>
>
>The X_direct chains are created by firewalld and jumped into before
>all the other chains (for zones etc.).
>
>> and, once again why not something simple like if 'execute some iptables script' , then 'iptables-save' , then 'firewalld-save' or even skip the middle step!
>
>I'm CCing Thomas who has already tried to write something similar, but 
>it's not that simple according to his words.
>
>--
>Jiri
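The translation Jiri describes above (iptables command -> firewalld direct rule) can be mechanised. The following is an added example, not firewalld's code and not from this thread: it parses the -t/-A/-I options of the quoted iptables commands, maps each chain to the firewalld-provided CHAIN_direct chain, and assigns the priority from the rule's position within its table/chain so that the original ordering survives. The input commands are the ones quoted in the thread, embedded here as constructed sample data.

```python
import shlex
import xml.etree.ElementTree as ET
# Constructed input: the iptables commands quoted in the thread, one per line.
IPTABLES_RULES = """
/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
/sbin/iptables -t nat -A OUTPUT -p tcp  --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
"""
COMMANDS = [l.strip() for l in IPTABLES_RULES.splitlines() if l.strip()]

def parse_iptables(cmd):
    """Split one iptables command into (table, chain, match/target args)."""
    argv = shlex.split(cmd)[1:]  # drop the iptables binary itself
    table, chain, args, i = "filter", None, [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-t", "--table"):
            table, i = argv[i + 1], i + 2
        elif tok in ("-A", "--append", "-I", "--insert"):
            chain, i = argv[i + 1], i + 2
            if i < len(argv) and argv[i].isdigit():  # optional -I position
                i += 1
        else:
            args.append(tok)
            i += 1
    if chain is None:
        raise ValueError("no -A/-I chain in: " + cmd)
    return table, chain, " ".join(args)

def build_direct_xml(commands, ipv="ipv4"):
    """Build the <direct> tree. firewalld orders direct rules by priority,
    not file position, so position within (table, chain) becomes priority."""
    root, next_prio = ET.Element("direct"), {}
    for cmd in commands:
        table, chain, args = parse_iptables(cmd)
        prio = next_prio.get((table, chain), 0)
        next_prio[(table, chain)] = prio + 1
        # firewalld creates CHAIN_direct and jumps to it before the zone chains
        rule = ET.SubElement(root, "rule", ipv=ipv, table=table,
                             chain=chain + "_direct", priority=str(prio))
        rule.text = args
    return root

def direct_xml_text(commands):
    """Serialise as the contents of /etc/firewalld/direct.xml."""
    body = ET.tostring(build_direct_xml(commands), encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"
```

Because direct rules are evaluated before the zone chains, anything emitted this way bypasses zone policy; review the generated file before dropping it into /etc/firewalld/direct.xml.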


More information about the security mailing list