| bergman on 22 May 2017 14:12:57 -0700 |
| Re: [PLUG] iptables question on redirection & circumvention reporting |
In the message dated: Mon, 22 May 2017 16:10:32 -0400,
The pithy ruminations from brent timothy saner on
<Re: [PLUG] iptables question on redirection & circumvention reporting> were:
=> On 05/22/2017 03:41 PM, Thomas Delrue wrote:
You don't say what distro you're running.
I bring this up because I've started looking more closely @ firewalld
(RHEL7 default, replaces iptables).
I can't offer a nice answer to your actual question like Brent did,
but the firewalld syntax is closer to shorewall than iptables, and it's
got similarly concise ways to set up rules & logging.
If you're using RHEL7 (or a downstream version, i.e. CentOS7, etc.), you
may want to look at firewalld.
Perhaps someone can compare & contrast firewalld vs shorewall (or others).
=>
=> here's where it gets hairy. you can definitely log with iptables but
=> once you start doing logchains (e.g.
=> https://www.svennd.be/creating-a-log-chain-for-iptables/ ), you'll
=> probably want something like Shorewall (http://shorewall.org/).
=>
=> Your example below can be done with one line in /etc/shorewall{,6}/rules
=> (assuming you named your WAN zone as "wan" and your local zone as "lan"):
=>
=> #ACTION SRC DST PROTO DPRT SPRT ORIGDEST...
=> DNAT:Info:DNS wan lan:10.0.0.2 tcp,udp 53 - -
=>
=>
=> If you only want the rule to apply to specific external DNS servers, you
=> can put those IPs for ORIGDEST.
=>
=> trust me. shorewall actually makes iptables rules sane.
=>
Mark
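The Shorewall rule Brent quotes (DNAT:Info:DNS wan lan:10.0.0.2 tcp,udp 53) written out as the iptables commands it stands for, with a separate log chain of the kind the linked svennd article describes. This is an added example, not code from the thread, Shorewall or firewalld: the "wan" and "lan" zones are assumed to be interfaces eth0 and eth1, the resolver address 10.0.0.2 and the tcp,udp/53 match come from the quoted rule, and the chain name DNS_LOG, the log prefix and the rate limit are choices made here. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# Added example: iptables rendering of the quoted Shorewall rule
#   DNAT:Info:DNS  wan  lan:10.0.0.2  tcp,udp  53
# Zone-to-interface mapping, chain name and prefix are assumptions, not from the thread.
WAN_IF=${WAN_IF:-eth0}            # assumed: the "wan" zone
LAN_IF=${LAN_IF:-eth1}            # assumed: the "lan" zone
DNS_TARGET=${DNS_TARGET:-10.0.0.2}  # resolver from the quoted rule
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands, 0 = apply them (needs root)

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Emit the rules. DNS_LOG is the "log chain" pattern: every matching packet
# is logged (rate-limited so a flood cannot fill syslog) and control then
# returns to PREROUTING, where the DNAT is applied. Shorewall's "Info" level
# and "DNS" tag become --log-level info and a recognisable --log-prefix.
dns_dnat_rules() {
    ipt -t nat -N DNS_LOG
    ipt -t nat -A DNS_LOG -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-level info --log-prefix "DNS-DNAT: "
    ipt -t nat -A DNS_LOG -j RETURN
    for proto in tcp udp; do
        # log first, then rewrite the destination to the local resolver
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport 53 -j DNS_LOG
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$DNS_TARGET"
        # DNAT only rewrites the header; the forwarded packet must still be accepted
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$DNS_TARGET" --dport 53 \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    done
}

dns_dnat_rules
```

The matching kernel log lines start with the prefix "DNS-DNAT: ", so a `grep DNS-DNAT /var/log/kern.log` (or `journalctl -k | grep DNS-DNAT`) is the circumvention report; raise the limit or drop the `-m limit` match if you need every hit recorded rather than a sample.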
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug