bergman on 22 May 2017 14:12:57 -0700


Re: [PLUG] iptables question on redirection & circumvention reporting

In the message dated: Mon, 22 May 2017 16:10:32 -0400,
The pithy ruminations from brent timothy saner on 
<Re: [PLUG] iptables question on redirection & circumvention reporting> were:
=> On 05/22/2017 03:41 PM, Thomas Delrue wrote:

You don't say what distro you're running.

I bring this up because I've started looking more closely @ firewalld
(RHEL7 default, replaces iptables).

I can't offer a nice answer to your actual question like Brent did,
but the firewalld syntax is closer to shorewall than iptables, and it's
got similarly concise ways to set up rules & logging.

If you're using RHEL7 (or a downstream version, i.e., CentOS7, etc.), you
may want to look at firewalld.

Perhaps someone can compare & contrast firewalld vs shorewall (or others).

=> here's where it gets hairy. you can definitely log with iptables but
=> once you start doing logchains (e.g.
=> ), you'll
=> probably want something like Shorewall (
=> Your example below can be done with one line in /etc/shorewall{,6}/rules
=> (assuming you named your WAN zone as "wan" and your local zone as "lan"):
=> #ACTION        SRC  DST   PROTO    DPRT  SPRT  ORIGDEST...
=> DNAT:Info:DNS  wan  lan:  tcp,udp  53    -     -
=> If you only want the rule to apply to specific external DNS servers, you
=> can put those IPs for ORIGDEST.
=> trust me. shorewall actually makes iptables rules sane.
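
For readers who want to see what Brent's one-line Shorewall rule expands to, here is an added example (my own script, not code from the thread or from the Shorewall or firewalld projects) that emits the raw iptables rules for the same "log at info, then DNAT port 53 to a local resolver" behaviour. The interface name, resolver address and log prefix are constructed placeholders; the `! -d` match is added so queries already aimed at the resolver are neither logged nor rewritten, which is the part that makes the log a circumvention report rather than a log of all DNS.

```sh
#!/bin/sh
# Added example: iptables equivalent of a Shorewall line such as
#   DNAT:Info:DNS  wan  lan:<resolver>  tcp,udp  53
# i.e. log matching DNS queries at syslog level "info", then DNAT them
# to the local resolver.  Nothing here is from the original thread.
#
# Constructed assumptions (override via environment):
#   SRC_IF      interface of the source zone ("wan" in Brent's example)
#   RESOLVER    the local DNS server queries are redirected to
#   LOG_PREFIX  prefix to grep for in the syslog/journal

SRC_IF="${SRC_IF:-eth0}"
RESOLVER="${RESOLVER:-192.0.2.53}"
LOG_PREFIX="${LOG_PREFIX:-DNS-REDIRECT:}"

# Print the two iptables commands for one protocol (tcp or udp).
# Both rules skip traffic that is already destined for the resolver, so
# only queries that bypass it are logged and rewritten.
dns_redirect_rules() {
    proto="$1"
    # LOG is non-terminating, so it goes first.  The limit match keeps a
    # burst of queries from filling the log.
    printf 'iptables -t nat -A PREROUTING -i %s ! -d %s -p %s --dport 53 -m limit --limit 10/min -j LOG --log-level info --log-prefix "%s"\n' \
        "$SRC_IF" "$RESOLVER" "$proto" "$LOG_PREFIX"
    # DNAT rewrites the destination; the reply is un-NATed by conntrack.
    printf 'iptables -t nat -A PREROUTING -i %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
        "$SRC_IF" "$RESOLVER" "$proto" "$RESOLVER"
}

# DNS runs over both transports, so emit the pair for tcp and udp.
all_rules() {
    for p in tcp udp; do
        dns_redirect_rules "$p"
    done
}

# Default is a dry run that just prints the commands; pass --apply (as
# root) to execute them.
if [ "${1:-}" = "--apply" ]; then
    all_rules | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
else
    all_rules
fi
```

Run it without arguments to review the four rules before applying them; afterwards, `grep DNS-REDIRECT: /var/log/messages` (or the journal) lists the clients that tried to reach an outside resolver, which is the "circumvention reporting" half of the original question.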

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --