Thanks Tom
Regards
Naveen
On Wed, Jul 11, 2018 at 11:29 AM, Tom Eastep <teas...@shorewall.net> wrote:
> On 07/10/2018 12:32 PM, Naveen Neelakanta wrote:
> > Hi All,
> >
> > How can I achieve the zone-based connection tracking below using
> > Shorewall, so that a new connection entry gets created when the traffic
> > is routed to another internet interface?
> >
> > These are the manually added commands:
> > iptables -A PREROUTING -i eth3 -j CT --zone 1 -t raw
> > iptables -A OUTPUT -o eth3 -j CT --zone 1 -t raw
> >
> > cat /proc/net/nf_conntrack | grep zone=| grep 192.168.103.1 | grep 192.168.55.1
> > ipv4 2 icmp 1 29 src=192.168.55.1 dst=192.168.103.1 type=8 code=0 id=4391 src=192.168.103.1 dst=192.168.103.2 type=0 code=0 id=4391 mark=0 zone=1
> >
> >
> > I have the existing zones configured as below.
> >
> > # cat /etc/shorewall/zones
> > #ZONE   TYPE       OPTIONS   IN        OUT
> > #                            OPTIONS   OPTIONS
> > fw      firewall
> > lan     ipv4
> > vpn     ipsec
> > inet    ipv4
> >
> > # cat /etc/shorewall/interfaces
> > #ZONE INTERFACE OPTIONS
> > lan eth4 detect tcpflags,nosmurfs,logmartians
> > inet eth5 detect tcpflags,nosmurfs,logmartians
> > inet eth3 detect tcpflags,nosmurfs,logmartians
> > lan eth0 detect tcpflags,nosmurfs,logmartians
> >
>
> In /etc/shorewall/conntrack:
>
> IPTABLES(CT --zone 1) eth3 -
> IPTABLES(CT --zone 1):O 0.0.0.0/0 eth3
>
> -Tom
> --
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> \_______________________________________________
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
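
Added example, not part of the thread or of Shorewall: a shell check for the result the question asks for, namely that the same flow gets its own conntrack entry per zone. It parses nf_conntrack-format lines from stdin; the function names, the second and third sample lines, and treating a missing zone= field as zone 0 are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which conntrack zones hold an entry for a given flow.

# ct_zones SRC DST
# Reads nf_conntrack-format lines on stdin and prints, sorted and unique,
# the zone id of every entry whose ORIGINAL-direction tuple is SRC -> DST.
ct_zones() {
    awk -v want_src="$1" -v want_dst="$2" '
    {
        src = ""; dst = ""
        zone = 0    # assumption: an entry without a zone= field is in zone 0
        for (i = 1; i <= NF; i++) {
            # The first src=/dst= pair on a line is the original direction;
            # the second pair is the reply tuple and is ignored here.
            if (src == "" && $i ~ /^src=/)       src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/)  dst = substr($i, 5)
            else if ($i ~ /^zone=/)              zone = substr($i, 6)
        }
        if (src == want_src && dst == want_dst) print zone
    }' | sort -un
}

# ct_in_zone SRC DST ZONE
# Succeeds only if the flow SRC -> DST has an entry in conntrack zone ZONE.
ct_in_zone() {
    ct_zones "$1" "$2" | grep -qx "$3"
}

# Sample input. Line 1 is the entry quoted in the thread (eth3, zone 1).
# Lines 2 and 3 are constructed: the same ICMP flow tracked a second time in
# the default zone via another uplink, and an unrelated TCP flow.
sample_conntrack() {
    cat <<'EOF'
ipv4 2 icmp 1 29 src=192.168.55.1 dst=192.168.103.1 type=8 code=0 id=4391 src=192.168.103.1 dst=192.168.103.2 type=0 code=0 id=4391 mark=0 zone=1
ipv4 2 icmp 1 27 src=192.168.55.1 dst=192.168.103.1 type=8 code=0 id=4391 src=192.168.103.1 dst=192.168.105.2 type=0 code=0 id=4391 mark=0
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.55.7 dst=192.168.103.1 sport=40000 dport=22 src=192.168.103.1 dst=192.168.55.7 sport=22 dport=40000 [ASSURED] mark=0
EOF
}

# Two lines of output mean the flow is tracked separately in two zones.
sample_conntrack | ct_zones 192.168.55.1 192.168.103.1
```

On a live firewall, feed the functions from the kernel table instead of the sample: `ct_zones 192.168.55.1 192.168.103.1 < /proc/net/nf_conntrack`.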