How to start external script when ipfilter rule matches

How to start external script when ipfilter rule matches

[Sören Lorenz]

I'd like to start Squid when packets arrive on port 3128 on my router. 
When the router disconnects from my ISP, Squid is shutdown again. 
Ideally the packets would be kept on hold until Squid is running and 
then delivered to the daemon. Another question is to shutdown squid 
after a certain time of inactivity on port 3128. Is there a way to 
achive this with ipfilter?

Thanks in advance.

Regards,

Sören Lorenz

Re: How to start external script when ipfilter rule matches

[Samuel Jean]

> Date: Thu, 05 Aug 2004 22:39:51 +0200
> From: Sören Lorenz <soeren.lorenz@web.de>
>
> I'd like to start Squid when packets arrive on port 3128 on my router.

That's not netfilter/iptables job. inetd better suits to your needs.
I don't know much about Squid, but I guess it supports inetd.

> When the router disconnects from my ISP, Squid is shutdown again.

If that isn't a question, goto CONTINUE

As you seem to be using PPP connection, I'd consider using
/etc/ppp/ip-down bash script which is launched after successfull
disconnection process.


:CONTINUE
> Ideally the packets would be kept on hold until Squid is running and
> then delivered to the daemon. Another question is to shutdown squid
> after a certain time of inactivity on port 3128. Is there a way to
> achive this with ipfilter?

Again, not iptables/netfilter. Inetd can.

>
> Thanks in advance.
>
> Regards,
>
> Sören Lorenz

Hope this helps.

-- 
Samuel Jean
SysAdmin & NetAdmin
at cookinglinux.org

Re: How to start external script when ipfilter rule matches

[nadim]

I'm a complete noob so I am certainly wrong. I posted a question a few days 
ago about IPQ (that no one bothered to answer :-( ).

Isn't ipq what Sören is trying to come to?

here is a link to what can be done friom perl:
http://michael.toren.net/slides/ipqueue/

Am I getting all wrong?

Cheersn, Nadim.

On Friday 06 August 2004 21:33, Samuel Jean wrote:
> > Date: Thu, 05 Aug 2004 22:39:51 +0200
> > From: Sören Lorenz <soeren.lorenz@web.de>
> >
> > I'd like to start Squid when packets arrive on port 3128 on my router.
>
> That's not netfilter/iptables job. inetd better suits to your needs.
> I don't know much about Squid, but I guess it supports inetd.
>
> > When the router disconnects from my ISP, Squid is shutdown again.
>
> If that isn't a question, goto CONTINUE
>
> As you seem to be using PPP connection, I'd consider using
> /etc/ppp/ip-down bash script which is launched after successfull
> disconnection process.
>
> :CONTINUE
> :
> > Ideally the packets would be kept on hold until Squid is running and
> > then delivered to the daemon. Another question is to shutdown squid
> > after a certain time of inactivity on port 3128. Is there a way to
> > achive this with ipfilter?
>
> Again, not iptables/netfilter. Inetd can.
>
> > Thanks in advance.
> >
> > Regards,
> >
> > Sören Lorenz
>
> Hope this helps.

Re: How to start external script when ipfilter rule matches

[Michael Gale]

You could use Ulog I think .... but the first reply was correct ... not a iptables issue.

Michael.


On Sat, 7 Aug 2004 00:17:29 +0200
nadim <nadim@khemir.net> wrote:

> http://michael.toren.net/slides/ipqueue/

-- 
Michael Gale
Network Administrator
Utilitran Corporation

Re: How to start external script when ipfilter rule matches

[nadim]

On Saturday 07 August 2004 00:41, Michael Gale wrote:
> You could use Ulog I think .... but the first reply was correct ... not
> a iptables issue.
Is IPQ a solution or not? IPQ comes with iptables, right?

Cheers, Nadim.

Re: How to start external script when ipfilter rule matches

[Sören Lorenz]

Samuel Jean schrieb:

>That's not netfilter/iptables job. inetd better suits to your needs.
>I don't know much about Squid, but I guess it supports inetd.
>
>  
>
No, it doesn't. It needs to bind the port directly, no way to run it via 
inetd.

>>When the router disconnects from my ISP, Squid is shutdown again.
>>    
>>
>Again, not iptables/netfilter. Inetd can.
>  
>
Come on, there must be a way to trigger userspace actions on netfilter 
matches. Some people do realtime blacklisting on portscanning IPs. I'm 
looking for a lightweight (router suitable) way to do this. Solutions 
depending on Perl are not an option.

Regards,

Sören Lorenz

Re: How to start external script when ipfilter rule matches

[Antony Stone]

On Saturday 14 August 2004 12:09 pm, Sören Lorenz wrote:

> Samuel Jean schrieb:
> >That's not netfilter/iptables job. inetd better suits to your needs.
> >I don't know much about Squid, but I guess it supports inetd.
>
> No, it doesn't. It needs to bind the port directly, no way to run it via
> inetd.

Indeed!   The idea of spawning Squid from inetd is horrible :(

> >>When the router disconnects from my ISP, Squid is shutdown again.
> >
> >Again, not iptables/netfilter. Inetd can.
>
> Come on, there must be a way to trigger userspace actions on netfilter
> matches. Some people do realtime blacklisting on portscanning IPs. I'm
> looking for a lightweight (router suitable) way to do this. Solutions
> depending on Perl are not an option.

Try investigating the ULOG target perhaps?

Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we 
don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

                                                     Please reply to the list;
                                                           please don't CC me.

Re: How to start external script when ipfilter rule matches

[Sören Lorenz]

Yes, that's the  way to go. But I need a lightweight userspace program 
to trigger the actions I want to execute based on specific log events. 
I've only come across perl solutions for this which is not suitable for 
a router.

Regards,

Sören Lorenz

Antony Stone schrieb:

>
>Try investigating the ULOG target perhaps?
>
>Antony.
>
>  
>