SuSEfirewall2 assistance
Hello

I have been working on a solution to a firewall I have been asked to build now for a week, and I have learnt a lot, but am repeatedly running into the fact I am doing something fundamentally wrong.

```
        217.34.xxx.high_end
            DSL ROUTER
                |
                |
            Firewall2 -----------------------217.34.xxx.low_end (Named/SQUID)
                |                                 EXCHANGE Server
                |                                       |
                |                                       |
                |                                       |-----------217.34.xxx.low_end
                |                                                   Backup Server
                |
              DHCP LAN
```

Since I did not get to call the shots on the setup of their network, the LAN needs to be able to see the services on the DMZ machines, and the DHCP machines need to be masqueraded to the outside world.

Through change after change I have managed to get the initial issue solved (subnetting correctly so it knows where the lower and higher IPs are - Doh!).

My boss is pushing for another solution - but I am confident I can solve it with this - although I am not producing the goods.

If anyone has a similar configuration, or is willing to offer me some wise words - then please contact me directly.

Many thanks

AH

--

For your amusement...

```sh
# Excerpt of /etc/sysconfig/SuSEfirewall2; the numbered comments are the
# section markers of the SuSEfirewall2 template. Variables such as
# $INT_LAN_RANGE, $DMZ_IP_RANGE, $DMZ_EXCHANGE, $DMZ_BACKUP and
# $EXT_ZFT_GATE are not shown in this excerpt.

# 2.)
FW_DEV_EXT="eth0"
# 3.)
FW_DEV_INT="eth2"
# 4.)
FW_DEV_DMZ="eth1"
# 5.)
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
# Format: source_net,dest_net,protocol,port (one entry per line)
FW_MASQ_NETS="$INT_LAN_RANGE,0/0,tcp,20
$INT_LAN_RANGE,0/0,tcp,21
$INT_LAN_RANGE,0/0,tcp,22
$INT_LAN_RANGE,0/0,tcp,23
$INT_LAN_RANGE,0/0,tcp,25
$INT_LAN_RANGE,0/0,tcp,37
$INT_LAN_RANGE,0/0,udp,37
$INT_LAN_RANGE,0/0,udp,43
$INT_LAN_RANGE,0/0,udp,53
$INT_LAN_RANGE,0/0,tcp,53
$INT_LAN_RANGE,0/0,tcp,80
$INT_LAN_RANGE,0/0,tcp,110
$INT_LAN_RANGE,0/0,tcp,113
$INT_LAN_RANGE,0/0,tcp,123
$INT_LAN_RANGE,0/0,udp,123
$INT_LAN_RANGE,0/0,tcp,143
$INT_LAN_RANGE,0/0,tcp,443
$INT_LAN_RANGE,0/0,tcp,554
$INT_LAN_RANGE,0/0,tcp,993
$INT_LAN_RANGE,0/0,tcp,1863
$INT_LAN_RANGE,0/0,tcp,2401
$INT_LAN_RANGE,0/0,tcp,5800
$INT_LAN_RANGE,0/0,tcp,5900
$INT_LAN_RANGE,0/0,tcp,6800:6900
$INT_LAN_RANGE,0/0,udp,6800:6900
$INT_LAN_RANGE,0/0,tcp,6901
$INT_LAN_RANGE,0/0,udp,6901
$INT_LAN_RANGE,0/0,tcp,6970:7170
$INT_LAN_RANGE,0/0,tcp,7070"
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""   # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="53 3128"
FW_SERVICES_DMZ_UDP="53"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="23 53 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
# 10.)
FW_TRUSTED_NETS="$EXT_ZFT_GATE,tcp,22"   # SSH/SCP from our gateway
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes"   # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
# 13.)
# Format: source_net,dest_net[,protocol,port] (one entry per line)
FW_FORWARD="$INT_LAN_RANGE,$DMZ_IP_RANGE
0/0,$DMZ_EXCHANGE,tcp,25
0/0,$DMZ_EXCHANGE,tcp,80
0/0,$DMZ_EXCHANGE,tcp,135
0/0,$DMZ_EXCHANGE,tcp,443
0/0,$DMZ_BACKUP,tcp,21
0/0,$DMZ_BACKUP,tcp,20"
# 14.)
FW_FORWARD_MASQ=""   # Beware to use this!
# 15.)
FW_REDIRECT=""
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
# 17.)
FW_KERNEL_SECURITY="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="yes"
# 19.)
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
```

--
a n t h o n y h o g b i n
-----------------------------------------------------
Dear All

So far I've not tried to install an IPtables firewall. I have tried the SuSE firewall which is very good. I still haven't been able to get it to work. Won't allow any packets in or out even if I enable routing and forwarding manually.

The question I would like to ask is this. If I enable an IPtables firewall on a SuSE machine with the eth0 ethernet card as the internet facing card, then how do I tell IPtables that it's eth0 and how do I start IPtables so that it works with eth0?

As I understand it I can tell IPtables that eth1, which is the connection to my internal LAN, will allow all IP traffic to and from the net facing box with ......

```sh
# no problems for the internal LAN to pass traffic
iptables -A INPUT -i $INT -j ACCEPT
iptables -A OUTPUT -o $INT -j ACCEPT
```

Or ... do I replace $INT with eth1?

Thanks

--
Richard
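As an added example (not code from either post): iptables has no built-in idea of which card is "external"; the interface is named in each rule with `-i` / `-o`, so `$INT` is just a shell variable that is expanded to `eth1` before the rule is installed. The script below assumes `eth0` external, `eth1` internal and a constructed LAN range of 192.168.1.0/24, and emits a minimal default-drop two-interface rule set as text so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Assumed interface names and a constructed sample LAN range.
EXT="eth0"              # internet-facing card
INT="eth1"              # internal LAN card
LAN="192.168.1.0/24"    # constructed, not from the thread

# Print the rule set for the given external card, internal card and
# LAN range. Applying it for real needs root and iptables installed.
gen_rules() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
# let the kernel route between the two cards
echo 1 > /proc/sys/net/ipv4/ip_forward
# default-deny for traffic to and through the firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# replies to connections the firewall or the LAN opened
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the LAN may talk to the firewall itself (\$INT expands to $int)
iptables -A INPUT -i $int -s $lan -j ACCEPT
# LAN -> internet, entering on $int and leaving on $ext
iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
# hide the private LAN behind the address of $ext
iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
# anti-spoofing: a LAN source address must never arrive on $ext
iptables -A INPUT -i $ext -s $lan -j DROP
iptables -A FORWARD -i $ext -s $lan -j DROP
EOF
}

# Number of iptables commands the generator emits (used as a sanity check).
count_rules() {
    gen_rules "$@" | grep -c '^iptables'
}

gen_rules "$EXT" "$INT" "$LAN"
```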
participants (2)
- Anthony Hogbin
- Richard Ibbotson