SuSEfirewall2 and NAT help : i am so lost!
Hi, all --

From reviewing the archives I *believe* I'm in a good place to ask, but I could be wrong. Please be gentle in your redirection :-)

I am a loyal :-) SuSE user and am doing some work for a client who has finally switched from SCO UNIX to SCO's version of Linux, which includes SuSEfirewall2 and otherwise looks quite a bit like a SuSE system (gee, go figure!). In any given location he has a static external interface and a 10.x.y.z internal interface and would like to do NATting for his internal Windows machines. I am trying to write a script to configure and enable SuSEfirewall2 for this so that he can do a hands-off install on his literally thousands of clients.

SCO UNIX used ipf and ipnat, and I got those simple rules worked out. Now I need to do the same thing for iptables and SuSEfirewall2 and I'm pretty lost.

Recalling that this has to be a hands-off install, I have whipped up a little script to identify the internal and external interfaces, and then apply

    cat /etc/sysconfig/SuSEfirewall2.bak.$$ | \
      sed \
        -e "s/FW_DEV_EXT=.*/FW_DEV_EXT='$EXT'/" \
        -e "s/FW_DEV_INT=.*/FW_DEV_INT='$INT'/" \
        -e "s/FW_QUICKMODE=.*/FW_QUICKMODE='yes'/" \
        -e "s/FW_ROUTE=.*/FW_ROUTE='yes'/" \
        -e "s/FW_MASQUERADE=.*/FW_MASQUERADE='yes'/" \
        -e "s:FW_MASQ_NETS=.*:FW_MASQ_NETS='10.0.0.0/8':" \
        -e "s/FW_SERVICES_QUICK_TCP=.*/FW_SERVICES_QUICK_TCP='telnet ftp ssh www mysql'/" \
        -e "s:FW_TRUSTED_NETS=.*:FW_TRUSTED_NETS='10.0.0.0/8':" \
      > /etc/sysconfig/SuSEfirewall2

to set the variables accordingly and then create the rc?.d start and stop symlinks for the three scripts.

Unfortunately, a client machine on the inside properly pointing to the internal address as its default gateway cannot get through. Having read the example file, asked Google for help, read through list archives, and generally poked and prodded everywhere I can, I've come up with many "you need to turn on NAT" but no pointers to how to do so!
TIA & HAND :-D -- David T-G * There is too much animal courage in (play) davidtg@justpickone.org * society and not sufficient moral courage. (work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health" http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
On Thu, 15 May 2003, David T-G wrote:
> From reviewing the archives I *believe* I'm in a good place to ask, but I could be wrong. Please be gentle in your redirection :-)
>
> I am a loyal :-) SuSE user and am doing some work for a client who has finally switched from SCO UNIX to SCO's version of Linux, which includes SuSEfirewall2 and otherwise looks quite a bit like a SuSE system (gee, go figure!).
I suppose that is the reason for the "UnitedLinux" sticker on the box :-)
> In any given location he has a static external interface and a 10.x.y.z internal interface and would like to do NATting for his internal Windows machines. I am trying to write a script to configure and enable SuSEfirewall2 for this so that he can do a hands-off install on his literally thousands of clients.
I really don't understand your architecture - I suppose your client has thousands of NAT routers at convenience stores or metropolitan schools or something
> little script to identify the internal and external interfaces, and then apply
>
>     cat /etc/sysconfig/SuSEfirewall2.bak.$$ | \
>       sed \
>         -e "s/FW_DEV_EXT=.*/FW_DEV_EXT='$EXT'/" \
>         -e "s/FW_DEV_INT=.*/FW_DEV_INT='$INT'/" \
>         -e "s/FW_QUICKMODE=.*/FW_QUICKMODE='yes'/" \
>         -e "s/FW_ROUTE=.*/FW_ROUTE='yes'/" \
>         -e "s/FW_MASQUERADE=.*/FW_MASQUERADE='yes'/" \
>         -e "s:FW_MASQ_NETS=.*:FW_MASQ_NETS='10.0.0.0/8':" \
>         -e "s/FW_SERVICES_QUICK_TCP=.*/FW_SERVICES_QUICK_TCP='telnet ftp ssh www mysql'/" \
>         -e "s:FW_TRUSTED_NETS=.*:FW_TRUSTED_NETS='10.0.0.0/8':" \
>       > /etc/sysconfig/SuSEfirewall2
>
> to set the variables accordingly and then create the rc?.d start and stop symlinks for the three scripts.
>
> Unfortunately, a client machine on the inside properly pointing to the internal address as its default gateway cannot get through. Having read the example file, asked Google for help, read through list archives, and generally poked and prodded everywhere I can, I've come up with many "you need to turn on NAT" but no pointers to how to do so!
I am not sure if your script is right, but I know how to turn on NAT. It is the same for all Linux:

    echo 1 > /proc/sys/net/ipv4/ip_forward

The canonical way to do this on SuSE is to set IP_FORWARD=yes in /etc/sysconfig/sysctl and reboot (but double check your UnitedLinux manual, as I am reading the 8.2 manual). (Naturally Google gives you trouble because the kernel hackers always call their implementation of NAT 'masquerading'.)

dproc
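Putting the two halves of this thread together, here is an added example (an editor's addition, not code posted by David or dproc): a small POSIX sh script that sets the masquerading variables in /etc/sysconfig/SuSEfirewall2 the way David's sed pipeline does, but without silently leaving the file unchanged when a variable line is absent, and that prints the plain-iptables equivalent of FW_ROUTE/FW_MASQUERADE together with dproc's ip_forward switch, so the result can be checked on a box where SuSEfirewall2 is not doing what you expect. The interface names eth0/eth1, the 10.0.0.0/8 masquerade network and the constructed miniature of the sysconfig file used in the demo are assumptions; the real file is much longer and should always be edited from a backup. One caveat worth keeping in mind about the original sed list: with FW_QUICKMODE='yes', FW_SERVICES_QUICK_TCP names the TCP services allowed in from the external interface, so 'telnet ftp ssh www mysql' exposes telnet, FTP and MySQL to the outside on every one of those thousands of boxes. The example below deliberately leaves that variable alone and only touches the routing and masquerading ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Sets the SuSEfirewall2 variables
# that drive masquerading and shows the iptables/ip_forward equivalent.
# Assumptions: interfaces eth0/eth1, masqueraded network 10.0.0.0/8, and a
# constructed miniature of /etc/sysconfig/SuSEfirewall2 used in the demo.

# set_sysconfig_var FILE VAR VALUE
# Rewrites the VAR=... line if present, appends one otherwise. A plain
# "sed -e s/VAR=.*/.../" silently changes nothing when the line is missing.
# Writing back with cat keeps the original file's owner and mode.
set_sysconfig_var() {
    file=$1 var=$2 value=$3
    tmp=$(mktemp) || return 1
    if grep -q "^${var}=" "$file"; then
        sed "s|^${var}=.*|${var}='${value}'|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf "%s='%s'\n" "$var" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sysconfig_var FILE VAR
# Prints VAR's value with the surrounding quotes stripped (empty if unset).
get_sysconfig_var() {
    sed -n "s/^$2=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# configure_masquerading FILE EXT INT MASQ_NET
# Only the variables that matter for NAT. Quick mode and the service lists
# are left alone on purpose. dproc's persistent kernel switch uses the same
# helper:  set_sysconfig_var /etc/sysconfig/sysctl IP_FORWARD yes
configure_masquerading() {
    cfg=$1
    set_sysconfig_var "$cfg" FW_DEV_EXT "$2"
    set_sysconfig_var "$cfg" FW_DEV_INT "$3"
    set_sysconfig_var "$cfg" FW_ROUTE yes
    set_sysconfig_var "$cfg" FW_MASQUERADE yes
    set_sysconfig_var "$cfg" FW_MASQ_NETS "$4"
}

# nat_commands EXT INT MASQ_NET
# What "turn on NAT" comes down to with plain iptables: enable forwarding in
# the kernel, source-NAT the inside network on the way out, and let replies
# back in via connection tracking. Printed rather than run so it can be
# reviewed first; pipe into sh as root to apply.
nat_commands() {
    ext=$1 int=$2 net=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $net -o $ext -j MASQUERADE
iptables -A FORWARD -i $int -o $ext -s $net -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# forwarding_enabled [PROC_FILE]
# True when the kernel routes between interfaces; the path is a parameter so
# the check can also be run against a saved copy of the proc file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Demo against a throwaway file:  sh nat-setup.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp)
    # Constructed stand-in for the real (much longer) sysconfig file;
    # FW_MASQ_NETS is deliberately absent to exercise the append path.
    cat > "$work" <<'EOF'
FW_DEV_EXT=""
FW_DEV_INT=""
FW_ROUTE="no"
FW_MASQUERADE="no"
EOF
    configure_masquerading "$work" eth0 eth1 10.0.0.0/8
    cat "$work"
    nat_commands eth0 eth1 10.0.0.0/8
    if forwarding_enabled; then echo "ip_forward: on"; else echo "ip_forward: off"; fi
    rm -f "$work"
fi
```

The printed iptables lines are the same thing SuSEfirewall2 ends up installing when FW_ROUTE and FW_MASQUERADE are set, so comparing them against `iptables -t nat -L POSTROUTING -n` and `iptables -L FORWARD -n` on a box that "cannot get through" tells you quickly whether the problem is the sysconfig edit, the missing ip_forward, or something else entirely.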
participants (2): David T-G, dproc@dol.net