using susefirewall2 for NAT
Hi all,

I just joined suse-security. I have been using suse 82. for several months. Right now I have a problem using susefirewall2 for my firewall / router. I'd like to change my network topology from this:

Internet
   |
   | ---------- Web Server 200.200.200.1
   | ---------- Mail Server (qmail) 200.200.200.2
   | ---------- SSH server 200.200.200.3
SuseFirewall2
   |
   |
  LAN

To this:

Internet
   |
   |
   |
SuseFirewall (200....1 for web and SSH, 200...2 for mail )
   |
   |----------- Web Server 192.127.0.2
   |----------- SSH server 192.127.0.3
  LAN

With this case, if someone goes to 200.200.200.1 port 80, it will be forwarded to my internal webserver 192.127.0.2, and if they use SSH to that IP, it will go to my SSH server.

Right now I use astaro secure linux 4 as my firewall and I use NAT for this purpose. With SuSEFirewall2, how can I use it ? I've read EXAMPLES, FAQ and searched the web but I still got no clue. If someone can point me to examples or documentation to do that, I'd be more grateful.. :)

regards,

--
Arie Reynaldi Zanahar
reyman@reynaldi.com
Arie Reynaldi Zanahar wrote:
> If someone can point me examples or documentation to do that, I'd be more grateful.. :)

Read the documentation in /etc/sysconfig/SuSEfirewall2 for the variable FW_FORWARD_MASQ

And see Togan's Guide to the Firewall2: http://sourceforge.net/project/showfiles.php?group_id=42064&package_id=60847

--
Have fun, Peter
I have read it.. :D But the examples only show just like /usr/share/doc/packages/SuSEFirewall2/EXAMPLES means. Maybe someone else can give me other examples or a howto for NAT'ing IP Globals to IP Locals.

regards,

On Tuesday 27 January 2004 16:15, Peter Wiersig wrote:
> Arie Reynaldi Zanahar wrote:
> > If someone can point me examples or documentation to do that, I'd be more grateful.. :)
>
> Read the documentation in /etc/sysconfig/SuSEfirewall2 for the variable FW_FORWARD_MASQ
>
> And see Togan's Guide to the Firewall2: http://sourceforge.net/project/showfiles.php?group_id=42064&package_id=60847
>
> --
> Have fun, Peter
-- Arie Reynaldi Zanahar reyman@reynaldi.com
Why don't you go direct through iptables (I think susefirewall does it)? You can write a shell script and use the following rules:

# DNAT is only valid in the nat table (PREROUTING chain for incoming traffic)
# for web server
iptables -t nat -A PREROUTING -d 200.200.200.1 -p tcp --dport 80 -j DNAT --to-destination 192.127.0.2
# for mail server
iptables -t nat -A PREROUTING -d 200.200.200.2 -p tcp --dport 25 -j DNAT --to-destination 192.127.0.2
# for ssh server (SSH listens on tcp/22)
iptables -t nat -A PREROUTING -d 200.200.200.3 -p tcp --dport 22 -j DNAT --to-destination 192.127.0.3

Of course you have to care about other issues.

Best,
Fabrício Adorno
On Tue, 2004-01-27 at 06:01, Fabricio Adorno wrote:
> Why don't you go direct through iptables (I think susefirewall does it)? You can write a shell script and use the following rules:
>
> # for web server
> iptables -t nat -A PREROUTING -d 200.200.200.1 -p tcp --dport 80 -j DNAT --to-destination 192.127.0.2
> # for mail server
> iptables -t nat -A PREROUTING -d 200.200.200.2 -p tcp --dport 25 -j DNAT --to-destination 192.127.0.2
> # for ssh server
> iptables -t nat -A PREROUTING -d 200.200.200.3 -p tcp --dport 22 -j DNAT --to-destination 192.127.0.3
>
> Of course you have to care about other issues.
>
> Best,
> Fabrício Adorno

Just curious as to why this person would be using public addresses internally? There are plenty of private addresses to use.

--
Ken Schneider
unix user since 1989
linux user since 1994
SuSE user since 1998 (5.2)
I want to restrict people accessing my server. With these rules I can direct any connection / services from outside to my server as I wish.
> Just curious as to why this person would be using public addresses internally? There are plenty of private addresses to use.
>
> --
> Ken Schneider
> unix user since 1989
> linux user since 1994
> SuSE user since 1998 (5.2)
-- Arie Reynaldi Zanahar reyman@reynaldi.com
Hi,

I think any rules edited directly in iptables will be erased when I use susefirewall later on, won't they? It would be nicer if I can add the rules by still using susefirewall.

regards,

On Tuesday 27 January 2004 18:01, Fabricio Adorno wrote:
> Why don't you go direct through iptables (I think susefirewall does it)? You can write a shell script and use the following rules:
>
> # for web server
> iptables -t nat -A PREROUTING -d 200.200.200.1 -p tcp --dport 80 -j DNAT --to-destination 192.127.0.2
> # for mail server
> iptables -t nat -A PREROUTING -d 200.200.200.2 -p tcp --dport 25 -j DNAT --to-destination 192.127.0.2
> # for ssh server
> iptables -t nat -A PREROUTING -d 200.200.200.3 -p tcp --dport 22 -j DNAT --to-destination 192.127.0.3
>
> Of course you have to care about other issues.
>
> Best,
> Fabrício Adorno
-- Arie Reynaldi Zanahar reyman@reynaldi.com
On Thu, Jan 29, 2004 at 10:44:12AM +0700, Arie Reynaldi Zanahar wrote:
> Hi,
>
> I think any rules edited directly in iptables will be erased when I use susefirewall later on, won't they? It would be nicer if I can add the rules by still using susefirewall.

You can. Just read the comments in /etc/sysconfig/scripts/SuSEfirewall2-custom.

Robert

--
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele@uni-mannheim.de
* Arie Reynaldi Zanahar;
> Hi,
>
> I think any rules edited directly in iptables will be erased when I use susefirewall later on, won't they? It would be nicer if I can add the rules by still using susefirewall.

You can, by editing /etc/sysconfig/scripts/SuSEfirewall2-custom and making sure to uncomment FW_CUSTOMRULES

## Type: string
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom"

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer |
Please reply to the list; http://susefaq.sf.net |
Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
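The port forwarding discussed in this thread (public address and port rewritten to an internal server with DNAT), as an added example that is not part of any post: a dry-run shell generator that validates each mapping and prints the nat-table DNAT rule together with the FORWARD rule it needs. The mapping format and the function names are this example's own assumptions, and nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example: prints (never executes) iptables commands for port forwards.
# Mapping format is this example's own, one per line:
#   public_ip:public_port:proto:internal_ip:internal_port
# Sample data constructed from the addresses used in the thread.
MAPPINGS="200.200.200.1:80:tcp:192.127.0.2:80
200.200.200.1:22:tcp:192.127.0.3:22
200.200.200.2:25:tcp:192.127.0.2:25"

is_ipv4() {  # four dot-separated octets, each 0-255
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

is_port() {  # decimal integer 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules "<mappings>": validate every field, then emit a DNAT rule (nat
# table, PREROUTING) and a FORWARD accept rule per mapping. The body runs in
# a subshell and returns non-zero at the first malformed entry.
gen_rules() (
    echo "$1" | while IFS=: read -r pub_ip pub_port proto int_ip int_port; do
        [ -n "$pub_ip" ] || continue
        is_ipv4 "$pub_ip" && is_ipv4 "$int_ip" && is_port "$pub_port" &&
            is_port "$int_port" || { echo "bad mapping: $pub_ip" >&2; exit 1; }
        case "$proto" in tcp|udp) ;; *) echo "bad proto" >&2; exit 1 ;; esac
        # Rewrite the destination before the routing decision ...
        echo "iptables -t nat -A PREROUTING -d $pub_ip -p $proto --dport $pub_port -j DNAT --to-destination $int_ip:$int_port"
        # ... then let the rewritten packets through the filter table
        # (replies need an ESTABLISHED,RELATED rule in the other direction).
        echo "iptables -A FORWARD -d $int_ip -p $proto --dport $int_port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
)

gen_rules "$MAPPINGS"
```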
participants (6)
- Arie Reynaldi Zanahar
- Fabricio Adorno
- Kenneth Schneider
- Peter Wiersig
- Robert Schiele
- Togan Muftuoglu