Re: [suse-security] SuSEfirewall2 and NAT
Good morning,
thank you for your response. I have understood everything (I hope) and I
agree. But I don't want (mustn't <- corp. policy) to use these public
addresses in our private net.
I need all traffic (all ports/protocols) from the Internet to our public
address <PUB1> to forward/masq to private address <PRIV1>, and the same
thing with the second -- <PUB2> to forward/masq to <PRIV2>.
Is it possible to do this in SuSEfirewall2's configuration? May I use custom
rules?
---
Se srdecnym pozdravem/Best regards
Jan Dus (CNA, CNE, CNS)
AG COM, a.s.
Smirice
Czech Republic
kancelar/office +420 495 421 312
fax +420 495 421 108
Andreas J Mueller
> I have enough public IP addresses - there is no problem, but is there a possibility to arrange the same traffic to the second server?
Not as long as your firewall has only one public IP address. If you
have enough public IP addresses, masquerading is not necessary. You
could assign public addresses to your servers and use FW_FORWARD
instead of FW_FORWARD_MASQ. They will still be protected by the
firewall (i.e., only those ports you actually forward from the FW will
be reachable from the outside). I'm sure there are also other
possibilities (SNAT?).
Regards, Andy
--
Andreas J. Mueller email:
Hi Jan!
> I need all traffic (all ports/protocols) from the Internet to our public address <PUB1> to forward/masq to private address <PRIV1> and the same thing with the second -- <PUB2> to forward/masq to <PRIV2>.
OK. That sounds easy, but I don't think it is possible using the
options in SuSEfirewall2. My understanding of how iptables works is
still limited, and I'm unable to test anything here (being stuck with
only one public IP).
Something along the following (completely untested!) *might* work,
either in fw_custom_before_masq() or fw_custom_before_denyall():
========== snip
# Inbound: rewrite the public destination to the private host before routing,
# one rule per external interface and per public/private pair.
for DEV in $FW_DEV_EXT; do
    $IPTABLES -t nat -A PREROUTING -i $DEV -s 0/0 -d $PUB1 -j DNAT --to-destination $PRIV1
    $IPTABLES -t nat -A PREROUTING -i $DEV -s 0/0 -d $PUB2 -j DNAT --to-destination $PRIV2
    # The filter chains see the packet after DNAT, so accept on the private address.
    for CHAIN in forward_ext forward_dmz forward_int; do
        $LAA $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV1 -j LOG ${LOG}"-ACCEPT-DNAT "
        $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV1 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
        $LAA $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV2 -j LOG ${LOG}"-ACCEPT-DNAT "
        $IPTABLES -A $CHAIN -i $DEV -s 0/0 -d $PRIV2 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
    done
done

# For outbound connections from $PRIV1 and $PRIV2 only (not sure)
for DEV in $FW_DEV_EXT; do
    for CHAIN in forward_ext forward_dmz forward_int; do
        $LAA $IPTABLES -A $CHAIN -o $DEV -s $PRIV1 -d 0/0 -j LOG ${LOG}"-ACCEPT-SNAT "
        $IPTABLES -A $CHAIN -o $DEV -s $PRIV1 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
        $LAA $IPTABLES -A $CHAIN -o $DEV -s $PRIV2 -d 0/0 -j LOG ${LOG}"-ACCEPT-SNAT "
        $IPTABLES -A $CHAIN -o $DEV -s $PRIV2 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j "$ACCEPT"
    done
    # Outbound: rewrite the private source to the matching public address after routing.
    $IPTABLES -t nat -A POSTROUTING -o $DEV -s $PRIV1 -d 0/0 -j SNAT --to-source $PUB1
    $IPTABLES -t nat -A POSTROUTING -o $DEV -s $PRIV2 -d 0/0 -j SNAT --to-source $PUB2
done
========== snip
Regards, Andy
--
Andreas J. Mueller email:
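An added check, not part of Andy's post or of SuSEfirewall2, that audits `iptables-save -t nat` output for the 1:1 mapping discussed above: each DNAT should have a matching SNAT back to the same public address, and a DNAT with no `-p`/`--dport` restriction forwards everything, so the private host is reachable exactly like a public one. The sample table is constructed (documentation address ranges), and the option parser assumes the plain `-A CHAIN ...` line format that `iptables-save` emits.

```python
import re

# Constructed sample of `iptables-save -t nat` output (not from the thread): two full
# 1:1 mappings like Andy's snippet plus a port-restricted DNAT that has no SNAT.
SAMPLE_NAT_TABLE = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -i eth0 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 203.0.113.11/32 -i eth0 -j DNAT --to-destination 192.168.1.11
-A PREROUTING -d 203.0.113.12/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.12:443
-A POSTROUTING -s 192.168.1.10/32 -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 192.168.1.11/32 -o eth0 -j SNAT --to-source 203.0.113.11
COMMIT
"""
RULE_RE = re.compile(r"^-A (\S+) (.+)$")

def _options(body):
    """Map each option flag to the value that follows it, e.g. {'-d': '203.0.113.10/32', '-j': 'DNAT'}."""
    toks, opts = body.split(), {}
    for i, tok in enumerate(toks):
        if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[tok] = toks[i + 1]
    return opts

def parse_nat_rules(text):
    """Return (dnat, snat): dnat maps public -> (private, port_restricted); snat maps private -> public."""
    dnat, snat = {}, {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = _options(m.group(2))
        if opts.get("-j") == "DNAT" and "-d" in opts:
            pub, priv = opts["-d"].split("/")[0], opts["--to-destination"].split(":")[0]
            dnat[pub] = (priv, "-p" in opts or "--dport" in opts)
        elif opts.get("-j") == "SNAT" and "-s" in opts:
            snat[opts["-s"].split("/")[0]] = opts["--to-source"]
    return dnat, snat

def audit_one_to_one(dnat, snat):
    """Report mappings that are asymmetric or that forward every port and protocol."""
    findings = []
    for pub, (priv, restricted) in dnat.items():
        if snat.get(priv) != pub:
            findings.append(f"{pub} -> {priv}: DNAT without SNAT back to {pub}; replies work, but {priv}'s own connections leave under another address")
        if not restricted:
            findings.append(f"{pub} -> {priv}: all ports/protocols forwarded; {priv} is reachable like a public host")
    for priv, pub in snat.items():
        if pub not in dnat:
            findings.append(f"{priv} -> {pub}: SNAT with no inbound DNAT (one-way mapping)")
    return findings
```

Run it against real output with `parse_nat_rules(subprocess.check_output(["iptables-save", "-t", "nat"], text=True))` on the firewall host.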