[SLE] Need help with Simple IP Masquerading
Ok, I've done my best to get this working over the last few days. And I know I'm missing something really obvious.

The SuSE box dials up my ISP fine, and Internet access works fine from this box. The Win98 box can access the SuSE box without a problem.

At this point all I want is masquerading -- the Win98 box on the internal network should have full access to the SuSE box services, too.

I get this in /var/log/messages when trying to access an external web site via the Win98 PC (the Win98 is 192.168.0.98).

Mar 18 07:53:08 SuSE kernel: Packet log: forward DENY ppp0 PROTO=6 192.168.0.98:1152 209.144.167.153:80 L=48 S=0x00 I=43797 F=0x4000 T=127 SYN (#2)

SuSE 6.3 firewal 2.0-5 loaded by rpm yesterday.

SuSE box: 192.168.10.99
Win98 box: 192.168.10.98

Using: /sbin/init.d/firewall start or SuSEfirewall start

/etc/rc.config:

START_FW="yes"
FW_DEV_WORLD="ppp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
FW_MASQ_DEV="$FW_DEV_WORLD"             # e.g. "ippp0" or "$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
FW_SERVICES_EXTERNAL_TCP=""             # Common: smtp domain
FW_SERVICES_EXTERNAL_UDP=""             # Common: domain
FW_SERVICES_DMZ_TCP=""                  # Common: smtp domain
FW_SERVICES_DMZ_UDP=""                  # Common: domain syslog
FW_SERVICES_INTERNAL_TCP=""             # Common: ssh smtp domain
FW_SERVICES_INTERNAL_UDP=""             # Common: domain
FW_TRUSTED_NETS=""
FW_SERVICES_TRUSTED_TCP=""              # Common: ssh
FW_SERVICES_TRUSTED_UDP=""              # Common: syslog time ntp
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"   # Common: "ftp-data" (sadly!)
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"   # Common: "dns"
FW_SERVICE_DNS="no"                     # if yes, FW_TCP_SERVICES_* needs to have port 53
FW_SERVICE_DHCLIENT="no"                # if you use dhclient to get an ip address
FW_SERVICE_DHCPD="no"                   # set to yes, if this server is a DHCP server
FW_FORWARD_TCP=""                       # Beware to use this!
FW_FORWARD_UDP=""                       # Beware to use this!
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"

Bill Moseley mailto:moseley@hank.org

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
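The packet-log line and the FW_* settings in the post are the two inputs to cross-check first. The following is an added example, not code from the post or from SuSEfirewall: it parses the kernel "Packet log:" line and the rc.config fragment (both constructed here from the values quoted above), expands the $FW_DEV_WORLD reference, and reports whether the denied packet's source address actually lies inside FW_MASQ_NETS and whether it was logged on FW_MASQ_DEV.

```python
import ipaddress
import re

# Kernel packet-log line and rc.config fragment, constructed from the values in the post.
LOG_LINE = ("Mar 18 07:53:08 SuSE kernel: Packet log: forward DENY ppp0 PROTO=6 "
            "192.168.0.98:1152 209.144.167.153:80 L=48 S=0x00 I=43797 F=0x4000 T=127 SYN (#2)")
RC_CONFIG = '''
FW_DEV_WORLD="ppp0"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
FW_MASQ_DEV="$FW_DEV_WORLD"   # e.g. "ippp0" or "$FW_DEV_WORLD"
'''

PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<dev>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+).*?\(#(?P<rule>\d+)\)")

def parse_packet_log(line):
    """Pull chain, verdict, interface, addresses, ports and rule number out of one log line."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet-log line: %r" % line)
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        pkt[key] = int(pkt[key])
    return pkt

def parse_rc_config(text):
    """Read KEY="value" lines, drop trailing # comments, expand $VAR references."""
    cfg = {}
    for raw in text.splitlines():
        stmt = raw.split("#", 1)[0].strip()
        if "=" in stmt:
            key, value = stmt.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    for key, value in cfg.items():
        if value.startswith("$"):
            cfg[key] = cfg.get(value[1:], value)
    return cfg

def masq_check(cfg, pkt):
    """Does the denied packet look like one FW_MASQ_NETS should have masqueraded?"""
    nets = [ipaddress.ip_network(n) for n in cfg.get("FW_MASQ_NETS", "").split()]
    src = ipaddress.ip_address(pkt["src"])
    return {
        "masquerading_enabled": cfg.get("FW_MASQUERADE") == "yes",
        "logged_on_masq_dev": pkt["dev"] == cfg.get("FW_MASQ_DEV"),
        "src_in_masq_nets": any(src in net for net in nets),
    }
```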
Hi Bill,

I am not much of an expert but I do have a few questions:

Seems your winbox (in this case) isn't allowed to use port 1152 and something at port 80 isn't allowed to get back to you. What do your hosts.deny and hosts.allow look like on your susebox?

I suppose you have a static IP address because you set FW_SERVICE_DHCLIENT="no". If not, set it to "yes" (this shouldn't make any difference 'cause you can make a connection with the susebox, right?).

Did you try to set FW_STOP_KEEP_ROUTING_STATE="no" to "yes"?

Did you set the default gateway to 192.168.10.99 on the winbox?

Greetings,
Marcel
At 07:10 PM 03/18/00 GMT, Marcel Broekman wrote:
> Hi Bill,
>
> I am not much of an expert but I do have a few questions:
>
> Seems your winbox (in this case) isn't allowed to use port 1152 and something at port 80 isn't allowed to get back to you. What do your hosts.deny and hosts.allow look like on your susebox?

They don't look like much. hosts.allow is empty (only comments), and hosts.allow only contains:

http-rman : ALL EXCEPT LOCAL

But I think I have a problem with the firewall setup. I can access remote web pages from the SuSE (IP_Masquerading) machine, but not from the Win98 machine on the internal network.

> I suppose you have a static IP address because you set FW_SERVICE_DHCLIENT="no". If not, set it to "yes" (this shouldn't make any difference 'cause you can make a connection with the susebox, right?).

No, I have a dynamic address assigned via PPP.

> Did you try to set FW_STOP_KEEP_ROUTING_STATE="no" to "yes"?

Yes, I tried that -- and then stopping the firewall -- but no difference.

> Did you set the default gateway to 192.168.10.99 on the winbox?

Yes. I don't think I would be seeing that /var/log/messages message otherwise.
Bill Moseley mailto:moseley@hank.org
At 08:35 AM 03/18/00 -0800, Bill Moseley wrote:
> Ok, I've done my best to get this working over the last few days. And I know I'm missing something really obvious.

Yes, something obvious, like reading the instructions at the top of the firewall.rc.config file!

# If you just want to do masquerading without filtering, ignore this script
# and run this line (exchange "ippp0" with your masquerade/external interface):
# ipchains -A forward -j MASQ -i ippp0

But I wonder if there isn't a problem with the SuSEfirewall script. [disclaimer -- I know very little about any of this]

There's a setting in firewall.rc.config that should leave masquerading on when turning off the firewall with "SuSEfirewall stop":

FW_STOP_KEEP_ROUTING_STATE="yes"

But in the SuSEfirewall script the reset_rules() basically deletes all chains except the user defined fw_masq chain if $FW_STOP_KEEP_ROUTING_STATE = 'yes'.

function reset_rules() {
    echo -n "SuSEfirewall: clearing rules now ..."
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -F forward
    $IPCHAINS -P input ACCEPT
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward ACCEPT
    test "$FW_STOP_KEEP_ROUTING_STATE" = "yes" || (
        $IPCHAINS -F fw_masq ; $IPCHAINS -X fw_masq
        echo 0 > /proc/sys/net/ipv4/ip_forward
    ) > /dev/null 2>&1
}

But then nothing points to fw_masq after stopping:

root@SuSE:/etc/rc.config.d > SuSEfirewall stop
Removing filter rules ...
SuSEfirewall: clearing rules now ... done
root@SuSE:/etc/rc.config.d > ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
Chain fw_masq (0 references):
target     prot opt     source                destination           ports
MASQ       all  ------  anywhere              anywhere              n/a

See? Zero references. So Masquerading can't work as Chain forward doesn't point to the user defined chain fw_masq. At least that's what I think is happening....

I'm still curious why I couldn't get SuSEfirewall start to masquerade.

Chain forward (policy DENY):
target     prot opt     source                destination           ports
fw_masq    all  ------  192.168.10.98         anywhere              n/a
DENY       all  ----l-  anywhere              anywhere              n/a

I'm unclear why the DENY is placed in the chain. (Isn't the default for the chain "policy DENY"?)

The message in /var/log/messages says DENY from forward rule #2. Yet, removing that DENY rule doesn't allow Masquerading, so there is something else blocking. I don't see why rule #2 would ever be reached -- I would think that everything would match and the MASQ would apply.

All the DENY rules are set for logging, yet I'm not seeing anything in the log once I delete the forward rule number two (the DENY above) and set the default policy as ACCEPT.

root@SuSE:/etc/rc.config.d > ipchains -L forward
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
fw_masq    all  ----l-  192.168.10.98         anywhere              n/a

I'd be happy to send ipchains -L if needed.

I'm also curious why output from ipchains -L is so slow when the firewall is active....

Bill Moseley mailto:moseley@hank.org
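The chain listings above can be checked mechanically rather than by eye. This is an added example, not code from the post or from SuSEfirewall: it parses an ipchains -L listing (constructed from the forward and fw_masq chains pasted above in the running state; the "1 references" header is filled in to match the single forward rule), recomputes the reference count for the user chain, and walks the forward chain for a given source address the way the kernel does, first match wins, descending into fw_masq and falling back to the built-in chain's policy. Feeding it the two source addresses that appear in the thread shows which rule number each one hits.

```python
import ipaddress
TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}   # targets that end the walk
# Listing constructed from the forward and fw_masq chains pasted in the post (running state).
LISTING = """\
Chain forward (policy DENY):
target     prot opt     source                destination           ports
fw_masq    all  ------  192.168.10.98         anywhere              n/a
DENY       all  ----l-  anywhere              anywhere              n/a
Chain fw_masq (1 references):
target     prot opt     source                destination           ports
MASQ       all  ------  anywhere              anywhere              n/a
"""

def to_net(text):
    # "anywhere" is 0.0.0.0/0; a bare address becomes a /32
    return ipaddress.ip_network("0.0.0.0/0" if text == "anywhere" else text, strict=False)

def parse_ipchains(text):
    # ipchains -L output -> {chain: {"policy", "references", "rules"}}
    chains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            name, rest = line[6:].split(" ", 1)
            cur = chains[name] = {"policy": None, "references": None, "rules": []}
            if rest.startswith("(policy "):
                cur["policy"] = rest[8:-2]                       # built-in chain
            else:
                cur["references"] = int(rest[1:].split()[0])     # user-defined chain
        elif line.strip() and not line.startswith("target"):
            target, proto, opt, source, dest, ports = line.split()
            cur["rules"].append({"target": target, "log": "l" in opt, "source": to_net(source)})
    return chains

def count_references(chains, name):
    # rules in any chain that jump to user chain `name` (the number ipchains -L reports)
    return sum(r["target"] == name for c in chains.values() for r in c["rules"])

def walk(chains, name, src):
    """First-match walk of chain `name` for source `src`: returns (chain, rule_number, verdict).
    A built-in chain falls back to its policy; a user chain with no match returns None."""
    src = ipaddress.ip_address(src) if isinstance(src, str) else src
    for number, rule in enumerate(chains[name]["rules"], start=1):
        if src not in rule["source"]:
            continue
        if rule["target"] in TERMINAL:
            return (name, number, rule["target"])
        hit = walk(chains, rule["target"], src)      # descend into the user chain
        if hit is not None:
            return hit
    policy = chains[name]["policy"]
    return (name, None, policy) if policy else None
```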