[opensuse] FW_REDIRECT and masquerade
I want 192.168.1.2 and 192.168.1.3 to have a direct internet connection. I want 192.168.1.4 and 192.168.1.5 to use squid on 3128. In 10.2 I masqueraded 2 and 3 and redirected 4 and 5. On 10.3 my 10.2 SuSEfirewall2 script redirects but doesn't masquerade even though I changed the if names. There's a router 192.168.1.1. It takes internet traffic from an adsl router routing external telephone lines stuff to 192.168.0.1. This works fine. Everyone can see the Internet on 3128. Sometimes though I turn off the proxy. Experienced lan setters uppers will know why. But I still want 1 and 2 to have Internet access. I have joe's own wordstar, yast, and my old 10.2 script to hand. For me, the 10.3 yast masquerade dialogue totally confuses what seems a simple issue which I had working fine in 10.2. I'm root on 192.168.1.1. How do I proceed? Love from Lynn -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
primm wrote:
I want 192.168.1.2 and 192.168.1.3 to have a direct internet connection.
I want 192.168.1.4 and 192.168.1.5 to use squid on 3128.
In 10.2 I masqueraded 2 and 3 and redirected 4 and 5.
On 10.3 my 10.2 SuSEfirewall2 script redirects but doesn't masquerade even though I changed the if names.
There's a router 192.168.1.1. It takes internet traffic from an adsl router routing external telephone lines stuff to 192.168.0.1. This works fine. Everyone can see the Internet on 3128. Sometimes though I turn off the proxy. Experienced lan setters uppers will know why. But I still want 1 and 2 to have Internet access.
I have joe's own wordstar, yast, and my old 10.2 script to hand. For me, the 10.3 yast masquerade dialogue totally confuses what seems a simple issue which I had working fine in 10.2.
I'm root on 192.168.1.1. How do I proceed?
Based on the IP addresses you have given, are you saying that you want the linux box to route traffic all on the same lan, i.e. try to act as a one-legged router? I would expect that to be problematic. The only way the suse box can control all the things you want to control is if all the traffic of interest is going through it, i.e. in one interface and out another. Could you clarify your network topology? As for the suse firewall I've always found it frustrating and limiting, and discovered that the basic linux firewall module (not shorewall) in webmin allows full and precise control over everything I want to do. Joe
Could you clarify your network topology?
Yes. My firewall script worked perfectly in 10.2. It did exactly what I wanted. I've tried asking the same question before in many guises: why doesn't the 10.2 firewall script work with 10.3? Clarifying further, all traffic passes through the 192.168.1.1 box from an adsl router. Just like most folk have at home. All I want is some boxes to be masqueraded and some to be redirected without having to setup another sub lan. Love L.
primm wrote:
Could you clarify your network topology?
Yes. My firewall script worked perfectly in 10.2. It did exactly what I wanted.
That could well be, but since I don't have a good idea of exactly what's going on in your lan it's hard to say.
I've tried asking the same question before in many guises: why doesn't the 10.2 firewall script work with 10.3?
A fair question - so let's see this script, that might shed some light.
Clarifying further, all traffic passes through the 192.168.1.1 box from an adsl router. Just like most folk have at home. All I want is some boxes to be masqueraded and some to be redirected without having to setup another sub lan.
OK, let me see if I understand:

192.168.1.x lan <-> linux router <-> adsl router <-> internet

So we have a 192.168.1.x net on the lan side and a 192.168.0.x net on the adsl side of the linux router correct? Joe
So we have a 192.168.1.x net on the lan side and a 192.168.0.x net on the adsl side of the linux router correct?
Yes. It's as simple as that. I want some machines to have direct access all the time and some machines to be controlled by the proxy. IOW I can turn the Internet on or off for the proxied boxes, but still work on the non proxied boxes. Love L x
On 10/28/2007 05:56 AM, primm wrote:
So we have a 192.168.1.x net on the lan side and a 192.168.0.x net on the adsl side of the linux router correct?
Yes. It's as simple as that. I want some machines to have direct access all the time and some machines to be controlled by the proxy. IOW I can turn the Internet on or off for the proxied boxes. but still work on the non proxied boxes.
Put the ones you want to have direct access in the FW_MASQ_NETS, i.e. 192.168.1.2/32 192.168.1.3/32, and the ones you want to redirect through squid in FW_REDIRECT, i.e. 192.168.1.4/32,0/0,tcp,80,3128, same for the other. HTH -- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64
On Sunday 28 October 2007 01:31:38 Joe Morris (NTM) wrote:
On 10/28/2007 05:56 AM, primm wrote:
So we have a 192.168.1.x net on the lan side and a 192.168.0.x net on the adsl side of the linux router correct?
Yes. It's as simple as that. I want some machines to have direct access all the time and some machines to be controlled by the proxy. IOW I can turn the Internet on or off for the proxied boxes. but still work on the non proxied boxes.
Put the ones you want to have direct access in the FW_MASQ_NETS, i.e. 192.168.1.2/32 192.168.1.3/32, and the ones you want to redirect through squid in FW_REDIRECT, i.e. 192.168.1.4/32,0/0,tcp,80,3128, same for the other. HTH
Hi Joe Thanks for the confirmation. I thought it was me going mad. That's exactly what I had in 10.2 (except I had /24 not /32 as the mask) and what I've tried to do in 10.3. In 10.2 it works. In 10.3 it doesn't. I can't find anything explaining the differences between /etc/sysconfig/SuSEfirewall2 in 10.2 and 10.3. I know there are. But it's obviously a secret. L xxx
On 10/28/2007 08:49 AM, primm wrote:
Thanks for the confirmation. I thought it was me going mad.
That's exactly what I had in 10.2 (except I had /24 not /32 as the mask) and what I've tried to do in 10.3.
I would use /32 since you are talking an exact IP address. After rereading your thread earlier, as I understood it, 192.168.1.1 is your LAN NIC. This would not need the rule, as it would not send packets out that interface to go to the internet; it would go out the (IIUC 192.168.0.x) NIC and would be routed by the adsl router. 192.168.0.x (not sure what IP it is) should also be the gateway. So, IIUC, you would only need 192.168.1.2/32 in FW_MASQ_NETS. BTW, I am not sure /24 would work. I'm sure others will correct or verify that.
In 10.2 it works. In 10.3 it doesn't. I can't find anything explaining the differences between /etc/sysconfig/SuSEfirewall2 in 10.2 and 10.3. I know there are. But it's obviously a secret.
Yesterday I just upgraded our office server. I have used SuSEfirewall2 since 6.4, and have learned it is really quite a powerful firewall, but most of my FW_MASQ_NETS also include the destination address, protocol, and port. It is much more complicated than you seek. I also redirect the LAN through dansguardian (filter) and squid set up as a transparent proxy. I did not do extensive testing, but what I did said SuSEfirewall2 was working as it had in 10.2. I basically copied and pasted most of the rules I had from my 10.2 /etc/sysconfig/SuSEfirewall2. One change I noted, beside the return of eth0 type IF names, is the FW_MASQ_DEV. It used to be something like $FW_DEV_EXT, now it is zone:ext. Since mine seemed to work, I would suggest checking the subnet mask (i.e. /32 for a single IP) and make sure your FW_MASQ_DEV is set correctly. Otherwise, perhaps try iptables -L to double check. HTH. -- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64
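As an added example (not from this thread, and not the rules SuSEfirewall2 itself generates), the script below renders the FW_MASQ_NETS and FW_REDIRECT values Joe Morris describes into the plain iptables nat rules they correspond to, so the output can be compared line by line against `iptables -t nat -L -n -v` on the 192.168.1.1 box when checking why masquerading is not taking effect. The iptables syntax is the author's own equivalent, and the external interface name `eth1` is an assumption standing in for whatever FW_MASQ_DEV (zone:ext) resolves to on the router.

```bash
#!/bin/bash
# Added example: translate SuSEfirewall2-style FW_MASQ_NETS / FW_REDIRECT
# values into the equivalent plain iptables nat rules for comparison with
# `iptables -t nat -L -n -v`. Rules are printed, not applied.

# Values as discussed in the thread (constructed input, not a real config).
FW_MASQ_NETS="192.168.1.2/32 192.168.1.3/32"
FW_REDIRECT="192.168.1.4/32,0/0,tcp,80,3128 192.168.1.5/32,0/0,tcp,80,3128"
EXT_IF="eth1"   # assumed name of the ADSL-side (192.168.0.x) interface

# render_masq NETS EXT_IF
# One MASQUERADE rule per source network in NETS, matched on the external
# interface. A /24 here would masquerade the whole LAN, which is why a
# single host wants /32.
render_masq() {
    for net in $1; do
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$2"
    done
}

# render_redirect ENTRIES
# Each entry is "src,dst,proto,dport,toport". A REDIRECT rule in nat
# PREROUTING sends matching traffic to the local squid port. Entries with
# the wrong number of fields are rejected instead of silently producing a
# rule that matches nothing or everything.
render_redirect() {
    for entry in $1; do
        old_ifs=$IFS; IFS=,; set -- $entry; IFS=$old_ifs
        if [ $# -ne 5 ]; then
            echo "bad FW_REDIRECT entry (need 5 fields): $entry" >&2
            return 1
        fi
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p %s --dport %s -j REDIRECT --to-ports %s\n' \
            "$1" "$2" "$3" "$4" "$5"
    done
}

# Stand-alone run: print the rule set the two variables describe.
render_masq "$FW_MASQ_NETS" "$EXT_IF"
render_redirect "$FW_REDIRECT"
```

Run it on the router and diff the output against the live nat table: if the REDIRECT lines are present but the MASQUERADE line is missing, the problem is in FW_MASQ_DEV (the zone:ext form on 10.3) or in the mask, not in FW_REDIRECT.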
While doing an update using Yast I ran into this error message: Subprocess failed. Error: RPM failed: error: unpacking of archive failed on file /opt/kde3/share/apps/celestia: cpio: rename failed - Is a directory --- error: unpacking of archive failed on file /opt/kde3/share/apps/celestia: cpio: rename failed - Is a directory 2007-10-27 15:00:44 celestia-1.4.1-5.1.i586.rpm install failed rpm output: error: unpacking of archive failed on file /opt/kde3/share/apps/celestia: cpio: rename failed - Is a directory 2007-10-27 15:00:45 celestia-1.4.1-5.1.i586.rpm install failed rpm output: error: unpacking of archive failed on file /opt/kde3/share/apps/celestia: cpio: rename failed - Is a directory As best as I can tell Yast was d'ling the update from: Http://software.opensuse.org/KDE:/Backports/openSUSE_10.2/ So I am wondering if anybody else is having problems with this update? Ohh, and as you can probably tell I am using 10.2 - 32 bit. Michael
participants (4): joe, Joe Morris (NTM), Michael Juntunen, primm