Mailinglist Archive: opensuse-security (409 mails)
Fwd: [suse-security] Virtual IP address on the firewall, the dmz and DNAT / MASQUERADE
- From: Harald Wallus <wallus@xxxxxxxxxxxxxxx>
- Date: Mon, 12 Aug 2002 09:18:21 +0200
- Message-id: <200208120918.21832.wallus@xxxxxxxxxxxxxxx>
Hi Kai,
your patch works great.
Only, your patch in the email has lost some tabs, so I did the changes by hand
and not with patch.
Thank You
Harald Wallus
---------- Forwarded Message ----------
Subject: [suse-security] Virtual IP address on the firewall, the dmz and DNAT /
MASQUERADE
Date: Mon, 27 May 2002 17:39:47 +0200
From: "Kai-H. Weutzing" <suse@xxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Cc: <marc@xxxxxxx>
Hi,
my problem was that I have a box with three interfaces (ext, dmz, int),
many IPs on the ext interface and one (or more) servers in the dmz.
At the moment the SuSEfirewall2 (v2.1) on my SuSE 8.0 installation can't do
that (see the TODO file), so I spent some time patching the
SuSEfirewall2 script, and it works well for me.
The patch is very small:
1310c1310,1311
< ERROR=`echo $NETS | $AWK -F, '{print $6}'`
---
> DEST=`echo $NETS | $AWK -F, '{print $6}'`
> ERROR=`echo $NETS | $AWK -F, '{print $7}'`
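Review bot: the ERROR check now only rejects a seventh field, so nothing validates the new sixth one: `$DEST` is later expanded unquoted into the iptables command, and a value such as `203.0.113.10 -j ACCEPT` or a mistyped address would be handed to iptables as extra arguments instead of being rejected with a clear message. Add a sanity check next to the ERROR test (reject any non-empty `$DEST` that is not a dotted-quad address), and document the field in the FW_FORWARD_MASQ comment as an optional sixth comma-separated field; it is awk's `$6`, not a fifth argument as the description below calls it.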
1337a1339
> test -z "$DEST" || DEST="-d $DEST"
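Review bot: `DEST` is overwritten with the option string `-d <addr>` here, so from this line on the variable no longer holds what its name says and any later check or error message that wants the bare address has to strip the option again; a separate variable such as `DESTOPT` keeps both readable. A comment on this line should also state that an empty field keeps the old behaviour, i.e. the DNAT rule matches every address on $DEV, which is what every existing 5-field entry relies on.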
1339c1341
< $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1
$PORT1 --to-destination ${NET2}${PORT2} -i $DEV
---
> $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1
$DEST --to-destination ${NET2}${PORT2} -i $DEV
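Review bot: the line break after `$PORT1` (and after `$NET1` in the old line) is mail wrapping, so `patch` will not apply this hunk as quoted; send the diff as an attachment or re-join the lines before applying, which fits Harald's report above that the tabs were lost too. On the rule itself: with `-d` present the DNAT applies only to the named public address, so two entries for the same external port but different public IPs can now coexist, while a 5-field entry still grabs that port on every address of $DEV. If both kinds are mixed, the match-all entry must come last, because `-A` appends in order and the first matching PREROUTING rule wins.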
Short description:
- edit the test of the arguments of FW_FORWARD_MASQ and add the variable
DEST for the IP address on the firewall
- add a line to test the variable DEST; if set, add '-d ' for later use in the
iptables command
- edit the iptables command for PREROUTING; added the DEST variable
And point 14 in /etc/sysconfig/SuSEfirewall2 gets a fifth argument: the
IP address that the firewall listens on on the ext interface, e.g. for a
www server:
FW_FORWARD_MASQ="0/0,192.168.13.130,tcp,80,80,<public IP address on ext-interface>"
Warning: With that parameter file you can't start the unpatched SuSEfirewall2
script, because it checks how many arguments are given.
btw. of course you must configure the public IP address on the firewall box
(/etc/sysconfig/network ...)!
I tested this config, but maybe there are some points I can't see with my
config... Comments are welcome...
Greetings Kai
--
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 951-90
Email: wallus@xxxxxxxxxxxxxx
Internet: http://netlike-gmbh.de
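The parsing and rule generation that Kai's patch adds, as an added example that is not code from SuSEfirewall2 or from either poster: a POSIX sh function that takes one FW_FORWARD_MASQ entry with the optional sixth field, validates it, and prints (rather than runs) the PREROUTING DNAT rule the patched script would execute. The iptables path /usr/sbin/iptables, the interface name eth0 and the 203.0.113.0/24 sample addresses are assumptions; the IPv4 check on the sixth field is an addition the patch itself does not have.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: build the PREROUTING DNAT rule for one
# FW_FORWARD_MASQ entry, with the optional sixth field from Kai's patch (the
# public IP the firewall holds on the external interface).
# Assumptions for this illustration: iptables lives in /usr/sbin, the external
# interface is eth0, and rules are printed instead of executed.
IPTABLES=/usr/sbin/iptables
DEV=eth0
AWK=awk

# Accept only a dotted-quad IPv4 address for the sixth field. The patch has no
# such check; because $DEST is expanded unquoted into the iptables command, a
# field like "203.0.113.10 -j ACCEPT" would otherwise become extra arguments.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# dnat_rule "src,dmz_ip,proto,ext_port,dmz_port[,public_ip]"
# Prints the iptables command on success; prints a diagnostic on stderr and
# returns 1 for a malformed entry.
dnat_rule() {
    NETS="$1"
    NET1=`echo "$NETS" | $AWK -F, '{print $1}'`
    NET2=`echo "$NETS" | $AWK -F, '{print $2}'`
    PROTO=`echo "$NETS" | $AWK -F, '{print $3}'`
    PORT1=`echo "$NETS" | $AWK -F, '{print $4}'`
    PORT2=`echo "$NETS" | $AWK -F, '{print $5}'`
    DEST=`echo "$NETS" | $AWK -F, '{print $6}'`    # new optional field
    ERROR=`echo "$NETS" | $AWK -F, '{print $7}'`   # anything beyond is an error

    if [ -n "$ERROR" ]; then
        echo "FW_FORWARD_MASQ: too many fields in '$NETS'" >&2
        return 1
    fi
    if [ -z "$NET1" ] || [ -z "$NET2" ] || [ -z "$PROTO" ] || [ -z "$PORT1" ]; then
        echo "FW_FORWARD_MASQ: missing field in '$NETS'" >&2
        return 1
    fi
    if [ -n "$DEST" ] && ! is_ipv4 "$DEST"; then
        echo "FW_FORWARD_MASQ: bad public IP '$DEST' in '$NETS'" >&2
        return 1
    fi

    # Turn the fields into iptables options, using the same idiom as the
    # patch's 'test -z "$DEST" || DEST="-d $DEST"'. An empty DEST keeps the
    # old behaviour: the rule matches every address on $DEV.
    NET1="-s $NET1"
    PROTO="-p $PROTO"
    PORT1="--dport $PORT1"
    test -z "$PORT2" || PORT2=":$PORT2"
    test -z "$DEST" || DEST="-d $DEST"

    # Word-split the unquoted variables exactly as the real script would, then
    # print the resulting command instead of running it.
    set -- $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1 $DEST \
        --to-destination "${NET2}${PORT2}" -i "$DEV"
    echo "$*"
}

# Constructed sample entries (203.0.113.0/24 is documentation address space):
# a 6-field entry, an old-style 5-field entry, and one with too many fields.
for entry in "0/0,192.168.13.130,tcp,80,80,203.0.113.10" \
             "0/0,192.168.13.130,tcp,80,80" \
             "0/0,192.168.13.130,tcp,80,80,203.0.113.10,extra"; do
    dnat_rule "$entry" || echo "rejected: $entry"
done
```

Running the script prints one rule per valid entry and a "rejected" line for the malformed one; the 6-field entry yields a rule with `-d 203.0.113.10`, the 5-field entry the same rule without it, which is why an entry of that kind must be listed after the per-address ones when both share an external port.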