Mailinglist Archive: opensuse-security (37 mails)

Re: [opensuse-security] openSUSE 10.3 SuSEfirewall2 script help
  • From: Lyle Giese <lyle@xxxxxxxxxxxxxxx>
  • Date: Sun, 29 Jun 2008 08:28:39 -0500
  • Message-id: <48678E07.2050108@xxxxxxxxxxxxxxx>
Adsquaired wrote:
I have been tasked with replacing an old Linux firewall. The person
that built the firewall used Iptables. I want to use the SuSEfirewall2
script. I can't change the requirement or the infrastructure because
of existing services.

I'm having some difficulties with the SuSEfirewall2 script. I can't
seem to get traffic forwarded from the DMZ side to the internal
network. Here is my layout and requirements.

The new server has three interfaces and the OS is OpenSUSE 10.3.

The external interface has a public IP address assigned to it.

The internal interface connects to a private subnet where there are
hosted services and a few employees (QA Lab).

The other interface which I am labeling the DMZ is connected to
another private network. This is the main employee network.

The QA lab hosts a secure IMAP server, a public web server, four other
web servers (accessible only to employees) and a public SMTP server.

The QA employees need to have full unrestricted access to the Internet.

The regular employees (DMZ) will not be allowed to use this firewall
as their gateway, therefore they are restricted from using the DMZ
interface to get to the Internet. The employees in front of this
interface should only be allowed to access the four web servers and
mail server. The key here is that services living on the
employee network make calls to the web servers on the internal network
using different ports. For example, http requests to port 83 on the
DMZ interface will need to be redirected to port 80 on the internal
web server. FYI. This is where I sit and access to the Firewall for
administration purposes. The QALAB does not get access to the
firewall.

[This is what it would look like in IPTABLES]
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
--dport 83 -j DNAT --to-destination 192.168.2.150:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
--dport 82 -j DNAT --to-destination 192.168.2.150:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
--dport 81 -j DNAT --to-destination 192.168.2.30:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
--dport 80 -j DNAT --to-destination 192.168.2.20:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
--dport 25 -j DNAT --to-destination 192.168.2.20:25

Additionally, there is an SSL VPN connection and IPSEC traffic but
that is for another post. My main problem is getting to the lab
webservice from the DMZ interface. Here is what I have configured in
the SuSEfirewall2 script.

[Interfaces]

FW_DEV_EXT='any eth5'
FW_DEV_INT='eth4'
FW_DEV_DMZ='eth1'
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"

[NAT lab Internet requests only]
FW_MASQ_NETS="192.168.2.0/24"

FW_PROTECT_FROM_INT="yes"

[The only service listening on the external interface]
FW_SERVICES_EXT_TCP="SSLVPNPORT"

[Admin SSH access to the firewall from the DMZ network]
FW_SERVICES_DMZ_TCP="someSSHport"

[Used for VPN]
FW_FORWARD="192.168.20.0/24,192.168.2.0/24 192.168.2.0/24,192.168.20.0/24"

[Allow Access from the Internet]
FW_FORWARD_MASQ="0/0,192.168.2.20,tcp,80 0/0,192.168.2.30,tcp,80
0/0,192.168.2.150,tcp,80 0/0,192.168.2.20,tcp,25
0/0,192.168.2.20,tcp,995"


I tried using FW_FORWARD_MASQ to open connections from the DMZ to
Internal but the firewall log shows the connections being dropped.

How do I allow (without using IPTABLES commands in the custom script)
the services in the DMZ to access the web services on the internal
network (using redirection).

I also tried FW_REDIRECT="" but I do not have open ports on the DMZ
side of the firewall. Everything should be forwarded through.

Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

I am NOT an iptables expert by any means and would have trouble doing
something this complicated. However, I would not be using SuSE firewall
either. SuSE firewall is just a scripted frontend to iptables. I have
setup two boxes with special purposes and quickly found limitations in
SuSE firewall scripts and dumped it.

The big one was by default incoming ports on the public interface being
forwarded to an internal address automatically carried rate limits on
those rules. I have found on Novell's website a couple of excellent
articles by David Mair on getting started with iptables and dumped
SuSE firewall.

Now those firewalls are easy to read and maintain.

Lyle Giese
LCR Computer Services, Inc.
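Lyle's plain-iptables approach applied to the DMZ-to-internal port redirections in the original post, as an added example that is not code from either message in the thread. The DMZ interface (eth2), the firewall's DMZ address (10.2.2.10) and the five mappings come from the post; INT_IF (eth4, taken from FW_DEV_INT) and the /24 DMZ mask are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes out the DMZ -> internal
# port redirections from the original post as plain iptables commands.
# Assumptions: INT_IF is taken from FW_DEV_INT in the post; DMZ_NET is
# 10.2.2.0/24 (the post's rules use a 255.0.0.0 mask, which matches all of
# 10/8 rather than just the DMZ subnet).
DMZ_IF="eth2"
INT_IF="eth4"
DMZ_ADDR="10.2.2.10"
DMZ_NET="10.2.2.0/24"

# One mapping per line: <port on DMZ interface> <internal host> <internal port>
MAPPINGS="83 192.168.2.150 80
82 192.168.2.150 80
81 192.168.2.30 80
80 192.168.2.20 80
25 192.168.2.20 25"

# Print the rules instead of applying them so they can be reviewed first
# (pipe the output into sh as root to apply). A DNAT rule in nat/PREROUTING
# only rewrites the destination; the rewritten packet is then checked in
# filter/FORWARD, so every redirect needs a matching FORWARD accept for the
# translated destination. Leaving that second half out is a common reason a
# redirected connection shows up in the firewall log as a dropped forward.
gen_rules() {
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    echo "$MAPPINGS" | while read -r dport host hport; do
        [ -n "$dport" ] || continue
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$DMZ_IF" "$DMZ_NET" "$DMZ_ADDR" "$dport" "$host" "$hport"
        printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$DMZ_IF" "$INT_IF" "$DMZ_NET" "$host" "$hport"
    done
    # Anything else arriving on the DMZ interface for forwarding is logged and
    # dropped, matching the post's requirement that DMZ hosts reach only the
    # listed services (and not the Internet) through this box.
    printf 'iptables -A FORWARD -i %s -j LOG --log-prefix "DMZ-FWD-DROP: "\n' "$DMZ_IF"
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$DMZ_IF"
}

# Helpers for sanity-checking the generated rule set.
count_dnat()   { gen_rules | grep -c -- '-j DNAT'; }
count_accept() { gen_rules | grep -c -- '-j ACCEPT'; }

gen_rules
```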
