Mailinglist Archive: opensuse (3337 mails)

Re: [SLE] A Simple Question on iptables (Forward issue)
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Thu, 20 Apr 2006 13:17:39 -0600
  • Message-id: <4447DE53.6020405@xxxxxxxxxxxxx>
On 20/04/06 09:26, Koenraad Lelong wrote:
> Hi Daryl,
>
> I just read your post about NAT (OP from FW). For a while I was
> thinking how I could forward some ports. I think you gave the answer.
> My procedure:
> set FW_ROUTE to "yes"
> set FW_FORWARD to "192.168.10.0/24,<my_server_ip>,tcp,<smb_ports>"
This will forward network traffic without doing any masquerading; if you
want to allow external systems to access things like a web server, but
that server is on a private IP inside your LAN, you need to use
FW_FORWARD_MASQ instead.

>
> If I do this I think I would be able to access a samba-server from the
> outside.
> Before you say "don't do this, security" I will add that between the
> Suse-machine and the 'net I have a VPN router/firewall. The other side
> of the VPN tunnel will have net-address 192.168.10.x.
> I think this is a secure setup. I hope you can confirm this.

A VPN is really just a connection between two private networks, with the
added twist that at one point, the traffic between the two must travel
on the internet. I have no experience with a VPN, so I cannot say for
sure if using FW_FORWARD is correct. With the information given for that
variable (see /etc/sysconfig/SuSEfirewall2), I would think it is not:

"With this option you may allow access to e.g. your mailserver. The
machines must have valid, non-private, IP addresses which were
assigned to you by your ISP. This opens a direct link to the
specified network, so please think twice before using this option!"

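An added illustration (not part of this thread and not SuSEfirewall2's own code) of the distinction drawn above: a small POSIX sh script that turns an FW_FORWARD or FW_FORWARD_MASQ entry, assumed to be in the "source_net,destination,protocol,port" format, into the iptables rules it conceptually corresponds to, and flags an FW_FORWARD entry whose destination is a private address, which the sysconfig comment says the option is not meant for. The exact rules SuSEfirewall2 generates are not on this page, so the translation here is an assumption.

```shell
#!/bin/sh
# Constructed example: conceptual translation of SuSEfirewall2-style
# FW_FORWARD / FW_FORWARD_MASQ entries into iptables rules.
# Assumed entry format: "source_net,destination,protocol,port".
# These are not the rules SuSEfirewall2 itself emits.

# Split one entry into the globals src, dst, proto and port.
split_entry() {
    src=${1%%,*}; rest=${1#*,}
    dst=${rest%%,*}; rest=${rest#*,}
    proto=${rest%%,*}; port=${rest#*,}
}

# Returns 0 if the address lies in an RFC 1918 private range.
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# FW_FORWARD: plain routed access, no address translation.  The
# sysconfig comment says the target must have a public address, so a
# private destination is reported and no rule is printed.
fw_forward_rule() {
    split_entry "$1"
    if is_private_ip "$dst"; then
        echo "WARN: $dst is private; FW_FORWARD does not translate addresses, consider FW_FORWARD_MASQ"
        return 1
    fi
    echo "iptables -A FORWARD -s $src -d $dst -p $proto --dport $port -j ACCEPT"
}

# FW_FORWARD_MASQ: rewrite the destination to the internal host (DNAT),
# then allow the translated packets through the FORWARD chain.
fw_forward_masq_rule() {
    split_entry "$1"
    echo "iptables -t nat -A PREROUTING -s $src -p $proto --dport $port -j DNAT --to-destination $dst"
    echo "iptables -A FORWARD -s $src -d $dst -p $proto --dport $port -j ACCEPT"
}

# Sample entries (constructed): a public web server host and a private SMB host.
fw_forward_rule "0/0,203.0.113.10,tcp,80"
fw_forward_rule "192.168.10.0/24,192.168.1.5,tcp,445" || true
fw_forward_masq_rule "192.168.10.0/24,192.168.1.5,tcp,445"
```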