-----Original Message-----
From: Alexander Reach [mailto:newsletter@reach.de]
Sent: Thursday, 13 December 2001 13:57
To: SuSE-Security
Subject: [suse-security] SuSE Firewall & Reverse Masquerading
Hello,
I want to do reverse masquerading with the SuSE firewall.
Okay! (I must admit that I only know SuSEfirewall2 with iptables, though ...)
I know, that I can use the switch FW_FORWARD_MASQ_* to do this. The Syntax is "Source IP / Destination IP / Destination Port".
Right!
The Problem is, that I want to redirect to more than one Computer in my local DMZ.
How can I do it with this firewall ?
You can only forward to different hosts if they use different ports. This is because the external client specifies the IP address of the external interface of your fw gateway, so the protocol and port number is the only criterion to differentiate the target hosts ...

Assuming your fw gateway looks like:

    external/internet
          !
          ! eth1 (provider assigned address)
      firewall
          ! eth0 (192.168.1.x)
          !
          +--- 192.168.1.10 port 80
          +--- 192.168.1.20 port 992
          +--- ...

To reach an internal server e.g. on port 80 (192.168.1.10) and another on port 992 (192.168.1.20) use something like the following in your etc/rc.config.d/firewall2.rc.config:

    FW_FORWARD_MASQ="0/0,192.168.1.10,tcp,80 0/0,192.168.1.20,tcp,992"

The "0/0" means _any_ external IP address is allowed access to the internal hosts!

To allow outgoing replies from your internal hosts use:

    FW_MASQ_NETS="192.168.1.10 192.168.1.20"

That is: your hosts can do anything outgoing! You can narrow this if you extend it with proto/port ...

You also have to provide the following ...

    FW_ROUTE="yes"

This config works on my gateway - but not already behind a second fw gateway which does no masquerading :-( ... try to solve this one in the moment ...

Hope that helps

Greetings
Roland
Greetings, Alexander
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
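As an added example (not part of the mail and not SuSEfirewall2's own code), the following POSIX shell script expands FW_FORWARD_MASQ entries in the "source,destination,protocol,port" form Roland describes into the iptables DNAT and FORWARD rules they imply, and rejects a setting in which two entries claim the same protocol/port on the external address, which is the limitation he points out. The interface names eth0/eth1 and the addresses come from the mail; the rule shape is an assumption of this example, and the script only prints commands, it does not touch the firewall.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: expand FW_FORWARD_MASQ entries
# ("src,dst,proto,port") into the iptables rules they imply, dry run only.
# Interface names and addresses are assumptions taken from the mail.
EXT_IF=eth1
INT_IF=eth0

# Constructed sample setting: the two entries from the mail.
FW_FORWARD_MASQ="0/0,192.168.1.10,tcp,80 0/0,192.168.1.20,tcp,992"

# Print (never execute) the two rules for one entry: the DNAT that rewrites
# the destination on the external interface, and the FORWARD accept for it.
emit_rules() {
    src=${1%%,*}; rest=${1#*,}
    dst=${rest%%,*}; rest=${rest#*,}
    proto=${rest%%,*}; port=${rest#*,}
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$src" "$proto" "$port" "$dst"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$src" "$dst" "$proto" "$port"
}

# The external client only names the gateway's address, so proto/port is the
# only thing that can select the internal host: two entries with the same
# proto/port cannot both work. Returns 1 on such a clash.
check_unique_ports() {
    seen=""
    for entry in $1; do
        rest=${entry#*,}; key=${rest#*,}      # strip src and dst -> "proto,port"
        case " $seen " in
            *" $key "*) echo "conflict: $key is forwarded twice" >&2; return 1 ;;
        esac
        seen="$seen $key"
    done
    return 0
}

# Validate the whole setting, then print the rule set.
generate() {
    check_unique_ports "$1" || return 1
    for entry in $1; do
        emit_rules "$entry"
    done
}

generate "$FW_FORWARD_MASQ"
```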