SuSEfirewall2: external ip aliases with forward / masq?
Hello all,

I've searched thru FAQs & archives for a couple days now and haven't found anything exactly like my problem, so I will describe it and maybe someone here can offer good advice.

I have installed a SuSE 8.0 machine to be an Internet firewall. I have a whole Internet-routable public class C address range to work with on my external interface. I am running only private RFC1918 addresses on my interior network. I have some Windows PCs on the internal network that I need to allow a vendor on the outside to remotely manage via PCAnywhere. Thanks to Togan Muftuoglu's most excellent "Understanding and Using SuSE Firewall2" document, I have been able to configure SuSEfirewall2 to perform the FW_FORWARD_MASQ to make this work for one single internal Windows PC.

Now I need to be able to have ip aliases on the external interface eth0 (let's call them A.B.C.100 as the primary address and A.B.C.101 and A.B.C.102 as the ip aliases on the external interface). The internal interface (eth1) of the firewall is 192.168.1.1 and there are no aliases on that one. My internal Windows machines are 192.168.1.10, 192.168.1.11 and 192.168.1.12 and PCAnywhere is listening on the normal 5631/tcp and 5632/udp ports on each of these machines. I also need to be able to limit the inbound PCAnywhere connection requests to a specific source address. Let's call the vendor's address X.Y.Z.123.

To get the firewall to work for the one PCA machine, I used these rules in the /etc/sysconfig/SuSEfirewall2 file:

[mundane config stuff that's normally self-explanatory left out]
FW_SERVICES_EXT_TCP="5631"
FW_SERVICES_EXT_UDP="5632"
FW_TRUSTED_NETS="X.Y.Z.123"
FW_FORWARD_MASQ="X.Y.Z.123,192.168.1.10,tcp,5631 \
                 X.Y.Z.123,192.168.1.10,udp,5632"

This works great for PCAnywhere to get thru to the one machine.
Now I need to set up a similar forward/masq deal happening for some external ip aliases to get forwarded and masqueraded to the other two machines on these tcp/udp ports like:

A.B.C.101 -> 192.168.1.11 (both 5631/tcp and 5632/udp)
A.B.C.102 -> 192.168.1.12 (both 5631/tcp and 5632/udp)

Also only allow X.Y.Z.123 from the outside to be permitted to use these services.

In Togan's document, he mentions how to do this using alternative tcp and udp port numbers for multiple internal PCAnywhere machines (i.e. 5631/5632 for the first pc, 5633/5634 for the second, 5635/5636 for the third one, etc.) and only one ip address on the SuSEfirewall2's external address, but my vendor is stubbornly demanding that I provide separate ip addresses for each machine and stick with the standard PCAnywhere port numbers.

I already have the aliased external ip addresses on eth0, that part was easy. Does anyone know how to make the SuSEfirewall2 scripts support them for my need? Or am I going to have to make an entire script of raw iptables commands from scratch to accomplish such an animal? If so, is there a way of getting the raw list of iptables commands that the SuSEfirewall2 startup process generates into one big textfile so I may be able to see all that it is doing, and all in correct order, so that I may use it as a learn-by-example script?

Thanks,
Neal
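As an added example (not code from the thread, from Neal, or from SuSEfirewall2 itself), this is the raw-iptables route Neal asks about for the three alias-to-PC mappings he lists: a DNAT rule plus a matching FORWARD accept per alias and protocol, both restricted to the vendor's source address. The interface name eth0 and the placeholder addresses come from the post; the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: raw-iptables equivalent of the
# per-alias PCAnywhere forwarding Neal describes. It emits the rules as text
# so they can be reviewed (or saved to a file) before being applied; run
# with APPLY=1 as root to load them. Addresses are the thread's placeholders.
EXT_IF=eth0
VENDOR=X.Y.Z.123
# external alias -> internal PC, one pair per line (from the thread)
MAPPINGS="A.B.C.100:192.168.1.10
A.B.C.101:192.168.1.11
A.B.C.102:192.168.1.12"

# Rules for one alias/PC pair: DNAT in PREROUTING rewrites the destination,
# FORWARD then has to accept the rewritten packet. Both match on the vendor
# source address, so nobody else can reach the forwarded ports.
pca_rules() {
    ext_ip=$1; int_ip=$2
    for spec in tcp:5631 udp:5632; do
        proto=${spec%%:*}; port=${spec##*:}
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -s $VENDOR -d $ext_ip -p $proto --dport $port -j DNAT --to-destination $int_ip:$port"
        echo "iptables -A FORWARD -i $EXT_IF -s $VENDOR -d $int_ip -p $proto --dport $port -j ACCEPT"
    done
}

# Complete rule set: reply traffic first, then every mapping (13 rules).
all_rules() {
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAPPINGS" | while IFS=: read -r ext int; do
        [ -n "$ext" ] && pca_rules "$ext" "$int"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    all_rules | sh -e          # load into the running kernel (root required)
else
    all_rules                  # review mode: just print the commands
fi
# To dump what SuSEfirewall2 itself loaded, in chain order, once it is up:
#   iptables-save > /root/suse-fw2-rules.txt
```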
* Howard, Neal; <nhoward@cwftx.net> on 26 Nov, 2002 wrote:
> remotely manage via PCAnywhere. Thanks to Togan Muftuoglu's most excellent "Understanding and Using SuSE Firewall2" document, I have been able to configure SuSEfirewall2 to perform the FW_FORWARD_MASQ to make this work for

Glad that you found it useful. Before I hit the bed I'll try to help, so if it does not make sense don't try it :-)

> need to be able to limit the inbound PCAnywhere connection requests to a specific source address. Let's call the vendor's address X.Y.Z.123. To get the firewall to work for the one PCA machine, I used these rules in the /etc/sysconfig/SuSEfirewall2 file:
>
> [mundane config stuff that's normally self-explanatory left out]
> FW_SERVICES_EXT_TCP="5631"
> FW_SERVICES_EXT_UDP="5632"

Here you are opening these services to the whole world. Is this what you want, or only the vendor?

> FW_TRUSTED_NETS="X.Y.Z.123"

X.Y.Z.123,tcp,5631 X.Y.Z.123,udp,5632 would just limit PCAnywhere to the vendor.

> FW_FORWARD_MASQ="X.Y.Z.123,192.168.1.10,tcp,5631 \
>                  X.Y.Z.123,192.168.1.10,udp,5632"
>
> This works great for PCAnywhere to get thru to the one machine. Now I need to set up a similar forward/masq deal happening for some external ip aliases to get forwarded and masqueraded to the other two machines on these tcp/udp ports like:
>
> A.B.C.101 -> 192.168.1.11 (both 5631/tcp and 5632/udp)
> A.B.C.102 -> 192.168.1.12 (both 5631/tcp and 5632/udp)
>
> Also only allow X.Y.Z.123 from the outside to be permitted to use these services.

I think FW_TRUSTED_NETS, as I pointed out, will do this.

> In Togan's document, he mentions how to do this using alternative tcp and udp port numbers for multiple internal PCAnywhere machines (i.e. 5631/5632 for the first pc, 5633/5634 for the second, 5635/5636 for the third one, etc.) and only one ip address on the SuSEfirewall2's external address, but my vendor is stubbornly demanding that I provide separate ip addresses for each machine and stick with the standard PCAnywhere port numbers.
>
> I already have the aliased external ip addresses on eth0, that part was easy. Does anyone know how to make the SuSEfirewall2 scripts support them for my need?

FW_DEV_EXT="eth0 eth0:1 eth0:2"

should make these aliases available, and then basically do the same thing for FW_FORWARD_MASQ.

ps. If it works let me know so I can add it in to the new version. Warning: I am half asleep so no guarantee :-)

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx