Hi,

I've got/want to build the following environment:

Firewall:
14 ext. IP's bound to eth0:0...eth0:13
1 internal IP 192.168.1.199 (of course...) on eth1
Masquerading of the internal network
Acting as public DNS
Acting as proxy (squid) for the local network

Mail- and Web-Server in internal network (192.168.1.200)

I want to:
* local PC's should more or less be allowed to get access to the usual services
* foreign PC's should only be allowed to get dns, www and smtp/pop access
* foreign PC's requesting www or smtp/pop services should be forwarded/masqueraded to 192.168.1.200
* ssh should be allowed for the firewall and eventually also be forwarded/masqueraded (on another port?!?) to 192.168.1.200
* everything else should be forbidden

Since I couldn't manage to get SuSEfirewall 4.2 to work (everything works fine apart from the forwarding/masquerading of www/smtp/pop to the internal machine 192.168.1.200): does anybody please have an ipchains (rc.firewall) script that does more or less what I described? It's especially difficult to find an ipchains sample that does aliasing on the external interface AND port forwarding or masquerading to an internal machine.

Is there something else I have to do on the firewall? Routing etc. to the outer world looks fine, ifconfig looks fine. Everything works perfectly as long as the Web- and Mail-Server reside on the firewall - but that's what I need to avoid.

Thanks a lot in advance!
At 11:52 PM 10/01/2001 +0100, you wrote:
Hi,

I've got/want to build the following environment:

Firewall:
14 ext. IP's bound to eth0:0...eth0:13
1 internal IP 192.168.1.199 (of course...) on eth1
Masquerading of the internal network
Acting as public DNS
Acting as proxy (squid) for the local network

Mail- and Web-Server in internal network (192.168.1.200)

I want to:
* local PC's should more or less be allowed to get access to the usual services
* foreign PC's should only be allowed to get dns, www and smtp/pop access
* foreign PC's requesting www or smtp/pop services should be forwarded/masqueraded to 192.168.1.200
* ssh should be allowed for the firewall and eventually also be forwarded/masqueraded (on another port?!?) to 192.168.1.200
* everything else should be forbidden

Since I couldn't manage to get SuSEfirewall 4.2 to work (everything works fine apart from the forwarding/masquerading of www/smtp/pop to the internal machine 192.168.1.200): does anybody please have an ipchains (rc.firewall) script that does more or less what I described? It's especially difficult to find an ipchains sample that does aliasing on the external interface AND port forwarding or masquerading to an internal machine.

Is there something else I have to do on the firewall? Routing etc. to the outer world looks fine, ifconfig looks fine. Everything works perfectly as long as the Web- and Mail-Server reside on the firewall - but that's what I need to avoid.

Thanks a lot in advance!
This also is a FAQ, however I have not had time to add it to http://www.susesecurity.com :-( I will try to do that this week.

You need to install the package ipmasqadm and run "man ipmasqadm". There are howtos out there but I'm a little too drunk to remember where.

I've just gotten home from "this" (http://www.au.vergenet.net/~horms/gallery/lyle/sydney4.html) party with Richard Gooch (devfs), Raster (E), Horms (HA and LoadBalancing) etc etc.. who are over here for http://linux.conf.au (IS anyone else from this list coming???)

bah.. 5am..time for bed..

---
Nix - nix@susesecurity.com
SuSE-Security FAQ Maintainer
http://www.susesecurity.com
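An rc.firewall along the lines Nix points to, as an added example that is neither poster's script: ipchains rules for the policy in the question plus ipmasqadm portfw entries that send www/smtp/pop (and ssh, remapped from an outside port) to 192.168.1.200. The alias address 203.0.113.10, the external ssh port 2222 and the function names are assumptions; it needs a 2.2 kernel built with IPPORTFW support.

```shell
#!/bin/sh
# rc.firewall for an ipchains (2.2) kernel with IPPORTFW support:
# aliases eth0:0..eth0:13 share the device eth0, so "-i eth0" matches
# them all; the LAN sits behind eth1 and is masqueraded on the way out;
# ipmasqadm portfw sends public www/smtp/pop (and ssh on 2222) to the
# internal server. PUBLIC_IP is a hypothetical alias address.
EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.1.0/24
SERVER=192.168.1.200
PUBLIC_IP=203.0.113.10   # assumption: the alias that serves web/mail

# Emit the rule set as commands so it can be reviewed or piped to sh.
rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ipchains -F"
    echo "ipmasqadm portfw -f"
    # Default deny everywhere; only listed traffic gets through.
    for chain in input output forward; do
        echo "ipchains -P $chain DENY"
    done
    echo "ipchains -A input -i lo -j ACCEPT"
    # The LAN may reach the firewall's own services (DNS, squid, ssh).
    echo "ipchains -A input -i $INT_IF -s $INT_NET -j ACCEPT"
    # Foreign hosts: DNS on udp/tcp, the published tcp ports, ssh.
    echo "ipchains -A input -i $EXT_IF -p udp --dport 53 -j ACCEPT"
    for port in 53 25 80 110 22 2222; do
        echo "ipchains -A input -i $EXT_IF -p tcp --dport $port -j ACCEPT"
    done
    # ipchains is stateless: resolver replies and non-SYN tcp segments
    # (answers to connections we or the LAN opened) must be let in.
    echo "ipchains -A input -i $EXT_IF -p udp --sport 53 -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    echo "ipchains -A output -j ACCEPT"
    # Masquerade LAN traffic leaving on eth0; nothing else is forwarded.
    echo "ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ"
    # Port forwarding: alias port -> internal server port (ssh remapped).
    for pair in 80:80 25:25 110:110 2222:22; do
        echo "ipmasqadm portfw -a -P tcp -L $PUBLIC_IP ${pair%%:*} -R $SERVER ${pair##*:}"
    done
}

case "${1:-}" in
    start) rules | sh -e ;;   # apply to the running kernel
    show)  rules ;;           # dry run: print the commands only
esac
```

Run `sh rc.firewall show` to inspect the generated rules before `start`; the dport ACCEPT list on eth0 must include every port that portfw redirects, or the input chain drops the packet before it is rewritten.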
participants (2)
-
Markus Schwaiger
-
Nix