allow EXCEPT (SuSEfirewall2)
Helo suse-security (little mail joke, sorry)

I want to set up a rule in SuSEfirewall2 that allows all users from my LAN to browse or FTP from 192.168.0.0/24 to 0/0. This is easy and done:

FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,80 \
              192.168.0.0/24,0/0,tcp,21"

My question is, I only want two internal addresses to be able to FTP and browse to a specific FTP/WWW server. I cannot find any reference in SuSEfirewall2 to include an exclusion in the above line.

I was thinking something like:

FW_MASQ_NETS="192.168.0.0/24,0/0!200.200.200.211,tcp,80 \
              192.168.0.222,200.200.200.211,tcp,80"

Any idea how to do this, or should I create all my forwarding rules directly using iptables?

B
> I want to set up a rule in SuSEfirewall2 that allows all users from my LAN to browse or FTP from 192.168.0.0/24 to 0/0.
> This is easy and done:
>
> FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,80 \
>               192.168.0.0/24,0/0,tcp,21"

This does activate NAT for 192.168.0.0 when dport is (80|21) and proto is tcp.

> My question is, I only want two internal addresses to be able to FTP and browse to a specific FTP/WWW server. I cannot find any reference in SuSEfirewall2 to include an exclusion in the above line.
>
> I was thinking something like:
>
> FW_MASQ_NETS="192.168.0.0/24,0/0!200.200.200.211,tcp,80 \
>               192.168.0.222,200.200.200.211,tcp,80"
>
> Any idea how to do this, or should I create all my forwarding rules directly using iptables?
Put some rules into the firewall.local file:

iptables -A INPUT -j ACCEPT -s $ok1 -p tcp -d $server_to_allow --dport 80 -i $int
iptables -A INPUT -j ACCEPT -s $ok2 -p tcp -d $server_to_allow --dport 80 -i $int
iptables -A INPUT -j DENY -s 192.168.0.0/24 -p tcp -d $server_to_allow --dport 80 -i $int

where $ok1, $ok2 are the clients allowed to access, $int is the internal NIC and $server_to_allow is the server that only $ok1, $ok2 can access. Since iptables rules are checked from top to bottom, $ok1 and $ok2 are allowed in before the 3rd rule denies it for all.

the bob
--
http://www.hs-pongratz.de
> > I want to set up a rule in SuSEfirewall2 that allows all users from my LAN to browse or FTP from 192.168.0.0/24 to 0/0.
> > This is easy and done:
> >
> > FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,80 \
> >               192.168.0.0/24,0/0,tcp,21"
>
> This does activate NAT for 192.168.0.0 when dport is (80|21) and proto is tcp.
>
> > My question is, I only want two internal addresses to be able to FTP and browse to a specific FTP/WWW server. I cannot find any reference in SuSEfirewall2 to include an exclusion in the above line.
> >
> > I was thinking something like:
> >
> > FW_MASQ_NETS="192.168.0.0/24,0/0!200.200.200.211,tcp,80 \
> >               192.168.0.222,200.200.200.211,tcp,80"
> >
> > Any idea how to do this, or should I create all my forwarding rules directly using iptables?
> Put some rules into the firewall.local file:
>
> iptables -A INPUT -j ACCEPT -s $ok1 -p tcp -d $server_to_allow --dport 80 -i $int
> iptables -A INPUT -j ACCEPT -s $ok2 -p tcp -d $server_to_allow --dport 80 -i $int
> iptables -A INPUT -j DENY -s 192.168.0.0/24 -p tcp -d $server_to_allow --dport 80 -i $int
>
> where $ok1, $ok2 are the clients allowed to access, $int is the internal NIC and $server_to_allow is the server that only $ok1, $ok2 can access. Since iptables rules are checked from top to bottom, $ok1 and $ok2 are allowed in before the 3rd rule denies it for all.
>
> the bob

Or like this for more than one IP:

FILTER="3 7 9"
SUBNET="192.168.0"
server_to_allow="1.2.3.4"
int="eth1"

for IP in $FILTER; do
    IP="$SUBNET.$IP"
    iptables -A INPUT -j ACCEPT -s $IP -p tcp -d $server_to_allow --dport 80 -i $int
done
iptables -A INPUT -j DENY -s 192.168.0.0/24 -p tcp -d $server_to_allow --dport 80 -i $int

e.g. for the IPs 192.168.0.3, .7 and .9.

If the server is a SuSE box as well and you want to allow access to the server only from some IPs, do the following on the server. This is only if you want to filter IPs to server xy, and not if you want to filter access from int to only one ext IP from the specified PCs.

/etc/sysconfig/SuSEfirewall2

# 10.)
FW_TRUSTED_NETS="192.168.0.3,tcp,20:21 192.168.0.7,tcp,20:21 192.168.0.9,tcp,20:21"

Philippe
Philippe Vogel wrote:

>     iptables -A INPUT -j ACCEPT -s $IP -p tcp -d $server_to_allow --dport 80 -i $int

INPUT must read FORWARD if the firewall isn't $server_to_allow.

> done
> iptables -A INPUT -j DENY -s 192.168.0.0/24 -p tcp -d $server_to_allow --dport 80 -i $int

The same here, s/INPUT/FORWARD/. And DENY is ok if you're using ipchains, but using iptables it must be DROP. Paranoiac_User made the same mistake.

GTi
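The firewall.local rule set the thread converges on, with GTi's two corrections applied (FORWARD chain instead of INPUT, DROP instead of DENY) and the --dport port match. This is an added example, not code from any of the posters; the variable names, the ESTABLISHED,RELATED rule and the echo-by-default preview are assumptions of this example, and the server address is the thread's placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): build the firewall.local rules for
# "only a few LAN hosts may reach one external FTP/WWW server, the rest of
# the LAN is dropped", on the router, in the FORWARD chain.

LAN_BASE="192.168.0"                 # internal subnet, first three octets
LAN_NET="$LAN_BASE.0/24"
ALLOWED_HOSTS="3 7 9"                # last octet of each permitted client
SERVER="200.200.200.211"             # the only server these clients may reach
INT_IF="eth1"                        # internal NIC
PORTS="80 21"                        # http and the ftp control channel

# Default to previewing the commands; run with IPTABLES=iptables to install them.
IPTABLES="${IPTABLES:-echo iptables}"

build_rules() {
    # Replies and FTP data connections belong to established/related flows;
    # the ftp conntrack helper (ip_conntrack_ftp) must be loaded for RELATED
    # to cover the data channel, otherwise only the control channel passes.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    for port in $PORTS; do
        # Rules are evaluated top to bottom, so the per-host ACCEPTs must
        # come before the subnet-wide DROP for the same destination/port.
        for host in $ALLOWED_HOSTS; do
            $IPTABLES -A FORWARD -i "$INT_IF" -s "$LAN_BASE.$host" -d "$SERVER" \
                -p tcp --dport "$port" -j ACCEPT
        done
        $IPTABLES -A FORWARD -i "$INT_IF" -s "$LAN_NET" -d "$SERVER" \
            -p tcp --dport "$port" -j DROP
    done
}

# Number of rules build_rules emits; a quick sanity check before installing.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

build_rules
```

Hosts outside ALLOWED_HOSTS still match the FW_MASQ_NETS entry for 0/0, so the final DROP per port is what actually withholds the one server from them.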
participants (4)
- Barry Gill
- list@nolog.org
- Paranoiac_User
- Philippe Vogel