Can anyone give me a clue? The basics are:

1 machine: SuSE 8.2, 3 nics

2 internal networks (examples):
$INTLAN1:> 192.0.0.2
$INTLAN2:> 192.0.5.2

3 good ip's (examples):
eth0> 128.0.0.1
eth0:1> 128.0.0.2
eth0:2> 128.0.0.3

2 spoofed ip's:
$INTIF1> 192.0.5.2
$INTIF2> 192.0.48.3

works:
-connecting from the internet/external LAN to all machines via (ssh, FTP, HTTP)

not:
-connecting between $INTLAN1 & $INTLAN2
-samba connections from anywhere
-afp (apple) connections from anywhere

-Thanks in advance....

#!/bin/sh
PATH="$PATH:/usr/bin/:/usr/sbin"
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
EXTIF=eth0
INTIF1=eth1
INTIF2=eth2

case "$1" in
  'start')
    echo "Clearing any existing rules and setting default policy.."
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -X
    iptables -t nat -F

    # loopback rules
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # external interface
    iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i $EXTIF -j ACCEPT

    echo "Adding Masquerade support for 192.0.0.0 subnet..."
    iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT

    echo "Adding Masquerade support for 192.0.5.0 subnet..."
    iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

    echo "Allowing traffic between internal networks..."
    iptables -A FORWARD -i $INTIF1 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT
    iptables -A FORWARD -i $INTIF2 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT

    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    echo "Associating internal address 192.0.0.2 with external address 128.0.0.2"
    iptables -t nat -A PREROUTING -p tcp --dst 128.0.0.2 -j DNAT --to-destination 192.0.0.2
    iptables -t nat -A PREROUTING -p udp --dst 128.0.0.2 -j DNAT --to-destination 192.0.0.2
    iptables -t nat -A PREROUTING -p icmp --dst 128.0.0.2 -j DNAT --to-destination 192.0.0.2
    iptables -t nat -A POSTROUTING -p tcp --dst 128.0.0.2 -j SNAT --to-source 192.0.0.2
    iptables -t nat -A POSTROUTING -p udp --dst 128.0.0.2 -j SNAT --to-source 192.0.0.2
    iptables -t nat -A POSTROUTING -p icmp --dst 128.0.0.2 -j SNAT --to-source 192.0.0.2

    echo "Associating internal address 192.0.5.2 with external address 128.0.0.3"
    iptables -t nat -A PREROUTING -p tcp --dst 128.0.0.3 -j DNAT --to-destination 192.0.5.2
    iptables -t nat -A PREROUTING -p udp --dst 128.0.0.3 -j DNAT --to-destination 192.0.5.2
    iptables -t nat -A PREROUTING -p icmp --dst 128.0.0.3 -j DNAT --to-destination 192.0.5.2
    iptables -t nat -A POSTROUTING -p tcp --dst 128.0.0.3 -j SNAT --to-source 192.0.5.2
    iptables -t nat -A POSTROUTING -p udp --dst 128.0.0.3 -j SNAT --to-source 192.0.5.2
    iptables -t nat -A POSTROUTING -p icmp --dst 128.0.0.3 -j SNAT --to-source 192.0.5.2

    # add logging
    iptables -A INPUT -j LOG
    #iptables -A FORWARD -j LOG
    #iptables -t nat -A PREROUTING -j LOG
    #iptables -t nat -A POSTROUTING -j LOG
    #iptables -A OUTPUT -j LOG
    #iptables -A block -j LOG
    ;;
  'stop')
    echo "Flushing iptables firewall..."
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    #iptables -F block
    iptables -t nat -F
    ;;
  'restart')
    $0 stop
    $0 start
    ;;
  *)
    echo "$0 {start|stop}"
    exit 1
    ;;
esac
exit 0
On Tuesday 02 March 2004 17:05, Gilmore, Eric wrote:
Can anyone give me a clue? The basics are: 1 machine: SuSE 8.2 3 nics 2 internal networks (examples): $INTLAN1:> 192.0.0.2 $INTLAN2:> 192.0.5.2
Does LAN1 trust LAN2 and vice versa ?
3 good ip's (examples): eth0> 128.0.0.1 eth0:1> 128.0.0.2 eth0:2> 128.0.0.3
2 spoofed ip's: $INTIF1> 192.0.5.2 $INTIF2> 192.0.48.3
If by spoofed you mean reserved, internal addresses: be aware that you're outside the allowed range (192.168.0.0/16) (See RFC 1918)
works: -connecting from the internet/external LAN to all machines via (ssh, FTP, HTTP) not: -connecting between $INTLAN1 & $INTLAN2
If full and mutual trust is expected / wanted: set FW_ALLOW_CLASS_ROUTING="yes" Hm... reading on I notice you don't use the Suse firewall filter. Why not ?
-samba connections from anywhere
Explain. From ANYwhere implies "from internet". Surely you CAN not want that. If you mean from LAN1 <-> LAN2 then either the above class routing will fix it (when you use AD + properly configured DNS servers) or you may need to specify the exact share by IP number (net use * \\192....\C). If both are not options you will need to find a way to relay the Netbios broadcast(s) over the firewall. Dunno offhand how to do that (and wouldn't want to either).
-afp (apple) connections from anywhere
See samba, the services are fairly similar.

Maarten
--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
On Tue, Mar 02, 2004 at 05:51:52PM +0100, maarten van den Berg wrote:
On Tuesday 02 March 2004 17:05, Gilmore, Eric wrote:
Can anyone give me a clue? The basics are:
Hm... reading on I notice you don't use the Suse firewall filter. Why not ?
The listing of iptables rules looks strange. There is an allow policy and there are lots of allow rules, but nothing is denied. There are LOG targets at the end. They will not log anything because the packets have already been accepted. The rule specifications for the POSTROUTING chain are probably unnecessary. I am not sure, because I did not really find out what you are trying to do. Maybe it is easier to use the SuSE firewall script to generate the iptables rules (that is what SuSE firewall does).
-afp (apple) connections from anywhere
See samba, the services are fairly similar.
In addition to the filter rules it is necessary to allow the connection with some /etc/hosts.allow entry.

--
Stefan Tichy ( s.list at pi4tel dot de )
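A default-deny rewrite of the posted rule set along the lines of Stefan's remarks (DROP policies, LOG placed where unmatched packets actually reach it, DNAT without the SNAT-by-destination rules), as an added example that is neither the poster's script nor SuSEfirewall output. Interface names and addresses are the thread's examples; the IPT variable is an assumption so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example: a default-deny rewrite of the thread's rule set, not the
# poster's script or SuSEfirewall output. Addresses and interface names are
# the thread's examples; IPT is an assumption for dry-running without root.
IPT="${IPT:-echo iptables}"      # set IPT=/usr/sbin/iptables to apply for real

EXTIF=eth0; INTIF1=eth1; INTIF2=eth2
LAN1=192.0.0.0/24; LAN2=192.0.5.0/24
HOST1=192.0.0.2;   HOST2=192.0.5.2      # internal servers
PUB1=128.0.0.2;    PUB2=128.0.0.3       # their public aliases on $EXTIF

reset_tables() {
    $IPT -F; $IPT -X; $IPT -t nat -F
    # Default-deny: with ACCEPT policies every later ACCEPT is redundant and a
    # trailing LOG rule never sees a packet (Stefan's point).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

publish_host() {   # publish_host <public-ip> <internal-ip> <internal-if>
    # DNAT only: conntrack un-NATs the replies, so the SNAT-by-destination
    # rules in the original POSTROUTING chain are not needed.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$1" -j DNAT --to-destination "$2"
    $IPT -A FORWARD -i "$EXTIF" -o "$3" -d "$2" -p tcp -m multiport \
        --dports 21,22,80 -m state --state NEW -j ACCEPT
}

build_rules() {
    reset_tables
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN1 <-> LAN2 with full mutual trust (covers SMB/AFP between the LANs)
    $IPT -A FORWARD -i "$INTIF1" -o "$INTIF2" -s "$LAN1" -d "$LAN2" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF2" -o "$INTIF1" -s "$LAN2" -d "$LAN1" -j ACCEPT
    # LANs to the internet, masqueraded behind $EXTIF
    $IPT -A FORWARD -i "$INTIF1" -o "$EXTIF" -s "$LAN1" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF2" -o "$EXTIF" -s "$LAN2" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    publish_host "$PUB1" "$HOST1" "$INTIF1"
    publish_host "$PUB2" "$HOST2" "$INTIF2"
    # LOG goes last: only packets no ACCEPT matched reach it, then policy DROPs
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
}
build_rules
```

Active FTP to the published hosts additionally needs the ip_conntrack_ftp and ip_nat_ftp helpers loaded so the data connection is seen as RELATED, and forwarding must be enabled via /proc/sys/net/ipv4/ip_forward.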