Re: [suse-security] 3 internet links thru firewall to windows PC
i have 3 internet links.
2 coming through the same cisco router.
and one other coming through a separate router.
1 link is purely reserved for surfing the web.
while the other 2 links should be used to link to some other organisation. The two links should be accessible from one windows server inside the organisation.
my question is,
how do i tell my SuSEFirewall to separate the traffic for the 3 links, i want the windows server to sit behind the firewall. probably in a DMZ. but its traffic should only pass through one of the other 2 links.
You can load additional custom rules into SuSEfirewall2 using the /etc/sysconfig/scripts/SuSEfirewall2-custom file, after enabling it in /etc/sysconfig/SuSEfirewall2. I'm not entirely sure if I understand your question correctly, but we had 3 internet connections in our house last year and did something like this (I tried to simplify the example so may have introduced errors). The methods for doing such things are described in full at lartc.org; I suggest you read there.

------
INTERNALNIC=eth0
EXTERNALNICA=eth1
EXTERNALNICB=eth2
#gateway addresses on the two external links, fill in your own
EXTERNALIPA=0.0.0.0
EXTERNALIPB=0.0.0.0

#clean up for restart
ip rule del fwmark 1 table interfacea.out
ip rule del fwmark 2 table interfaceb.out

#add rules to route packets marked with 1 with interfacea routing table
#and packets marked with 2 with interfaceb routing table
#you will need to have created these routing tables
ip rule add fwmark 1 table interfacea.out
ip rule add fwmark 2 table interfaceb.out

#delete default route
ip route del default
#add default route through interfacea
ip route add default via $EXTERNALIPA dev $EXTERNALNICA table main

#set default route for interfacea routing table through interfacea
ip route del default table interfacea.out
ip route add default via $EXTERNALIPA dev $EXTERNALNICA table interfacea.out

#set default route for interfaceb routing table through interfaceb
ip route del default table interfaceb.out
ip route add default via $EXTERNALIPB dev $EXTERNALNICB table interfaceb.out

#mark everything for connection 1
iptables -t mangle -A PREROUTING -i $INTERNALNIC -d 0/0 -j MARK --set-mark 1

#now mark stuff we want to go over connection2
#ssh
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 22 -j MARK --set-mark 2
#http(s)
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 80 -j MARK --set-mark 2
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 443 -j MARK --set-mark 2
#irc
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 6667 -j MARK --set-mark 2
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 6669 -j MARK --set-mark 2
#ssl (freenode alternative port)
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 7070 -j MARK --set-mark 2

#put a specific machine on one connection
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p udp -s 192.168.0.30 -j MARK --set-mark 2
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp -s 192.168.0.30 -j MARK --set-mark 2
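An added example, not from the thread, of applying the same policy-routing idea to the original layout (one DMZ server pinned to the second link, everyone else on the first). All interface names, networks, gateway addresses and the table name are assumptions. It also covers connections that arrive from outside on the second link, which the per-packet marks on the LAN side above do not, and enforces the split in the FORWARD chain so a routing mistake cannot leak the server's traffic onto the wrong link.

```shell
#!/bin/sh
# Added example for the poster's layout: DMZ Windows server must use link B
# only, everything else uses link A. All names/addresses below are assumed.
LAN=eth0;  DMZ=eth3;  WANA=eth1;  WANB=eth2      # assumed interface names
LANNET=192.168.0.0/24; DMZNET=10.0.1.0/24        # assumed internal networks
DMZHOST=10.0.1.10                                # assumed Windows server
GWA=203.0.113.1; GWB=198.51.100.1                # assumed upstream gateways
TABLE_B=linkb   # routing table name; must be listed in /etc/iproute2/rt_tables
MARK_B=2

# Every command goes through run(): with DRYRUN=1 it is printed, not executed,
# so the rule set can be reviewed before it touches a live firewall.
run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_linkb_routing() {
  # Link B gets its own table: its default route plus the DMZ network, so
  # inbound connections looked up in this table can still reach the server.
  run ip route replace default via "$GWB" dev "$WANB" table "$TABLE_B"
  run ip route replace "$DMZNET" dev "$DMZ" table "$TABLE_B"
  # Main table: link A stays the default for the rest of the organisation.
  run ip route replace default via "$GWA" dev "$WANA"
  # Rules are tried in pref order. Internal destinations keep using main,
  # otherwise the DMZ host could never talk to the LAN.
  run ip rule add from "$DMZHOST" to "$LANNET" lookup main pref 99
  # Everything else the DMZ host originates leaves via link B (source based).
  run ip rule add from "$DMZHOST" lookup "$TABLE_B" pref 100
  # Connections that arrive from the partner organisation on link B must be
  # answered on link B: mark the connection when NEW, restore the mark on
  # every later packet of it, and route marked packets through table B.
  run ip rule add fwmark "$MARK_B" lookup "$TABLE_B" pref 101
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -i "$WANB" -m conntrack --ctstate NEW \
      -j MARK --set-mark "$MARK_B"
  run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
  # Strict reverse-path filtering drops packets whose source is reachable only
  # via the other link; loose mode (2) keeps an anti-spoofing check in place.
  run sysctl -w "net.ipv4.conf.$WANA.rp_filter=2" "net.ipv4.conf.$WANB.rp_filter=2"
  # Enforce the policy in the filter table as well: the server never uses A.
  run iptables -A FORWARD -s "$DMZHOST" -o "$WANA" -j DROP
  run iptables -A FORWARD -d "$DMZHOST" -i "$WANA" -j DROP
}

# Only apply when explicitly asked; by default the file just defines functions.
if [ "${1:-}" = apply ]; then setup_linkb_routing; fi
```

Run with `DRYRUN=1 sh script.sh apply` to see the generated commands, and with `ip rule show` and `ip route show table linkb` afterwards to confirm the kernel state matches.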
On Wed, 27 Sep, 2006 at 07:53:01 +0100, B.Weber@warwick.ac.uk wrote: <snip>
my question is,
how do i tell my SuSEFirewall to separate the traffic for the 3 links, i want the windows server to sit behind the firewall. probably in a DMZ. but its traffic should only pass through one of the other 2 links.
You can load additional custom rules into SuSEfirewall2 using the /etc/sysconfig/scripts/SuSEfirewall2-custom file, after enabling it in /etc/sysconfig/SuSEfirewall2.
True.
I'm not entirely sure if I understand your question correctly,
Me neither... :P <snip>
The methods for doing such things are described in full at lartc.org I suggest you read there.
Sound advice, but
------
<big snip>

In general... If you want to do complicated routing/firewalling, but for some reason aren't up to the task of understanding iptables... Replace SuSEfirewall with Shorewall.

It's been a while since I last did anything serious with Shorewall (if you don't count setting up proxyarping for use with my new ISP) and I'm not sure where it's at these days, but:

Anything involving three WAN links, DMZ, server, LAN, and the rules to control all that, *will* inherently become somewhat complicated. What Shorewall does is substitute the horrors^H^H^H^H^H^H^H complexity of iptables for a very comprehensive and supremely well documented set of configuration files.

Basically Shorewall is vastly more capable than SuSEfirewall is, but still manages to be human readable, which raw iptables (IMHO) is not.

HTH
/Jon
--
YMMV
On Wednesday 27 September 2006 08:37, Jon Clausen wrote:
Basically Shorewall is vastly more capable than SuSEfirewall is, but still manages to be human readable, which raw iptables (IMHO) is not.
Full ACK! Shorewall is the way to go.
--
_____________________________________
John Andersen
participants (3): B.Weber@warwick.ac.uk, John Andersen, Jon Clausen