Q: Customizing SuSE80 FW2 router to run service in internal network with dynamic dial-up
Hi folks, I'm new here so just point me if my problem was already solved. So, I have a Pentium box with updated SuSE 8.0, eth1 card to DSL modem, eth0 to internal network. It acts as masquerading router for all Internet connections from internal network. I don't want it to run any additional services beside SSH, if possible (no DNS, no proxies, etc.). So I configured firewall in YaST2 between ppp0 and eth0; only enabling ssh; allowing traceroute, doing masquerading, protecting all running services, NOT protecting from internal network; no logging options. So far, so good, I can access Internet and I hope to be protected. Now, I want to run a webserver on one of the internal computers, that is accessible from Internet. Thus I've registered a domain by a free dynamic DNS provider and the IP address updated there is the one I've been given upon dial-up from provider. I'm running inetd in its standard configuration on router. First, I was intrigued by the fact that although I can ping everything outside, I cannot ping this dyn IP nor my domain (translated to correct IP) from my internal, masqueraded network. Pinging from router works fine. I understand it to be some anti-spoofing feature of FW to protect it from internal network. I surely can access my website with internal IP, but I want to test how it will be accessed from outside. Same situation for ssh to the dyn IP or domain (from router ok, from internal network no way). So, I've tried to set FW_TRUSTED_NETS="192.168.0.0/24,icmp" to no avail. Then I also tried to put iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.1.1 -j ACCEPT (the destination is internal address of network card connected to modem) into antispoofing section of custom FW script and enable it in configuration, but failed too, as it is probably nonsense anyway. Also, how can I get the internal network to ping the firewall box from outside??? Second, I wanted to "forward" everything coming to firewall from outside on port 80 to reach my webserver in internal network.
I know it is a security hole, but I opt for it anyway. Thus I've defined the following in configuration: FW_FORWARD_MASQ="0/0,192.168.0.4,tcp,80" Yet I cannot access my website by dyn domain from internal network (which may be related to previous problem). Even more obscure is that I cannot access the site when launching a browser at router too (for ping and ssh it worked there so I suspect this "reverse masquerading" is not really functioning). Also, did anybody get a webserver with no static IP residing in internal network to respond through the SuSE firewall??? Is the kind of configuration I wish possible at all with SuSE8 FW2, or should I rather learn to write iptables manually or get some other firewall/packet filtering? Any help is very appreciated! Peter. __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com
* Using SuSE wrote on Sat, Nov 30, 2002 at 19:20 -0800:
dial-up from provider. I'm running inetd in its standard configuration on router.
Why that?!
First, I was intrigued by the fact that although I can ping everything outside, I cannot ping this dyn IP nor my domain (translated to correct IP) from my internal, masqueraded network.
The external IP of your router? Then it's probably dropped by the firewall.
Pinging from router works fine.
"lo" device is usually open, yes.
I understand it to be some anti-spoofing feature of FW to protect it from internal network.
anti-spoofing acts on source, not on destination addresses. There is nothing like "spoofing destination addresses" :)
I surely can access my website with internal IP, but I want to test how it will be accessed from outside.
You may use a TCP Relay, a Port Forwarder or a transparent proxy. I would suggest a Port Forwarder.
too, as it is probably nonsense anyway. Also, how can I get the internal network to ping the firewall box from outside???
Add logging and see what gets dropped and adjust the rules.
FW_FORWARD_MASQ="0/0,192.168.0.4,tcp,80" Yet I cannot access my website by dyn domain from internal network (what may be related to previous problem).
Maybe the firewall drops this still. oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
Hi Steffen, --- Steffen Dettmer <steffen@dett.de> wrote:
dial-up from provider. I'm running inetd in its standard configuration on router. Why that?! I just thought there is some socket service that I need to have listening when connecting to the web server from outside, but I actually have no deep knowledge about networking and so I try around. I surely think there's no need for inetd.
ping everything outside, I cannot ping this dyn IP nor my domain (translated to correct IP) from my internal, masqueraded network. The external IP of your router? Then it's probably dropped by the firewall. Sure it gets dropped. I can see SuSE-FW-NO_ACCESS_INT->FWEXT entry in my logfile for everything I send to the dynamic IP from internal network. As I could not find it documented anywhere in net, I can only think it is a feature of this FW filtering. Although no protection from internal network is turned on, the firewall is protected indeed against all the communication that accesses the IP dynamically set to ppp0 interface. I'm not sure if it is a measure for some kind of spoofed packets that get through the firewall from outside even when they should not and then get mirrored/forwarded by internal network, as the only known public IP is the dynamic one from provider but internal network ought to have no knowledge about the masquerading going on the router for connections to outside world. I cannot comprehend it, but I just want it to disappear. Yet I'm afraid it's built in too deep in FW2 so it is hardly possible to get rid of it. Nevertheless, I think I'm not the first one in the universe to be bothered with it, so I better ask.
Pinging from router works fine. "lo" device it usually open, yes. So there must be a rule that recognizes the communication to dynamically assigned IP, going from router, in fact as loopback and doesn't put any limitations to it? Or it doesn't reach the FW at all?
anti-spoofing acts on source, not on destination addresses. There is nothing like "spoofing destination addresses" :) Yes, but as I tried to explain already, it is apparently not allowed by design of SuSE FW2 for some undocumented security reasons. I'm not able to guess which.
You may use a TCP Relay, a Port Forwarder or a transparent proxy. I would suggest a Port Forwarder. Thanks, I will try to find something usable. Still, I think there has to be a possibility to do it with iptables of 2.4 kernel, not using ipchains at all, but the great majority of info in the web describes ipchains or uses sophisticated user-friendlier tools to cover up the complexity of iptables. I just hoped the SuSE80 built-in FW2 is everything I need for my configuration. I don't feel like writing packet filtering of my own from scratch to suit my needs, I want to rely on the work already done by SuSE developers. Am I wrong with this assumption?
Add logging and see what gets dropped and adjust the rules. As said, I see the logging, but I don't want to deactivate SuSE FW2 if I am not sure there is no easy workaround possible using just its configuration. If I write some rules of my own, flushing or rewriting what's in /sbin/SuSEfirewall, I could as well build it from start. I strongly believe my aimed configuration is nothing unusual and there must be someone out there who already went through this crap.
Maybe the firewall drops this still. Trying to access the Apache using the public IP from provider launched at router alone behaves as if there were no masqueraded port forwarding at all. As I don't start the Apache on router, the response from browser is it cannot connect to this host - the port 80 is not open. No entry from FW2 is logged. Repeating, from internal network, packets get dropped by FW2 and timeout occurs. I would say, the FW2 works in parts as it was designed, but promises given in its configuration comments are not fulfilled. I cannot override the defense against accessing the ppp0 through its IP address from internal network using FW_TRUSTED_NETS and I cannot do port forwarding to internal network using reverse masquerading with FW_FORWARD_MASQ. To me, it seems like masquerading and protection of home network for small users is working very user-friendly in professional SuSE distribution available almost at supermarkets, but any features going outside this scope are simply ignored. I would say, I've spent too much time to ponder about it, instead I could better try to get Debian running, where the documentation is readily available. But by tomorrow I have to have the configuration working. Just because of this dreaded router I've lost almost weeks. The whole infrastructure including mail server, secured FTP with access to user and public webspace and knowledge base, public sites and intranet applications utilizing PHP, Python in several open-source projects, advanced configuration of web server to business model also using unique connections to several J2EE applications, CVS server with automatic propagation of changes, mSQL, MySQL and PostgreSQL as backend, Web Services, LDAP and even tunnels for VPN (Samba, NFS, video-conferencing, cryptography in Mandrake, RedHat and W2K), everything secured out - that was all a piece of cake compared to getting the access to it from Internet using dynamically assigned IP from my DSL ISP through SuSE80 Firewall2.
Either I am too dumb to understand the SuSE concepts or I was cheated by features they seemingly provide. I can achieve wonderful things in my home network, but as soon as I want to make it public, everything breaks apart. I'm a programmer, not administrator and I don't want to study yet more sources to get a, in my eyes, very primitive and usual networking scenario working. I planned one day to establish it with SuSE80, but now, after almost two weeks, I'm not progressing a bit. Excuse my babbling, but I am desperate.
Peter.
On Sunday 01 December 2002 14:44, Steffen Dettmer wrote:
* Using SuSE wrote on Sat, Nov 30, 2002 at 19:20 -0800:
First, I was intrigued by the fact that although I can ping everything outside, I cannot ping this dyn IP nor my domain (translated to correct IP) from my internal, masqueraded network.
<snip>
I understand it to be some anti-spoofing feature of FW to protect it from internal network.
anti-spoofing acts on source, not on destination addresses. There is nothing like "spoofing destination addresses" :)
The spoofing that SuSE applies blocks all internal IP addresses from being able to access the external IP address of the server, regardless of the fact that they are received from inside. At least this is what I have seen from SuSEfirewall2. I noticed the anti-spoofing info in my logs and finally found something that works for me, though I can't guarantee how safe this is. From what I can tell this should allow my internal computers to access the external interface using their IPs, but the outer spoofing would still be blocked as it is coming from the external and not the internal interface. This is from SuSE 8.1, so the filename or directories may be different for you.

I edited the /etc/sysconfig/SuSEfirewall2 first and at the bottom added a filename into the FW_CUSTOMRULES line pointing to the SuSEfirewall2-custom (I also moved this into the main /etc/sysconfig directory from the /etc/sysconfig/scripts directory as it is easier to find that way.)

FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom"

In this file I added two lines. The first line I added at the top after the comments:

EXT_IP=`ifconfig | grep -A 1 ppp0 | grep inet | awk '{ print $2 }' | awk -F : '{ print $2 }'`

This all being on one line. This is a quick script that I threw together to pull the IP address from the external interface. There is also the possibility of accessing this via the route command, however that does not give me my actual IP. And the second line that I add is in the fw_custom_before_antispoofing() section:

iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d $EXT_IP -j ACCEPT

This will allow all input from eth0 (the ethernet card for my internal network) with IP addresses in the 192.168.1.0 network to access the external IP address. Now this has been working nicely for me, however if anyone has some more suggestions on what might work better please let me know.
Hope that might help someone because I haven't really seen any information on accessing the external ip with the SuSEfirewall2 from the internal network (other than people saying it isn't good because of spoofing...) Justin T
Hello Justin, --- "Justin T." <justint@gmx.net> wrote:
The spoofing that SuSE applies blocks all internal ip addresses from being able to access the external IP address of the server, regardless of the fact that they are received from inside. At least this is what I have seen from SuSEfirewall2. I would suspect such a feature already got some excitement around here, but I'm not able to find references to it anywhere, as the SuSE mailing list archives on their own are not indexed and for worldwide (meta)search I'm probably missing proper keywords.
be blocked as it is coming from the external and not the internal interface. Then I would ask why not allow internal masqueraded network to access router with no limitations in general configuration of FW2 for great majority of home users who are in control? Is the reason for it to be protected from malicious employees in small company networks?
FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom" EXT_IP=`ifconfig | grep -A 1 ppp0 | grep inet | awk '{ print $2 }' | awk -F : '{ print $2 }'` possibility of accessing this via the route command, however that does not give me my actual IP. You mean according to your way it is also suitable in the situation when the IP from DSL provider changes because the network disconnects after some time and a new IP is provided on dial-in?
And the second line that I add is in the fw_custom_before_antispoofing() section: iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d $EXT_IP -j ACCEPT Thanks, I will surely try it out right now and report.
suggestions on what might work better please let me know. Me too. Nevertheless, I am happy to get it working at least as you did.
really seen any information on accessing the external ip with the SuSEfirewall2 from the internal network (other than people saying it isn't good because of spoofing...) Same for me, but I think something like that is good to have.
Time flies, Peter.
Heya :) On Sunday 01 December 2002 23:01, Using SuSE wrote:
Hello Justin,
--- "Justin T." <justint@gmx.net> wrote:
The spoofing that SuSE applies blocks all internal ip addresses from being able to access the external IP address of the server, regardless of the fact that they are received from inside. At least this is what I have seen from SuSEfirewall2.
I would suspect such a feature already got some excitement around here, but I'm not able to find references to it anywhere, as the SuSE mailing list archives on their own are not indexed and for worldwide (meta)search I'm probably missing proper keywords.
I guess that might be why I couldn't really find anything on this then.
be blocked as it is coming from the external and not the internal interface.
Then I would ask why not allow internal masqueraded network to access router with no limitations in general configuration of FW2 for great majority of home users who are in control? Is the reason for it to be protected from malicious employees in small company networks?
On most firewalls when you tell them that the internal net is trusted then it will do that and allow them full control. I'm not sure why SuSE doesn't allow this, though I can see if it is set to be used in a more office environment, but for a general home network or trusted office this really can cause some problems.
FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom" EXT_IP=`ifconfig | grep -A 1 ppp0 | grep inet | awk '{ print $2 }' | awk -F : '{ print $2 }'` possibility of accessing this via the route command, however that does not give me my actual IP.
You mean according to your way it is also suitable in the situation when the IP from DSL provider changes because the network disconnects after some time and a new IP is provided on dial-in?
Yup. It takes the external IP address that is given by the ISP and uses it, so that won't be a problem (I had seen some setups, but they were all for static IPs, this one however is good for dynamic IPs.)
And the second line that I add is in the fw_custom_before_antispoofing() section: iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d $EXT_IP -j ACCEPT
Thanks, I will surely try it out right now and report.
I hope it helps, even if it doesn't work, maybe it is a step in the right direction. Justin T
On Sunday 01 December 2002 23.15, Justin T. wrote:
Yup. It takes the external IP address that is given by the ISP and uses it, so that won't be a problem (I had seen some setups, but they were all for static IPs, this one however is good for dynamic IPs.)
Why do you have the target IP in the rule at all? Why not just iptables -I INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT ?
Hello, On Sunday 01 December 2002 23:39, Anders Johansson wrote:
On Sunday 01 December 2002 23.15, Justin T. wrote:
Yup. It takes the external IP address that is given by the ISP and uses it, so that won't be a problem (I had seen some setups, but they were all for static IPs, this one however is good for dynamic IPs.)
Why do you have the target IP in the rule at all? Why not just
iptables -I INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
Hmmm.... Like I said, I'm not a firewall expert, just someone who found something and warped it to his needs. As for this I tried and it works fine with the destination. Thanks :) That would be something that would be nice to have in the comments on the Custom firewall config page. Justin T
--- "Justin T." <justint@gmx.net> wrote:
Yup. It takes the external IP address that is Why not just iptables -I INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT tried and it works fine with the destination. Thanks :) That would be something that would be nice to have in the comments on the Custom firewall config page.
Both solutions work, thanks guys. I also tried to add ',icmp', ',tcp,80' (and other ports I need) after the source internal IP netmask to restrict it little bit only to services I really need. And yes, it would be nice to have this hack listed in custom conf file. Peter.
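Added example (not from any poster in the thread): it derives the ppp0 address from ifconfig output the way Justin's line does, emits the LAN-to-public-IP rule narrowed to ICMP and TCP/80 as Peter ended up doing, and adds the hairpin NAT rules that explain why Peter's FW_FORWARD_MASQ forward could not be reached from the LAN or from the router itself (a plain PREROUTING DNAT only serves Internet clients). Interface names, the 192.168.0.0/24 network, the 192.168.0.4 server and the sample ifconfig text are assumed or constructed; the functions print the iptables commands instead of loading them.

```shell
#!/bin/sh
# Constructed ifconfig-style output (203.0.113.x is a documentation range).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255'

# Print the IPv4 address of interface $1 from ifconfig output on stdin.
# Keys on the interface's own block instead of "grep -A 1 ppp0", so it
# still works when the "inet addr:" line is not the very next line.
ext_ip_from_ifconfig() {
    awk -v ifc="$1" '
        $1 == ifc { inblock = 1; next }
        /^[^ ]/   { inblock = 0 }
        inblock && /inet addr:/ {
            sub(/.*inet addr:/, ""); sub(/ .*/, ""); print; exit
        }'
}

# Rules for fw_custom_before_antispoofing(): $1 = LAN interface,
# $2 = LAN network, $3 = public IP. Narrower than a blanket ACCEPT:
# only echo requests and HTTP from the LAN may reach the public address.
lan_to_ext_ip_rules() {
    echo "iptables -A INPUT -i $1 -s $2 -d $3 -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -A INPUT -i $1 -s $2 -d $3 -p tcp --dport 80 -j ACCEPT"
}

# Hairpin NAT for "forward public:$6 to internal server $5".
# $1 = external if, $2 = LAN if, $3 = LAN net, $4 = public IP.
hairpin_rules() {
    # Internet clients: plain DNAT on the external interface.
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp --dport $6 -j DNAT --to-destination $5:$6"
    # LAN clients using the public address: DNAT on the LAN interface...
    echo "iptables -t nat -A PREROUTING -i $2 -d $4 -p tcp --dport $6 -j DNAT --to-destination $5:$6"
    # ...plus source NAT, or the server answers the client directly and the
    # client discards a reply from an address it never contacted.
    echo "iptables -t nat -A POSTROUTING -s $3 -d $5 -p tcp --dport $6 -j MASQUERADE"
    # A browser on the router itself never passes PREROUTING; nat/OUTPUT
    # rewrites locally generated packets instead.
    echo "iptables -t nat -A OUTPUT -d $4 -p tcp --dport $6 -j DNAT --to-destination $5:$6"
    # The redirected packets still have to be admitted by the FORWARD chain.
    echo "iptables -A FORWARD -d $5 -p tcp --dport $6 -j ACCEPT"
}

# Dry run against the constructed sample; on the router, replace the printf
# with `ifconfig` and pipe the printed rules into sh.
EXT_IP=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ext_ip_from_ifconfig ppp0)
lan_to_ext_ip_rules eth0 192.168.0.0/24 "$EXT_IP"
hairpin_rules ppp0 eth0 192.168.0.0/24 "$EXT_IP" 192.168.0.4 80
```

Because ppp0 gets a new address on every dial-in, the rules have to be regenerated after each reconnect, which is why the address is read from the interface rather than hard-coded.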
Justin said,
I guess that might be why I couldn't really find anything on this then. I'm still having about 30 websites found to read on, but I've already went through far more than that and did not find a specific answer.
On most firewalls when you tell them that the internal net is trusted then it will do that and allow them full control. I'm not sure why SuSE doesn't allow this, though I can see if it is set to be used in a more office environment, but for a general home network or trusted office this really can cause some problems. It's alright with me if SuSE chooses this policy, but the documentation should at least mention it is not suitable for more complicated networks, that's all. I'll somehow find how to get through this, but I'm sad when so many others ought to have bad luck trying to figure out what's going on in the same way.
so that won't be a problem (I had seen some setups, but they were all for static IPs, this one however is good for dynamic IPs.) Let me restart my firewall, stop smppd, start it again, register new IP by dynamic DNS and then try to ping. If this succeeds, you made me happy.
I hope it helps, even if it doesn't work, maybe it is a step in the right direction. Thank you again, now I know a little bit more on how to hack on SuSE FW2.
Peter.