Hello,
I have a problem, which, at first look is handled by the FAQ, but the answer
there ist for Kernel 2.2
The Situation is like this.
I have a externel, fixed ip (193.254.21.55 @ eth0), (internal 192.168.2.1 @
eth1)and i am masqerading (nat) the lan (192.168.2/24) wich was my basic
need and wich was easy to enable with SuSE 8.0 and SuSEFirewall2
(assistant).
There is a W2k system with behind the firewall (192.168.2.2) for which i
want to set a destination nat.
Below I included my configuration files, with whom I did several tries, but
nothing worked.
Now to see is the version, wich should work as the comments in
/etc/sysconfig/SuSEfirewall2 suggest. It didn't worked, so I took the
FW_FORWARD_MASQ="0/0,192.168.2.2,80" To FW_REDIRECT, It didn't work, so I
tried to do costum iptables seen below, it didn't work, so i tried arround
with the Ports in FW_SERVICES_EXT_TCP.
Now I don't knowany further , where I have to set something strait to get it
to work.
Does anyone have any suggestions?
Greetings, Andreas
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Marc Heuse , 2001
# Please contact me directly if you find bugs.
#
# If you have problems getting this tool configures, please read this file
# carefuly and tTitel bitte Einfügenake also a look into
# -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES !
# -> /usr/share/doc/packages/SuSEfirewall2/FAQ !
# -> /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE !
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 2.1 which is for 2.4 kernels!
#
# ------------------------------------------------------------------------
#
# PLEASE NOTE THE FOLLOWING:
#
# Just by configuring these settings and using the SuSEfirewall2 you are
# not secure per se! There is *not* such a thing you install and hence you
# are safed from all (security) hazards.
#
# To ensure your security, you need also:
#
# * Secure all services you are offering to untrusted networks (internet)
# You can do this by using software which has been designed with
# security in mind (like postfix, apop3d, ssh), setting these up without
# misconfiguration and praying, that they have got really no holes.
# SuSEcompartment can help in most circumstances to reduce the risk.
# * Do not run untrusted software. (philosophical question, can you trust
# SuSE or any other software distributor?)
# * Harden your server(s) with the harden_suse package/script
# * Recompile your kernel with the openwall-linux kernel patch
# (former secure-linux patch, from Solar Designer) www.openwall.com
# * Check the security of your server(s) regulary
# * If you are using this server as a firewall/bastion host to the
internet
# for an internal network, try to run proxy services for everything and
# disable routing on this machine.
# * If you run DNS on the firewall: disable untrusted zone transfers and
# either don't allow access to it from the internet or run it
split-brained.
#
# Good luck!
#
# Yours,
# SuSE Security Team
#
# ------------------------------------------------------------------------
#
# Configuration HELP:
#
# If you have got any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
#
#
# All types have to set enable SuSEfirewall2 in the runlevel editor
#
# If you are a end-user who is NOT connected to two networks (read: you have
# got a single user system and are using a dialup to the internet) you just
# have to configure (all other settings are OK): 2) and maybe 9).
#
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to setup your proxys and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
#
# If this server is a firewall, and should do routing/masquerading between
# the untrusted and the trusted network, you have to reconfigure (all other
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
# 14), 20)
#
# If you want to run a DMZ in either of the above three standard setups, you
# just have to configure *additionally* 4), 9), 12), 13), 17), 19).
#
# If you know what you are doing, you may also change 8), 11), 15), 16)
# and the expert options 19), 20), 21), 22) and 23) at the far end, but you
# should NOT.
#
# If you use diald or ISDN autodialing, you might want to set 17).
#
# To get programs like traceroutes to your firewall to work is a bit tricky,
# you have to set the following options to "yes" : 11 (UDP only), 18 and 19.
#
# Please note that if you use service names, that they exist in
/etc/services.
# There is no service "dns", it's called "domain"; email is called "smtp"
etc.
#
# *Any* routing between interfaces except masquerading requires to set
FW_ROUTE
# to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING !
#
# If you just want to do masquerading without filtering, ignore this script
# and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn):
# iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0
# echo 1 > /proc/sys/net/ipv4/ip_forward
# and additionally the following lines to get at least a minimum of
security:
# iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0
# iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0
# ------------------------------------------------------------------------
#
# 1.)
# Should the Firewall be started?
#
# This setting is done via the links in the /etc/init.d/rc?.d runlevel
# directories, which can be tweaked with a runlevel editor (or manually)
#
# 2.)
# Which is the interface that points to the internet/untrusted networks?
#
# Enter all the network devices here which are untrusted.
#
# Choice: any number of devices, seperated by a space
# e.g. "eth0", "ippp0 ippp1 eth0:1"
#
FW_DEV_EXT="eth0"
#
# 3.)
# Which is the interface that points to the internal network?
#
# Enter all the network devices here which are trusted.
# If you are not connected to a trusted network (e.g. you have just a
# dialup) leave this empty.
#
# Choice: leave empty or any number of devices, seperated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_INT="eth1"
#
# 4.)
# Which is the interface that points to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, seperated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services,
# e.g. WWW, Mail, etc. and hence are at risk from attacks.
# See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
#
# Special note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Choice: leave empty or any number of devices, seperated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_DMZ=""
#
# 5.)
# Should routing between the internet, dmz and internal network be
activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
#
# You need only set this to yes, if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but this is not
# a good idea). This option supersedes IP_FORWARD from
# /etc/sysconfig/network/options
#
# Setting this option one alone doesn't do anything. Either activate
# massquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD to define
# what is allowed to be forwarded!
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ROUTE="yes"
#FW_ROUTE ="no"
#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE
#
# "Masquerading" means that all your internal machines which use services on
# the internet seem to come from your firewall.
# Please note that it is more secure to communicate via proxies to the
# internet than masquerading. This option is required for FW_MASQ_NETS and
# FW_FORWARD_MASQ.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_MASQUERADE="yes"
#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"
#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxys on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Choice: leave empty or any number of hosts/networks seperated by a space.
# Every host/network may get a list of allowed services, otherwise
everything
# is allowed. A target network, protocol and service is appended by a comma
to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.
#
FW_MASQ_NETS="192.168.2.0/24"
#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will be also affected from the
# FW_AUTOPROTECT_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", defaults to "yes"
#
# "yes" is a good choice
FW_PROTECT_FROM_INTERNAL="no"
#
# 8.)
# Do you want to autoprotect all running network services on the firewall?
#
# If set to "yes", all network access to services TCP and UDP on this
machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="no"
#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the
internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall) XXX
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the
internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges seperated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Common: smtp domain
FW_SERVICES_EXT_TCP="https imap ssh"
# Common: domain
FW_SERVICES_EXT_UDP=""
# Common: domain
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""
#
# Common: smtp domain
FW_SERVICES_DMZ_TCP=""
# Common: domain
FW_SERVICES_DMZ_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Common: ssh smtp domain
FW_SERVICES_INT_TCP=""
# Common: domain syslog
FW_SERVICES_INT_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
#
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesnt matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""
#
# 11.)
# How is access allowed to high (unpriviliged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports
("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber
or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXT_UDP ...).
# Please note that with v2.1 "yes" is not mandatory for active FTP from
# the firewall anymore.
#
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
# if not set
#
# Common: "ftp-data", better is "yes" to be sure that everything else works
:-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they wont work!
#
# Set services you are running to "yes", all others to "no", defaults to
"no"
# if not set.
#
FW_SERVICE_AUTODETECT="yes"
# Autodetect the services below when starting
#
# If you are running bind/named set to yes. Remember that you have to open
# port 53 (or "domain") as udp/tcp to allow incoming queries.
# Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DNS="no"
#
# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"
#
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="no"
#
# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="no"
#
# set to "yes" if this server is running a samba server. You still have to
open
# the tcp port 139 to allow remote access to SAMBA.
FW_SERVICE_SAMBA="no"
#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were assigned to
# you by your ISP. This opens a direct link to your network, so only use
# this option for access to your dmz!!!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forwarding rules, seperated each by a space.
# A forwarding rule consists of 1) source IP/net and 2) destination IP
# seperated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
# Optional is a protocol, seperated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
# Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
#
FW_FORWARD=""
# Beware to use this!
#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP
addesses!
# Hint: if FW_DEV_MASQ is set to the external interface you have to set
# FW_FORWARD from internal to DMZ for the service as well to allow access
# from internal!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver
there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, seperated each by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination IP
# (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
# seperated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
# Optional is a port after the destination port, to redirect the request to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"
#
FW_FORWARD_MASQ="0/0,192.168.2.2,80"
# Beware to use this!
#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, seperated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) protocol (tcp or udp) 3) original destination port and 4) local port to
# redirect the traffic to, seperated by a colon. e.g.:
# "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
FW_REDIRECT=""
#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also the set log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DROP_CRIT="yes"
#
FW_LOG_DROP_ALL="no"
#
FW_LOG_ACCEPT_CRIT="yes"
#
FW_LOG_ACCEPT_ALL="no"
#
# only change/activate this if you know what you are doing!
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix
SuSE-FW"
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_KERNEL_SECURITY="yes"
#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are
still
# connected, you might your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall2 stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choices "yes" or "no", defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"
#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_EXT
#
# Choice: "yes" or "no", defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"
#
FW_ALLOW_PING_DMZ="yes"
#
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking,
however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# be default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT
/etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-weiterleitung"
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Authors: Marc Heuse ,
# Volker Kuhlmann
#
# /etc/sysconfig/scripts/SuSEfirewall2-custom
#
# ------------------------------------------------------------------------
#
# This is file is for SuSEfirewall2 and is an example for using
# the hooks which are supplied to load customized ipchains rules.
#
# THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE ! SO READ CAREFULLY !
# IT IS USEFUL TO CROSS-READ /sbin/SuSEfirewall2 TO SEE HOW HOOKS WORK !
#
# ------------------------------------------------------------------------
fw_custom_before_antispoofing() {
# these rules will be loaded before any anti spoofing rules will be
# loaded. Effectively the only filter lists already effective are
# 1) allow any traffic via the loopback interface, 2) allow DHCP stuff,
# 3) allow SAMBA stuff [2 and 3 only if FW_SERVICE_... are set to "yes"]
# You can use this hook to prevent logging of uninteresting broadcast
# packets or to allow certain packet through the anti-spoofing
mechanism.
#example: allow incoming multicast packets for any routing protocol
#iptables -A INPUT -j ACCEPT -d 224.0.0.0/24
true
}
fw_custom_before_port_handling() { # could also be named
"after_antispoofing()"
# these rules will be loaded after the anti-spoofing and icmp handling
# but before any IP protocol or TCP/UDP port allow/protection rules
# will be set.
# You can use this hook to allow/deny certain IP protocols or TCP/UDP
# ports before the SuSEfirewall2 generated rules are hit.
#example: always filter backorifice/netbus trojan connect requests and log
them.
#for target in LOG DROP; do
# for chain in input_ext input_dmz input_int forward_int forward_ext
forward_dmz; do
# iptables -A $chain -j $target -p tcp --dport 31337
# iptables -A $chain -j $target -p udp --dport 31337
# iptables -A $chain -j $target -p tcp --dport 12345:12346
# iptables -A $chain -j $target -p udp --dport 12345:12346
# done
#done
true
}
fw_custom_before_masq() { # could also be named "after_port_handling()"
# these rules will be loaded after the IP protocol and TCP/UDP port
# handling, but before any IP forwarding (routing), masquerading
# will be done.
# NOTE: reverse masquerading is before directly after
# fw_custom_before_port_handling !!!!
# You can use this hook to ... hmmm ... I'm sure you'll find a use for
# this ...
true
}
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
# these are the rules to be loaded after IP forwarding and masquerading
# but before the logging and deny all section is set by SuSEfirewall2.
# You can use this hook to prevent the logging of annoying packets.
#example: prevent logging of talk requests from anywhere
#for chain in input_ext input_dmz input_int forward_int forward_ext
forward_dmz; do
# iptables -A $chain -j DENY -p udp --dport 517:518
#done
iptables -t nat -A PREROUTING -i eth0 -p tcp \--sport 1024:65535 -d
193.254.21.55 --dport 80 \-j DNAT --to-destination 192.168.2.2
iptables -A FORWARD -i eth0 -o eth1 -p tcp \--sport 1024:65535 -d
192.168.2.2 --dport 80 \-m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 \-m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A FORWARD -i eth0 -o eth1 \-m state --state ESTABLISHED,RELATED -j
ACCEPT
true
}