SuSEfirewall2 and Reverse Masq HELP !
I want to reverse masquerade on port 25 from the internet to a DMZ address. The problem is when I reverse masquerade to the DMZ, it appears to connect (SuSE-FW-ACCEPT-REVERSE-MASQ) but nothing happens (there is a postfix box running on the DMZ). If I make the reverse-masq to something on the internal network, it connects no problem, anything on the DMZ does not and no failures in syslog. What am I missing here? I am running SuSE 7.3 and iptables 1.2.8.

Below is my firewall2.rc.config:

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="xxx.xx.x.x/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="123 25"
FW_SERVICES_EXT_UDP="123"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="25"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="22 123 25 10000"
FW_SERVICES_INT_UDP="123"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="xxx.xx.x.x/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,y.y.y.y,tcp,25"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INT="yes"
# END of rc.firewall
#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="yes"
On Mon, 15 Sep 2003, Chris de Orla wrote:
> I want to reverse masquerade on port 25 from the internet to a DMZ address.
> [...]
> If I make the reverse-masq to something on the internal network, it connects no problem, anything on the DMZ does not and no failures in syslog.
> What am I missing here?
> I am running SuSE 7.3 and iptables 1.2.8
> Below is my firewall2.rc.config:
>
> FW_DEV_EXT="eth1"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ="eth2"

eth2: Is it a private net-address? (e.g. 192.168.0.1 = yyy.yyy.yyy.yyy)

> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="xxx.xx.x.x/24"

I assume xxx.xxx.xxx.xxx is your private LAN net-address? (e.g. 192.168.1.1) You should include yyy.yyy.yyy.yyy/aa or at least the ports the DMZ should reach in the internet.

> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="123 25"
                           ^^^^
You don't need this, because the service (smtpd) is not running on the firewall.

> FW_SERVICES_EXT_UDP="123"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP="25"
                       ^^^^
Here the same. You don't need this.

> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="22 123 25 10000"
                              ^^^^
And again.

> FW_SERVICES_INT_UDP="123"
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS="xxx.xx.x.x/24"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD=""

Here you have to put in the services which should be routed from LAN to DMZ (in general packets from private network to private network or from official IPs to official IPs which don't need NAT or DNAT).

> FW_FORWARD_MASQ="0/0,y.y.y.y,tcp,25"

This should be ok, if y.y.y.y is a private IP-address in the DMZ. All the FW_*_*-parameters are just for this case, if the services are running _ON_ the firewall.

> #
> #-------------------------------------------------------------------------#
> #                                                                         #
> # EXPERT OPTIONS - all others please don't change these!                  #
> #                                                                         #
> #-------------------------------------------------------------------------#
> #
> [...]

Best regards,
Thomas Schweiger
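As an added check (not part of the thread, and not SuSEfirewall2's own code), the script below parses a firewall2.rc.config in the style posted above and reports the points Thomas raises for each FW_FORWARD_MASQ rule: whether the DNAT target is a private address, whether it is covered by FW_MASQ_NETS, and whether the forwarded port is redundantly listed in an FW_SERVICES_*_TCP variable (which only opens ports on the firewall itself). The sample config is constructed, with RFC 1918 addresses standing in for the x/y placeholders.

```python
import ipaddress
import re

# Constructed sample in the style of the posted firewall2.rc.config; the x/y
# placeholders of the thread are replaced by RFC 1918 addresses for this example.
SAMPLE_CONFIG = '''
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth2"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="123 25"
FW_SERVICES_DMZ_TCP="25"
FW_SERVICES_INT_TCP="22 123 25 10000"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.2.10,tcp,25"
# comment lines like this one are ignored by the parser
'''

def parse_config(text):
    """Collect FW_*="value" assignments; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(FW_[A-Z0-9_]+)="([^"]*)"', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def check_forward_masq(cfg):
    """Return one finding string per issue found in the FW_FORWARD_MASQ rules."""
    findings = []
    # FW_MASQ_NETS entries may be "net" or "net,dest,proto,port"; keep the net part
    masq_nets = [ipaddress.ip_network(e.split(",")[0], strict=False)
                 for e in cfg.get("FW_MASQ_NETS", "").split()]
    for rule in cfg.get("FW_FORWARD_MASQ", "").split():
        src, dst, proto, port = rule.split(",")[:4]
        target = ipaddress.ip_address(dst)
        if not target.is_private:
            findings.append(f"{rule}: DNAT target {dst} is not a private address")
        if not any(target in net for net in masq_nets):
            findings.append(f"{rule}: DNAT target {dst} is not covered by FW_MASQ_NETS")
        # FW_SERVICES_*_TCP only opens ports on the firewall itself, so a port
        # that is forwarded to a DMZ host does not belong there
        for var in ("FW_SERVICES_EXT_TCP", "FW_SERVICES_DMZ_TCP", "FW_SERVICES_INT_TCP"):
            if proto == "tcp" and port in cfg.get(var, "").split():
                findings.append(f"{rule}: port {port} also listed in {var}, "
                                "which only matters for services on the firewall")
    return findings

if __name__ == "__main__":
    for finding in check_forward_masq(parse_config(SAMPLE_CONFIG)):
        print("WARN", finding)
```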