Virtual IP address on the firewall, the dmz and DNAT / MASQUERADE
Hi, my problem was that I have a box with three interfaces (ext, dmz, int) and many IPs on the ext-interface and one (or more) server in the dmz. At the moment the SuSEfirewall2 (v2.1) on my SuSE 8.0 installation can't do that (look in the TODO file). So I spent some time patching the SuSEfirewall2 script and it works well for me. The patch is very small:
1310c1310,1311 < ERROR=`echo $NETS | $AWK -F, '{print $6}'` ---
DEST=`echo $NETS | $AWK -F, '{print $6}'` ERROR=`echo $NETS | $AWK -F, '{print $7}'` 1337a1339 test -z "$DEST" || DEST="-d $DEST" 1339c1341 < $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1 --to-destination ${NET2}${PORT2} -i $DEV
$IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1 $DEST --to-destination ${NET2}${PORT2} -i $DEV
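Review bot: in the first hunk (1310c1310,1311) the ERROR check moves to field 7, so a stray seventh value is still caught, but a six-field entry whose sixth value is not an address is no longer an error: it lands in DEST and, through the later `-d $DEST`, goes straight onto the iptables command line. Suggest validating $DEST as an IPv4 address (or address/mask) right where it is read, and rejecting the entry otherwise.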
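Review bot: the second hunk (1337a1339) `test -z "$DEST" || DEST="-d $DEST"` depends on the later unquoted $DEST expansion splitting into two words, which is correct here, but it also means a five-field entry silently keeps the old behaviour, a DNAT rule that matches any destination address arriving on $DEV. Since the whole point of the patch is to stop forwarding for the firewall's other addresses, consider at least warning when DEST is empty, or documenting at point 14 of /etc/sysconfig/SuSEfirewall2 that the sixth field is what restricts the rule.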
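Review bot: the third hunk (1339c1341) adds `-d $DEST` only to the PREROUTING DNAT rule; the FORWARD accept rule and the POSTROUTING MASQUERADE rule the script generates for the same FW_FORWARD_MASQ entry are outside this hunk, so check that they key on the same source/destination/port tuple, otherwise the narrowed DNAT rule is the only thing keeping the other addresses on the ext-interface away from ${NET2}${PORT2}. Keeping `-i $DEV` in the rule is right: the destination address alone would also match packets arriving on the dmz or int interfaces.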
Short description:
- edit the test of the arguments of FW_FORWARD_MASQ and add the variable DEST for the IP address on the firewall
- add a line to test the variable DEST; if set, add '-d ' for later use in the iptables command
- edit the iptables command for PREROUTING; added the DEST variable

And point 14 in /etc/sysconfig/SuSEfirewall2 gets a fifth argument: the IP address on which the firewall listens on the ext-interface, e.g. a www-server:

FW_FORWARD_MASQ="0/0,192.168.13.130,tcp,80,80,<public IP adress on ext-interface>"

Warning: With that parameter file you can't start the unpatched SuSEfirewall2 script because it controls how many arguments are given. btw, of course you must configure the public IP address on the firewall-box (/etc/sysconfig/network ...)! I tested this config but maybe there are some points I can't see with my config... Comments are welcome... Greetings Kai
Kai-H. Weutzing
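As an added example (not the author's patch and not SuSEfirewall2 code), a POSIX sh function that checks one FW_FORWARD_MASQ entry in the five- or six-field form described above and prints the PREROUTING DNAT rule it maps to, rejecting a wrong field count and a sixth field that is not an address. The flag layout of the printed command, the device name eth0 and the public address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: parse one FW_FORWARD_MASQ entry in the
# patched form and print the PREROUTING DNAT rule it maps to. The iptables
# command is printed only, never executed. Assumed entry layout:
#   source_net,target_ip,protocol,port_on_firewall,port_on_target[,firewall_ip]

# Return 0 if $1 looks like a dotted-quad IPv4 address, optionally with /prefix.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# $1 = entry, $2 = external device. Prints the rule, or prints an error to
# stderr and returns 1 when the entry is malformed.
fw_masq_rule() {
    entry=$1
    dev=$2
    nfields=$(printf '%s\n' "$entry" | awk -F, '{print NF}')
    if [ "$nfields" -ne 5 ] && [ "$nfields" -ne 6 ]; then
        echo "bad field count ($nfields) in: $entry" >&2
        return 1
    fi
    net1=$(printf '%s\n' "$entry" | awk -F, '{print $1}')
    net2=$(printf '%s\n' "$entry" | awk -F, '{print $2}')
    proto=$(printf '%s\n' "$entry" | awk -F, '{print $3}')
    port1=$(printf '%s\n' "$entry" | awk -F, '{print $4}')
    port2=$(printf '%s\n' "$entry" | awk -F, '{print $5}')
    dest=$(printf '%s\n' "$entry" | awk -F, '{print $6}')
    # The sixth field goes straight into "-d", so insist that it is an address.
    if [ -n "$dest" ] && ! is_ipv4 "$dest"; then
        echo "sixth field is not an IPv4 address: $dest" >&2
        return 1
    fi
    # Same idiom as the patch: an empty DEST leaves the rule unrestricted.
    test -z "$dest" || dest="-d $dest"
    printf '%s\n' "iptables -t nat -A PREROUTING -i $dev -p $proto -s $net1 --dport $port1 $dest -j DNAT --to-destination $net2:$port2" | tr -s ' '
}

# Demo with the author's example entry and a constructed public address.
fw_masq_rule "0/0,192.168.13.130,tcp,80,80,203.0.113.10" eth0
```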