[suse-security] WAS Help: Port Forwarding using SuSEfirewall2
Problem solved with much thanks to Nadeem Hassan. Wasn't a port forwarding problem - it's just that FW_MASQ_NETS needs to be set to allow the DNS server in the DMZ to be able to talk to all port numbers or the firewall will drop all return packets to the external querier.

Luke

-----Original Message-----
From: nhasan@nadmm.com [mailto:nhasan@nadmm.com]
Sent: Wednesday, January 02, 2002 1:12 PM
To: Luke Loh
Subject: Re: [suse-security] Help: Port Forwarding using SuSEfirewall2

Good. I guess you wanna post the whole thread to the list too. Someone else may need this in the future :)

Luke Loh wrote:
Nadeem
Thank you for your help:) Yes, the firewall was dropping the reply packets.
I had to explicitly set FW_MASQ_NETS to allow my DNS server to connect to high port numbers in order for the replies to go through:)
Wish I'd thought of this first before assuming it was a pfw problem. Argh.
Again, many thanks.
Luke
-----Original Message-----
From: nhasan@nadmm.com [mailto:nhasan@nadmm.com]
Sent: Wednesday, January 02, 2002 11:36 AM
To: Luke Loh
Subject: Re: [suse-security] Help: Port Forwarding using SuSEfirewall2
Luke Loh wrote:
Nadeem
Thanks for replying. Yes, I'm using the external IP address of my firewall as my DNS IP address. Doesn't seem to work. I assume then that this line is correct?
FW_FORWARD_MASQ="0/0,192.168.1.2,tcp,53 0/0,192.168.1.2,udp,53"
That line looks correct to me.
I don't get much in error logs, all I know is that when I try to do an nslookup using my firewall's external IP address as my server (I use a separate dial-up to test external-to-internal connectivity) I get a timeout.
Looks like a firewall issue. Your firewall seems to be dropping the reply packets. Try running tcpdump on both the EXT and DMZ interfaces to look at what's going through.
Try in one session (for EXT):
# tcpdump -i eth2 host your-dialup-ip
and in another session (for DMZ):
# tcpdump -i eth1 host your-dialup-ip
and then try to run nslookup like before. You should now see what is going on :)
What I did try was to telnet to port 53 to see if it would forward the packet.
From /var/log/firewall:
Jan 2 10:29:48 zeus kernel: SuSE-FW-ACCEPT-REVERSE_MASQ IN=eth2 OUT=eth1 SRC=211.28.77.195 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1075 DF PROTO=TCP SPT=3467 DPT=53 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Does this mean that port forwarding *has* worked and the problem might lie with my DNS server? Which is odd, because it works fine internally, and once it's pfwed it's already a private ip address ...
Thanks again.
Luke
-- Nadeem Hasan nhasan@nadmm.com http://www.nadmm.com/
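The following script is an added example, not code from this thread or from SuSEfirewall2 itself. It encodes the configuration check that Luke's fix amounts to: every DMZ host that FW_FORWARD_MASQ sends traffic to must also have an FW_MASQ_NETS entry that lets it originate traffic to any destination and any port, otherwise the answers it sends back to the client's high-numbered source port are dropped. It assumes (an assumption, since the thread only shows the syntax for FW_FORWARD_MASQ) that FW_MASQ_NETS uses the same space-separated `source,destination,protocol,port` entry form, that `0/0` or an empty field means "any", and that an empty port field means "any port". The broken and fixed sample configurations are constructed; the FW_FORWARD_MASQ line is the one from the thread.

```python
"""Spot the mistake from the thread: a DMZ host is forwarded to via
FW_FORWARD_MASQ, but FW_MASQ_NETS only lets it talk to a fixed port, so the
replies it sends back to the client's ephemeral port are dropped.

Added example, not SuSEfirewall2's own parser. Assumed entry syntax for both
variables: space-separated items of the form
    source_net,dest_net[,protocol[,port]]
where "0/0" (or an empty field) means "any" and an empty port means "any port".
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_entries(value):
    """Split a space-separated SuSEfirewall2 list into 4-field tuples."""
    entries = []
    for item in value.split():
        fields = item.split(",")
        fields += [""] * (4 - len(fields))      # pad missing trailing fields
        entries.append(tuple(fields[:4]))
    return entries


def to_network(spec):
    """Translate a config network spec into an ip_network; '0/0' means any."""
    if spec in ("", "0/0"):
        return ANY_NET
    return ipaddress.ip_network(spec, strict=False)   # bare host -> /32


def allows_any_port(entry, host, proto):
    """Does this FW_MASQ_NETS entry let `host` originate `proto` traffic to
    any destination address and any destination port?"""
    src, dst, m_proto, m_port = entry
    return (
        host in to_network(src)
        and to_network(dst) == ANY_NET       # replies go back to arbitrary clients
        and m_proto in ("", proto)
        and m_port == ""                     # a fixed port blocks replies to ephemeral ports
    )


def check_forward_masq(fw_forward_masq, fw_masq_nets):
    """Return one finding per FW_FORWARD_MASQ target that FW_MASQ_NETS does
    not allow to answer on arbitrary ports. An empty list means the two
    variables are consistent."""
    masq_entries = parse_entries(fw_masq_nets)
    findings = []
    for _src, dst, proto, port in parse_entries(fw_forward_masq):
        host = ipaddress.ip_address(dst)
        if not any(allows_any_port(e, host, proto) for e in masq_entries):
            findings.append(
                f"{dst} {proto}/{port}: forwarded in, but FW_MASQ_NETS has no "
                f"entry letting {dst} send {proto} to any port"
            )
    return findings


# Sample configurations (the FW_FORWARD_MASQ line is the one from the thread;
# the two FW_MASQ_NETS values are constructed).
FW_FORWARD_MASQ = "0/0,192.168.1.2,tcp,53 0/0,192.168.1.2,udp,53"
# Broken: the DNS server may only originate traffic to port 53, so its answers
# to a client's high source port are dropped (the symptom in the thread).
FW_MASQ_NETS_BROKEN = "192.168.1.2,0/0,tcp,53 192.168.1.2,0/0,udp,53"
# Fixed: the DNS server may talk to any host and any port.
FW_MASQ_NETS_FIXED = "192.168.1.2"

if __name__ == "__main__":
    for label, masq in (("broken", FW_MASQ_NETS_BROKEN), ("fixed", FW_MASQ_NETS_FIXED)):
        problems = check_forward_masq(FW_FORWARD_MASQ, masq)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  " + p)
```

Running it reports two problems for the broken value (one per forwarded protocol) and none for the fixed one. The check is deliberately strict about the destination field: the DNS server answers whoever asked, so an FW_MASQ_NETS entry that pins the destination to one network would not cover an arbitrary external querier either.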