On Sunday 30 January 2005 11:17, Jure Koren wrote:
On Sunday 30 January 2005 11:06, Jürgen Mell wrote:
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j SNAT --to-source <your static IP address>
This does not work here. I always get

iptables: No chain/target/match by that name

iptables -t nat -n -L shows:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Do you have any idea what is wrong here?
Can you paste the exact iptables command you entered into the email?
This usually happens when iptables is unable to load the target module into the kernel. SNAT and DNAT targets are part of the ip_conntrack module anyway, but the MASQUERADE target is in a separate module, ipt_MASQUERADE.
Yes, that is the problem. The ipt_MASQUERADE module was not loaded, and the computer was not rebooted after the last automatic kernel update from SuSE. Sorry, this is my fault. But now everything seems to work fine.
Another thing I noted is that your 8000-8006 range is for a specific application that probably only connects to one server (or one remote network). It would be wise to limit the destination of these connections in the forward table to prevent users from using these ports to connect to other servers on the internet. You can do this by adding "-d <your elster server ip network>" to the outgoing FORWARD table entry.
Yes, that's a good idea. Only problem here: there are 5 different servers on 5 IP addresses (on different networks) - and who knows when they will change these addresses. They do not even use host names but have the IPs hard-coded in the software. Sigh. Jürgen
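The rule set the two of them arrive at, as an added example that is not from the thread and not from SuSEfirewall2: the SNAT rule from the original command, the destination-restricted FORWARD rules Jure suggests, one per server because the addresses are hard-coded rather than a single network, and the module loads whose absence produces "No chain/target/match by that name". The interface name, the static address, the LAN range and the five server addresses are placeholders (RFC 5737 documentation ranges); the module names are the 2.4/2.6-era names used in the thread, and newer kernels use nf_conntrack and nf_nat instead. The function prints the commands instead of running them, so the result can be reviewed and then piped to sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables commands for
# the Elster port range 8000-8006: SNAT on the way out, and FORWARD rules
# that only admit the listed server addresses.

EXT="${EXT:-eth1}"                 # external interface (assumed name)
EXT_IP="${EXT_IP:-203.0.113.10}"   # static public address (placeholder)
LAN="${LAN:-192.168.1.0/24}"       # internal network (placeholder)
# Constructed stand-in for the five hard-coded server addresses mentioned in
# the thread; the real ones must be taken from the application itself.
ELSTER_SERVERS="${ELSTER_SERVERS:-198.51.100.11 198.51.100.12 203.0.113.21 203.0.113.22 192.0.2.31}"

# elster_rules EXT EXT_IP LAN "SERVER..." : print the rule set to stdout.
elster_rules() {
    ext="$1"; ext_ip="$2"; lan="$3"; servers="$4"

    # Targets live in kernel modules; if a target's module is not loaded,
    # iptables reports "No chain/target/match by that name" (the diagnosis
    # reached in the thread, where ipt_MASQUERADE had not been loaded after
    # a kernel update). Load everything the rule set needs up front.
    echo "modprobe ip_conntrack"
    echo "modprobe iptable_nat"
    echo "modprobe ipt_MASQUERADE"

    # One ACCEPT per server: the client software only talks to these hosts,
    # so nothing else on the internet is reachable on 8000-8006 from the LAN.
    for s in $servers; do
        echo "iptables -A FORWARD -o $ext -s $lan -d $s -p tcp --dport 8000:8006 -j ACCEPT"
    done

    # Replies from the servers ride on the connection-tracking entry.
    echo "iptables -A FORWARD -i $ext -d $lan -p tcp --sport 8000:8006 -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Anything else on the range is dropped, so the port range cannot be used
    # as a generic outbound channel. Must come after the ACCEPTs above.
    echo "iptables -A FORWARD -o $ext -s $lan -p tcp --dport 8000:8006 -j DROP"

    # Source NAT to the static address, as in the command quoted above,
    # restricted to the LAN so hosts on other interfaces are not rewritten.
    echo "iptables -t nat -A POSTROUTING -o $ext -s $lan -p tcp --dport 8000:8006 -j SNAT --to-source $ext_ip"
}

# Stand-alone use: print the rules for review (pipe to sh as root to apply).
elster_rules "$EXT" "$EXT_IP" "$LAN" "$ELSTER_SERVERS"
```

When the server addresses change, only ELSTER_SERVERS needs editing and the script re-running; the DROP rule is what guarantees that a forgotten or changed address fails closed rather than silently opening the range to the whole internet.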
Not only hard-coded IPs, there is another hole. For verification you need only the Tax-No. and the address (you can find them on every bill) (iX Magazin No. 2, Feb 2005). Who cares. Lars

-----Original Message-----
From: Jürgen Mell [mailto:Juergen.Mell@t-online.de]
Sent: Sunday, 30 January 2005 11:33
To: suse-security@suse.com
Subject: Re: [suse-security] SuSE firewall and Elster
participants (2)
- Juergen.Mell@t-online.de
- l.vaessen@telebel.de