SuSE firewall and Elster
Hi List,

I have a problem with our current firewall setup and the German ELSTER tax program: I use SuSE 9.2 on our internet gateway. Right now, any direct traffic from the internal network to the internet is blocked by SuSE firewall and I have squid and postfix running on the gateway to allow web and e-mail traffic. As the elster program uses a proprietary protocol which cannot be fed through a proxy I now have to open the ports 8000 to 8006 which are used by this program for connections from the internal network to the internet. From what I found, this can be done with the iptables commands

iptables -A FORWARD -i $INT -o $EXT -p TCP --dport 8000:8006 \
    -j ACCEPT

and

iptables -A FORWARD -i $EXT -o $INT -m state \
    --state ESTABLISHED,RELATED -p TCP --sport 8000 -j ACCEPT

($INT and $EXT are the internal and external interfaces, respectively.)

So far - so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy. Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose? Is there any better way to get this wonderful piece of software to work?

Thank you for your help!
Jürgen
On Sunday 30 January 2005 10:36, Jürgen Mell wrote:
iptables -A FORWARD -i $INT -o $EXT -p TCP --dport 8000:8006 \
    -j ACCEPT
and
iptables -A FORWARD -i $EXT -o $INT -m state \
    --state ESTABLISHED,RELATED -p TCP --sport 8000 -j ACCEPT

($INT and $EXT are the internal and external interfaces, respectively.)
The second rule only allows established TCP connection packets to pass when they are coming in from port 8000. You should fix this if they will also be coming from other ports in your 8000-8006 range.
So far - so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy. Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose? Is there any better way to get this wonderful piece of software to work?
Yes, and it isn't very complicated.

iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j MASQUERADE

Or, if you have a static IP address on the $EXT interface, you'll be better off with

iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j SNAT --to-source <your static IP address>

This way, when the $EXT link goes down, the connection tracking information is preserved and when it comes back up, TCP connections will continue to function without being broken. But this only works when $EXT gets the same IP address it had before going down; if it doesn't, you'll have to use MASQUERADE.

For inbound packets, connection tracking will do all the magic; the rule in the FORWARD table you set up yourself is all you need for it to work.

-- 
Jure Koren, n.i.
Thank you for your fast reply!

On Sunday 30 January 2005 10:48, Jure Koren wrote:
On Sunday 30 January 2005 10:36, Jürgen Mell wrote:
iptables -A FORWARD -i $INT -o $EXT -p TCP --dport 8000:8006 \
    -j ACCEPT
and
iptables -A FORWARD -i $EXT -o $INT -m state \
    --state ESTABLISHED,RELATED -p TCP --sport 8000 -j ACCEPT

($INT and $EXT are the internal and external interfaces, respectively.)
The second rule only allows established TCP connection packets to pass when they are coming in from port 8000. You should fix this if they will also be coming from other ports in your 8000-8006 range.
Yes, I will correct that.
So far - so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy. Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose? Is there any better way to get this wonderful piece of software to work?
Yes, and it isn't very complicated.
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j MASQUERADE
Or, if you have a static IP address on the $EXT interface, you'll be better off with
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j SNAT --to-source <your static IP address>
This does not work here. I always get

iptables: No chain/target/match by that name

iptables -t nat -n -L shows:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Do you have any idea what is wrong here?

Jürgen
On Sunday 30 January 2005 11:06, Jürgen Mell wrote:
So far - so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy. Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose? Is there any better way to get this wonderful piece of software to work?
Yes, and it isn't very complicated.
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j MASQUERADE
Or, if you have a static IP address on the $EXT interface, you'll be better off with
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j SNAT --to-source <your static IP address>
This does not work here. I always get
iptables: No chain/target/match by that name
Now I have found it: the second command does the trick! If you have an interface with a static IP it seems that you _must_ use this form.

Thank you again!
Jürgen
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j MASQUERADE
Or, if you have a static IP address on the $EXT interface, you'll be better off with
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j SNAT --to-source <your static IP address>
This does not work here. I always get
iptables: No chain/target/match by that name
Now I have found it: the second command does the trick! If you have an interface with a static IP it seems that you _must_ use this form.
"Must" is wrong! You can always use MASQUERADE - maybe the required module is missing (ipt_MASQUERADE AFAIK).
Thank you again!
Jürgen
Christian
-- 
Christian Eisendle mailto:nospam@eisendle.net
Jürgen Mell wrote:
[...] So far - so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy.
Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose? Is there any better way to get this wonderful piece of software to work?
FW_MASQUERADE=yes
FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,8000:8006"

It defeats the whole purpose of your proxy setup as one can run anything at port 8000 though. So it's probably a good idea to further restrict both IP ranges. Maybe elster also works with a socks proxy or can be tricked to use one with socksify.

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
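The FORWARD and NAT rules from Jure's reply, with the --sport range fix and the source/destination narrowing Ludwig recommends, pulled together into one script; this is an added example, not from any post in the thread. The interface names, the LAN range and ELSTER_NET are placeholder assumptions, and the script only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example for the ELSTER case discussed in the thread. Interface
# names, LAN range and ELSTER_NET are placeholders (assumptions); narrow
# ELSTER_NET to the real ELSTER server addresses once you know them.
INT="${INT:-eth0}"                     # internal interface (placeholder)
EXT="${EXT:-eth1}"                     # external interface (placeholder)
LAN="${LAN:-192.168.0.0/24}"           # internal net allowed to use ELSTER
ELSTER_NET="${ELSTER_NET:-0.0.0.0/0}"  # placeholder: restrict to ELSTER hosts
PORTS="8000:8006"                      # ELSTER port range from the thread
STATIC_IP="${STATIC_IP:-}"             # set when $EXT has a fixed address
# Dry run by default: rules are printed, not loaded.
# Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

elster_rules() {
    # Outbound: only from the LAN, only to the ELSTER port range.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -d "$ELSTER_NET" \
        -p tcp --dport "$PORTS" -j ACCEPT
    # Return traffic: match the whole range as --sport (the original rule
    # only matched port 8000) and require an existing connection.
    $IPT -A FORWARD -i "$EXT" -o "$INT" -s "$ELSTER_NET" -d "$LAN" \
        -p tcp --sport "$PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT only these connections; everything else still has to use squid.
    if [ -n "$STATIC_IP" ]; then
        $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -d "$ELSTER_NET" \
            -p tcp --dport "$PORTS" -j SNAT --to-source "$STATIC_IP"
    else
        $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -d "$ELSTER_NET" \
            -p tcp --dport "$PORTS" -j MASQUERADE
    fi
}

elster_rules
```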