[opensuse] Public IP Webserver behind SuSEfirewall2 & FW_MASQUERADE
Hi all,

I am setting up a SuSEfirewall2. I need external access to the internal/dmz for one specific machine and port.

I read all I could find about using FW_FORWARD_MASQ="0/0,192.168.0.10,tcp,80 0/0,192.168.0.10,icmp,80" (also needing FW_ROUTE="yes" and FW_MASQUERADE="yes").

I can ping the firewall IP on both NICs (e.g. 192.168.0.1 internal NIC and 192.168.176.1 external NIC) from external IP 192.168.176.10.

I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10.

I have the same problem on another FW for internet access on a web server with private IP in the dmz.

What am I missing in the SuSEfirewall2 config?

TIA
Al

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Sunday 19 April 2009 16:42:31 LLLActive@GMX.Net wrote:
> Hi all,
> I am setting up a SuSEfirewall2. I need external access to the internal/dmz for one specific machine and port.
> I read all I could find about using FW_FORWARD_MASQ="0/0,192.168.0.10,tcp,80 0/0,192.168.0.10,icmp,80"

icmp doesn't know about ports, so the second part of this is wrong.

> (also needing FW_ROUTE="yes" and FW_MASQUERADE="yes").
> I can ping the firewall IP on both NICs (e.g. 192.168.0.1 internal NIC and 192.168.176.1 external NIC) from external IP 192.168.176.10

192.168.176.1 and 192.168.176.10 are invalid "external" IP addresses. The 192.168.x.x network is reserved for internal use and may not be routed on the internet.

> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10
> I have the same problem on another FW for internet access on a web server with private IP in the dmz.
> What am I missing in the SuSEfirewall2 config?

In principle what you're doing should work, but you have to use real addresses on the internet side.

Anders
Anders Johansson wrote:
> On Sunday 19 April 2009 16:42:31 LLLActive@GMX.Net wrote:
>> Hi all,
>> I am setting up a SuSEfirewall2. I need external access to the internal/dmz for one specific machine and port.
>> I read all I could find about using FW_FORWARD_MASQ="0/0,192.168.0.10,tcp,80 0/0,192.168.0.10,icmp,80"
>
> icmp doesn't know about ports, so the second part of this is wrong.
>
>> (also needing FW_ROUTE="yes" and FW_MASQUERADE="yes").
>> I can ping the firewall IP on both NICs (e.g. 192.168.0.1 internal NIC and 192.168.176.1 external NIC) from external IP 192.168.176.10
>
> 192.168.176.1 and 192.168.176.10 are invalid "external" IP addresses. The 192.168.x.x network is reserved for internal use and may not be routed on the internet
>
>> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10
>> I have the same problem on another FW for internet access on a web server with private IP in the dmz.
>> What am I missing in the SuSEfirewall2 config?
>
> In principle what you're doing should work, but you have to use real addresses on the internet side
>
> Anders

I do not have external (public) IPs. The SuSEfirewall allows reverse masquerading with private IPs as far as I read here: http://forgeftp.novell.com/susefirewall2/web/FAQ.html#id2480668 (7. What if my Server has a private IP address, how do I enable external access then?)

:-)
Al
On Sunday 19 April 2009 17:18:45 LLLActive@GMX.Net wrote:
> I do not have external (public) IPs. The SuSEfirewall allows reverse masquerading with private IPs as far as I read here: http://forgeftp.novell.com/susefirewall2/web/FAQ.html#id2480668 (7. What if my Server has a private IP address, how do I enable external access then?)

That item talks about the IP address of your web server, which may be private. But the IP address of your firewall must be reachable. Otherwise no one will be able to access it.

Now, if you only get a private IP address from your ISP, then there is no way that you will ever be able to run a public web server there.

Anders
On Sunday 19 April 2009 16:42:31 LLLActive@GMX.Net wrote:
> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10

btw, if the problem is only with pinging, then note that you can't forward icmp packets at all with SuSEfirewall2.
Anders Johansson wrote:
> On Sunday 19 April 2009 16:42:31 LLLActive@GMX.Net wrote:
>> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10
>
> btw, if the problem is only with pinging, then note that you can't forward icmp packets at all with SuSEfirewall2

I only added icmp for pinging, but actually cannot access a website in the private IP DMZ as described here: http://forgeftp.novell.com/susefirewall2/web/FAQ.html#id2480668 (7. What if my Server has a private IP address, how do I enable external access then?)

icmp will be removed, cause it is wrong in my config (I'm a novice).

:-)
Al
On Sunday 19 April 2009 17:23:42 LLLActive@GMX.Net wrote:
> Anders Johansson wrote:
>> On Sunday 19 April 2009 16:42:31 LLLActive@GMX.Net wrote:
>>> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10
>>
>> btw, if the problem is only with pinging, then note that you can't forward icmp packets at all with SuSEfirewall2
>
> I only added icmp for pinging, but actually cannot access a website in the private IP DMZ as described here:

So you mean that when you try to access the external IP of your firewall with something like http://192.168.176.1/ you get nothing?

Do you get anything in the logs, /var/log/messages or (perhaps more relevant) /var/log/firewall?

Anders
LLLActive@GMX.Net wrote:
> Anders Johansson wrote:
>> On Sunday 19 April 2009 16:42:31 LLLActive@GMX.Net wrote:
>>> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10
>>
>> btw, if the problem is only with pinging, then note that you can't forward icmp packets at all with SuSEfirewall2
>
> I only added icmp for pinging, but actually cannot access a website in the private IP DMZ as described here:
> http://forgeftp.novell.com/susefirewall2/web/FAQ.html#id2480668 (7. What if my Server has a private IP address, how do I enable external access then?)
>
> icmp will be removed, cause it is wrong in my config (I'm a novice).
>
> :-)
> Al

Actually, my problem is as follows:

I have DynDNS to a SuSEfirewall2 running Apache2. I have a webpage on it. I now want to put a link in this webpage to a machine with a private IP in the DMZ, that should open up in a browser.

The other system in the DMZ is a webserver that needs a sql database access for data it presents on the webserver (with a software gateway from the webserver to the database, e.g. used by SAP appserver & Oracle database server and Caché from InterSystems.)

:-)
Al
On Sunday 19 April 2009 17:36:59 LLLActive@GMX.Net wrote:
> Actually, my problem is as follows:
> I have DynDNS to a SuSEfirewall2 running Apache2. I have a webpage on it. I now want to put a link in this webpage to a machine with a private IP in the DMZ, that should open up in a browser.

OK, I think I see your problem.

You can't use the internal IP address in the DMZ from an external machine. What FW_FORWARD_MASQ does is transparently forward requests to internal machines that arrive on the firewall. So with the rule

0/0,192.168.176.10,tcp,80

if you access port 80 on the firewall machine, it will send it on to 192.168.176.10 as if it was handling it itself.

If you have two web servers, one directly on the firewall and the other in the DMZ, then the only way to do this is to use a different port. Say a rule like

0/0,192.168.176.10,tcp,81,80

This will forward requests made to the firewall IP on port 81 to the machine in the DMZ on port 80. Any links you have then will have to be to the firewall machine's port 81.

Anders
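As an added illustration of the FW_FORWARD_MASQ semantics Anders describes (example code written for this thread, not SuSEfirewall2's own code), the script below parses a FW_FORWARD_MASQ value in the 4- or 5-field form used above, explains each entry in terms of the firewall's external IP, and flags the three problems that came up in this thread: a protocol that carries no ports (icmp), an external port that collides with a service the firewall itself runs (Apache on the firewall), and the same external port forwarded twice. The rule layout `<source net>,<forward-to IP>,<protocol>,<port>[,<forward-to port>]`, the `local_ports` argument and the firewall address 192.168.176.1 are assumptions taken from the thread and the FAQ it cites.

```python
"""Parse and sanity-check SuSEfirewall2 FW_FORWARD_MASQ entries.

Added example for this thread, not SuSEfirewall2's own code. The entry
format is assumed to be the one used in the thread and the SuSEfirewall2 FAQ:

    <source net>,<forward-to IP>,<protocol>,<port>[,<forward-to port>]

A matching request arriving on the firewall's *external* IP at <port> is
handed on to <forward-to IP>:<forward-to port> (default: <port>). The
internal address itself is never reachable from outside; only the
firewall's address is.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Only these protocols carry a port number. icmp (and gre, esp, ...) do not,
# so an entry such as "0/0,192.168.0.10,icmp,80" is meaningless.
PORT_PROTOCOLS = frozenset({"tcp", "udp"})
ANYWHERE = ("0/0", "0.0.0.0/0")


@dataclass
class ForwardRule:
    source: str        # who may connect ("0/0" = anyone)
    target: str        # DMZ/internal host that really answers
    protocol: str
    port: int          # port the client uses on the firewall's external IP
    target_port: int   # port the DMZ host listens on
    problems: List[str] = field(default_factory=list)

    def describe(self, firewall_ip: str) -> str:
        """One-line explanation of what the firewall does with this rule."""
        src = "anywhere" if self.source in ANYWHERE else self.source
        return (f"{self.protocol} from {src} to {firewall_ip}:{self.port} "
                f"is forwarded to {self.target}:{self.target_port}")


def _parse_port(text: str) -> int:
    port = int(text)  # raises ValueError on "http", "80:90", ...
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_rule(entry: str,
               local_ports: FrozenSet[Tuple[str, int]] = frozenset()) -> ForwardRule:
    """Parse one whitespace-separated FW_FORWARD_MASQ entry.

    local_ports holds (protocol, port) pairs served by the firewall itself.
    Forwarding the same external port to the DMZ would shadow that service,
    which is why the thread ends up with 81 outside and 80 on the DMZ host.
    """
    fields = entry.split(",")
    if len(fields) not in (4, 5):
        raise ValueError(f"{entry!r}: expected 4 or 5 comma-separated fields")
    source, target, protocol, port_text = fields[:4]
    protocol = protocol.lower()
    problems: List[str] = []

    if source not in ANYWHERE:
        try:
            ipaddress.ip_network(source, strict=False)
        except ValueError:
            problems.append(f"source {source!r} is not a network")
    try:
        ipaddress.ip_address(target)
    except ValueError:
        problems.append(f"forward-to address {target!r} is not an IP address")

    port = target_port = 0
    if protocol not in PORT_PROTOCOLS:
        problems.append(f"{protocol} carries no port number; "
                        "FW_FORWARD_MASQ cannot forward it")
    else:
        try:
            port = _parse_port(port_text)
            target_port = _parse_port(fields[4]) if len(fields) == 5 else port
        except ValueError as exc:
            problems.append(f"bad port: {exc}")
        if (protocol, port) in local_ports:
            problems.append(f"{port}/{protocol} is served by the firewall itself; "
                            f"use another external port, e.g. ...,{protocol},{port + 1},{target_port}")
    return ForwardRule(source, target, protocol, port, target_port, problems)


def parse_forward_masq(value: str,
                       local_ports: FrozenSet[Tuple[str, int]] = frozenset()) -> List[ForwardRule]:
    """Parse a whole FW_FORWARD_MASQ value and flag external ports used twice."""
    rules = [parse_rule(entry, local_ports) for entry in value.split()]
    seen: Dict[Tuple[str, int], str] = {}
    for rule in rules:
        key = (rule.protocol, rule.port)
        if rule.port and key in seen:
            rule.problems.append(f"{rule.port}/{rule.protocol} already forwarded to {seen[key]}")
        elif rule.port:
            seen[key] = rule.target
    return rules


if __name__ == "__main__":
    # Constructed input: the poster's original value, then Anders's suggestion,
    # checked against a firewall that runs its own Apache on 80/tcp.
    for value in ("0/0,192.168.0.10,tcp,80 0/0,192.168.0.10,icmp,80",
                  "0/0,192.168.0.10,tcp,81,80"):
        print(f'FW_FORWARD_MASQ="{value}"')
        for rule in parse_forward_masq(value, frozenset({("tcp", 80)})):
            print("  " + rule.describe("192.168.176.1"))
            for problem in rule.problems:
                print("    !! " + problem)
```

Run against the original value, the first entry is flagged because port 80 on the firewall already belongs to the firewall's own Apache, and the icmp entry is flagged as unforwardable; the 81,80 form passes cleanly and is described as "tcp from anywhere to 192.168.176.1:81 is forwarded to 192.168.0.10:80", which is exactly the URL a link on the firewall's web page would have to use.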
Anders Johansson wrote:
> On Sunday 19 April 2009 17:36:59 LLLActive@GMX.Net wrote:
>> Actually, my problem is as follows:
>> I have DynDNS to a SuSEfirewall2 running Apache2. I have a webpage on it. I now want to put a link in this webpage to a machine with a private IP in the DMZ, that should open up in a browser.
>
> OK, I think I see your problem.
>
> You can't use the internal IP address in the DMZ from an external machine. What FW_FORWARD_MASQ does is transparently forward requests to internal machines that arrive on the firewall. So with the rule
>
> 0/0,192.168.176.10,tcp,80
>
> if you access port 80 on the firewall machine, it will send it on to 192.168.176.10 as if it was handling it itself.
>
> If you have two web servers, one directly on the firewall and the other in the DMZ, then the only way to do this is to use a different port. Say a rule like
>
> 0/0,192.168.176.10,tcp,81,80
>
> This will forward requests made to the firewall IP on port 81 to the machine in the DMZ on port 80. Any links you have then will have to be to the firewall machine's port 81
>
> Anders

OK, looks like what I need. I take it I can direct the requests to the DynDNS firewall port 80 to the webserver in the DMZ on port 81 with

0/0,192.168.176.10,tcp,80,81

This can also be done with the webserver in the DMZ wanting the data (through its own gateway) over the internal network firewall (asking at port 1927) to be directed to the private IP 192.168.0.10 on port 1972?

:-?
Al
LLLActive@GMX.Net wrote:
> LLLActive@GMX.Net wrote:
>> Anders Johansson wrote:
>>> On Sunday 19 April 2009 16:42:31 LLLActive@GMX.Net wrote:
>>>> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10
>>>
>>> btw, if the problem is only with pinging, then note that you can't forward icmp packets at all with SuSEfirewall2
>>
>> I only added icmp for pinging, but actually cannot access a website in the private IP DMZ as described here:
>> http://forgeftp.novell.com/susefirewall2/web/FAQ.html#id2480668 (7. What if my Server has a private IP address, how do I enable external access then?)
>>
>> icmp will be removed, cause it is wrong in my config (I'm a novice).
>>
>> :-)
>> Al
>
> Actually, my problem is as follows:
>
> I have DynDNS to a SuSEfirewall2 running Apache2. I have a webpage on it. I now want to put a link in this webpage to a machine with a private IP in the DMZ, that should open up in a browser.
>
> The other system in the DMZ is a webserver that needs a sql database access - over the internal firewall in the private network - It's a 2 firewall machine setup with a dmz between them - for data it presents on the webserver (with a software gateway from the webserver to the database, e.g. used by SAP appserver & Oracle database server and Caché from InterSystems.)
>
> :-)
> Al

your reply:

Anders Johansson wrote:
> So you mean that when you try to access the external IP of your firewall with something like http://192.168.176.1/ you get nothing?

no, I ping from the external firewall to the internal firewall's internal NIC. That works, but not the machines on the same side as the NIC.

> Do you get anything in the logs, /var/log/messages or (perhaps more relevant) /var/log/firewall

I had a look with verbose protocolling on. Nothing about dropping anything.

> Anders

Thanx,
Al
On Sunday 19 April 2009 17:49:10 LLLActive@GMX.Net wrote:
>> So you mean that when you try to access the external IP of your firewall with something like http://192.168.176.1/ you get nothing?
>
> no, I ping from the external firewall to the internal firewall's internal NIC. That works, but not the machines on the same side as the NIC.

As I said, you can't use ping. Try using actual http requests to try things out instead.

You cannot access the internal machine's IP addresses directly. This is not how FW_FORWARD_MASQ works. Everything you do is with the external IP of the firewall machine.

Anders
Anders Johansson wrote:
> On Sunday 19 April 2009 17:49:10 LLLActive@GMX.Net wrote:
>>> So you mean that when you try to access the external IP of your firewall with something like http://192.168.176.1/ you get nothing?
>>
>> no, I ping from the external firewall to the internal firewall's internal NIC. That works, but not the machines on the same side as the NIC.
>
> As I said, you can't use ping.
> Try using actual http requests to try things out instead.

OK, I will just set up the ports as you suggest and try with http.

> You cannot access the internal machine's IP addresses directly. This is not how FW_FORWARD_MASQ works. Everything you do is with the external IP of the firewall machine
>
> Anders

Not sure how the database gateway works with its requests. In the setup it uses the IP and Port with some authentication (if needed). Will have to do that when the webserver port redirect works.

:-)
Al
LLLActive@GMX.Net wrote:
> Hi all,
> I am setting up a SuSEfirewall2. I need external access to the internal/dmz for one specific machine and port.
> I read all I could find about using FW_FORWARD_MASQ="0/0,192.168.0.10,tcp,80 0/0,192.168.0.10,icmp,80" (also needing FW_ROUTE="yes" and FW_MASQUERADE="yes").
> I can ping the firewall IP on both NICs (e.g. 192.168.0.1 internal NIC and 192.168.176.1 external NIC) from external IP 192.168.176.10
> I cannot ping the internal machines (e.g. 192.168.0.10) from 192.168.176.10
> I have the same problem on another FW for internet access on a web server with private IP in the dmz.
> What am I missing in the SuSEfirewall2 config?
> TIA Al

Uh, how are you getting your internet? If you have a router, why not just set the WAN IP as the public IP, and then configure the port forwarding to forward ports 80 & 443 to the machine in question. That way all addresses inside the router are local/internal IPs. On your apache box, I would still configure your NIC on an "external zone" as far as SuSEFirewall2 is concerned and allow only ssh and http and https access. The router gets around all the internal/external problems you are dealing with. I run a setup like this:

                 WAN/Public IP
                       |
                       |
   internet router     | <--------->[66.76.63.120]
                       |
   LAN/Private IP      | Gateway IP
   (192.168.0.0/24)    | [192.168.0.13]
                       |
                       |                  ______________
                       |     port 80     |              |
                       |--------+------->|   Apache2    |
                       |     port 443    |   Server     |
                       |--------+------->|              |
                       |                 |              |
                       |                  --------------
                       |

If you don't have a configurable router $40 goes a long way...

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
participants (3)
- Anders Johansson
- David C. Rankin
- LLLActive@GMX.Net