I have installed openSUSE 10 on the gateway of a medium-sized network. I want the gateway to be able to do packet forwarding and IP masquerading for only some hosts of the internal network (172.16.0.0/16). In other words, I want to share the internet connection with only those clients that I select. Using ACLs in Squid is not the answer, because I want to control *all* traffic, not only HTTP or FTP. Can this be done using free/open-source software? I am not an advanced net admin, so if the answer involves advanced topics, please try to provide some tutorial links too. Thanks.

- t.
--
cogito, ergo es.
Tathagata Banerjee wrote:
I have installed openSUSE 10 on the gateway of a medium-sized network. I want the gateway to be able to do packet forwarding and IP masquerading for only some hosts of the internal network (172.16.0.0/16). In other words, I want to share the internet connection with only those clients that I select. Using ACLs in Squid is not the answer, because I want to control *all* traffic, not only HTTP or FTP. Can this be done using free/open-source software? I am not an advanced net admin, so if the answer involves advanced topics, please try to provide some tutorial links too. Thanks.
You could filter on IP address. Set up your DHCP server, so that it reserves specific addresses for those computers and block the rest. You could also give those computers a static alias address, which is permitted to pass through the firewall.
James Knott wrote:
I have installed openSUSE 10 on the gateway of a medium-sized network. I want the gateway to be able to do packet forwarding and IP masquerading for only some hosts of the internal network (172.16.0.0/16). In other words, I want to share the internet connection with only those clients that I select. Using ACLs in Squid is not the answer, because I want to control *all* traffic, not only HTTP or FTP. Can this be done using free/open-source software? I am not an advanced net admin, so if the answer involves advanced topics, please try to provide some tutorial links too. Thanks.
You could filter on IP address. Set up your DHCP server, so that it reserves specific addresses for those computers and block the rest.
You could also give those computers a static alias address, which is permitted to pass through the firewall.
Thanks for your answer. DHCP isn't involved in this case: all hosts have static IPs. But DHCP or static, the problem remains the same. You have talked about permitting certain IPs to pass through the firewall. But how exactly do I implement this filtering scheme? What iptables options do I need? What parameters do I add to the SuSEfirewall script? Suppose I want to share the connection with 172.16.0.5 and 172.16.0.10, but not with any other machine on the network. What do I do to implement this? Thanks.

- t.
--
cogito, ergo es.
On 30/03/06 03:28, Tathagata Banerjee wrote:
I have installed openSUSE 10 on the gateway of a medium-sized network. I want the gateway to be able to do packet forwarding and IP masquerading for only some hosts of the internal network (172.16.0.0/16). In other words, I want to share the internet connection with only those clients that I select. Using ACLs in Squid is not the answer, because I want to control *all* traffic, not only HTTP or FTP. Can this be done using free/open-source software? I am not an advanced net admin, so if the answer involves advanced topics, please try to provide some tutorial links too.

You can set up masquerading in the firewall, but this is no substitute for use of proxies. I assume you have a basic firewall running already, and only have to add in the configuration needed to do masquerading.

This is for 9.3. 10.0 should not differ greatly, if at all, but if it does, the explanations in the config file are rather good, and you should be able to quickly find exactly what needs to be set.

In the sysconfig editor (YaST/System), look under Network/Firewall/SuSEfirewall2 for the following variables, and set them as stated:

FW_ROUTE yes
FW_MASQUERADE yes
FW_MASQ_DEV $FW_DEV_EXT (this will substitute the value of FW_DEV_EXT, which is already set if you have a running firewall already)
FW_PROTECT_FROM_INT no, to allow unrestricted access to the internet.
Leave FW_FORWARD_MASQ blank, since this is used to allow the internet to access servers you have running on masqueraded systems.

These are sufficient to enable masquerading for all systems in your internal network. To restrict which of those systems can actually access the internet, you also need

FW_MASQ_NETS: set it equal to the desired net/mask, here 172.16.0.0/16.
Darryl Gregorash wrote:
These are sufficient to enable masquerading for all systems in your internal network. To restrict which of those systems can actually access the internet, you also need
FW_MASQ_NETS set it equal to the desired net/mask, here 172.16.0.0/16.
So suppose I want to do NAT only for 172.16.0.5 and 172.16.2.10, and block the rest of the network. Do I set the value of the FW_MASQ_NETS field to 172.16.0.5/32 and 172.16.2.10/32?

Additionally, the gateway also serves the 192.168.0.0/24 network, on which there is no sharing restriction. So there are 3 network interfaces:

o 1 external and connected to the internet
o 1 internal with restrictions (172.16.0.0/16, on which I want to serve only 172.16.0.5 and 172.16.2.10) and
o another internal with no restriction (192.168.0.0/24)

Could you please give me the syntax of the FW_MASQ_NETS field that would fit the above scenario? Thanks.

- t.
--
cogito, ergo es.
On 30/03/06 10:50, Tathagata Banerjee wrote:
Darryl Gregorash wrote:
These are sufficient to enable masquerading for all systems in your internal network. To restrict which of those systems can actually access the internet, you also need
FW_MASQ_NETS set it equal to the desired net/mask, here 172.16.0.0/16.
so suppose i want to do NAT only for 172.16.0.5 and 172.16.2.10, and block the rest of the network.
do i set the value of the FW_MASQ_NETS field to 172.16.0.5/32 and 172.16.2.10/32 ?
additionally, the gateway also serves the 192.168.0.0/24 network, on which there is no sharing restriction.
so there are 3 network interfaces:
o 1 external and connected to the internet
o 1 internal with restrictions (172.16.0.0/16, on which i want to serve only 172.16.0.5 and 172.16.2.10)
and
o another internal with no restriction (192.168.0.0/24)
could you please give me the syntax of the FW_MASQ_NETS field that would fit the above scenario?
192.168.0.0/24 172.16.0.5 172.16.2.10

You will also enter both internal device ids in FW_DEV_INT, eg "eth-id-00:e0:4c:9f:61:9a eth-id-00:b4:e2:5a:43:81"

The descriptions of the variables in /etc/sysconfig/SuSEfirewall2 (which is what you are editing in the sysconfig editor) really are quite descriptive. Read carefully, and they will help you to figure out exactly what you need to do.
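The policy the thread arrives at, expressed as plain iptables rules rather than SuSEfirewall2 variables. This is an added example, not code from the thread and not what SuSEfirewall2 itself generates (it builds its own chain layout); it is the equivalent rule set for a reader who wants to see what the variables boil down to, or who runs a gateway without SuSEfirewall2. The interface names (eth0/eth1/eth2) and the MAC addresses are assumptions constructed for the example. Two points the sysconfig discussion does not make explicit: the restriction has to live in the filter table's FORWARD chain, since a rule only in nat/POSTROUTING would still forward an unlisted host's packets, just un-NATed; and an allow list keyed on IP address alone is only as strong as the difficulty of borrowing that address, which is why the two restricted hosts are optionally pinned to a MAC with the `mac` match (a MAC can be spoofed too, but it raises the bar above "set a static IP while the neighbour is switched off").

```sh
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2: forward and
# masquerade only 172.16.0.5 and 172.16.2.10 from the restricted segment and all
# of 192.168.0.0/24 from the open segment, out of the external interface.
# Every other internal host is dropped in FORWARD. Interface names and MACs are
# assumptions.

EXT_IF=eth0    # assumed: interface towards the internet
RES_IF=eth1    # assumed: 172.16.0.0/16 segment, only two hosts allowed out
OPEN_IF=eth2   # assumed: 192.168.0.0/24 segment, no restriction

# "<ingress interface> <source prefix> [<MAC>]". A MAC pins the permitted
# address to one NIC so a neighbour cannot simply take over 172.16.0.5 while
# that host is off. The MACs are constructed for the example.
allowed_sources() {
    cat <<EOF
$RES_IF 172.16.0.5/32 00:e0:4c:9f:61:9a
$RES_IF 172.16.2.10/32 00:b4:e2:5a:43:81
$OPEN_IF 192.168.0.0/24
EOF
}

# Emit the commands instead of executing them, so the rule set can be reviewed
# before it touches the live firewall ("sh gateway.sh --apply" runs it as root).
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default deny in the filter table. This is the actual access control: an
    # unlisted host is dropped here and never reaches NAT. A restriction in
    # nat/POSTROUTING alone would still forward its packets un-NATed, leaking a
    # private source address onto the external link.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # Replies to connections an allowed host opened.
    echo "iptables -A FORWARD -i $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    allowed_sources | while read -r ifc src mac; do
        macm=""
        if [ -n "$mac" ]; then
            macm=" -m mac --mac-source $mac"
        fi
        # Only listed ingress-interface/source pairs may go out. Nothing accepts
        # -o $RES_IF or -o $OPEN_IF, so the two internal segments cannot reach
        # each other through the gateway either.
        echo "iptables -A FORWARD -i $ifc -o $EXT_IF -s $src$macm -j ACCEPT"
        # Masquerade only what FORWARD already accepted from that source.
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $src -j MASQUERADE"
    done
    # Rate-limited log of what the DROP policy is about to discard.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DENY: \""
}

case "${1-}" in
    --apply) gen_rules | sh ;;
    *)       gen_rules ;;
esac
```

Run it without arguments to print the rules for review; the `--apply` form pipes them to sh and needs root. The `mac` match only works for hosts on the directly attached segment, since a packet routed in from another subnet carries the router's MAC, which is also why the 192.168.0.0/24 entry has no MAC.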
Darryl Gregorash wrote:
192.168.0.0/24 172.16.0.5 172.16.2.10
You will also enter both internal device ids in FW_DEV_INT, eg "eth-id-00:e0:4c:9f:61:9a eth-id-00:b4:e2:5a:43:81"
The descriptions of the variables in /etc/sysconfig/SuSEfirewall2 (which is what you are editing in the sysconfig editor) really are quite descriptive. Read carefully, and they will help you to figure out exactly what you need to do.
Thanks a lot. I'll try this and let you know.

- t.
--
cogito, ergo es.
Participants (3):
- Darryl Gregorash
- James Knott
- Tathagata Banerjee