Hi y'all, I'm running SuSE 9.2 on my server box connected via wireless to my desktop machine. I'm trying to poke through certain ports from my SuSE box onto my desktop machine. When I use the firewall wizard in YaST and use the "expert options" to open the ports (4000:4200), Shields Up! lists them as "closed". When I run the commands

    iptables -t nat -A PREROUTING -i $OUTIF -p tcp --dport 1000:1010 -j DNAT --to 193.168.0.2
    iptables -A INPUT -i $OUTIF -d 0/0 -p tcp --dport 22 -j ACCEPT

where $OUTIF is the outside interface and 193.168.0.2 is the address of my desktop machine, SuSE closes them off. Any ideas? If you want my iptables -L dump I can post that :-)

djXtreme (newbie)
Anyone any ideas? Sorry to bump my own thread up, but I'm really stuck and it's so frustrating.
Needs another bump up as I've had no reply yet :(
The Saturday 2005-02-26 at 00:07 -0000, Stephen Furlong wrote:
> Needs another bump up as I've had no reply yet :(
I'm no firewall expert, but I'll try.
> I'm running SuSE 9.2 on my server box connected via wireless to my desktop machine. I'm trying to poke through certain ports from my SuSE box onto my desktop machine. When I use the firewall wizard in YaST and use the "expert options" to open the ports (4000:4200), Shields Up! lists them as "closed".
Opening a port in the firewall is not enough; there must be a service or daemon behind it responding on that port. Till that moment, they should show up as "closed". Also, if your intention is that another (2nd) machine answers on those ports, simply opening them up in the firewall is not enough.

-- 
Cheers,
Carlos Robinson
That's where my problem is. I can open them up on the Linux box, but the moment I put the forwarding rule in they close again. I know the program/server on the other side is listening for the connections because I plugged it directly into my router and port forwarded on that and it worked; it just doesn't work through my SuSE machine.
The Saturday 2005-02-26 at 09:13 -0000, Stephen Furlong wrote:
> That's where my problem is. I can open them up on the Linux box, but the moment I put the forwarding rule in they close again. I know the program/server on the other side is listening for the connections because I plugged it directly into my router and port forwarded on that and it worked; it just doesn't work through my SuSE machine.
Then you will have to post your rules and hope that some firewall expert helps you:

    cat /etc/sysconfig/SuSEfirewall2 | egrep -v "^[[:space:]]*$|^#"

My only guess for the moment is that you may have set FW_QUICKMODE to yes. Or perhaps FW_AUTOPROTECT_SERVICES.

-- 
Cheers,
Carlos Robinson
Ok here goes ;

    FW_QUICKMODE="no"
    FW_DEV_EXT="eth-id-00:02:b3:4b:fe:a0"
    FW_DEV_INT="wlan0"
    FW_DEV_DMZ=""
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="0/0"
    FW_PROTECT_FROM_INTERNAL="no"
    FW_AUTOPROTECT_SERVICES="no"
    FW_SERVICES_EXT_TCP="4000:4200 5801 5901 8100 domain http https imap imaps microsoft-ds netbios-dgm netbios-ns netbios-ssn pop3 pop3s rsync smtp ssh tftp"
    FW_SERVICES_EXT_UDP="4000:4200 8100 bootps domain"
    FW_SERVICES_EXT_IP="49152:49159"
    FW_SERVICES_EXT_RPC="mountd nfs nfs_acl nlockmgr status"
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_DMZ_RPC=""
    FW_SERVICES_INT_TCP="49152:49159"
    FW_SERVICES_INT_UDP="49152:49159"
    FW_SERVICES_INT_IP=""
    FW_SERVICES_INT_RPC=""
    FW_SERVICES_DROP_EXT=""
    FW_SERVICES_REJECT_EXT="0/0,tcp,113"
    FW_SERVICES_QUICK_TCP=""
    FW_SERVICES_QUICK_UDP=""
    FW_SERVICES_QUICK_IP=""
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="49152:49159"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
    FW_FORWARD="0/0,0/0,udp152:49159"
    FW_FORWARD_MASQ="192.168.0.0/49152:49159,192.168.0.10,tcp,49152:49159"
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG_LIMIT=""
    FW_LOG=""
    FW_KERNEL_SECURITY="yes"
    FW_ANTISPOOF="no"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="no"
    FW_ALLOW_FW_TRACEROUTE="yes"
    FW_ALLOW_FW_SOURCEQUENCH="yes"
    FW_ALLOW_FW_BROADCAST="int"
    FW_IGNORE_FW_BROADCAST="no"
    FW_ALLOW_CLASS_ROUTING="no"
    FW_CUSTOMRULES=""
    FW_REJECT="no"
    FW_HTB_TUNE_DEV=""
    FW_IPv6=""
    FW_IPv6_REJECT_OUTGOING="yes"
    FW_IPSEC_TRUST="no"

Although it is disabled at the moment because I'm directly into my router (disabled because it would then block my access into it). I also tried an iptables-only config; I'll post that too:

    #!/bin/bash
    IPTABLES=/usr/sbin/iptables
    case "$1" in
    start)
        echo -n "Starting IP Firewall and NAT..."
        # Clear old rules (the nat table as well, so a re-run does not stack up duplicate DNAT rules)
        $IPTABLES --flush
        $IPTABLES --delete-chain
        $IPTABLES -t nat --flush
        # Masquerading
        $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        # Loopback
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -j ACCEPT
        # Forward All Data From Internal To External
        $IPTABLES -A FORWARD -i wlan0 -o eth0 -j ACCEPT
        # Forward packets that are part of existing and related connections from external to internal, and vice versa
        # (wlan0 is the internal interface, matching FW_DEV_INT above)
        $IPTABLES -A FORWARD -i eth0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i wlan0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Allow all inputs to firewall from the internal network and local interfaces
        $IPTABLES -A INPUT -i wlan0 -s 0/0 -d 0/0 -j ACCEPT
        $IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
        # Anti-Spoofing
        $IPTABLES -A INPUT -i eth0 -s 193.168.0.10 -j DROP
        $IPTABLES -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
        # Port-Specific Rules
        $IPTABLES -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT    # SSH Connections
        $IPTABLES -A INPUT -i wlan0 -p tcp --dport 80 -j ACCEPT    # HTTP Connections
        $IPTABLES -A INPUT -i wlan0 -p tcp --dport 443 -j ACCEPT   # SSL Connections
        $IPTABLES -A INPUT -i wlan0 -p tcp --dport 5901 -j ACCEPT  # VNC
        $IPTABLES -A INPUT -i wlan0 -p udp --dport 5901 -j ACCEPT
        # SAMBA related ports
        $IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p tcp --dport 137 -j ACCEPT
        $IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p tcp --dport 138 -j ACCEPT
        $IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p tcp --dport 139 -j ACCEPT
        $IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p udp --dport 137 -j ACCEPT
        $IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p udp --dport 138 -j ACCEPT
        $IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p udp --dport 139 -j ACCEPT
        # -- Allow external DC connection in to enable ACTIVE mode
        $IPTABLES -t nat -I PREROUTING -i eth0 -p tcp --dport 49158 -j DNAT --to 193.168.0.10:49158
        $IPTABLES -t nat -I PREROUTING -i eth0 -p udp --dport 49158 -j DNAT --to 193.168.0.10:49158
        $IPTABLES -I FORWARD -i eth0 -p tcp -s 0/0 -d 193.168.0.10 --dport 49158 -j ACCEPT
        $IPTABLES -I FORWARD -i eth0 -p udp -s 0/0 -d 193.168.0.10 --dport 49158 -j ACCEPT
        # Allow pings, but reject the rest
        $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
        $IPTABLES -A INPUT -i wlan0 -p icmp --icmp-type echo-request -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -j DROP
        $IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
        $IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
        echo "done."
        ;;
    stop)
        echo -n "Stopping IP Firewall and NAT..."
        $IPTABLES -X
        $IPTABLES -F
        $IPTABLES -Z
        # Input Rules
        $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -j REJECT
        echo "done."
        ;;
    restart)
        echo -n "Restarting IP Firewall and NAT..."
        $0 stop > /dev/null
        sleep 1
        $0 start > /dev/null
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        ;;
    esac

The ports I was trying to forward on this occasion were 49152:49159, or single ports within that range. Basically any port range will do, as long as there are about 10-200 ports open (the more the better). Thanks in advance :) (Sorry Carlos for sending it to you twice.)
On Sat, 26 Feb, 2005 at 22:49:30 -0000, Stephen Furlong wrote:
> Ok here goes ;
> <snip>

Don't know SuSEfirewall, haven't been following the thread, but the "/" in this line looks kind of... odd?

> FW_FORWARD_MASQ="192.168.0.0/49152:49159,192.168.0.10,tcp,49152:49159"

HTH
/Jon
-- 
YMMV
* Stephen Furlong; <stephen@freemail.servebeer.com> on 26 Feb, 2005 wrote:
> Ok here goes ;
> FW_FORWARD="0/0,0/0,udp152:49159"
> FW_FORWARD_MASQ="192.168.0.0/49152:49159,192.168.0.10,tcp,49152:49159"
There cannot be a netblock with this mask: 192.168.0.0/49152:49159. A forward masquerade rule consists of 1) source IP/net, 2) destination IP (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port, separated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80". Optional is a port after the destination port, to redirect the request to a different destination port on the destination IP, e.g. So you need to define the source IP/net correctly depending on your configuration.

-- 
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
To be honest it looks as though my SuSEfirewall config file has got mashed, as I'm sure that was originally 192.168.0.0/255.255.255.0. Would that be correct?
* Stephen Furlong; <stephen@freemail.servebeer.com> on 27 Feb, 2005 wrote:
> To be honest it looks as though my SuSEfirewall config file has got mashed, as I'm sure that was originally 192.168.0.0/255.255.255.0. Would that be correct?
Write it as 192.168.0.0/24

-- 
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
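An added example, not code from this thread or from SuSEfirewall2 itself: it checks an FW_FORWARD_MASQ entry field by field the way Togan describes (source net, destination IP, tcp/udp, destination port, optional target port), rejects a port range used in place of a netmask, and renders the iptables DNAT and FORWARD pair such an entry stands for. The rendering is a simplified approximation of the rules, not SuSEfirewall2's own output, and the external interface name eth0 is an assumption.

```python
# Added example, not SuSEfirewall2's own code: validate FW_FORWARD_MASQ entries of the
# form "src_net,dst_ip,proto,dport[,target_port]" and show the iptables rules they imply.
import ipaddress
import re

PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_ports(spec):
    """Return (low, high) for 'port' or 'low:high'; raise ValueError if malformed."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return low, high


def parse_forward_masq(entry):
    """Parse and validate one entry; a port range used as a netmask raises ValueError."""
    fields = entry.split(",")
    if len(fields) not in (4, 5):
        raise ValueError(f"expected 4 or 5 comma-separated fields, got {len(fields)}")
    src, dst, proto, dport = fields[:4]
    # SuSEfirewall2 accepts "0/0" for any source; ipaddress needs the full form.
    # ip_network rejects "192.168.0.0/49152:49159" and accepts both /24 and /255.255.255.0.
    src_net = ipaddress.ip_network("0.0.0.0/0" if src == "0/0" else src, strict=False)
    dst_ip = ipaddress.ip_address(dst)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, not {proto!r}")
    ports = parse_ports(dport)
    target = parse_ports(fields[4])[0] if len(fields) == 5 else None
    return {"src": src_net, "dst": dst_ip, "proto": proto, "ports": ports, "target": target}


def render_iptables(entry, ext_if="eth0"):
    """Simplified DNAT + FORWARD pair for the entry (ext_if is an assumed interface name)."""
    r = parse_forward_masq(entry)
    low, high = r["ports"]
    dport = f"{low}:{high}" if low != high else str(low)
    to = str(r["dst"]) + (f":{r['target']}" if r["target"] else "")
    fwd_port = str(r["target"]) if r["target"] else dport  # FORWARD sees the post-DNAT port
    common = f"-i {ext_if} -s {r['src']} -p {r['proto']}"
    return [
        f"iptables -t nat -A PREROUTING {common} --dport {dport} -j DNAT --to {to}",
        f"iptables -A FORWARD {common} -d {r['dst']} --dport {fwd_port} -j ACCEPT",
    ]
```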