This is possible using IPMASQADM to reverse masquerade the incoming http connections (sorta like NAT on one port only). Of course you could use one of the port redirectors like rinetd, but then your apache logs would show up as having all connections from your firewall. This is obviously NOT what you want.

Before you use ipmasqadm, make sure you have normal outbound masq working. If you don't, then it will never work.

The setup of this is quite simple, and I have done almost exactly this on SuSE 6.4 for a client. It was 6 months ago, and it's 4:15 am and I've just got back to my hotel after going clubbing/drinking since 10pm, so email me back if this is unclear, or you can't figure this out from the docs...

Note: You will have to download ipmasqadm I think, or maybe it comes with SuSE... not sure...

Cheers
Nix

At 11:06 AM 22/11/2000 +0100, you wrote:
Hi, All :)
I hope somebody can help me with my configuration.
Following scenario:
public Internet
      |
      |
    eth0 - only one official Internet Address,
      |    which is directly connected
      |    to the internet leased line modem.
      |
<firewall> -- eth2 -- DMZ 192.168.0.0/24 ----------
      |
      |
    eth1 -- 192.168.30.0/24, 192.168.31.0/24 ...
      |
      |
<internal private networks>

I use the <firewall> to allow accessing the Internet from the internal networks.
This part is functioning well :)
Now I like to configure a www.server with a private IP number which is reachable from the public Internet (only http should be allowed).
I can ping the www.server successfully from the firewall PC, but I'm not able to get an http connection with Netscape. Also it's not possible to get a connection from the public Internet.
My SuSE firewall settings are:

FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.30.0/24 192.168.31.0/24"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
FW_SERVICES_EXTERNAL_TCP="smtp domain nntp http"
FW_SERVICES_EXTERNAL_UDP="domain"
FW_SERVICES_DMZ_TCP="http"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_INTERNAL_TCP="smtp domain ftp http nntp"
FW_SERVICES_INTERNAL_UDP="domain"
FW_TRUSTED_NETS=""
FW_SERVICES_TRUSTED_TCP=""
FW_SERVICES_TRUSTED_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
FW_FORWARD_MASQ_TCP="0/0,192.168.0.111,80"
FW_FORWARD_MASQ_UDP=""
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"
This is the output from
tcpdump -i eth2
when trying to connect with Netscape to the www.server from the firewall.pc:
10:19:21.570488 arp who-has 192.168.0.111 tell firewall.pc (0:10:5a:49:52:7)
10:19:21.570719 arp reply 192.168.0.111 is-at 0:50:fc:22:44:12 (0:10:5a:49:52:7)
10:19:21.570750 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:21.571016 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)
10:19:24.563563 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:24.563823 192.168.0.111.http > firewall.pc.rkb-oscs: . 1:1(0) ack 1 win 17520 (DF)
10:19:24.806624 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)
10:19:30.563561 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:30.563822 192.168.0.111.http > firewall.pc.rkb-oscs: . 1:1(0) ack 1 win 17520 (DF)
10:19:31.368814 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)