Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] SuSE Firewall & Reverse Masquerading
> -----Original Message-----
> From: Alexander Reach [mailto:newsletter@xxxxxxxx]
> Sent: Thursday, 13 December 2001 13:57
> To: SuSE-Security
> Subject: [suse-security] SuSE Firewall & Reverse Masquerading
>
>
> Hello,
>
> I want to do reverse masquerading with the SuSE firewall.
>

Okay! (I must admit that I only know SuSEfirewall2 with iptables, though
...)

> I know, that I can use the switch FW_FORWARD_MASQ_* to do this.
> The Syntax is "Source IP / Destination IP / Destination Port".
>

Right!

> The Problem is, that I want to redirect to more than one Computer in my
> local DMZ.
>
> How can I do it with this firewall ?

You can only forward to different hosts if they use different ports.
This is because the external client specifies the IP address of the external
interface of your fw gateway, so the protocol and port number are the only
criteria to differentiate the target hosts ...

Assuming your fw gateway looks like:

external/internet
!
!
eth1 (provider assigned address)
!
firewall
!
eth0 (192.168.1.x)
!
!
+--- 192.168.1.10 port 80
+--- 192.168.1.20 port 992
+--- ...

To reach an internal server e.g. on port 80 (192.168.1.10) and another on
port 992 (192.168.1.20) use something like the following in your
etc/rc.config.d/firewall2.rc.config:

FW_FORWARD_MASQ="0/0,192.168.1.10,tcp,80 0/0,192.168.1.20,tcp,992"

The "0/0" means _any_ external IP address is allowed access to the internal
hosts!

To allow outgoing replies from your internal hosts use:

FW_MASQ_NETS="192.168.1.10 192.168.1.20"

That is: your hosts can do anything outgoing! You can narrow this if you
extend it with proto/port ...

You also have to provide the following ...

FW_ROUTE="yes"

This config works on my gateway - but not yet behind a second fw gateway
which does no masquerading :-( ... trying to solve this one at the moment ...

Hope that helps

Greetings
Roland
>
> Greetings,
> Alexander
>
>
>
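
A sanity check for an FW_FORWARD_MASQ value, added here as an example; it is not part of the mail above or of SuSEfirewall2. It assumes the "source,destination,protocol,port" field order used in the reply, and the function name `audit_forward_masq` is hypothetical. It reports entries open to any source and entries that reuse a protocol/port already forwarded to a different host, which is the case the reply says cannot work.

```shell
#!/bin/sh
# Audit a FW_FORWARD_MASQ value: space-separated entries of the form
# "source,dest-ip,proto,port" (field order taken from the mail above).
# Prints one finding per line:
#   BAD   <entry>  entry does not have exactly four fields
#   CLASH <entry>  same source/proto/port already forwarded to another host
#   OPEN  <entry>  source is 0/0, i.e. any external address may connect
# The body runs in a subshell so IFS, set -f and "set --" stay local.
audit_forward_masq() (
    set -f                      # no filename globbing while splitting
    rules=$1
    seen=""                     # accepted "source,proto,port>dest" keys
    for entry in $rules; do
        old_ifs=$IFS; IFS=,
        set -- $entry           # split the entry on commas
        IFS=$old_ifs
        if [ $# -ne 4 ]; then
            echo "BAD $entry"
            continue
        fi
        src=$1 dst=$2 proto=$3 port=$4
        key="$src,$proto,$port"
        case " $seen " in
            *" $key>$dst "*) ;;                    # exact duplicate
            *" $key>"*) echo "CLASH $entry" ;;     # same port, other host
        esac
        seen="$seen $key>$dst"
        case $src in
            0/0|0.0.0.0/0) echo "OPEN $entry" ;;
        esac
    done
)

# Constructed sample: the value from the mail plus one deliberately
# clashing entry (a third host, again on tcp/80).
audit_forward_masq "0/0,192.168.1.10,tcp,80 0/0,192.168.1.20,tcp,992 0/0,192.168.1.30,tcp,80"
```
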
