Mailinglist Archive: opensuse-security (465 mails)

Fwd: Re: [suse-security] problem with suse 7.2 and susefirewall
Date: Thu, 6 Dec 2001 15:51:21 +0100
To: "Klaus Riggart" <studentenkopp@xxxxxx>
From: Pablo Zubasti <pablo@xxxxxxxxxxx>
Subject: Re: [suse-security] problem with suse 7.2 and susefirewall

Hi folks,
I'm using SuSE Prof 7.2.
As a first step I want the Linux box to turn into a firewall which protects and masquerades my private LAN and forwards HTTP requests to my internal webserver.
Running SuSEfirewall I always got
Warning: FTP/IRC/Realaudio etc. masquerading does not work with ipchains and
the 2.4 kernel. Either move to a stable 2.2 kernel or use SuSEfirewall2!
but masquerading partially worked (internal workstations came successfully through the firewall). External web requests did not come through the firewall although FW_FORWARD_MASQ was enabled.
So I downloaded, installed and configured SuSEfirewall2-2.0 from Marc's site. Now it says
/sbin/SuSEfirewall2: /usr/sbin/iptables: No such file or directory
a hundred times. No routing/masquerading at all!
I seem to be missing a little thing. Please help, I'm going mad over this!
Many thanks in advance!
--
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx


--

Hello,
I had this problem and I moved to the 2.2 kernel and made a little change to the SuSEfirewall script:

Please make a copy of the original /sbin/SuSEfirewall before making changes.

In the script, in the loop:

for i in $FW_FORWARD_MASQ_TCP; do
.
.
.
.
$IPCHAINS -A input -p tcp -d $PARAM1 -s $PARAM2 $PARAM3 -j ACCEPT '!' -y
$IPCHAINS -A forward -p tcp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ '!' -y
$IPMASQADM mfw -A -m "$COUNTER" -r $PARAM2 $PARAM3
.
done

Replace these 3 lines with these 2:

$IPCHAINS -I forward -p tcp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ '!' -y
$IPMASQADM portfw -a -P tcp -L a.b.c.d $PARAM3 -R $PARAM2 $PARAM3
----
And the UDP part:
for i in $FW_FORWARD_MASQ_UDP; do
.
.
.
.
$IPCHAINS -A input -p udp -d $PARAM1 -s $PARAM2 $PARAM3 -j ACCEPT
$IPCHAINS -A forward -p udp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ
$IPMASQADM mfw -A -m "$COUNTER" -r $PARAM2 $PARAM3
.
done

Replace these 3 lines with these 2:
$IPCHAINS -I forward -p udp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ
$IPMASQADM portfw -a -P udp -L a.b.c.d $PARAM3 -R $PARAM2 $PARAM3

where a.b.c.d represents the public IP of the DEV_WORLD interface.

And the SuSEconfig variables $FW_FORWARD_MASQ_TCP and $FW_FORWARD_MASQ_UDP take a new format:

o.o.o.o/om,i.i.i.i,ppp
where:
- o.o.o.o/om represents the origin network, e.g. 0/0 (the whole internet)
- i.i.i.i represents the private (masqueraded) IP we want to redirect to, e.g. 192.168.0.23
- ppp is the port of the packets to redirect

You can redirect any ports you need, separated with spaces.

An example configuration:

$FW_FORWARD_MASQ_TCP : 0/0,192.168.0.23/80 0/0,192.168.0.2/23

redirects all packets coming from the internet to the web port to the internal server 192.168.0.23, and all telnet packets to 192.168.0.2.

Works.
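The following is an added example, not the SuSEfirewall script and not the poster's own code. It takes entries in the "origin/mask,internal_ip,port" format the reply describes and expands each one into the two rules the reply substitutes (the ipchains MASQ rule and the ipmasqadm portfw rule), printing the commands instead of executing them so they can be reviewed before touching a live box. It also rejects entries that do not have exactly three comma-separated fields, which is the easiest way to catch a slip in the variable before the script silently forwards nothing. The public address (the reply's a.b.c.d) is passed in as a parameter; the binary paths and the variable names IPCHAINS/IPMASQADM are assumptions.

```shell
#!/bin/sh
# Added example; assumed paths for the two tools the reply uses.
IPCHAINS=/sbin/ipchains
IPMASQADM=/sbin/ipmasqadm

# Validate one "origin/mask,internal_ip,port" entry and print its three
# fields separated by spaces. Returns 1 for anything that is not exactly
# three comma-separated fields with a numeric port.
parse_masq_entry() {
    entry=$1
    origin=${entry%%,*}
    rest=${entry#*,}
    [ "$rest" != "$entry" ] || return 1        # no comma at all
    internal=${rest%%,*}
    port=${rest#*,}
    [ "$port" != "$rest" ] || return 1         # only one comma
    case $port in
        *,*|'') return 1 ;;                    # too many fields, or empty port
        *[!0-9]*) return 1 ;;                  # port must be numeric
    esac
    [ -n "$origin" ] && [ -n "$internal" ] || return 1
    printf '%s %s %s\n' "$origin" "$internal" "$port"
}

# Print the ipchains/ipmasqadm commands for every entry of one protocol.
#   $1 = tcp or udp, $2 = public IP of the DEV_WORLD interface (a.b.c.d),
#   $3 = space-separated entries, i.e. the value of FW_FORWARD_MASQ_TCP/_UDP.
# Malformed entries are reported on stderr and skipped.
emit_masq_rules() {
    proto=$1
    public_ip=$2
    entries=$3
    for i in $entries; do
        fields=$(parse_masq_entry "$i") || {
            echo "skipping malformed entry: $i" >&2
            continue
        }
        set -- $fields
        origin=$1
        internal=$2
        port=$3
        # The reply keeps ipchains' '!' -y (non-SYN) only on the TCP rule.
        syn=
        if [ "$proto" = tcp ]; then
            syn=" '!' -y"
        fi
        echo "$IPCHAINS -I forward -p $proto -d $origin -s $internal $port -j MASQ$syn"
        echo "$IPMASQADM portfw -a -P $proto -L $public_ip $port -R $internal $port"
    done
}

# Constructed sample: 203.0.113.5 stands in for the public address.
emit_masq_rules tcp 203.0.113.5 "0/0,192.168.0.23,80 0/0,192.168.0.2,23"
```

Run the script as-is to see the commands it would produce; pipe its output to `sh` only after reviewing it. Pointing the sample entries at a value that uses "/" instead of "," before the port makes the validation step visible: the entry is reported on stderr and no rule is printed for it.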


--