Date: Thu, 6 Dec 2001 15:51:21 +0100
To: "Klaus Riggart"
From: Pablo Zubasti
Subject: Re: [suse-security] problem with suse 7.2 and susefirewall

hi folks,

I'm using SuSE Prof 7.2. As a first step I want the Linux box to turn into a firewall which protects and masquerades my private LAN and forwards HTTP requests to my internal webserver. Running SuSEfirewall I always got

Warning: FTP/IRC/Realaudio etc. masquerading does not work with ipchains and the 2.4 kernel. Either move to a stable 2.2 kernel or use SuSEfirewall2!

but masquerading partially worked (internal workstations came successfully through the firewall). External web requests did not come through the firewall although FW_FORWARD_MASQ was enabled. So I downloaded, installed and configured susefirewall2-2.0 from Marc's site. Now it says

/sbin/SuSEfirewall2: /usr/sbin/iptables: No such file or directory

a hundred times. No routing/masquerading at all! I seem to be missing a little thing. Please help, I'm getting mad about this! Many thanks in advance!

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
--
Hello,

I had this problem and I moved to the 2.2 kernel and made a little change to the SuSEfirewall script.

Please make a copy of the original /sbin/SuSEfirewall before making changes.
In the script, in the loop:
    for i in $FW_FORWARD_MASQ_TCP; do
        . . . .
        $IPCHAINS -A input -p tcp -d $PARAM1 -s $PARAM2 $PARAM3 -j ACCEPT '!' -y
        $IPCHAINS -A forward -p tcp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ '!' -y
        $IPMASQADM mfw -A -m "$COUNTER" -r $PARAM2 $PARAM3
        .
    done

replace these 3 lines with these 2:

    $IPCHAINS -I forward -p tcp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ '!' -y
    $IPMASQADM portfw -a -P tcp -L a.b.c.d $PARAM3 -R $PARAM2 $PARAM3

----

And the udp part:

    for i in $FW_FORWARD_MASQ_UDP; do
        . . . .
        $IPCHAINS -A input -p udp -d $PARAM1 -s $PARAM2 $PARAM3 -j ACCEPT
        $IPCHAINS -A forward -p udp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ
        $IPMASQADM mfw -A -m "$COUNTER" -r $PARAM2 $PARAM3
        .
    done

replace these 3 lines with these 2:

    $IPCHAINS -I forward -p udp -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ
    $IPMASQADM portfw -a -P udp -L a.b.c.d $PARAM3 -R $PARAM2 $PARAM3
where a.b.c.d represents the public IP of the DEV_WORLD interface.
And the SuSEconfig variables $FW_FORWARD_MASQ_TCP and $FW_FORWARD_MASQ_UDP take a new format:

    o.o.o.o/om,i.i.i.i,ppp

where:
- o.o.o.o/om represents the origin network, e.g. 0/0 (all the internet)
- i.i.i.i represents the private masqueraded IP we want to redirect to, e.g. 192.168.0.23
- ppp is the port of the packets to redirect

You can redirect as many ports as you need, separated with spaces.
An example configuration:

    $FW_FORWARD_MASQ_TCP : 0/0,192.168.0.23/80 0/0,192.168.0.2/23

redirects all packets coming from the internet to the web port to the internal server 192.168.0.23 and all telnet packets to 192.168.0.2.
Works.
--
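The rewrite above in a form that can be checked without touching a live box, as an added example that is not part of Pablo's post or of the SuSEfirewall script: a POSIX shell function that parses the new FW_FORWARD_MASQ_TCP / FW_FORWARD_MASQ_UDP entry format and prints the ipchains and ipmasqadm commands it would run. It assumes the public address a.b.c.d is passed in as an argument, accepts both the comma form described in the post and the slash form used in its example, and rejects an entry whose port is not a number in 1..65535 rather than handing it to ipmasqadm.

```shell
#!/bin/sh
# Added example, not the SuSEfirewall script: expand FW_FORWARD_MASQ_TCP /
# FW_FORWARD_MASQ_UDP entries into the ipchains + ipmasqadm commands from the
# post, printed instead of executed so the result can be reviewed first.
# Assumed: entries look like "origin_net,internal_ip,port" (as described) or
# "origin_net,internal_ip/port" (as in the post's example); the public address
# of the world interface (a.b.c.d in the post) is passed as an argument.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
IPMASQADM=${IPMASQADM:-/sbin/ipmasqadm}

# Split one entry into PARAM1 (origin network), PARAM2 (internal address)
# and PARAM3 (port). Returns 1 for a malformed entry or an invalid port.
parse_entry() {
    entry=$1
    case $entry in
        *,*) ;;
        *) return 1 ;;
    esac
    PARAM1=${entry%%,*}
    rest=${entry#*,}
    case $rest in
        *,*) PARAM2=${rest%%,*}; PARAM3=${rest#*,} ;;
        */*) PARAM2=${rest%%/*}; PARAM3=${rest#*/} ;;
        *)   return 1 ;;
    esac
    # port must be purely numeric and within the valid range
    case $PARAM3 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$PARAM3" -ge 1 ] && [ "$PARAM3" -le 65535 ]
}

# Print the two commands per entry for one protocol (tcp or udp). The
# "! -y" (not-SYN) qualifier is only added for tcp, matching the post.
# Arguments: protocol, public address, space-separated entry list.
forward_rules() {
    proto=$1
    public_ip=$2
    list=$3
    syn=''
    if [ "$proto" = tcp ]; then
        syn=' ! -y'
    fi
    for i in $list; do
        parse_entry "$i" || { echo "bad $proto entry: $i" >&2; return 1; }
        printf '%s\n' "$IPCHAINS -I forward -p $proto -d $PARAM1 -s $PARAM2 $PARAM3 -j MASQ$syn"
        printf '%s\n' "$IPMASQADM portfw -a -P $proto -L $public_ip $PARAM3 -R $PARAM2 $PARAM3"
    done
}

# Dry run with the post's own example entries; the public address is a
# constructed documentation value standing in for a.b.c.d.
forward_rules tcp 198.51.100.1 "0/0,192.168.0.23/80 0/0,192.168.0.2/23"
```

Pipe the output into `sh` only after reading it; the point of printing is that a typo in an entry shows up as a rejected line rather than as a silently wrong forward rule.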