Mailinglist Archive: opensuse-security (757 mails)

SuSEfirewall2 (?) and advanced routing problem.
  • From: Marcin Gryszczuk <marcing@xxxxxxxxxxxxxxxxx>
  • Date: Tue, 22 Jan 2002 11:58:09 +0100
  • Message-id: <5.1.0.14.2.20020122110512.02e7ed10@xxxxxxxxxxxxxxxxx>
Hi All...

1. First problem:
I have the following problem that I cannot solve under SuSE 7.3 with SuSEfirewall2 (kernel 2.4.16, iptables 1.2.2).
The problem is that I have 2 public interfaces (eth1, the default, and eth2) with 2 public IP addresses and 1 internal interface (eth0) with a 192.168.0.x private address range. On that last interface I have a small private network which is MASQUERADED on my Linux box.
The problem is that I would like to forward part of the traffic (let's say all squid proxy requests to my external server) via my 2nd public interface (eth2). At the moment all traffic goes via the default gateway (eth1).
I have tried the example I could find in the Adv-Routing HOWTO, routing all SQUID packets to be forwarded via eth2:

iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK --set-mark 1

My rule table looks like:
#ip rule ls
0: from all lookup local
32765: from all fwmark 1 lookup ic.out
32766: from all lookup main
32767: from all lookup 253

#ip route ls table ic.out
default via y.y.y.97 dev eth2

- but it does not work. What is strange is that I had SuSE 6.3 before and under ipchains it worked perfectly!
What I have realized is that during testing this connection the packets try to go via eth2 - I could see it on tcpdump - but only packets with the S (SYN?) flag set appear there... And nothing else.


What I have also realized is that I can see some (strange to me) lines in the firewall log file like:

Jan 21 11:24:01 linux kernel: martian source 192.168.0.22 from z.z.z.z, on dev eth2
Jan 21 11:24:01 linux kernel: ll header: 00:00:c0:6a:65:d3:00:c0:df:b0:c2:a8:08:00

192.168.0.22 is my computer in my private net; z.z.z.z is my proxy server's IP address (which in fact I only realized after spending the whole day yesterday looking at it).

Is there anybody who can help me with that? What should I turn on or off in the firewall settings (or maybe somewhere else) to make it work? (At the bottom there are more details about my system.) As I mentioned before, I had it working perfectly on the 6.3 box with ipchains.
Anyway, this does not look like a firewall problem, as I could not get it to work with SuSEfirewall2 stopped either.

2. Second problem:
I think this one is more for the SuSEfirewall2 developers. I was just looking at the settings made by the SuSEfirewall2 scripts based on my configuration and noticed that there is quite a big section for the DMZ, although I have no DMZ set in the SuSEfirewall2 rc.config at all. Also, iptables -L shows that there are no references to the forward_dmz and input_dmz chains at all. So the question is what it is for. I think it is quite easy to check whether any DMZ is set up at all and not create all these unneeded chains in iptables in the "no" case. Just a small tip...

Thanks in advance for any help.

Best regards

Marcin Gryszczuk

Some info about my settings:
ifconfig:
eth0 Link encap:Ethernet HWaddr ...
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
...
eth1 Link encap:Ethernet HWaddr ...
inet addr:x.x.x.x Bcast:x.x.x.191 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
...
eth2 Link encap:Ethernet HWaddr ...
inet addr:y.y.y.y Bcast:y.y.y.127 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
...

# ip rule ls
0: from all lookup local
32765: from all fwmark 1 lookup ic.out
32766: from all lookup main
32767: from all lookup 253

# ip route ls table ic.out
default via y.y.y.97 dev eth2

# ip route ls table main
y.y.y.96/27 dev eth2 proto kernel scope link src y.y.y.y
x.x.x.128/26 dev eth1 proto kernel scope link src x.x.x.x
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.100.100
default via x.x.x.129 dev eth1

SuSEfirewall2 settings:
FW_DEV_EXT="eth1 eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="smtp domain www ntp https"
FW_SERVICES_EXT_UDP="domain ntp" # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ftp-data:telnet smtp domain www pop3 ntp 139 https"
FW_SERVICES_INT_UDP="domain syslog ntp"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="192.168.0.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD="" # Beware to use this!
FW_FORWARD_MASQ="" # Beware to use this!
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

SuSE 7.3 kernel 2.4.16 iptables 1.2.2

If anything else is needed to help me - please let me know...
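An added example, not code from the post or from SuSEfirewall2: a dry-run script that emits the complete ruleset for steering one TCP port over the second uplink, plus a small checker for the "martian source" lines quoted above. Two things worth knowing when reading those lines: the kernel prints them as "martian source <destination> from <source>, on dev <interface>", so the quoted line means a packet for 192.168.0.22 coming from the proxy arrived on eth2; and that is what the reverse-path filter (rp_filter) logs when the main routing table reaches a packet's source through a different interface than the one it arrived on. That is exactly the situation once outbound packets are policy-routed via eth2 while the replies, which carry no fwmark, are still judged against the main table's default route on eth1, and it also fits seeing only the outgoing SYNs on tcpdump. Interface and table names follow the post; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges standing in for x.x.x.x and y.y.y.y, and the route and log lines embedded in the script are constructed from the post's output with those stand-ins.

```shell
#!/bin/sh
# Added example: fwmark policy routing for one TCP service (squid, 3128) over a
# second uplink, and an explainer for kernel "martian source" lines. Not code
# from the post or from SuSEfirewall2. Names follow the post; the addresses are
# RFC 5737 stand-ins for x.x.x.x / y.y.y.y.
LAN_IF=${LAN_IF:-eth0}
ALT_IF=${ALT_IF:-eth2}
ALT_GW=${ALT_GW:-203.0.113.97}      # stand-in for y.y.y.97
LAN_NET=${LAN_NET:-192.168.0.0/24}
TABLE=${TABLE:-ic.out}              # must be listed in /etc/iproute2/rt_tables
MARK=${MARK:-1}
PORT=${PORT:-3128}
DRY_RUN=${DRY_RUN:-1}               # 1 = print the commands, 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Complete ruleset. The post has steps 1 and 3; step 2 is the usual missing
# piece: replies from the proxy arrive on ALT_IF, but rp_filter looks the
# proxy's address up in the main table, finds the other uplink, and drops them.
setup_policy_routing() {
    # 1. mark LAN traffic for the proxy port before the routing decision
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$PORT" \
        -j MARK --set-mark "$MARK"
    # 2. stop rp_filter judging ALT_IF against the main table
    #    (kernels from 2.6.31 on also accept 2 = loose mode instead of 0)
    run sysctl -w "net.ipv4.conf.$ALT_IF.rp_filter=0"
    # 3. marked packets consult TABLE, whose only route is the second uplink
    run ip rule add fwmark "$MARK" table "$TABLE" priority 32765
    run ip route add default via "$ALT_GW" dev "$ALT_IF" table "$TABLE"
    # 4. masquerade behind ALT_IF's own address (MASQUERADE picks it per interface)
    run iptables -t nat -A POSTROUTING -o "$ALT_IF" -s "$LAN_NET" -j MASQUERADE
    run ip route flush cache
}

# dotted quad -> integer; runs in a subshell so the IFS change stays local
ip2int() (
    IFS=.; set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# Longest-prefix lookup of $1 in an "ip route show" listing read from stdin.
# Prints the outgoing device, i.e. what the reverse-path filter compares with.
route_dev() {
    target=$(ip2int "$1"); best=-1; bestdev=""
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        case $prefix in
            default) net=0; len=0 ;;
            */*) net=$(ip2int "${prefix%/*}"); len=${prefix#*/} ;;
            *) net=$(ip2int "$prefix"); len=32 ;;
        esac
        rdev=""; set -- $rest
        while [ $# -gt 1 ]; do [ "$1" = dev ] && rdev=$2; shift; done
        mask=$(( 4294967296 - (1 << (32 - len)) ))
        if [ $(( target & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best" ]; then
            best=$len; bestdev=$rdev
        fi
    done
    echo "$bestdev"
}

# Explain kernel "martian source <dst> from <src>, on dev <if>" lines on stdin
# (note the order: destination first) against the main table in $ROUTES.
explain_martians() {
    sed -n 's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([A-Za-z0-9]*\).*/\1 \2 \3/p' |
    while read -r dst src dev; do
        via=$(printf '%s\n' "$ROUTES" | route_dev "$src")
        if [ "$via" = "$dev" ]; then
            echo "$src -> $dst on $dev: reverse path via $via matches, not an rp_filter drop"
        else
            echo "$src -> $dst on $dev: main table reaches $src via $via, so rp_filter on $dev drops it"
        fi
    done
}

# Constructed from the post's "ip route ls table main" with stand-in addresses.
ROUTES='203.0.113.96/27 dev eth2 proto kernel scope link src 203.0.113.100
198.51.100.128/26 dev eth1 proto kernel scope link src 198.51.100.130
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
default via 198.51.100.129 dev eth1'

# Constructed log: the post's line (proxy = 198.51.100.10 standing in for
# z.z.z.z) plus a second line whose reverse path does match, for contrast.
LOG='Jan 21 11:24:01 linux kernel: martian source 192.168.0.22 from 198.51.100.10, on dev eth2
Jan 21 11:24:01 linux kernel: ll header: 00:00:c0:6a:65:d3:00:c0:df:b0:c2:a8:08:00
Jan 21 11:24:05 linux kernel: martian source 203.0.113.100 from 203.0.113.99, on dev eth2'

case ${1:-} in
    show)    setup_policy_routing ;;            # print the commands
    apply)   DRY_RUN=0; setup_policy_routing ;; # run them (root)
    explain) explain_martians ;;                # pipe /var/log/messages in
    demo)    printf '%s\n' "$LOG" | explain_martians ;;
esac
```

`./script show` prints the commands, `DRY_RUN=0 ./script apply` runs them, and `./script explain < /var/log/messages` classifies real martian lines once ROUTES is replaced with the box's own `ip route ls table main` output. Turning rp_filter off on eth2 gives up the kernel's source-address sanity check on that interface, so pair it with explicit filtering of what may arrive there (the FW_DEV_EXT rules already cover eth2 in the post's configuration, but check that FW_KERNEL_SECURITY does not re-enable rp_filter on every restart). Also, `ip rule ls` shows `lookup 253` as the last entry: table 253 is "default", consulted only after main, so it is not what is stealing the packets.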

