Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] firewall2 and portforwarding
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Sun, 20 Jan 2002 08:42:32 -0600
  • Message-id: <5.1.0.14.2.20020120082810.03b9aab0@xxxxxxxxxxxxxxxxxxxx>

Then is this example correct?
FW_FORWARD_MASQ="0.0.0.0/0,192.168.0.15,tcp,5600"
So everybody will get access to the 192.168.0.15 machine on port 5600 over
tcp, right?

I do a fair amount of Port Forwarding using SuSEFirewall2, with a 2.4
kernel.

Here are some examples I cooked up for you, using your example of an internal
network of 192.168.0.[whatever]

Let's say I wanted to allow the internet addresses of "1.2.3.[whatever]"
through to 192.168.0.15 on tcp AND udp ports 5631 and 5632 so I could
connect to pcanywhere running on a windohs box.

FW_FORWARD_MASQ="1.2.3.0/24,192.168.0.15,tcp,5631 \
1.2.3.0/24,192.168.0.15,udp,5631 \
1.2.3.0/24,192.168.0.15,tcp,5632 \
1.2.3.0/24,192.168.0.15,udp,5632"


Let's add to that: Let's say that I have *another* pcanywhere windows box
on the inside, at 192.168.0.30, and I want to be able to reach it as well.
Just for fun, I'd also only like to access the .30 machine from one
different external IP address: 5.6.7.8, but none of the other
5.6.7.[whatever] machines other than .8 should get access.

Obviously, we can't use ports 5631 and 5632 on the firewall, those are
now port-forwarded to the 192.168.0.15 machine. So... We'll pick a different
pair (5633, and 5634), and forward them to 5631 and 5632 on 192.168.0.30.

Now our forward statement will look like this:

FW_FORWARD_MASQ="1.2.3.0/24,192.168.0.15,tcp,5631 \
1.2.3.0/24,192.168.0.15,udp,5631 \
1.2.3.0/24,192.168.0.15,tcp,5632 \
1.2.3.0/24,192.168.0.15,udp,5632 \
5.6.7.8/32,192.168.0.30,tcp,5633,5631 \
5.6.7.8/32,192.168.0.30,udp,5633,5631 \
5.6.7.8/32,192.168.0.30,tcp,5634,5632 \
5.6.7.8/32,192.168.0.30,udp,5634,5632"


Finally, to accomplish your specific request:

FW_FORWARD_MASQ="0/0,192.168.0.15,tcp,5600"

And if you wanted to use a different port to bring something in to port
5600 on the .15 machine:

FW_FORWARD_MASQ="0/0,192.168.0.15,tcp,[port on firewall],5600"

Have fun!

Argentium
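As an added example (not part of the original thread or of SuSEFirewall2 itself), a small Python checker that parses FW_FORWARD_MASQ entries in the `source,dest,proto,port[,target]` format used above and flags two things worth reviewing before enabling a forward: two entries that claim the same firewall port for different internal hosts with overlapping source ranges (the conflict the message works around with 5633/5634), and entries open to any source. The sample configuration is constructed here, mixing entries from this message with one deliberately colliding entry.

```python
import ipaddress
from typing import NamedTuple


class Forward(NamedTuple):
    source: ipaddress.IPv4Network  # external net allowed to reach the port
    dest: str                      # internal host that receives the traffic
    proto: str                     # "tcp" or "udp"
    fw_port: int                   # port opened on the firewall's outside
    target_port: int               # port on the internal host


def parse_forward_masq(value):
    """Parse space-separated FW_FORWARD_MASQ entries: src,dest,proto,port[,target]."""
    forwards = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) not in (4, 5):
            raise ValueError("bad entry: %r" % entry)
        # SuSEFirewall2 accepts the shorthand "0/0"; ipaddress does not
        src = "0.0.0.0/0" if fields[0] == "0/0" else fields[0]
        fw_port = int(fields[3])
        target = int(fields[4]) if len(fields) == 5 else fw_port
        forwards.append(Forward(ipaddress.ip_network(src, strict=False),
                                fields[1], fields[2].lower(), fw_port, target))
    return forwards


def check_forwards(forwards):
    """Return human-readable findings: port collisions and world-open forwards."""
    findings = []
    by_port = {}  # (proto, fw_port) -> earlier entries on that firewall port
    for f in forwards:
        for earlier in by_port.get((f.proto, f.fw_port), []):
            # Same outside port, different inside host, and a source range that
            # overlaps: only the first matching rule will ever see the packet.
            if earlier.dest != f.dest and earlier.source.overlaps(f.source):
                findings.append("collision: %s/%d from %s already goes to %s, not %s"
                                % (f.proto, f.fw_port, f.source, earlier.dest, f.dest))
        by_port.setdefault((f.proto, f.fw_port), []).append(f)
        if f.source.prefixlen == 0:
            findings.append("world-open: %s/%d -> %s:%d"
                            % (f.proto, f.fw_port, f.dest, f.target_port))
    return findings


# Constructed sample: three entries from the message plus one colliding 0/0 entry.
CONFIG = ("1.2.3.0/24,192.168.0.15,tcp,5631 "
          "5.6.7.8/32,192.168.0.30,tcp,5633,5631 "
          "0/0,192.168.0.15,tcp,5600 "
          "0/0,192.168.0.30,tcp,5600")

if __name__ == "__main__":
    for line in check_forwards(parse_forward_masq(CONFIG)):
        print(line)
```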

