Mailinglist Archive: opensuse-security (409 mails)

Fwd: [suse-security] Virtual IP address on the firewall, the dmz and DNAT / MASQUERADE
  • From: Harald Wallus <wallus@xxxxxxxxxxxxxxx>
  • Date: Mon, 12 Aug 2002 09:18:21 +0200
  • Message-id: <200208120918.21832.wallus@xxxxxxxxxxxxxxx>
Hi Kai,

your patch works great.
Only your patch in the email has lost some tabs, so I made the changes by hand
and not with patch.

Thank you

Harald Wallus

---------- Forwarded Message ----------

Subject: [suse-security] Virtual IP address on the firewall, the dmz and DNAT /
MASQUERADE
Date: Mon, 27 May 2002 17:39:47 +0200
From: "Kai-H. Weutzing" <suse@xxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Cc: <marc@xxxxxxx>

Hi,

my problem was that I have a box with three interfaces (ext, dmz, int) and
many IPs on the ext-interface and one (or more) servers in the dmz.
At the moment the SuSEfirewall2 (v2.1) on my SuSE 8.0 installation can't do
that (see the TODO file). So I spent some time patching the
SuSEfirewall2 script and it works well for me.
The patch is very small:

1310c1310,1311
< ERROR=`echo $NETS | $AWK -F, '{print $6}'`
---

> DEST=`echo $NETS | $AWK -F, '{print $6}'`
> ERROR=`echo $NETS | $AWK -F, '{print $7}'`
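
Review bot: the new sixth field goes into `DEST` with no validation at all, whereas the replaced line treated anything in field six as `ERROR`; a value like `0/0`, an empty string between commas, or text containing whitespace is accepted here and only fails (or, expanded unquoted, turns into extra arguments) when it reaches the iptables call further down. Add a check that `$DEST` looks like an address right after it is read, and a comment saying that `DEST` is the firewall's own external address matched before DNAT, since `NET2` is already the DNAT target; a name such as `EXTADDR` would make the two easier to tell apart.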

1337a1339

> test -z "$DEST" || DEST="-d $DEST"
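
Review bot: `test -z "$DEST" || DEST="-d $DEST"` overwrites the address with an iptables option fragment, so after this line `$DEST` can no longer be used as a plain address (for a log message, or for any other rule that should be keyed on the same external IP); keep the address in `DEST` and put the option in a separate variable, e.g. `DESTOPT="-d $DEST"`. When the sixth field is absent the rule below is built exactly as before, so existing five-field entries keep working; that backward-compatibility intent deserves a one-line comment here.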

1339c1341
< $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1
$PORT1 --to-destination ${NET2}${PORT2} -i $DEV
---

> $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1

$DEST --to-destination ${NET2}${PORT2} -i $DEV
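
Review bot: both the old and the new version of the PREROUTING rule are wrapped across two lines in this hunk, while the rule is a single line in the script, so the patch will not apply with patch(1) as posted; the hunk has to be re-sent unwrapped (with its tabs intact) or applied by hand. `$DEST` is expanded unquoted between `$PORT1` and `--to-destination`, which is what makes the empty case vanish cleanly, but it also means any whitespace in the configured value becomes additional iptables arguments, so the value must be validated where it is read rather than trusted here. Note also that only this nat-table rule gains the `-d` restriction; if the script installs a matching FORWARD accept rule elsewhere, this patch does not touch it and it should be checked against the same destination.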

Short description:
- edit the test of the arguments of FW_FORWARD_MASQ and add the variable
DEST for the IP address on the firewall
- add a line that tests the variable DEST; if it is set, add '-d ' for later use in the
iptables command
- edit the iptables command for PREROUTING; add the DEST variable

And point 14 in /etc/sysconfig/SuSEfirewall2 gets a fifth argument: the
IP address on which the firewall listens on the ext-interface, e.g. for a
www-server:

FW_FORWARD_MASQ="0/0,192.168.13.130,tcp,80,80,<public IP address on
ext-interface>"

Warning: With that parameter file you can't start the unpatched SuSEfirewall2
script, because it checks how many arguments are given.

BTW, of course you must configure the public IP address on the firewall box
(/etc/sysconfig/network ...)!

I tested this config, but maybe there are some points I can't see with my
config... Comments are welcome...

Greetings Kai


--
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here


netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 951-90
Email: wallus@xxxxxxxxxxxxxx
Internet: http://netlike-gmbh.de
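As an added example, not code from this thread or from SuSEfirewall2 itself, the following POSIX shell script parses FW_FORWARD_MASQ entries in the six-field form used in the post (srcnet,dsthost,proto,srcport,dstport[,external address]), rejects a seventh field the way the original script does, and prints the PREROUTING DNAT rule it would install instead of running it. It adds the address and port validation the posted patch does not have and keeps the '-d' option in a separate variable. The external address 203.0.113.10, the device name eth0, the sample entries and the flag order of the generated rule are this example's own assumptions, not the script's.

```shell
#!/bin/sh
# Added illustration, not SuSEfirewall2 code: build the PREROUTING DNAT rule
# for one FW_FORWARD_MASQ entry in the six-field format from the post, with
# the input checks the posted patch omits. The rule is printed, not run.
#
# Entry format assumed here: srcnet,dsthost,proto,srcport,dstport[,extaddr]
# extaddr is the firewall's own external address the DNAT is limited to.
# A seventh field is an error, as in the original script.

# Accept "0/0" or a dotted quad with optional /prefix; anything else
# (spaces, option-like text) is rejected before it reaches the rule.
is_ipv4() {
    [ "$1" = "0/0" ] && return 0
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

is_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$'
}

# dnat_rule ENTRY DEV
# prints the iptables rule for ENTRY arriving on DEV; returns 1 on a bad entry
dnat_rule() {
    entry=$1
    dev=$2
    NET1=$(printf '%s\n' "$entry" | awk -F, '{print $1}')
    NET2=$(printf '%s\n' "$entry" | awk -F, '{print $2}')
    PROTO=$(printf '%s\n' "$entry" | awk -F, '{print $3}')
    PORT1=$(printf '%s\n' "$entry" | awk -F, '{print $4}')
    PORT2=$(printf '%s\n' "$entry" | awk -F, '{print $5}')
    DEST=$(printf '%s\n' "$entry" | awk -F, '{print $6}')
    ERROR=$(printf '%s\n' "$entry" | awk -F, '{print $7}')

    if [ -n "$ERROR" ]; then
        echo "bad FW_FORWARD_MASQ entry (too many fields): $entry" >&2
        return 1
    fi
    if ! is_ipv4 "$NET1" || ! is_ipv4 "$NET2"; then
        echo "bad address in entry: $entry" >&2
        return 1
    fi
    case "$PROTO" in
        tcp|udp) ;;
        *) echo "bad protocol in entry: $entry" >&2; return 1 ;;
    esac
    if ! is_port "$PORT1" || ! is_port "$PORT2"; then
        echo "bad port in entry: $entry" >&2
        return 1
    fi
    # The sixth field is optional; when present it becomes a '-d' match so
    # only traffic for that one external address is redirected. It is kept
    # in a separate variable instead of overwriting the address in DEST.
    DESTOPT=""
    if [ -n "$DEST" ]; then
        if ! is_ipv4 "$DEST"; then
            echo "bad external address in entry: $entry" >&2
            return 1
        fi
        DESTOPT=" -d $DEST"
    fi
    echo "iptables -t nat -A PREROUTING -i $dev -p $PROTO -s $NET1 --dport $PORT1$DESTOPT -j DNAT --to-destination $NET2:$PORT2"
}

# all_dnat_rules "ENTRY ENTRY ..." DEV: one rule per line; stops at the first bad entry
all_dnat_rules() {
    for e in $1; do
        dnat_rule "$e" "$2" || return 1
    done
}

# Constructed sample, in the style of the config line quoted in the post
FW_FORWARD_MASQ="0/0,192.168.13.130,tcp,80,80,203.0.113.10 0/0,192.168.13.131,tcp,25,25"
all_dnat_rules "$FW_FORWARD_MASQ" eth0
```

The second sample entry has no sixth field and therefore produces a rule without '-d', which is the unpatched behaviour: every address on the external interface is redirected to that dmz host. Running the script with a value such as `203.0.113.10 -j ACCEPT` in the sixth field shows why the validation matters: the entry is refused instead of being expanded into extra iptables arguments.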
