Hi Kai,
your patch works great.
Only your patch in the email has lost some tabs, so I did the changes by hand
and not with patch.
Thank you
Harald Wallus
---------- Forwarded Message ----------
Subject: [suse-security] Virtual IP address on the firewall, the dmz and DNAT / MASQUERADE
Date: Mon, 27 May 2002 17:39:47 +0200
From: "Kai-H. Weutzing"
DEST=`echo $NETS | $AWK -F, '{print $6}'` ERROR=`echo $NETS | $AWK -F, '{print $7}'`
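Review bot: the new sixth FW_FORWARD_MASQ field is read into DEST and the seventh into ERROR here, but no hunk in this patch touches the commentary for point 14 in /etc/sysconfig/SuSEfirewall2, so the only place the new field (and the fact that a seventh field is an error) is described is this mail; the extended entry format, SRC,DST,PROTO,PORT1,PORT2,<address on the external interface>, belongs in the config file's comment block next to the existing FW_FORWARD_MASQ example, otherwise admins of an upgraded box will not know the option exists.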
1337a1339
test -z "$DEST" || DEST="-d $DEST"
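Review bot: `test -z "$DEST" || DEST="-d $DEST"` turns the sixth config field into a command-line fragment without checking that it is an address, and because DEST is expanded unquoted in the PREROUTING rule below, a field containing whitespace is split into additional iptables arguments (a stray `! ` negation or an extra `-j ...` in the config would land in the rule unnoticed); a format check before this line, for example rejecting anything with `case "$DEST" in *[!0-9.]*) ...error...;; esac` and requiring a plain dotted-quad, would keep a typo in FW_FORWARD_MASQ from silently changing the rule. Leaving DEST empty for the old five-field entries, as this line does, is what keeps those configs working, so the check should only fire when the field is non-empty.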
1339c1341 < $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1 --to-destination ${NET2}${PORT2} -i $DEV ---
$IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1
$DEST --to-destination ${NET2}${PORT2} -i $DEV

Short description:
- edit the test of the arguments of FW_FORWARD_MASQ and add the variable DEST for the IP address on the firewall
- add a line to test the variable DEST; if set, add '-d ' for later use in the iptables command
- edit the iptables command for PREROUTING; added the DEST variable

And point 14 in /etc/sysconfig/SuSEfirewall2 gets a fifth argument: the IP address on which the firewall listens on the ext-interface, e.g. a www-server:

FW_FORWARD_MASQ="0/0,192.168.13.130,tcp,80,80,<public IP address on ext-interface>"

Warning: with that parameter file you can't start the unpatched SuSEfirewall2 script because it checks how many arguments are given.

Btw., of course you must configure the public IP address on the firewall box (/etc/sysconfig/network ...)!

I tested this config, but maybe there are some points I can't see with my config... Comments are welcome...

Greetings
Kai

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23
Fax: +49(0)511 90 951-90
Email: wallus@ntlike-gmbh.de
Internet: http://netlike-gmbh.de
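Review bot: in the 1339c1341 hunk the `-d $DEST` match is only present when the sixth field is set, so an entry in the old five-field form still produces a PREROUTING DNAT rule with no destination match, i.e. connections to every address on `$DEV` with destination port `$PORT1` keep being translated to `${NET2}${PORT2}`; that fallback is what keeps existing configs working, but it is exactly the behaviour the new field exists to narrow, so the Warning in the mail should also state that entries without the new field still forward all addresses on the external interface, and the patch should say so in the point 14 commentary as well.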
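The rule generation Kai describes above, as an added example that is not SuSEfirewall2 code and not his patch: a POSIX shell function that parses one FW_FORWARD_MASQ entry in the six-field form from the mail, validates the new listen-address field as a bare IPv4 address before it can reach the command line, and prints the PREROUTING DNAT rule in both shapes, the unrestricted five-field form and the `-d`-restricted six-field form. The field order is taken from the mail; that PORT2 defaults to PORT1 when omitted, that only IPv4 is accepted, the interface-name parameter and the constructed sample entries are assumptions, and the command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code and not the patch from the mail:
# build the PREROUTING DNAT rule for one FW_FORWARD_MASQ entry, with the
# optional sixth "address the firewall listens on" field.
#
# Assumed entry format (from the mail): SRC,DSTHOST,PROTO,PORT1[,PORT2[,DEST]]
# Assumptions: PORT2 defaults to PORT1 when empty; DEST must be a bare IPv4
# address; the rule is printed, not executed.

# Accept only a dotted-quad IPv4 address. A '!' negation, a CIDR suffix or
# whitespace is rejected so the value cannot become extra iptables arguments
# when it is expanded unquoted into the command line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables command for one entry on external interface $2
# (default eth0). Returns 1 and prints nothing for a malformed entry.
build_dnat_rule() {
    _entry=$1
    _dev=${2:-eth0}
    _oldifs=$IFS
    IFS=,
    read -r net1 net2 proto port1 port2 dest extra <<EOF
$_entry
EOF
    IFS=$_oldifs

    # Like the ERROR field in the mail: anything past the sixth field is a
    # configuration error, as are missing or non-numeric mandatory fields.
    [ -z "$extra" ] || return 1
    [ -n "$net1" ] && [ -n "$net2" ] || return 1
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port1" in ''|*[!0-9]*) return 1 ;; esac
    port2=${port2:-$port1}
    case "$port2" in *[!0-9]*) return 1 ;; esac

    # Weak form (no sixth field): the rule matches every address on $_dev.
    # Restricted form: only the named public address is translated.
    destopt=''
    if [ -n "$dest" ]; then
        is_ipv4 "$dest" || return 1
        destopt="-d $dest "
    fi

    printf 'iptables -t nat -A PREROUTING -i %s -p %s -s %s --dport %s %s-j DNAT --to-destination %s:%s\n' \
        "$_dev" "$proto" "$net1" "$port1" "$destopt" "$net2" "$port2"
}

# Constructed sample entries: old five-field form, new six-field form, and a
# sixth field carrying extra tokens that an unvalidated expansion would inject.
build_dnat_rule "0/0,192.168.13.130,tcp,80,80" eth1
build_dnat_rule "0/0,192.168.13.130,tcp,80,80,203.0.113.10" eth1
build_dnat_rule "0/0,192.168.13.130,tcp,80,80,203.0.113.10 -j ACCEPT" eth1 \
    || echo "rejected: DEST is not a plain IPv4 address"
```

Running the script prints the unrestricted and the `-d`-restricted rule for the two well-formed entries and the rejection message for the third; the reject path is the point of `is_ipv4`, because the shell's unquoted expansion of an unchecked field would otherwise hand the extra tokens to iptables as if they were part of the rule.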