Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] SuSE-FW-NO_ACCESS_INT->FWEXT (last attempt)
  • From: Johan Stäring <johan@xxxxxxxxxxx>
  • Date: Thu, 1 Aug 2002 12:04:11 +0200 (CEST)
  • Message-id: <Pine.LNX.4.33.0208011141570.19562-100000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>


On Thu, 1 Aug 2002, j0nas wrote:

> I'm going to make one last attempt at getting some answers to my problem
> before I leave this list.

Leaving? No.... :)

> My problem is that I can access all resources from the inside using the
> internal IP address of the firewall,
> i.e. I can view the web pages when calling http://192.168.0.1/ from any other
> machine on the internal network.
> It also works when I try to access the web server from the outside (using
> the external ip), BUT when I try
> to access the web server using the external ip (or the domain pointing to
> my firewall) nothing happens and

This is a "feature"... :) It has been discussed to some extent before on
this list I think, so maybe you can find something interesting by reading
through the archives at the SuSE web site.

Anyway, there are probably a number of ways to solve this. The reason your
requests fail is that the external interface is protected from your
internal network, so any packets with your external IP as destination
coming in through your internal interface will be dropped with a log
message similar to the one below.

In order to resolve this, you need to explicitly allow traffic from the
internal network to your external IP. This can be done by using tailored
ipchains commands, either inserted into an appropriate hook in the
firewall2-custom.rc.config or executed somewhere else, like in a bootup
script.

Anyway, I use the brutal method of opening everything from my internal
network, but that is because I'm the only one there and I sort of trust
myself.

iptables -I INPUT 1 -j ACCEPT -p all -i eth1 -d abc.def.ghi.jkl/32 -s 192.168.0.0/24

You might want to use the -A flag instead, and most likely you'd like to
use one line for each of your external services and with the additional
--dport <whatever> to specify just which services your internal users are
supposed to be able to reach. Maybe you'd like to restrict the protocols
as well, so look at the -p flag too.

You'd also need to change 'eth1' above to 'eth0' in your case.

All in all, man iptables is your friend. :-)

> i get this logged in /var/log/firewall:
> Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT=
> MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5
> DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP
> SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
> (020405B4010303000101080A000000000000000001010402)

It's seldom a good idea to send log entries without mangling the
external IP address. :)

Hope it helps somewhat.

/Johan
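As an added illustration of the narrower approach suggested above (one rule per service with -p and --dport, appended with -A), the script below reads SuSE-FW-NO_ACCESS_INT->FWEXT drops from the firewall log and prints the matching ACCEPT rules. This is example code, not from the original post; the interface, network, external address and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): derive per-service ACCEPT rules
# from SuSE-FW-NO_ACCESS_INT->FWEXT drops instead of opening everything.
# Interface, network and external address are assumptions; adjust to your setup.
INT_IF="eth0"
INT_NET="192.168.0.0/24"
EXT_IP="203.0.113.10"   # placeholder for the firewall's external address

# Constructed sample lines in the format the kernel writes to /var/log/firewall.
SAMPLE_LOG='Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= SRC=192.168.0.5 DST=203.0.113.10 LEN=64 PROTO=TCP SPT=3802 DPT=80 SYN
Jul 27 14:25:40 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= SRC=192.168.0.7 DST=203.0.113.10 LEN=64 PROTO=TCP SPT=3810 DPT=80 SYN
Jul 27 14:26:02 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= SRC=192.168.0.5 DST=203.0.113.10 LEN=48 PROTO=UDP SPT=1025 DPT=53
Jul 27 14:26:30 linux kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=192.168.0.5 DST=203.0.113.10 PROTO=TCP SPT=3811 DPT=22 SYN'

# dropped_services: print one "proto port" pair per distinct blocked service.
# Only NO_ACCESS_INT->FWEXT lines count; other log prefixes are ignored.
dropped_services() {
  printf '%s\n' "$1" | awk '
    /SuSE-FW-NO_ACCESS_INT->FWEXT/ {
      proto = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
        if ($i ~ /^DPT=/)   port  = substr($i, 5)
      }
      if (proto != "" && port != "" && !seen[proto " " port]++) print proto, port
    }'
}

# suggest_rules: one narrowly scoped iptables rule per blocked service,
# appended (-A) rather than inserted at the top of the chain (-I INPUT 1).
suggest_rules() {
  dropped_services "$1" | while read -r proto port; do
    echo "iptables -A INPUT -i $INT_IF -s $INT_NET -d $EXT_IP/32 -p $proto --dport $port -j ACCEPT"
  done
}

suggest_rules "$SAMPLE_LOG"
```

Review the printed rules before running them; only the services you actually want reachable from the inside should be kept.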

