On Monday 20 January 2003 20:26, Carlos Carrera wrote:
Hello friends, a question... Has anybody configured their SuSEfirewall2 with several servers that each have a public IP address? How does SuSEfirewall2 tell apart the packets destined for one server or another, if in the FW_FORWARD_MASQ variable only the source address is given, followed by the private IP address of the server inside your LAN?
Thank you, I hope someone answers me..... please.
Look at this old mail; that is what I'm using. I think SuSE (Marc) has to make an open-source product out of SuSEfirewall2. There are a few enhancements which I use and which are of interest to other users.
My problem was that I have a box with three interfaces (ext, dmz, int), many IPs on the ext interface and one (or more) servers in the DMZ. At the moment the SuSEfirewall2 (v2.1) on my SuSE 8.0 installation can't do that (look in the TODO file). So I spent some time patching the SuSEfirewall2 script and it works well for me. The patch is very small:
1310c1310,1311 < ERROR=`echo $NETS | $AWK -F, '{print $6}'` ---
DEST=`echo $NETS | $AWK -F, '{print $6}'` ERROR=`echo $NETS | $AWK -F, '{print $7}'`
1337a1339
test -z "$DEST" || DEST="-d $DEST"
1339c1341 < $IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1 --to-destination ${NET2}${PORT2} -i $DEV ---
$IPTABLES -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1
$DEST --to-destination ${NET2}${PORT2} -i $DEV
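Review bot: the DEST value taken from field `$6` in hunk 1310c1310,1311 is used without any validation; nothing checks that it looks like an IP address, let alone that it is configured on $DEV, so a mistyped sixth field only shows up as an iptables failure when the script runs. Suggest checking the field next to the existing ERROR test (which already rejects an extra seventh field) so that a bad entry fails at parse time with a clear message.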
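Review bot: the `test -z "$DEST" || DEST="-d $DEST"` line in hunk 1337a1339 silently accepts five-field entries, which keeps the old format working but means the resulting DNAT rule matches every address on $DEV; on a box with several public IPs, one five-field entry for tcp/80 will swallow traffic meant for every other server's public address on that port. Suggest at least warning when DEST is empty and another entry uses the same protocol and port on the same device.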
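Review bot: in hunk 1339c1341 the unquoted `$DEST` between `$PORT1` and `--to-destination` relies on word splitting to turn "-d addr" into two arguments, which is correct here, but it also means any whitespace that slips into the sixth field becomes extra iptables arguments; one more reason to validate the field where it is parsed rather than here.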
Short description:
- edit the test of the arguments of FW_FORWARD_MASQ and add the variable
DEST for the IP address on the firewall
- add a line to test the variable DEST; if set, add '-d ' for later use in the
iptables command
- edit the iptables command for PREROUTING; added the DEST variable
And point 14 in /etc/sysconfig/SuSEfirewall2 gets a fifth argument: the
IP address on which the firewall listens on the ext interface, e.g. for a
www-server:
FW_FORWARD_MASQ="0/0,192.168.13.130,tcp,80,80,<public IP address on ext-interface>"
Warning: With that parameter file you can't start the unpatched SuSEfirewall2
script, because it checks how many arguments are given.
By the way, of course you must configure the public IP address on the firewall box
(/etc/sysconfig/network ...)!
I tested this config, but maybe there are some points I can't see with my
config... Comments are welcome...
Greetings Kai
This was from "Kai-H. Weutzing"
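As an added example (not code from SuSEfirewall2 and not Kai's patch), the script below emulates what the patched FW_FORWARD_MASQ parsing produces: it splits each entry with awk -F, exactly as the patch does, appends "-d <public IP>" when a sixth field is present, and prints the resulting PREROUTING DNAT commands instead of running them. It then answers Carlos's question the hard way by checking the generated rules for the failure mode the sixth field exists to avoid: two DMZ servers on the same port with no "-d", where the first rule matches every destination address on the external interface and the second server never receives a packet. The addresses (192.0.2.x as public, 192.168.13.x as DMZ), the device name and the way the -p/-s/--dport flags are assembled are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from SuSEfirewall2 or from Kai's patch.
# Assumptions: rules are printed, not applied; the -p/-s/--dport flags are
# assembled here in the same spirit as the script; all addresses are
# constructed (192.0.2.x = public side, 192.168.13.x = DMZ hosts).

EXT_DEV="eth0"
# Patched six-field format: sixth field = public address the firewall listens on.
FW_FORWARD_MASQ="0/0,192.168.13.130,tcp,80,80,192.0.2.10 0/0,192.168.13.131,tcp,80,80,192.0.2.11"
# Unpatched five-field format for the same two servers.
FW_FORWARD_MASQ_UNPATCHED="0/0,192.168.13.130,tcp,80,80 0/0,192.168.13.131,tcp,80,80"

# Print one "iptables ... -j DNAT" command per entry.
# $1 = space-separated entry list, $2 = external device.
# Returns 1 on an entry with a seventh field (mirrors the ERROR test in the patch).
gen_dnat_rules() {
    entries="$1"; dev="$2"
    for NETS in $entries; do
        NET1="-s $(echo "$NETS" | awk -F, '{print $1}')"
        NET2=$(echo "$NETS" | awk -F, '{print $2}')
        PROTO="-p $(echo "$NETS" | awk -F, '{print $3}')"
        PORT1="--dport $(echo "$NETS" | awk -F, '{print $4}')"
        PORT2=":$(echo "$NETS" | awk -F, '{print $5}')"
        DEST=$(echo "$NETS" | awk -F, '{print $6}')
        ERROR=$(echo "$NETS" | awk -F, '{print $7}')
        if [ -n "$ERROR" ]; then
            echo "gen_dnat_rules: too many fields in '$NETS'" >&2
            return 1
        fi
        # Only narrow the match when a public address was given (as in the patch).
        test -z "$DEST" || DEST="-d $DEST"
        echo "iptables -A PREROUTING -j DNAT -t nat $PROTO $NET1 $PORT1 $DEST --to-destination ${NET2}${PORT2} -i $dev"
    done
}

# Read generated rules on stdin, echo them back, and flag every rule whose
# (device, protocol, dport) was already covered by an earlier rule that has
# no -d: such a rule can never match.  Exit status 1 if anything was flagged.
check_shadowed() {
    awk '
    {
        dev = ""; proto = ""; port = ""; dest = "*"
        for (i = 1; i <= NF; i++) {
            if ($i == "-i")      dev   = $(i + 1)
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
            if ($i == "-d")      dest  = $(i + 1)
        }
        key = dev "/" proto "/" port
        if ((key in first) && first[key] == "*") {
            print $0 "   # SHADOWED: earlier " key " rule has no -d"
            n++
        } else {
            print
            if (!(key in first)) first[key] = dest
        }
    }
    END { exit (n > 0) }'
}

echo "# patched entries (one public address per server):"
gen_dnat_rules "$FW_FORWARD_MASQ" "$EXT_DEV" | check_shadowed
echo "# unpatched entries (same port, no -d):"
gen_dnat_rules "$FW_FORWARD_MASQ_UNPATCHED" "$EXT_DEV" | check_shadowed \
    || echo "# -> the second server would never receive traffic"
```

Running it shows the two patched rules differing only in their -d address, while the five-field version marks the second rule as shadowed. The same check is worth running over the real rules on a patched box (iptables -t nat -S PREROUTING) after every config change, since the patch itself still accepts entries without a sixth field.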