Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
Re: [suse-security] SuSEfirewall2 and NAT help : i am so lost!
  • From: dproc@xxxxxxx
  • Date: Thu, 15 May 2003 18:50:43 -0500
  • Message-id: <20030515185043.A32488@xxxxxxxxxxxxxxx>
On Thu, 15 May 2003, David T-G wrote:

> From reviewing the archives I *believe* I'm in a good place to ask, but I
> could be wrong. Please be gentle in your redirection :-)

> I am a loyal :-) SuSE user and am doing some work for a client who has
> finally switched from SCO UNIX to SCO's version of Linux, which includes
> SuSEfirewall2 and otherwise looks quite a bit like a SuSE system (gee, go
> figure!).

I suppose that is the reason for the "UnitedLinux" sticker on the box :-)

>
> In any given location he has a static external interface and a 10.x.y.z
> internal interface and would like to do NATting for his internal windows
> machines. I am trying to write a script to configure and enable
> SuSEfirewall2 for this so that he can do a hands-off install on his
> literally thousands of clients.

I really don't understand your architecture - I suppose your client
has thousands of NAT routers at convenience stores or metropolitan
schools or something

> little script to identify the internal and external interfaces, and then
> apply
>
> cat /etc/sysconfig/SuSEfirewall2.bak.$$ | \
> sed \
> -e "s/FW_DEV_EXT=.*/FW_DEV_EXT='$EXT'/" \
> -e "s/FW_DEV_INT=.*/FW_DEV_INT='$INT'/" \
> -e "s/FW_QUICKMODE=.*/FW_QUICKMODE='yes'/" \
> -e "s/FW_ROUTE=.*/FW_ROUTE='yes'/" \
> -e "s/FW_MASQUERADE=.*/FW_MASQUERADE='yes'/" \
> -e "s:FW_MASQ_NETS=.*:FW_MASQ_NETS='10.0.0.0/8':" \
> -e "s/FW_SERVICES_QUICK_TCP=.*/FW_SERVICES_QUICK_TCP='telnet ftp ssh www mysql'/" \
> -e "s:FW_TRUSTED_NETS=.*:FW_TRUSTED_NETS='10.0.0.0/8':" > \
> /etc/sysconfig/SuSEfirewall2
>
> to set the variables accordingly and then create the rc?.d start and stop
> symlinks for the three scripts.
>
> Unfortunately, a client machine on the inside properly pointing to the
> internal address as its default gateway cannot get through. Having read
> the example file, asked google for help, read through list archives, and
> generally poked and prodded everywhere I can, I've come up with many "you
> need to turn on NAT" but no pointers to how to do so!

I am not sure if your script is right but I know how to turn on NAT.

It is the same for all Linux :-
echo 1 > /proc/sys/net/ipv4/ip_forward

The canonical way to do this on SuSE is to set IP_FORWARD=yes in
/etc/sysconfig/sysctl and reboot (but double check your UnitedLinux
manual as I am reading the 8.2 manual)

(naturally google gives you trouble because the kernel hackers always
call their implementation of NAT 'masquerading')

dproc


< Previous Next >
This Thread
References