Mailinglist Archive: opensuse-security (50 mails)

[opensuse-security] SFW2-IN-ILL-TARGET IN=vmnet1 prevents my RDP Nat from working
  • From: peter.burkard@xxxxxxxxxx
  • Date: Wed, 2 Jul 2008 14:43:19 +0200
  • Message-id: <OF98ECEA42.42072E85-ONC125747A.0045C10E-C125747A.0045E22A@xxxxxxxxxx>
Hi there.

My environment:

* SLES 10.1 with patches

* VMWare Server 1.05

* some virtual XP's

* SuseFirewall2 with iptables/nat for rdp session


My config:

# ifconfig

eth0 Link encap:Ethernet HWaddr 00:E0:81:44:89:82
inet addr:10.193.28.1 Bcast:10.193.28.127 Mask:255.255.255.128
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:169

eth1 Link encap:Ethernet HWaddr 00:E0:81:44:89:83
inet addr:192.168.73.1 Bcast:192.168.73.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:169

eth2 Link encap:Ethernet HWaddr 00:0E:0C:AA:AC:32
inet addr:10.49.26.82 Bcast:10.49.27.255 Mask:255.255.252.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:82197 errors:0 dropped:0 overruns:0 frame:0
TX packets:8840 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6646116 (6.3 Mb) TX bytes:10600143 (10.1 Mb)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:15972 errors:0 dropped:0 overruns:0 frame:0
TX packets:15972 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8837810 (8.4 Mb) TX bytes:8837810 (8.4 Mb)

vmnet1 Link encap:Ethernet HWaddr 00:50:56:C0:00:01
inet addr:192.168.74.1 Bcast:192.168.74.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

# iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:mrt
to:192.168.74.100:3389
DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50001
to:192.168.74.101:3389
DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50002
to:192.168.74.102:3389
DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50003
to:192.168.74.103:3389
DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50004
to:192.168.74.104:3389

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Some settings of my firewall:

* FW_DEV_EXT="eth2"
* FW_DEV_INT="vmnet1"
* FW_ROUTE="yes"
* FW_MASQUERADE="yes"
* FW_MASQ_DEV="$FW_DEV_EXT"
* FW_MASQ_NETS="0/0"
* FW_PROTECT_FROM_INT="no"
* FW_SERVICES_REJECT_EXT="0/0,tcp,113"
* FW_SERVICES_EXT_TCP="8080 8222 8333 904 5801 5901 http https ssh"
* FW_FORWARD_MASQ="0/0,192.168.74.100,tcp,50000,3389,10.49.26.181
0/0,192.168.74.101,tcp,50001,3389,10.49.26.181
0/0,192.168.74.102,tcp,50002,3389,10.49.26.181
0/0,192.168.74.103,tcp,50003,3389,10.49.26.181
0/0,192.168.74.104,tcp,50004,3389,10.49.26.181"

My problem:

Can't connect to the vXP's via RDP over NAT because of this error message
from SuseFirewall:

Jul 2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100
DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP
SPT=138 DPT=138 LEN=209

Any ideas out there to fix this?!

I hope so :-)

Thanks in advance.

Regards / Mit freundlichen Grüßen

Peter Burkard

ABB AG
ABB/PTSP-O12
Kallstadter Str. 1
D-68309-Mannheim

Phone: +49 621 381 2012
Mobile: +49 621 381 2013
email: peter.burkard@xxxxxxxxxx
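A small triage helper, added here as an example and not part of the original post: it parses the SFW2 kernel log line and the FW_FORWARD_MASQ entries quoted above and reports whether the dropped packet is one that any of the forwarding rules would have to carry. The sample log line and config value are copied from the mail; the vmnet1 subnet 192.168.74.0/24 is taken from the ifconfig output, and the port-to-service names (UDP 137/138 NetBIOS, TCP 3389 RDP) are the standard IANA assignments. Running it shows that the logged packet is a UDP port 138 NetBIOS datagram sent to the vmnet1 broadcast address, which none of the TCP 3389 forwards cover, so that log entry and the RDP forwarding can be checked separately.

```python
"""Parse a SuSEfirewall2 (SFW2) kernel log line and FW_FORWARD_MASQ entries,
then say whether the logged drop touches a forwarded service.
Added example; sample data below is copied from the mailing-list post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log line from the post, joined back onto one line.
SAMPLE_LOG = (
    "Jul 2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100 "
    "DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP "
    "SPT=138 DPT=138 LEN=209"
)

# FW_FORWARD_MASQ value from the post. Each whitespace-separated entry is
# source_net,target_ip,protocol,external_port,target_port[,external_ip].
SAMPLE_FORWARD_MASQ = """0/0,192.168.74.100,tcp,50000,3389,10.49.26.181
0/0,192.168.74.101,tcp,50001,3389,10.49.26.181
0/0,192.168.74.102,tcp,50002,3389,10.49.26.181
0/0,192.168.74.103,tcp,50003,3389,10.49.26.181
0/0,192.168.74.104,tcp,50004,3389,10.49.26.181"""

# vmnet1 subnet, taken from the ifconfig output in the post (assumption: /24).
VMNET1_NET = "192.168.74.0/24"

# Standard IANA service names for the ports that matter here.
KNOWN_PORTS = {
    ("udp", 137): "netbios-ns",
    ("udp", 138): "netbios-dgm",
    ("tcp", 3389): "ms-wbt-server (RDP)",
}


@dataclass(frozen=True)
class ForwardRule:
    src_net: str
    target_ip: str
    proto: str
    ext_port: int
    target_port: int
    ext_ip: Optional[str]


def parse_forward_masq(value: str) -> List[ForwardRule]:
    """Split a FW_FORWARD_MASQ value into one ForwardRule per entry."""
    rules = []
    for token in value.split():
        parts = token.split(",")
        if len(parts) < 5:
            raise ValueError(f"malformed FW_FORWARD_MASQ entry: {token!r}")
        rules.append(ForwardRule(
            src_net=parts[0], target_ip=parts[1], proto=parts[2].lower(),
            ext_port=int(parts[3]), target_port=int(parts[4]),
            ext_ip=parts[5] if len(parts) > 5 else None))
    return rules


_KV = re.compile(r"(\w+)=(\S*)")


def parse_sfw2_log(line: str) -> Dict[str, str]:
    """Turn 'kernel: SFW2-<RULE> K=V K=V ...' into a dict; RULE holds the tag.
    LEN appears twice (IP header, then UDP); the first one is kept."""
    m = re.search(r"kernel: (SFW2-[A-Z-]+) (.*)$", line)
    if not m:
        raise ValueError("not an SFW2 kernel log line")
    fields = {"RULE": m.group(1)}
    for key, val in _KV.findall(m.group(2)):
        fields.setdefault(key, val)
    return fields


def explain_drop(fields: Dict[str, str], rules: List[ForwardRule],
                 internal_net: str) -> Dict[str, object]:
    """Classify the dropped packet against the forwarding rules."""
    proto = fields.get("PROTO", "").lower()
    dport = int(fields["DPT"]) if "DPT" in fields else None
    net = ipaddress.ip_network(internal_net)
    dst = ipaddress.ip_address(fields["DST"])
    # A forward is touched only if protocol and one of its ports match.
    hits = [r for r in rules
            if r.proto == proto and dport in (r.ext_port, r.target_port)]
    return {
        "rule": fields["RULE"],
        "in_iface": fields.get("IN", ""),
        "proto": proto,
        "dport": dport,
        "is_subnet_broadcast": dst == net.broadcast_address,
        "affects_forwarded_service": bool(hits),
        "service_hint": KNOWN_PORTS.get((proto, dport), "unknown"),
    }


if __name__ == "__main__":
    verdict = explain_drop(parse_sfw2_log(SAMPLE_LOG),
                           parse_forward_masq(SAMPLE_FORWARD_MASQ), VMNET1_NET)
    for k, v in verdict.items():
        print(f"{k}: {v}")
```

The same parser can be pointed at a whole /var/log/messages extract: any SFW2 line whose verdict reports affects_forwarded_service as true is worth a closer look, while subnet-broadcast NetBIOS chatter from the guests can be filtered out as noise.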
