Mailinglist Archive: opensuse-security (3 mails)

[opensuse-security] Re: SuseFirewall2: Strange masquerading rule for port forwarding rules when both FW_MASQ_NETS and FW_FORWARD_MASQ are defined
No comments? :(


On Tue, Apr 30, 2013 at 6:06 PM, Juan Luis Baptiste
<juan.baptiste@xxxxxxxxx> wrote:
Hi,

I'm seeing something strange that I do not understand. According to
iptables documentation[1], port forwarding rules are defined on the
PREROUTING chain in the nat table, and masquerading rules are defined
on the POSTROUTING chain also in the nat table (plus the needed
additional rules in chain FORWARD in the filter table). I'm testing a
simple scenario:

An OpenSUSE 12.3 server with two interfaces, one connected to the
192.168.1.0/24 (external network) on eth0, and connected to
192.168.10.0/24 (internal network) on eth1:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"


If I define:

FW_FORWARD_MASQ="192.168.1.102,192.168.10.111,tcp,2222,22"

I will correctly see the rule created on PREROUTING:

Chain PREROUTING (policy ACCEPT 8 packets, 869 bytes)
 pkts bytes target prot opt in   out source        destination
    1    60 DNAT   tcp  --  eth0 *   192.168.1.102 0.0.0.0/0   tcp dpt:2222 to:192.168.10.111:22


The same happens for masquerading for this rule:

FW_MASQ_NETS="192.168.10.0/24,0/0"

I will correctly see the rule created on POSTROUTING:

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in  out  source          destination
    6   395 MASQUERADE all  --  *   eth0 192.168.10.0/24 0.0.0.0/0

BUT, if both variables are defined at the same time, an additional
rule in the POSTROUTING chain will be created for the port forwarding
rule defined in FW_FORWARD_MASQ. Look at this:

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in  out  source          destination
    6   395 MASQUERADE all  --  *   eth0 192.168.10.0/24 0.0.0.0/0
    0     0 MASQUERADE tcp  --  *   eth0 192.168.1.102   0.0.0.0/0   tcp dpt:22

Now there's an additional masquerading rule (the second one) for the
external host 192.168.1.102. Note that that host is on the network
connected to the firewall on eth0, and the output interface is also
eth0, with the destination port of the port forwarding rule in
FW_FORWARD_MASQ. This doesn't make any sense to me. Is this correct?
Why does that rule appear only when both FW_MASQ_NETS and FW_FORWARD_MASQ
are defined and not when only the latter is defined? Both rules work
OK; I'm just wondering about that extra rule, which doesn't seem to have
any use.

[1] http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html


Cheers,
--
JLB



--
JLB
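An added audit check, not part of the mail above and not SuSEfirewall2 code: it parses `iptables -t nat -L POSTROUTING -v -n` output (the listing quoted in the mail, re-joined onto one line per rule, is embedded as sample input) and flags MASQUERADE rules whose source already sits on the network of the out interface, which is exactly the surprising second rule for 192.168.1.102 leaving via eth0. The interface-to-network map is an assumption taken from the mail's topology (eth0 external 192.168.1.0/24, eth1 internal 192.168.10.0/24).

```python
import ipaddress

# Constructed sample: the POSTROUTING listing quoted in the mail, one rule per line.
SAMPLE_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in  out  source          destination
    6   395 MASQUERADE all  --  *   eth0 192.168.10.0/24 0.0.0.0/0
    0     0 MASQUERADE tcp  --  *   eth0 192.168.1.102   0.0.0.0/0   tcp dpt:22
"""

# Assumed mapping of firewall interfaces to their directly attached networks
# (FW_DEV_EXT="eth0" on the external LAN, FW_DEV_INT="eth1" on the internal LAN).
IFACE_NETS = {
    "eth0": ipaddress.ip_network("192.168.1.0/24"),
    "eth1": ipaddress.ip_network("192.168.10.0/24"),
}


def parse_nat_rules(listing):
    """Turn `iptables -v -n` chain output into a list of rule dicts.

    Header lines are skipped; the first nine columns are fixed, anything
    after them (match extensions such as 'tcp dpt:22') is kept as 'extra'.
    """
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].isdigit():
            continue  # chain header or column header line
        _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = parts[:9]
        rules.append({
            "target": target, "prot": prot, "in": in_if, "out": out_if,
            "src": ipaddress.ip_network(src, strict=False),  # host -> /32
            "dst": dst, "extra": " ".join(parts[9:]),
        })
    return rules


def find_hairpin_masquerade(rules, iface_nets):
    """Return MASQUERADE rules whose source lies on the out interface's own network.

    Such a rule rewrites traffic from a directly attached host back out the
    same interface it lives on, which is what the mail observes for
    192.168.1.102 via eth0; normally only internal sources should match.
    """
    findings = []
    for rule in rules:
        if rule["target"] != "MASQUERADE":
            continue
        net = iface_nets.get(rule["out"])
        if net is not None and rule["src"].subnet_of(net):
            findings.append(rule)
    return findings
```

Run it against a live box with `parse_nat_rules(subprocess.check_output(["iptables", "-t", "nat", "-L", "POSTROUTING", "-v", "-n"], text=True))` and adjust IFACE_NETS to the real interface layout.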