* SuSEfirewall2 and NAT help : i am so lost!
From: David T-G @ 2003-05-15 20:39 UTC
To: NetFilter Users' List
Hi, all --
From reviewing the archives I *believe* I'm in a good place to ask, but I
could be wrong. Please be gentle in your redirection :-)
I am doing some work for a client who has finally switched from SCO UNIX
to SCO's version of Linux, which includes SuSEfirewall2 which, AIUI, is a
front-end to iptables and/or netfilter (I know I don't know about what
I'm talking!)
In any given location he has a static external interface and a 10.x.y.z
internal interface and would like to do NATting for his internal Windows
machines. I am trying to write a script to configure and enable
SuSEfirewall2 for this so that he can do a hands-off install on his
literally thousands of clients.
SCO UNIX used ipf and ipnat, and I got those simple rules worked out.
Now I need to do the same thing for iptables and SuSEfirewall2 and I'm
pretty lost. Maybe I don't even need to worry about that package but to
instead just talk to iptables directly; if that's the case, not only do I
need to work up a different config file but also startup scripts, right?
Recalling that this has to be a hands-off install, I have whipped up a
little script to identify the internal and external interfaces, and then
apply
cat /etc/sysconfig/SuSEfirewall2.bak.$$ | \
sed \
-e "s/FW_DEV_EXT=.*/FW_DEV_EXT='$EXT'/" \
-e "s/FW_DEV_INT=.*/FW_DEV_INT='$INT'/" \
-e "s/FW_QUICKMODE=.*/FW_QUICKMODE='yes'/" \
-e "s/FW_ROUTE=.*/FW_ROUTE='yes'/" \
-e "s/FW_MASQUERADE=.*/FW_MASQUERADE='yes'/" \
-e "s:FW_MASQ_NETS=.*:FW_MASQ_NETS='10.0.0.0/8':" \
-e "s/FW_SERVICES_QUICK_TCP=.*/FW_SERVICES_QUICK_TCP='telnet ftp ssh www mysql'/" \
-e "s:FW_TRUSTED_NETS=.*:FW_TRUSTED_NETS='10.0.0.0/8':" > \
/etc/sysconfig/SuSEfirewall2
to set the variables accordingly and then create the rc?.d start and stop
symlinks for the three scripts.
Unfortunately, a client machine on the inside properly pointing to the
internal address as its default gateway cannot get through. Having read
the example file, asked google for help, read through list archives, and
generally poked and prodded everywhere I can, I've come up with many "you
need to turn on NAT" but no pointers to how to do so!
TIA & HAND
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@justpickone.org * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
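An added example, not from this thread, showing how the variable rewriting in the sed pipeline above can be made robust for a hands-off install. The pipeline's patterns are unanchored and only substitute lines that already exist, so a variable that is absent from the shipped file is left unset without any error. The functions below (fw_set, fw_get, configure_nat and the temp-file handling are this example's own names) anchor each key to the start of the line and append the assignment when it is missing; the FW_SERVICES_QUICK_TCP service list is left for the reader to set with the same function.

```shell
#!/bin/sh
# Added example, not code from the thread.  Sets SuSEfirewall2 variables
# the way the poster's sed pipeline does, but anchored to the start of the
# line and with an append fallback, so a variable that is missing from the
# file (or present only inside a comment) cannot be skipped silently.
# fw_set / fw_get / configure_nat are names chosen for this example.

# fw_set FILE KEY VALUE : replace "KEY=..." at line start, or append it
fw_set() {
    file=$1 key=$2 value=$3
    # escape characters that are special on the right-hand side of s|||
    # so that values such as 10.0.0.0/8 or anything containing & survive
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -q "^$key=" "$file"; then
        # anchored: commented examples like "# FW_DEV_EXT=..." are untouched
        sed "s|^$key=.*|$key='$esc'|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf "%s='%s'\n" "$key" "$value" >> "$file"
    fi
}

# fw_get FILE KEY : print the effective value (last assignment wins,
# surrounding single or double quotes stripped), empty if unset
fw_get() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}$/\1/p" "$1" | tail -n 1
}

# configure_nat FILE INT_IF EXT_IF : the poster's routing/masquerading
# settings, after keeping a backup as the original script does
configure_nat() {
    file=$1 int=$2 ext=$3
    cp "$file" "$file.bak.$$"
    fw_set "$file" FW_DEV_EXT "$ext"
    fw_set "$file" FW_DEV_INT "$int"
    fw_set "$file" FW_ROUTE yes
    fw_set "$file" FW_MASQUERADE yes
    fw_set "$file" FW_MASQ_NETS 10.0.0.0/8
    fw_set "$file" FW_TRUSTED_NETS 10.0.0.0/8
}

# usage on a real box (as root): configure_nat /etc/sysconfig/SuSEfirewall2 eth1 eth0
```

fw_get exists so the install script can verify its own work afterwards (for example, refuse to continue if `fw_get ... FW_DEV_EXT` comes back empty) instead of trusting that sed matched something.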
* Re: SuSEfirewall2 and NAT help : i am so lost!
From: Jeremy C. Reed @ 2003-05-15 20:51 UTC
To: David T-G; +Cc: NetFilter Users' List
On Thu, 15 May 2003, David T-G wrote:
> I am doing some work for a client who has finally switched from SCO UNIX
> to SCO's version of Linux, which includes SuSEfirewall2 which, AIUI, is a
I just read yesterday that SCO is officially not supporting Linux anymore.
Search for the news via Google :)
> generally poked and prodded everywhere I can, I've come up with many "you
> need to turn on NAT" but no pointers to how to do so!
Go to the netfilter webpage. Click on Documentation.
Then read the NAT HOWTO for your preferred language. A quick example is at
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html
Jeremy C. Reed
http://bsd.reedmedia.net/
* Re: SuSEfirewall2 and NAT help : i am so lost!
From: David T-G @ 2003-05-15 21:18 UTC
To: NetFilter Users' List; +Cc: Jeremy C. Reed
Jeremy, et al --
...and then Jeremy C. Reed said...
%
% On Thu, 15 May 2003, David T-G wrote:
%
% > I am doing some work for a client who has finally switched from SCO UNIX
% > to SCO's version of Linux, which includes SuSEfirewall2 which, AIUI, is a
%
% I just read yesterday that SCO is officially not supporting Linux anymore.
% Search for the news via Google :)
Heh. I'm not particularly worried; it was he who insisted on staying
with SCO, despite my clear illustration that it wasn't effective, and it
was only when his investors noted the cost of SCO licenses versus Linux
licenses and support and how that affected *their* bottom line that he
switched... Personally I'm a SuSE man for production Linux (good service
contract support in a robust distro), though I like OpenBSD for secure
servers and I've heard good things about Debian but haven't tried it
again in the past few years (that free time thing). But I'm obviously
just the dumb programmer ;-)
%
% > generally poked and prodded everywhere I can, I've come up with many "you
% > need to turn on NAT" but no pointers to how to do so!
%
% Go to the netfilter webpage. Click on Documentation.
OK.
%
% Then read the NAT HOWTO for your preferred language. A quick example is at
% http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html
Oooh, perfect. It actually sounds like I need
Packet Filtering HOWTO: 'Mixing NAT and Packet Filtering'
but I'll find that -- unless some kind soul points me to it first :-)
%
% Jeremy C. Reed
% http://bsd.reedmedia.net/
Thanks & HAND
:-D
* Re: SuSEfirewall2 and NAT help : i am so lost!
From: David T-G @ 2003-05-15 22:45 UTC
To: NetFilter Users' List
Hi again, all --
...and then David T-G said...
%
% ...and then Jeremy C. Reed said...
% %
% % On Thu, 15 May 2003, David T-G wrote:
% %
...
% % > generally poked and prodded everywhere I can, I've come up with many "you
% % > need to turn on NAT" but no pointers to how to do so!
% %
% % Go to the netfilter webpage. Click on Documentation.
...
% % Then read the NAT HOWTO for your preferred language. A quick example is at
% % http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html
%
% Oooh, perfect. It actually sounds like I need
%
% Packet Filtering HOWTO: 'Mixing NAT and Packet Filtering'
%
% but I'll find that -- unless some kind soul points me to it first :-)
I looked at tldp.org before I realized that it's on the netfilter page as
referred above :-)
I believe I've done the simple setup, but it still doesn't work for me.
I checked and found
linux:~ # cat /proc/sys/net/ipv4/ip_forward
1
so that should be fine.
I've attached `iptables -L` so that you can see if anything looks wrong.
Thanks again!
HAND
:-D
Attachment iptables-L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 255.255.255.255 udp spt:bootps dpt:bootpc
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- dns1.rcsntx.sbcglobal.net anywhere state NEW udp spt:domain dpts:1024:65535
ACCEPT udp -- dns1.snfcca.sbcglobal.net anywhere state NEW udp spt:domain dpts:1024:65535
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-NEW-CONNECT '
ACCEPT udp -- anywhere anywhere state ESTABLISHED udp dpts:61000:65095
input_ext all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
reject_func all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
Chain input_ext (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:telnet
reject_func tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN
reject_func all -- anywhere anywhere
Chain reject_func (3 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
* Re: SuSEfirewall2 and NAT help : i am so lost!
From: Aide Florent @ 2003-05-16 12:49 UTC
To: netfilter
On Friday 16 May 2003 00:45, David T-G wrote:
> Hi again, all --
> "you % % > need to turn on NAT" but no pointers to how to do so!
snip 8<------------
> % Packet Filtering HOWTO: 'Mixing NAT and Packet Filtering'
snip 8<------------
> I've attached `iptables -L` so that you can see if anything looks wrong.
you should try
iptables -t nat -nvL
if you want to see what is "NATed" by your machine.
Hope it helps.
Florent AIDE
* Re: SuSEfirewall2 and NAT help : i am so lost!
From: David T-G @ 2003-05-16 15:16 UTC
To: NetFilter Users' List; +Cc: Aide Florent
Florent, et al --
...and then Aide Florent said...
%
% On Friday 16 May 2003 00:45, David T-G wrote:
% > Hi again, all --
...
% > I've attached `iptables -L` so that you can see if anything looks wrong.
%
% you should try
%
% iptables -t nat -nvL
%
% if you want to see what is "NATed" by your machine.
Ah. Oops! Now *that* is attached.
%
% Hope it helps.
I don't really know what I'm reading, but I admit that it looks somewhat
sparse. I hope someone can tell me what pieces I'm missing!
%
% Florent AIDE
Thanks again & HAND
:-D
Attachment iptables-tnat-nvL:
Chain PREROUTING (policy ACCEPT 326 packets, 31713 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 5 packets, 260 bytes)
pkts bytes target prot opt in out source destination
384 22065 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 221 packets, 13301 bytes)
pkts bytes target prot opt in out source destination
* Re: SuSEfirewall2 and NAT help : i am so lost!
From: P.Italiaander @ 2003-05-16 17:54 UTC
To: netfilter
> On Friday 16 May 2003 17:16, David T-G wrote:
> Florent, et al --
>
> ...and then Aide Florent said...
> %
> % On Friday 16 May 2003 00:45, David T-G wrote:
> % > Hi again, all --
> ...
> % > I've attached `iptables -L` so that you can see if anything looks wrong.
> %
> % you should try
> %
> % iptables -t nat -nvL
> %
> % if you want to see what is "NATed" by your machine.
>
> Ah. Oops! Now *that* is attached.
>
>
> %
> % Hope it helps.
>
> I don't really know what I'm reading, but I admit that it looks somewhat
> sparse. I hope someone can tell me what pieces I'm missing!
>
>
> %
> % Florent AIDE
>
>
> Thanks again & HAND
>
> :-D
At first I thought somebody would notice, but you have a huge hole in your
firewall:
so you do:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 255.255.255.255 udp spt:bootps dpt:bootpc
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- dns1.rcsntx.sbcglobal.net anywhere state NEW udp spt:domain dpts:1024:65535
ACCEPT udp -- dns1.snfcca.sbcglobal.net anywhere state NEW udp spt:domain dpts:1024:65535
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-NEW-CONNECT '
ACCEPT udp -- anywhere anywhere state ESTABLISHED udp dpts:61000:65095
input_ext all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Iptables behaviour is: the first match counts!!
So if you set the first rule of the INPUT chain to ACCEPT all -- anywhere anywhere,
it means that all traffic both ways may pass. This behaviour is not acceptable.
Actually ALL the other rules 2, 3, 4 etc. of the INPUT chain are not matched.
You could do more filtering by interface.
Then the FORWARD chain:
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
reject_func all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
It seems you have a ppp adapter, but only a clamp to PMTU is not enough to
get it working. It only corrects the PMTU value.
Your policy says DROP, but your reject_func rejects further traffic, so the
ACCEPT all -- anywhere anywhere is not matched; you would override your own
POLICY if it did.
So you have to make a rule with a state NEW, before the reject_func, and let
everything pass from the internal network to the WWW.
example:
iptables -A FORWARD -m state --state NEW -i $int_if -o $ext_if -j ACCEPT
Now the firewall knows how to forward between interfaces.
This should do the job, let us know!!
Pascal
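An added example, not part of Pascal's reply or of SuSEfirewall2, that mechanises the check he does by eye: within a chain, a rule with protocol all, any source, any destination and no further match that jumps to a terminating target makes every rule after it unreachable. The script parses the plain `iptables -L` layout (not the -nvL one) and reports such rules; the listing embedded below is a constructed excerpt of the thread's chains, and shadow_audit is this example's own name. One caveat for whoever reviews the result: `iptables -L` without -v omits the in and out interface columns, so a rule printed as ACCEPT all -- anywhere anywhere may in fact be restricted to an interface such as lo; confirm with `iptables -nvL` before changing anything.

```shell
#!/bin/sh
# Added example, not code from the thread.  Reports rules that shadow
# everything after them in a chain, as in the poster's INPUT and FORWARD
# chains.  Input is the text of `iptables -L` (no -v, no -n); the sample
# below is a constructed excerpt of the listing posted in the thread.

SAMPLE='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
input_ext all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
reject_func all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain input_ext (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
reject_func all -- anywhere anywhere'

# shadow_audit < listing
# A rule is a catch-all when it is "all" / anywhere / anywhere with no
# extra match (exactly five columns).  If its target never returns
# (ACCEPT, DROP, REJECT, or the SuSEfirewall2 user chain reject_func,
# which ends in an unconditional REJECT), later rules in the chain are
# dead.  Output is sorted because awk iterates arrays in arbitrary order.
shadow_audit() {
    awk '
    /^Chain /  { chain = $2; n = 0; shadow = 0; next }
    /^target / { next }
    NF == 0    { next }
    {
        n++
        if (shadow) { dead[chain]++; next }
        catchall = (NF == 5 && $2 == "all" && $4 == "anywhere" && $5 == "anywhere")
        terminal = ($1 == "ACCEPT" || $1 == "DROP" || $1 == "REJECT" || $1 == "reject_func")
        if (catchall && terminal) { shadow = 1; pos[chain] = n; tgt[chain] = $1 }
    }
    END {
        for (c in dead)
            printf "%s: rule %d (%s all anywhere anywhere) shadows %d later rule(s)\n",
                   c, pos[c], tgt[c], dead[c]
    }' | sort
}

# stand-alone run over the sample; on a live box: iptables -L | shadow_audit
printf '%s\n' "$SAMPLE" | shadow_audit
```

On the sample this prints one line for INPUT (rule 1 shadows four rules) and one for FORWARD (rule 2, reject_func, shadows the final ACCEPT), and nothing for input_ext, whose reject_func is legitimately last.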
* Re: is forwarding compiled in? (was "Re: SuSEfirewall2 and NAT ...")
From: David T-G @ 2003-05-19 14:49 UTC
To: NetFilter Users' List; +Cc: P.Italiaander
Pascal, et al --
...and then P.Italiaander said...
%
...
% At first I thought somebody would notice, but you have a huge hole in your
% firewall :
% so you do:
%
% Chain INPUT (policy DROP)
% target prot opt source destination
% ACCEPT all -- anywhere anywhere
% ACCEPT all -- anywhere anywhere state
% RELATED,ESTABLISHED
Hmmm... Yes, now that you've pointed it out I see that :-)
At this point I don't actually care, because I'm having so much trouble
trying to get NATting to work. But I certainly don't want to stick with
this!
I've decided to give up on the SuSEfirewall2 front end and write the
rules myself. For one thing, I *don't* have a ppp interface; I use eth0
and eth1!
I wonder if I even have forwarding compiled into the kernel, though. Per
the 'Masquerading Made Simple' HOWTO I tried
linux:~ #modprobe ipt_MASQERADE
modprobe: Can't locate module ipt_MASQERADE
so it isn't a module and yet forwarding doesn't seem to work. For a last
try (before starting over completely) I will try your
% iptables -A FORWARD -m state --state NEW -i $int_if -o $ext_if -j ACCEPT
suggestion as well.
Thanks a bunch & HAND
:-D
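An added example, not from the thread, for the question this last message asks: is the kernel side actually in place? It checks the three things masquerading needs (both interfaces, ip_forward, and a registered nat table), reading /proc as a 2.4 or 2.6 iptables kernel exposes it, and prints the minimal rule set for review before anything is applied: Pascal's NEW rule plus the return-path rule that the thread's FORWARD listing does not show. The function names, the PROC_ROOT override used for testing and the rule choices are this example's own. Two facts worth keeping next to it: the module is spelt ipt_MASQUERADE, and the earlier `iptables -t nat -nvL` listing succeeded and showed a MASQUERADE rule, so the nat table itself was already loaded on that machine.

```shell
#!/bin/sh
# Added example, not code from the thread.  Preflight for a masquerading
# gateway plus the minimal rules, printed for review rather than applied.
# PROC_ROOT exists only so the checks can run against a fake /proc tree;
# leave it at the default on a real system.

PROC_ROOT=${PROC_ROOT:-/proc}

# nat_preflight INT_IF EXT_IF : one "missing:" line per absent piece;
# returns 0 when everything is present, 1 otherwise
nat_preflight() {
    int=$1 ext=$2 rc=0
    for dev in "$int" "$ext"; do
        # /proc/net/dev lists every interface as "  name: counters..."
        if ! grep -q "^ *$dev:" "$PROC_ROOT/net/dev" 2>/dev/null; then
            echo "missing: interface $dev not present in /proc/net/dev"; rc=1
        fi
    done
    if [ "$(cat "$PROC_ROOT/sys/net/ipv4/ip_forward" 2>/dev/null)" != 1 ]; then
        echo "missing: ip_forward is not 1 (echo 1 > /proc/sys/net/ipv4/ip_forward)"; rc=1
    fi
    # the nat table appears here once iptable_nat is loaded or built in
    if ! grep -qx nat "$PROC_ROOT/net/ip_tables_names" 2>/dev/null; then
        echo "missing: nat table not registered (modprobe iptable_nat)"; rc=1
    fi
    return $rc
}

# nat_rules INT_IF EXT_IF [MASQ_NET] : print the minimal rule set.
# -I puts the FORWARD rules ahead of any catch-all reject already in the
# chain (the thread's reject_func), where -A would leave them unreachable.
# MASQUERADE is limited to the internal net rather than 0.0.0.0/0.
nat_rules() {
    int=$1 ext=$2 net=${3:-10.0.0.0/8}
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $ext -j MASQUERADE
iptables -I FORWARD -i $int -o $ext -s $net -m state --state NEW -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# usage (as root): nat_preflight eth1 eth0 && nat_rules eth1 eth0 | sh
```

Run the preflight first and fix what it names; once it passes, read the three printed rules against the chains you already have (the shadowing problem Pascal describes is exactly why they are inserted, not appended) and only then pipe them to sh.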