[SLUG] DMZ Setup is killing me!!

From: Mike Branda (mike@wackyworld.tv)
Date: Thu Jul 01 2004 - 23:12:57 EDT


O.K. I'm about to give up. I've been messing with the setup for
SuSEfirewall2, which is a niced-up front end to IPTABLES. I'm trying to
get a DMZ up so that when I have to fix something on our renderfarm at
3 AM I can do it from home through ssh. Currently the firewall works
with 2 NICs dividing my local net from the big bad ugly WWW. It is
functioning properly and dropping everything that it should. Now on to
the DMZ. I've read a ton of stuff on how to set up internal DMZs through
FW_FORWARD_MASQ="0/0,10.0.1.2,tcp,80", which basically masquerades and
uses an inside IP on a third NIC that's not a "real world" IP. I can't
get it working. Then there's the preferred method of having a second
ISP-issued "real world" IP on the DMZ; it again resides on the third
NIC, but there is no masquerading, obviously, and it uses
FW_FORWARD="127.0.0.1,127.0.0.2,tcp,1".

The FW lines are straight out of the EXAMPLE included with SuSE, so they
really don't apply to me. Let me sum up what I have and maybe somebody
can point me in the right direction.

Firewall box:

FW_DEV_INT="eth0"
FW_DEV_EXT="eth1"
FW_DEV_DMZ="eth2"

The external has my first ISP-assigned IP. The internal is the generic
192.168.0.0 network. What I'm not sure of is what IP needs to be on
eth2 and any custom routing. I've tried everything I can think of,
including a same and different internal IP, another of my real world
IPs, you name it.

DMZ box:

eth0: tried internal IP, real world IP... all in pairs because AFAIK if
the subnet isn't the same and the networks are different they won't
ping. The only life out there I get is when I use an internal IP like
192.168.0.1 on eth2 for the firewall and 192.168.0.2 on the DMZ. Then I
can ping from firewall to DMZ and vice versa. But when I go from there
to try and use the FW_FORWARD_MASQ, I still can't get in from home on
the outside. The only reason I'm pursuing the masq setup is I can't get
anything else to ping. I'd prefer to do it the other way, but it's not
getting anywhere. So here's the snip from the masq field:

# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP addresses!
# Hint: if FW_DEV_MASQ is set to the external interface you have to set
# FW_FORWARD from internal to DMZ for the service as well to allow access
# from internal!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, separated each by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination IP
# (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
# separated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
# Optional is a port after the destination port, to redirect the request to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"
#
FW_FORWARD_MASQ="0/0,10.0.1.2,tcp,80" # Beware to use this!

Any help would be appreciated. I'm feeling beat up by what should be so
simple... :^(

Mike Branda
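An added walk-through of the FW_FORWARD_MASQ syntax quoted in the post above (this is not SuSEfirewall2's own code): it expands one "src,dst,proto,port[,redirect_port]" rule into the DNAT and FORWARD rules it stands for, and checks whether the destination sits in the DMZ segment or in the internal LAN that the config comment warns about. The 10.0.1.0/24 DMZ network is an assumption; eth1 and 192.168.0.0/24 are the post's own values.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: expand a FW_FORWARD_MASQ rule
# ("src,dst,proto,port[,redirect_port]") into the iptables rules it
# stands for and classify where the destination host lives.

ip_to_int() {   # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/BITS -> exit 0 when IP lies inside NET/BITS ("0/0" matches all)
in_net() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# masq_rule_to_iptables RULE EXT_DEV -> prints (does not apply) the DNAT on
# the external interface plus the FORWARD accept that lets the translated
# packet reach the DMZ host. Only tcp/udp are valid, as the comment says.
masq_rule_to_iptables() {
    src=$(echo "$1" | cut -d, -f1); dst=$(echo "$1" | cut -d, -f2)
    proto=$(echo "$1" | cut -d, -f3); port=$(echo "$1" | cut -d, -f4)
    rport=$(echo "$1" | cut -d, -f5); rport=${rport:-$port}
    case $proto in
        tcp|udp) ;;
        *) echo "error: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    [ "$src" = "0/0" ] && src="0.0.0.0/0"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$2" "$src" "$proto" "$port" "$dst" "$rport"
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$2" "$src" "$dst" "$proto" "$rport"
}

# classify_masq_rule RULE DMZ_NET INT_NET -> "dmz", "internal" (the hole into
# the internal LAN the config comment warns about) or "other"
classify_masq_rule() {
    dst=$(echo "$1" | cut -d, -f2)
    if in_net "$dst" "$2"; then echo dmz
    elif in_net "$dst" "$3"; then echo internal
    else echo other; fi
}

# Walk-through with the post's rule: eth1 external, 192.168.0.0/24 internal,
# and an assumed 10.0.1.0/24 DMZ segment.
masq_rule_to_iptables "0/0,10.0.1.2,tcp,80" eth1
classify_masq_rule "0/0,10.0.1.2,tcp,80" 10.0.1.0/24 192.168.0.0/24
```

Running it prints the two iptables lines for the post's rule followed by "dmz"; pointing the same rule at a 192.168.0.x host instead reports "internal".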

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:03:49 EDT