SuSEfirewall 2 - redirect ports on internal interface to DMZ


SuSEfirewall 2 - redirect ports on internal interface to DMZ

Dirk Enrique Seiffert
I am moving a Mailserver from the internal network to the DMZ. This move
should be invisible for the end user. Last but not least: Some hundred mail
clients are configured to consult an IP, not a name: I can't solve the
issue by configuring my DNS server.

This is my configuration:


200.x.x.x (public IP)
       |
 SuSEfirewall-192.168.254.1--------192.168.254.2 MailServer
       |
 192.168.0.249
       |
internal network


I have to access the mailserver by an IP in the 192.168.0.0/24 range.
External traffic I can easily redirect with FW_FORWARD_MASQ= to an IP in
the DMZ. Internal traffic I can redirect to a local port on the firewall
with FW_REDIRECT.

Is it possible to redirect all traffic coming on the internal interface
for 192.168.0.249 to 192.168.254.2 ?

Any custom rule? I was googling quite a while too, didn't find any rule
doing a forward on the internal interface.

Any idea is appreciated!

Thanks

Enrique



--
Dirk Enrique Seiffert - Lintec S.A.
Ed. Torre del Reloj - Of. 401
Plaza de los Coches, Centro
Cartagena - Colombia
http://www.lintecsa.com

--
This message has been scanned by MailScanner
for viruses and other dangerous content,
and is believed to be clean.


--
Check the headers for your unsubscription address
For additional commands, e-mail: [hidden email]
Security-related bug reports go to [hidden email], not here


Re: SuSEfirewall 2 - redirect ports on internal interface to DMZ

Dirk Schreiner
Hi Dirk,

check out rinetd.
It should solve your problems.

Dirk



--
There are 10 sorts of people in this World.
Those who understand binary, and those who don't.

TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de

Commercial register: Munich HRB 113466
VAT ID: DE 180017238, tax no. 802/40600
Managing director: Rosa Igl


Re: SuSEfirewall 2 - redirect ports on internal interface to DMZ

Ariel Guerrero
You could try this rule.
I'm not an expert in SuSEfirewall2...

# Second field is the host that really serves (the DMZ mail server); the
# optional last field is the destination address the clients actually use.
FW_FORWARD_MASQ="192.168.0.0/24,192.168.254.2,tcp,110,110,192.168.0.249 \
192.168.0.0/24,192.168.254.2,tcp,25,25,192.168.0.249"

I used your configuration for the example, and this is the syntax:
<source network>,<ip to forward to>,<protocol>,<port>[,redirect
port,[destination ip]]

I use it to redirect to my local webserver and it works.

Sorry for my English, I'm Paraguayan.

Greetz

2006/9/27, Dirk Schreiner <[hidden email]>:

> Hi Dirk,
>
> checkout rinetd.
> It should solve youre Problems.
>
> Dirk

--
---------------------------------------------------------
Ing. Ariel Guerrero
Mailto: [hidden email]
Fone: +595 981 425040
Asunción - Paraguay


Re: Re: SuSEfirewall 2 - redirect ports on internal interface to DMZ

mail-53
In reply to this post by Dirk Enrique Seiffert
Good day,

I was recently fiddling around with this port forwarding issue myself.
Using SuSEfirewall2 on SuSE 9.3 Pro allowed me to forward a port on my external IP to another port on a machine behind my firewall. However, using the same script on Novell OES (= SLES9) resulted in nothing.
I then tried rinetd but dropped it again because it only forwards TCP ports, not UDP.
Anyway, would someone have any hints about this difference in behaviour between SuSE Pro 9.3 and SLES9?

Regards,
Peter

____________________________
PV consulting
Maria van Bourgondiëlaan 18 - B-8000 Brugge

GSM +32 478 317 657 - fax +32 50 34 61 60 - skype peter.vynck
e-mail [hidden email]  -  http://www.pv-consulting.com


Re: Re: SuSEfirewall 2 - redirect ports on internal interface to DMZ

Graham Smith-9
I suggest you have a look at this site
http://forge.novell.com/modules/xfmod/project/?susefirewall2

and browse the examples given
http://forgeftp.novell.com//susefirewall2/web/EXAMPLES.html

--
Regards,

Graham Smith


Re: SuSEfirewall 2 - redirect ports on internal

Dirk Enrique Seiffert
In reply to this post by Dirk Schreiner

> check out rinetd.
> It should solve your problems.

Right, this was the quick and easy solution! Thanks a lot. (A
"FW_FORWARD_MASQ" entry will only work on the masqueraded interface.)



--
Dirk Enrique Seiffert - Lintec S.A.
Ed. Torre del Reloj - Of. 401
Plaza de los Coches, Centro
Cartagena - Colombia
http://www.lintecsa.com



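Three points in this thread fit together: the FW_FORWARD_MASQ entry syntax Ariel quotes, Dirk Enrique's closing observation that such an entry only applies to the masqueraded (external) interface, and Peter's remark that rinetd forwards TCP only. The script below is an added example and not code from SuSEfirewall2, rinetd or any poster: it parses FW_FORWARD_MASQ entries in that syntax, renders the iptables DNAT/FORWARD pair each entry implies for a chosen inbound interface (a plain approximation of what the variable means, written here as a custom rule for the internal interface), and renders the equivalent rinetd.conf line. The interface names eth0/eth1 and the FW_FORWARD_MASQ value in the original poster's addressing are constructed for the example.

```python
"""Parse SuSEfirewall2 FW_FORWARD_MASQ entries and show the iptables and rinetd
equivalents. Added example, not SuSEfirewall2's or rinetd's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ForwardMasq:
    source: str             # <source network>, e.g. 192.168.0.0/24
    target: str             # <ip to forward to>: the host that really serves
    proto: str              # tcp or udp
    port: int               # port the clients connect to
    redirect_port: int      # port on the target host
    dest_ip: Optional[str]  # original destination IP to match, None = any


def _host(value: str) -> str:
    """Accept a single IP address only; a trailing '/' (a typical copy-paste
    artefact from a wrapped mail) is rejected instead of silently passed on."""
    return str(ipaddress.ip_address(value))


def parse_forward_masq(value: str) -> List[ForwardMasq]:
    """Split a FW_FORWARD_MASQ value into entries.

    Entry syntax (as quoted in the thread):
    <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
    Entries are separated by whitespace.
    """
    rules: List[ForwardMasq] = []
    for entry in value.split():
        fields = entry.split(",")
        if not 4 <= len(fields) <= 6:
            raise ValueError(f"bad FW_FORWARD_MASQ entry: {entry!r}")
        src, target, proto, port = fields[:4]
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in {entry!r}")
        redirect = int(fields[4]) if len(fields) > 4 and fields[4] else int(port)
        dest = _host(fields[5]) if len(fields) > 5 and fields[5] else None
        rules.append(ForwardMasq(src, _host(target), proto, int(port), redirect, dest))
    return rules


def iptables_rules(rule: ForwardMasq, in_if: str) -> List[str]:
    """DNAT in nat/PREROUTING plus the matching FORWARD accept for one entry,
    bound to the interface the packets arrive on. SuSEfirewall2 binds its
    FW_FORWARD_MASQ rules to the external interface, which is why they never
    see traffic from the internal LAN; passing the internal interface here is
    the custom-rule variant the original poster was looking for."""
    match = f"-i {in_if} -s {rule.source} -p {rule.proto} --dport {rule.port}"
    if rule.dest_ip:
        match += f" -d {rule.dest_ip}"
    return [
        f"iptables -t nat -A PREROUTING {match} "
        f"-j DNAT --to-destination {rule.target}:{rule.redirect_port}",
        f"iptables -A FORWARD -i {in_if} -s {rule.source} -d {rule.target} "
        f"-p {rule.proto} --dport {rule.redirect_port} -m conntrack --ctstate NEW -j ACCEPT",
    ]


def rinetd_line(rule: ForwardMasq) -> str:
    """rinetd.conf line: bindaddress bindport connectaddress connectport.
    rinetd proxies TCP only, so a udp entry has no equivalent. The bind
    address must be configured on the firewall's internal interface."""
    if rule.proto != "tcp":
        raise ValueError("rinetd forwards TCP only")
    bind = rule.dest_ip or "0.0.0.0"
    return f"{bind} {rule.port} {rule.target} {rule.redirect_port}"


# Constructed value in the original poster's addressing: clients still talk to
# 192.168.0.249, the mail server now lives at 192.168.254.2 in the DMZ.
OP_FORWARD_MASQ = (
    "192.168.0.0/24,192.168.254.2,tcp,25,25,192.168.0.249 "
    "192.168.0.0/24,192.168.254.2,tcp,110,110,192.168.0.249"
)

if __name__ == "__main__":
    for r in parse_forward_masq(OP_FORWARD_MASQ):
        print("# custom rules on the internal interface (eth1 assumed):")
        print("\n".join(iptables_rules(r, "eth1")))
        print("# rinetd.conf equivalent:", rinetd_line(r))
```

With the DNAT variant, no SNAT is needed in this topology: the firewall (192.168.254.1) is the DMZ server's gateway, so replies pass back through it and conntrack reverses the translation; it only becomes a hairpin problem when client and server share a segment. IP forwarding must be enabled and the reverse ESTABLISHED,RELATED accept (which SuSEfirewall2 installs globally) is assumed to exist. The rinetd variant needs 192.168.0.249 bound as a secondary address on the firewall's internal interface and, as Peter notes, covers TCP only.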