[suse-security] SuSEfirewall2: external ip aliases with forward / masq?

Hello all,

I've searched through FAQs & archives for a couple days now and haven't
found anything exactly like my problem, so I will describe it and maybe
someone here can offer good advice.  I have installed a SuSE 8.0 machine to
be an Internet firewall. I have a whole Internet-routable public class C
address range to work with on my external interface. I am running only
private RFC1918 addresses on my interior network. I have some Windows PCs on
the internal network that I need to allow a vendor on the outside to
remotely manage via PCAnywhere. Thanks to Togan Muftuoglu's most excellent
"Understanding and Using SuSE Firewall2" document, I have been able to
configure SuSEfirewall2 to perform the FW_FORWARD_MASQ to make this work for
one single internal Windows PC. Now I need to be able to have ip aliases on
the external interface eth0 (let's call them A.B.C.100 as the primary
address and A.B.C.101 and A.B.C.102 as the ip aliases on the external
interface). The internal interface (eth1) of the firewall is 192.168.1.1
and there are no aliases on that one. My internal Windows machines are
192.168.1.10 , 192.168.1.11 and 192.168.1.12 and PCAnywhere is listening on
the normal 5631/tcp and 5632/udp ports on each of these machines.  I also
need to be able to limit the inbound PCAnywhere connection requests to a
specific source address. Let's call the vendor's address X.Y.Z.123. To get
the firewall to work for the one PCA machine, I used these rules in the
/etc/sysconfig/SuSEfirewall2 file:

[mundane config stuff that's normally self-explanatory left out]
FW_SERVICES_EXT_TCP="5631"
FW_SERVICES_EXT_UDP="5632"
FW_TRUSTED_NETS="X.Y.Z.123"
FW_FORWARD_MASQ="X.Y.Z.123,192.168.1.10,tcp,5631 \
                 X.Y.Z.123,192.168.1.10,udp,5632"

This works great for PCAnywhere to get through to the one machine. Now I need to
set up a similar forward/masq deal happening for some external ip aliases to
get forwarded and masqueraded to the other two machines on these tcp/udp
ports like:

A.B.C.101 -> 192.168.1.11   (both 5631/tcp and 5632/udp) 
A.B.C.102 -> 192.168.1.12   (both 5631/tcp and 5632/udp)

Also only allow X.Y.Z.123 from the outside to be permitted to use these
services.

In Togan's document, he mentions how to do this using alternative tcp and
udp port numbers for multiple internal PCAnywhere machines (i.e. 5631/5632
for first pc, 5633/5634 for second, 5635/5636 for the third one, etc) and
only one ip address on the SuSEfirewall2's external address, but my vendor
is stubbornly demanding that I provide separate ip addresses for each
machine and stick with the standard PCAnywhere port numbers. 

I already have the aliased external ip addresses on eth0, that part was easy.
Does anyone know how to make SuSEfirewall2 scripts support them for my need?
Or am I going to have to make an entire script of raw iptables commands from
scratch to accomplish such an animal? If so, is there a way of getting the
raw list of iptables commands that the SuSEfirewall2 startup processes
generates into one big textfile so I may be able to see all that it is
doing, and all in correct order, so that I may use it as a learn-by-example
script?

Thanks,
Neal    
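As an added example (not from the post, and not SuSEfirewall2's own output), this POSIX shell script prints the raw iptables rules that would implement the three alias-to-host mappings described above, each restricted to the vendor's source address, so they can be reviewed before being loaded. The addresses are the placeholders from the post; the script assumes the firewall already carries a generic ESTABLISHED,RELATED accept rule for return traffic, and it prints rather than applies the rules.

```shell
#!/bin/sh
# Added example: generate (not apply) iptables DNAT + FORWARD rules for
# one external alias per internal PCAnywhere host. Placeholder addresses
# are the ones used in the post; eth0 is the external interface there.

VENDOR="X.Y.Z.123"   # only this source may reach the PCAnywhere ports
EXT_IF="eth0"

# Constructed mapping table, "external alias:internal host", one per line.
MAPPINGS="A.B.C.100:192.168.1.10
A.B.C.101:192.168.1.11
A.B.C.102:192.168.1.12"

# pcanywhere_rules EXT_ADDR INT_ADDR
# Emits, for 5631/tcp and 5632/udp, a nat/PREROUTING DNAT rule keyed on
# the alias the packet was sent to, plus the FORWARD accept for the
# rewritten destination. Both carry the source restriction, so a packet
# from any other address is neither translated nor forwarded.
pcanywhere_rules() {
    ext="$1"; int="$2"
    for spec in "tcp:5631" "udp:5632"; do
        proto="${spec%%:*}"; port="${spec##*:}"
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$EXT_IF" "$VENDOR" "$ext" "$proto" "$port" "$int" "$port"
        # Return traffic is assumed to match the firewall's existing
        # ESTABLISHED,RELATED rule, so only NEW is accepted inbound here.
        printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$EXT_IF" "$VENDOR" "$int" "$proto" "$port"
    done
}

# all_rules prints the complete rule set, one rule per line, in load order.
all_rules() {
    echo "$MAPPINGS" | while IFS=: read -r ext int; do
        pcanywhere_rules "$ext" "$int"
    done
}

# count_rules returns how many rules were generated (2 per port, 2 ports per host).
count_rules() { all_rules | wc -l | tr -d ' '; }

all_rules
```

To see the rule set SuSEfirewall2 actually installed, in load order, `iptables-save` prints the active tables in a form that `iptables-restore` can reload, which is a convenient learn-by-example dump.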

