
[suse-security] SuSEfirewall2 and NAT help : i am so lost!
Hi, all --

From reviewing the archives I *believe* I'm in a good place to ask, but I
could be wrong.  Please be gentle in your redirection :-)

I am a loyal :-) SuSE user and am doing some work for a client who has
finally switched from SCO UNIX to SCO's version of Linux, which includes
SuSEfirewall2 and otherwise looks quite a bit like a SuSE system (gee, go
figure!).

In any given location he has a static external interface and a 10.x.y.z
internal interface and would like to do NATting for his internal windows
machines.  I am trying to write a script to configure and enable
SuSEfirewall2 for this so that he can do a hands-off install on his
literally thousands of clients.

SCO UNIX used ipf and ipnat, and I got those simple rules worked out.
Now I need to do the same thing for iptables and SuSEfirewall2 and I'm
pretty lost.

Recalling that this has to be a hands-off install, I have whipped up a
little script to identify the internal and external interfaces, and then
apply

  cat /etc/sysconfig/SuSEfirewall2.bak.$$ | \
    sed \
      -e "s/FW_DEV_EXT=.*/FW_DEV_EXT='$EXT'/" \
      -e "s/FW_DEV_INT=.*/FW_DEV_INT='$INT'/" \
      -e "s/FW_QUICKMODE=.*/FW_QUICKMODE='yes'/" \
      -e "s/FW_ROUTE=.*/FW_ROUTE='yes'/" \
      -e "s/FW_MASQUERADE=.*/FW_MASQUERADE='yes'/" \
      -e "s:FW_MASQ_NETS=.*:FW_MASQ_NETS='10.0.0.0/8':" \
      -e "s/FW_SERVICES_QUICK_TCP=.*/FW_SERVICES_QUICK_TCP='telnet ftp ssh www mysql'/" \
      -e "s:FW_TRUSTED_NETS=.*:FW_TRUSTED_NETS='10.0.0.0/8':" > \
    /etc/sysconfig/SuSEfirewall2

to set the variables accordingly and then create the rc?.d start and stop
symlinks for the three scripts.

Unfortunately, a client machine on the inside properly pointing to the
internal address as its default gateway cannot get through.  Having read
the example file, asked google for help, read through list archives, and
generally poked and prodded everywhere I can, I've come up with many "you
need to turn on NAT" but no pointers to how to do so!


TIA & HAND

:-D
-- 
David T-G                      * There is too much animal courage in 
(play) davidtg@xxxxxxxxxxxxxxx * society and not sufficient moral courage.
(work) davidtgwork@xxxxxxxxxxxxxxx  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
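A check for the configuration the post's sed pipeline writes, added here as an example and not part of the original message or of SuSEfirewall2 itself: it reads a sysconfig file without sourcing it and reports whether the variables masquerading depends on (FW_ROUTE, FW_MASQUERADE, FW_DEV_EXT, FW_DEV_INT, FW_MASQ_NETS) are set consistently. The file path, interface names and sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a SuSEfirewall2
# sysconfig file carries the settings masquerading needs, i.e. the values the
# post's sed script tries to write. Paths and sample values are assumptions.

# Print the value of one FW_* variable from FILE, quotes stripped (last
# assignment wins). Parsed with sed rather than sourced, so an unexpected
# file cannot execute anything.
fw_get() {  # fw_get FILE VAR
    sed -n "s/^$2=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Return 0 when FW_ROUTE and FW_MASQUERADE are 'yes', FW_DEV_EXT, FW_DEV_INT
# and FW_MASQ_NETS are non-empty, and the two interfaces differ; otherwise
# print each problem found and return 1.
check_masq_config() {  # check_masq_config FILE
    f=$1 rc=0
    for v in FW_ROUTE FW_MASQUERADE; do
        [ "$(fw_get "$f" "$v")" = yes ] || { echo "$v is not 'yes'"; rc=1; }
    done
    for v in FW_DEV_EXT FW_DEV_INT FW_MASQ_NETS; do
        [ -n "$(fw_get "$f" "$v")" ] || { echo "$v is empty"; rc=1; }
    done
    [ "$(fw_get "$f" FW_DEV_EXT)" != "$(fw_get "$f" FW_DEV_INT)" ] ||
        { echo "FW_DEV_EXT and FW_DEV_INT are the same interface"; rc=1; }
    return $rc
}

# Constructed sample config (not a real SuSEfirewall2 file), in the shape the
# post's sed pipeline produces; MASQ lets a caller write a broken variant.
write_sample_config() {  # write_sample_config FILE EXT INT MASQ
    printf '%s\n' \
        '## constructed sample of /etc/sysconfig/SuSEfirewall2' \
        "FW_DEV_EXT='$2'" \
        "FW_DEV_INT='$3'" \
        "FW_ROUTE='yes'" \
        "FW_MASQUERADE='$4'" \
        "FW_MASQ_NETS='10.0.0.0/8'" \
        "FW_TRUSTED_NETS='10.0.0.0/8'" > "$1"
}

# Stand-alone use: report on the live file when it exists.
[ -r /etc/sysconfig/SuSEfirewall2 ] && check_masq_config /etc/sysconfig/SuSEfirewall2
```

Run it on the file the post's script generates before creating the rc?.d symlinks; a non-zero exit lists the variables that would leave masquerading switched off.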