
Re: [suse-security] SuSEfirewall2 and NAT help : i am so lost!

On Thu, 15 May 2003, David T-G wrote:

> From reviewing the archives I *believe* I'm in a good place to ask, but I
> could be wrong.  Please be gentle in your redirection :-)

> I am a loyal :-) SuSE user and am doing some work for a client who has
> finally switched from SCO UNIX to SCO's version of Linux, which includes
> SuSEfirewall2 and otherwise looks quite a bit like a SuSE system (gee, go
> figure!).

I suppose that is the reason for the "UnitedLinux" sticker on the box :-)

> In any given location he has a static external interface and a 10.x.y.z
> internal interface and would like to do NATting for his internal windows
> machines.  I am trying to write a script to configure and enable
> SuSEfirewall2 for this so that he can do a hands-off install on his
> literally thousands of clients.

I really don't understand your architecture - I suppose your client
has thousands of NAT routers at convenience stores or metropolitan
schools or something.

> little script to identify the internal and external interfaces, and then
> apply
>   cat /etc/sysconfig/SuSEfirewall2.bak.$$ | \
>     sed \
>       -e "s/FW_DEV_EXT=.*/FW_DEV_EXT='$EXT'/" \
>       -e "s/FW_DEV_INT=.*/FW_DEV_INT='$INT'/" \
>       -e "s/FW_QUICKMODE=.*/FW_QUICKMODE='yes'/" \
>       -e "s/FW_ROUTE=.*/FW_ROUTE='yes'/" \
>       -e "s/FW_MASQUERADE=.*/FW_MASQUERADE='yes'/" \
>       -e "s:FW_MASQ_NETS=.*:FW_MASQ_NETS='':" \
>       -e "s/FW_SERVICES_QUICK_TCP=.*/FW_SERVICES_QUICK_TCP='telnet ftp ssh www mysql'/" \
>       -e "s:FW_TRUSTED_NETS=.*:FW_TRUSTED_NETS='':" > \
>     /etc/sysconfig/SuSEfirewall2
> to set the variables accordingly and then create the rc?.d start and stop
> symlinks for the three scripts.
> Unfortunately, a client machine on the inside properly pointing to the
> internal address as its default gateway cannot get through.  Having read
> the example file, asked google for help, read through list archives, and
> generally poked and prodded everywhere I can, I've come up with many "you
> need to turn on NAT" but no pointers to how to do so!

I am not sure if your script is right but I know how to turn on NAT.

It is the same for all Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward

The canonical way to do this on SuSE is to set IP_FORWARD=yes in
/etc/sysconfig/sysctl and reboot (but double check your UnitedLinux
manual as I am reading the 8.2 manual)

(naturally google gives you trouble because the kernel hackers always
call their implementation of NAT 'masquerading')
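Added example (not the post's script nor SuSEfirewall2's own code): the same variable edits done with patterns anchored at line start, so commented-out sample lines in the config are not rewritten, followed by a check of the result before the box is trusted as a NAT router. It assumes only the variable names quoted above; the requirement that FW_MASQ_NETS be non-empty follows the comments in the stock config file and is stated as an assumption in the code.

```shell
#!/bin/sh
# Added example (not the post's or SuSEfirewall2's own code). Patterns are
# anchored at line start so commented-out sample lines are left alone.

# set_fw_var FILE KEY VALUE: rewrite the active KEY=... line, or append one.
set_fw_var() {
    file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file"; then
        # '|' as the delimiter so values containing '/' (e.g. 10.0.0.0/8) are safe
        sed "s|^$key=.*|$key='$value'|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf "%s='%s'\n" "$key" "$value" >> "$file"
    fi
}

# fw_var FILE KEY: print the active KEY's value with surrounding quotes stripped.
fw_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^['\"]//; s/['\"]$//"
}

# check_masq_config FILE: succeed only when the file describes a working
# masquerading router. FW_MASQ_NETS must be non-empty: per the stock config's
# comments only the networks listed there are masqueraded (assumption here).
check_masq_config() {
    f=$1
    [ -n "$(fw_var "$f" FW_DEV_EXT)" ]       || { echo "FW_DEV_EXT unset"; return 1; }
    [ -n "$(fw_var "$f" FW_DEV_INT)" ]       || { echo "FW_DEV_INT unset"; return 1; }
    [ "$(fw_var "$f" FW_ROUTE)" = yes ]      || { echo "FW_ROUTE not yes"; return 1; }
    [ "$(fw_var "$f" FW_MASQUERADE)" = yes ] || { echo "FW_MASQUERADE not yes"; return 1; }
    [ -n "$(fw_var "$f" FW_MASQ_NETS)" ]     || { echo "FW_MASQ_NETS empty"; return 1; }
}

# Demo on a constructed stand-in for /etc/sysconfig/SuSEfirewall2.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# FW_DEV_EXT="eth0"   <- commented sample line, must stay untouched
FW_DEV_EXT=""
FW_DEV_INT=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_NETS=""
EOF
set_fw_var "$CFG" FW_DEV_EXT eth0; set_fw_var "$CFG" FW_DEV_INT eth1
set_fw_var "$CFG" FW_ROUTE yes;    set_fw_var "$CFG" FW_MASQUERADE yes
check_masq_config "$CFG" || echo "-> not a working NAT config yet"
set_fw_var "$CFG" FW_MASQ_NETS 10.0.0.0/8
check_masq_config "$CFG" && echo "-> OK; now set IP_FORWARD=yes in /etc/sysconfig/sysctl"
```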

