
Re: [opensuse-security] openSUSE 10.3 SuSEfirewall2 script help



Adsquaired wrote:
> I have been tasked with replacing an old Linux firewall. The person
> that built the firewall used Iptables. I want to use the SuSEfirewall2
> script. I can't change the requirement or the infrastructure because
> of existing services.
>
> I'm having some difficulties with the SuSEfirewall2 script. I can't
> seem to get traffic forwarded from the DMZ side to the internal
> network. Here is my layout and requirements.
>
> The new server has three interfaces and the OS is OpenSUSE 10.3.
>
>
>
> The external interface has a public IP address assigned to it.
>
> The internal interface connects to a private subnet where there are
> hosted services and a few employees (QA Lab).
>
> The other interface which I am labeling the DMZ is connected to
> another private network. This is the main employee network.
>
> The QA lab hosts a secure IMAP server, a public web server, four other
> web servers (accessible only to employees) and a public SMTP server.
>
> The QA employees need to have full unrestricted access to the Internet.
>
> The regular employees (DMZ) will not be allowed to use this firewall
> as their gateway, therefore they are restricted from using the DMZ
> interface to get to the Internet. The employees in front of this
> interface should only be allowed to access the four web servers and
> mail server. The key here is that services living on the
> employee network make calls to the web servers on the internal network
> using different ports. For example, http requests to port 83 on the
> DMZ interface will need to be redirected to port 80 on the internal
> web server. FYI. This is where I sit and access to the Firewall for
> administration purposes. The QALAB does not get access to the
> firewall.
>
> [This is what it would look like in IPTABLES]
> -A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
> --dport 83 -j DNAT --to-destination 192.168.2.150:80
> -A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
> --dport 82 -j DNAT --to-destination 192.168.2.150:80
> -A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
> --dport 81 -j DNAT --to-destination 192.168.2.30:80
> -A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
> --dport 80 -j DNAT --to-destination 192.168.2.20:80
> -A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp
> --dport 25 -j DNAT --to-destination 192.168.2.20:25
>
> Additionally, there is an SSL VPN connection and IPSEC traffic but
> that is for another post. My main problem is getting to the lab
> webservice from the DMZ interface. Here is what I have configured in
> the SuSEfirewall2 script.
>
> [Interfaces]
>
> FW_DEV_EXT='any eth5'
> FW_DEV_INT='eth4'
> FW_DEV_DMZ='eth1'
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="zone:ext"
>
> [NAT lab Internet requests only]
> FW_MASQ_NETS="192.168.2.0/24"
>
> FW_PROTECT_FROM_INT="yes"
>
> [The only service listening on the external interface]
> FW_SERVICES_EXT_TCP="SSLVPNPORT"
>
> [Admin SSH access to the firewall from the DMZ network]
> FW_SERVICES_DMZ_TCP="someSSHport"
>
> [Used for VPN]
> FW_FORWARD="192.168.20.0/24,192.168.2.0/24 192.168.2.0/24,192.168.20.0/24"
>
> [Allow Access from the Internet]
> FW_FORWARD_MASQ="0/0,192.168.2.20,tcp,80 0/0,192.168.2.30,tcp,80
> 0/0,192.168.2.150,tcp,80 0/0,192.168.2.20,tcp,25
> 0/0,192.168.2.20,tcp,995"
>
>
> I tried using FW_FORWARD_MASQ to open connections from the DMZ to
> Internal but the firewall log shows the connections being dropped.
>
> How do I allow (without using IPTABLES commands in the custom script)
> the services in the DMZ to access the web services on the internal
> network (using redirection)?
>
> I also tried FW_REDIRECT="" but I do not have open ports on the DMZ
> side of the firewall. Everything should be forwarded through.
>
> Thanks

I am NOT an iptables expert by any means and would have trouble doing
something this complicated.  However, I would not be using SuSE firewall
either.  SuSE firewall is just a scripted frontend to iptables.  I have
set up two boxes with special purposes and quickly found limitations in
SuSE firewall scripts and dumped it.

The big one was that, by default, incoming ports on the public interface
being forwarded to an internal address automatically carried rate limits
on those rules.  I have found on Novell's website a couple of excellent
articles by David Mair on getting started with iptables and dumped
SuSE firewall.

Now those firewalls are easy to read and maintain.

Lyle Giese
LCR Computer Services, Inc.
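Added example, not part of this thread and not SuSEfirewall2's own code: a small Python audit script that parses the DNAT rules quoted in the original post and the FW_FORWARD_MASQ value from the same post, then reports which of the old port mappings the SuSEfirewall2 value does not reproduce (the 83/82/81 to 80 translations) and flags the source mask as written (10.2.2.0/255.0.0.0 is a /8, not a /24). The FW_FORWARD_MASQ field order it assumes, `<source net>,<target ip>,<proto>,<port>[,<target port>[,<ip to redirect>]]`, is my reading of the sysconfig file comments and is not verified against the 10.3 script; the sample inputs are the ones quoted above, reassembled onto one line each.

```python
import ipaddress
import shlex

# Constructed sample input: the five DNAT rules quoted in the post, one per line.
OLD_DNAT_RULES = """
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 83 -j DNAT --to-destination 192.168.2.150:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 82 -j DNAT --to-destination 192.168.2.150:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.2.30:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.20:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.2.20:25
"""

# Constructed sample input: the FW_FORWARD_MASQ value from the post, as one string.
FW_FORWARD_MASQ = ("0/0,192.168.2.20,tcp,80 0/0,192.168.2.30,tcp,80 "
                   "0/0,192.168.2.150,tcp,80 0/0,192.168.2.20,tcp,25 "
                   "0/0,192.168.2.20,tcp,995")


def _interface(text):
    """Parse '10.2.2.0/255.0.0.0', '10.2.2.0/24' or the SuSEfirewall2 shorthand '0/0'."""
    if text == "0/0":
        text = "0.0.0.0/0"
    return ipaddress.ip_interface(text)


def parse_dnat_rule(line):
    """Turn one 'iptables -A PREROUTING ... -j DNAT' line into a mapping dict, or None."""
    argv = shlex.split(line)
    opts = {}
    for i, tok in enumerate(argv):
        if tok.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            opts[tok] = argv[i + 1]
    if opts.get("-j") != "DNAT" or "--to-destination" not in opts:
        return None
    target_ip, _, target_port = opts["--to-destination"].partition(":")
    src_text = opts.get("-s", "0/0")
    src = _interface(src_text)
    return {
        "src_text": src_text,
        "src_net": src.network,
        # True when the written address has host bits set under its mask:
        # 10.2.2.0/255.0.0.0 really matches 10.0.0.0/8.
        "mask_mismatch": src.ip != src.network.network_address,
        "dst_ip": opts.get("-d"),
        "proto": opts.get("-p"),
        "port": int(opts["--dport"]),
        "target_ip": target_ip,
        "target_port": int(target_port) if target_port else int(opts["--dport"]),
    }


def parse_fw_forward_masq(value):
    """Split FW_FORWARD_MASQ into dicts. Assumed field order (not verified against the
    10.3 script): <source net>,<target ip>,<proto>,<port>[,<target port>[,<ip to redirect>]]."""
    entries = []
    for item in value.split():
        f = item.split(",")
        entries.append({
            "src_net": _interface(f[0]).network,
            "target_ip": f[1],
            "proto": f[2],
            "port": int(f[3]),
            "target_port": int(f[4]) if len(f) > 4 else int(f[3]),
            "dst_ip": f[5] if len(f) > 5 else None,
        })
    return entries


def dnat_to_forward_masq(rule):
    """Express one DNAT rule as an FW_FORWARD_MASQ entry under the assumed field order."""
    fields = [str(rule["src_net"]), rule["target_ip"], rule["proto"], str(rule["port"])]
    if rule["target_port"] != rule["port"] or rule["dst_ip"]:
        fields.append(str(rule["target_port"]))
    if rule["dst_ip"]:
        fields.append(rule["dst_ip"])
    return ",".join(fields)


def audit(rules_text, fw_value):
    """Return findings: mask problems in the old rules, and DNAT mappings that no
    FW_FORWARD_MASQ entry reproduces (same target, proto, port and port translation,
    with a source network that covers the old rule's source)."""
    findings = []
    entries = parse_fw_forward_masq(fw_value)
    for line in rules_text.strip().splitlines():
        rule = parse_dnat_rule(line)
        if rule is None:
            continue
        if rule["mask_mismatch"]:
            findings.append("mask mismatch: -s %s actually matches %s"
                            % (rule["src_text"], rule["src_net"]))
        covered = any(
            e["target_ip"] == rule["target_ip"] and e["proto"] == rule["proto"]
            and e["port"] == rule["port"] and e["target_port"] == rule["target_port"]
            and e["dst_ip"] in (None, rule["dst_ip"])
            and rule["src_net"].subnet_of(e["src_net"])
            for e in entries)
        if not covered:
            findings.append("not covered: %s/%d -> %s:%d; candidate entry %s"
                            % (rule["proto"], rule["port"], rule["target_ip"],
                               rule["target_port"], dnat_to_forward_masq(rule)))
    return findings


if __name__ == "__main__":
    for finding in audit(OLD_DNAT_RULES, FW_FORWARD_MASQ):
        print(finding)
```

Run as-is it lists five mask warnings and three uncovered mappings (83, 82 and 81, whose FW_FORWARD_MASQ entries carry no target port, so they would forward 80 to 80 only); the two candidate entries it prints keep the /8 the old rule really matched rather than silently narrowing it, which is the decision the person migrating should make explicitly.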
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx