Page 1 of 2 (results 1 to 10 of 12)

Thread: --->firewall masquerade with yast<--

  1. #1
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    7

    Post --->firewall masquerade with yast<--

    Hello =)

    Normally I use Google to solve my problems with Linux, but this time I found nothing helpful for my problem and none of my attempts worked.

    First:
    - Linux 2.6.27.25-0.1-default i686
    - openSUSE 11.1
    - KDE 4.1.3

    I just want to host a game (maybe later a program). I have the ports which I need to forward. It works when I stop my openSUSE firewall with YaST. I tried to masquerade with YaST, but it doesn't work. I have the Speedport 700V router from T-Online; there is a firewall inside it too, but everything is already forwarded there. I read something about iptables, and that's why I want to masquerade with YaST and not manually.

    All I want is a helpful tutorial on how I can masquerade with YaST.

    I hope you can help me.

    Thanks to all

    Regards, XaviaX

  2. #2
    Join Date
    Oct 2008
    Location
    Stuttgart - Germany
    Posts
    163

    Default Re: --->firewall masquerade with yast<--

    Which game do you want to pass through, which ports does this game use, and how did you configure your SuSEfirewall2?

  3. #3
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    7

    Default Re: --->firewall masquerade with yast<--

    I want to forward Warcraft 3. I've set my eth0 card to external, which is the default anyway. Then I made an eth1 on internal. I only have one card for the internet, but I need these settings to activate masquerade.

    source network = 0/0
    required IP = 0/0
    forward to = 192.168.2.100 (my internal IP, I don't use DHCP)

    - 6112-6119 TCP
    - 6112-6119 UDP

    While writing this post, an idea came into my head: this one setting, "required IP" or whatever it is called. Maybe I need to write the IP of my router into it, because it's not logical to write my own IP into it, since a firewall doesn't do the same thing as a router.

    (Sorry, my SUSE is in German, so my English is not the best and I don't know what it is called in the English SUSE.)

  4. #4
    Join Date
    Oct 2008
    Location
    Stuttgart - Germany
    Posts
    163

    Default Re: --->firewall masquerade with yast<--

    I'm puzzled. I thought your box is connected to your router using eth0. Why do you have another interface eth1 defined?
    Please post the results of
    Code:
    ifconfig -a
    ,
    Code:
    cat /etc/sysconfig/SuSEfirewall2 | grep -v "^#" | grep -v "^$"
    Code:
    route -n
    and let us know the IP address of your router.

  5. #5
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    7

    Default Re: --->firewall masquerade with yast<--

    IP of my router: 192.168.2.1

    At the moment, masquerade is deactivated, because everything I tried went wrong, and I need 2 eth devices, one external and one internal, and I don't understand it.

    -----------------------------------------------------------------
    ifconfig -a
    -----------------------------------------------------------------
    eth0 Link encap:Ethernet HWaddr 00:16:17:D7:17:3C
    inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
    inet6 addr: fe80::216:17ff:fed7:173c/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:41954 errors:0 dropped:0 overruns:0 frame:0
    TX packets:26504 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:13935481 (13.2 Mb) TX bytes:3036520 (2.8 Mb)
    Interrupt:218 Base address:0x4000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:816 errors:0 dropped:0 overruns:0 frame:0
    TX packets:816 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:46688 (45.5 Kb) TX bytes:46688 (45.5 Kb)



    -----------------------------------------------------------------
    cat /etc/sysconfig/SuSEfirewall2 | grep -v "^#" | grep -v "^$"
    -----------------------------------------------------------------
    FW_DEV_EXT="any eth0"
    FW_DEV_INT=""
    FW_DEV_DMZ=""
    FW_ROUTE="yes"
    FW_MASQUERADE="no"
    FW_MASQ_DEV="zone:ext"
    FW_MASQ_NETS="0/0"
    FW_NOMASQ_NETS=""
    FW_PROTECT_FROM_INT="no"
    FW_SERVICES_EXT_TCP=""
    FW_SERVICES_EXT_UDP=""
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_EXT_RPC=""
    FW_CONFIGURATIONS_EXT=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_DMZ_RPC=""
    FW_CONFIGURATIONS_DMZ=""
    FW_SERVICES_INT_TCP=""
    FW_SERVICES_INT_UDP=""
    FW_SERVICES_INT_IP=""
    FW_SERVICES_INT_RPC=""
    FW_CONFIGURATIONS_INT=""
    FW_SERVICES_DROP_EXT=""
    FW_SERVICES_DROP_DMZ=""
    FW_SERVICES_DROP_INT=""
    FW_SERVICES_REJECT_EXT=""
    FW_SERVICES_REJECT_DMZ=""
    FW_SERVICES_REJECT_INT=""
    FW_SERVICES_ACCEPT_EXT=""
    FW_SERVICES_ACCEPT_DMZ=""
    FW_SERVICES_ACCEPT_INT=""
    FW_SERVICES_ACCEPT_RELATED_EXT=""
    FW_SERVICES_ACCEPT_RELATED_DMZ=""
    FW_SERVICES_ACCEPT_RELATED_INT=""
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
    FW_FORWARD=""
    FW_FORWARD_REJECT=""
    FW_FORWARD_DROP=""
    FW_FORWARD_MASQ="0/0,192.168.2.100,tcp,6112,,0/0
    0/0,192.168.2.100,tcp,6113,,0/0
    0/0,192.168.2.100,tcp,6114,,0/0
    0/0,192.168.2.100,tcp,6115,,0/0
    0/0,192.168.2.100,tcp,6116,,0/0
    0/0,192.168.2.100,tcp,6117,,0/0
    0/0,192.168.2.100,tcp,6118,,0/0
    0/0,192.168.2.100,tcp,6119,,0/0
    0/0,192.168.2.100,udp,6112,,0/0
    0/0,192.168.2.100,udp,6113,,0/0
    0/0,192.168.2.100,udp,6114,,0/0
    0/0,192.168.2.100,udp,6115,,0/0
    0/0,192.168.2.100,udp,6116,,0/0
    0/0,192.168.2.100,udp,6118,,0/0
    0/0,192.168.2.100,udp,6117,,0/0
    0/0,192.168.2.100,udp,6119,,0/0"
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG_LIMIT=""
    FW_LOG=""
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="no"
    FW_ALLOW_FW_SOURCEQUENCH=""
    FW_ALLOW_FW_BROADCAST_EXT="no"
    FW_ALLOW_FW_BROADCAST_INT="no"
    FW_ALLOW_FW_BROADCAST_DMZ="no"
    FW_IGNORE_FW_BROADCAST_EXT="yes"
    FW_IGNORE_FW_BROADCAST_INT="no"
    FW_IGNORE_FW_BROADCAST_DMZ="no"
    FW_ALLOW_CLASS_ROUTING=""
    FW_CUSTOMRULES=""
    FW_REJECT=""
    FW_REJECT_INT="yes"
    FW_HTB_TUNE_DEV=""
    FW_IPv6=""
    FW_IPv6_REJECT_OUTGOING=""
    FW_IPSEC_TRUST="no"
    FW_ZONES=""
    FW_USE_IPTABLES_BATCH=""
    FW_LOAD_MODULES="nf_conntrack_netbios_ns"
    FW_FORWARD_ALWAYS_INOUT_DEV=""
    FW_FORWARD_ALLOW_BRIDGING=""



    -----------------------------------------------------------------
    route -n
    -----------------------------------------------------------------
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0

  6. #6
    Join Date
    Jan 2009
    Location
    Switzerland
    Posts
    1,529

    Default Re: --->firewall masquerade with yast<--

    Hi

    As it seems, you have one Ethernet card installed, which is eth0, and this one is connected to your router. For masquerading you need another physical Ethernet device, which will be eth1 (internal). Then eth1 will have a different subnet, let's say 192.168.3.0, and there is another (masqueraded) box with IP 192.168.3.99 in my example.

    The relevant firewall settings would be:

    Code:
    FW_DEV_INT="eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="zone:ext"
    FW_MASQ_NETS="192.168.3.0/24"
    FW_FORWARD_MASQ="0/0,192.168.3.99,tcp,6112 0/0,192.168.3.99,udp,6112 ..."
    As you can see, your FW_FORWARD_MASQ= is completely broken. It has to be all on ONE line, separated by spaces. You have to give the target IP of the masqueraded box you are forwarding to, and it will forward to just one computer within the masqueraded network. In addition to this, you would open a lot of ports to all kinds of intruders. You shouldn't do this, really not. My advice is to rethink your setup and explain to the list what you want to achieve in the end.

  7. #7
    Join Date
    Oct 2008
    Location
    Stuttgart - Germany
    Posts
    163

    Default Re: --->firewall masquerade with yast<--

    Why do you want to masquerade on your Linux box? Just enable forwarding of all the Warcraft 3 ports on your HW router (which is already masquerading your traffic) and allow these ports into your Linux box. Use
    Code:
    FW_SERVICES_ACCEPT_EXT=""
    for this.

    Hint: Set
    Code:
    FW_LOG_DROP_ALL="yes"
    . Then you get messages in /var/log/messages for every dropped IP request. BUT: don't forget to set it back to "no" when you're done.
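    Taking #6's one-line FW_FORWARD_MASQ format and #7's "just open the ports on the box" advice together, here is an added example (my own Python, not code from the thread, YaST or SuSEfirewall2). It parses a sysconfig excerpt like the one posted in #5, flags the multi-line value and the masquerade/zone mismatch, and prints the two sane variants: the one-line FW_FORWARD_MASQ for a real two-NIC setup (the 192.168.3.99 host from #6's example) and FW_SERVICES_EXT_TCP/UDP="6112:6119" for a single box behind a router that already does NAT. The config excerpt is constructed, and the iptables rule it prints is the stand-alone equivalent of one entry, not what SuSEfirewall2 itself emits.

```python
"""Check FW_FORWARD_MASQ and build the two sane variants discussed in this thread.

Added example, not SuSEfirewall2 or YaST code. Parses the shell-style VAR="value"
lines of /etc/sysconfig/SuSEfirewall2 and validates FW_FORWARD_MASQ entries
against the documented entry format
    source_net,target_ip,protocol,port[,target_port[,destination_ip]]
"""
import ipaddress
import re

# Constructed excerpt of the config posted in #5, multi-line value kept as posted.
POSTED_CONFIG = '''\
FW_DEV_EXT="any eth0"
FW_DEV_INT=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_FORWARD_MASQ="0/0,192.168.2.100,tcp,6112,,0/0
0/0,192.168.2.100,tcp,6113,,0/0
0/0,192.168.2.100,udp,6112,,0/0"
'''

# VAR="value"; the value may run over several lines, which is exactly the defect we look for.
_ASSIGN = re.compile(r'^([A-Z0-9_]+)="((?:[^"\\]|\\.)*)"', re.M)


def parse_sysconfig(text):
    """Return {VAR: value} for every quoted assignment in a sysconfig file."""
    return {name: value for name, value in _ASSIGN.findall(text)}


def _is_net(s):
    if s == "0/0":  # SuSEfirewall2 shorthand for "anywhere"
        return True
    try:
        ipaddress.ip_network(s, strict=False)
        return True
    except ValueError:
        return False


def _is_port(s):
    return s.isdigit() and 1 <= int(s) <= 65535


def check_forward_masq(value):
    """Return (entries, problems) for one FW_FORWARD_MASQ value."""
    problems = []
    if "\n" in value:
        problems.append("FW_FORWARD_MASQ spans several lines; all entries belong on ONE line separated by spaces")
    entries = value.split()
    for e in entries:
        f = e.split(",")
        if not 4 <= len(f) <= 6:
            problems.append(f"{e}: expected 4 to 6 comma-separated fields, got {len(f)}")
            continue
        src, target, proto, port = f[:4]
        if not _is_net(src):
            problems.append(f"{e}: bad source network {src!r}")
        try:
            ipaddress.ip_address(target)
        except ValueError:
            problems.append(f"{e}: target must be a single IP, got {target!r}")
        if proto not in ("tcp", "udp"):
            problems.append(f"{e}: protocol must be tcp or udp, got {proto!r}")
        for p in [port] + [x for x in f[4:5] if x]:  # target_port is optional and may be empty
            if not _is_port(p):
                problems.append(f"{e}: bad port {p!r}")
        if len(f) == 6 and not _is_net(f[5]):
            problems.append(f"{e}: bad destination {f[5]!r}")
    return entries, problems


def check_config(cfg):
    """Problems with the forwarding/masquerading part of a parsed config."""
    entries, problems = check_forward_masq(cfg.get("FW_FORWARD_MASQ", ""))
    if entries and cfg.get("FW_MASQUERADE") != "yes":
        problems.append('FW_FORWARD_MASQ is set but FW_MASQUERADE is not "yes"')
    if entries and not cfg.get("FW_DEV_INT"):
        problems.append("FW_FORWARD_MASQ targets an internal host but FW_DEV_INT names no internal device")
    return problems


def forward_masq_for_range(target_ip, first, last, protos=("tcp", "udp")):
    """One-line FW_FORWARD_MASQ value forwarding ports first..last to target_ip (#6's setup)."""
    return " ".join(f"0/0,{target_ip},{proto},{port}"
                    for port in range(first, last + 1) for proto in protos)


def settings_for_host_behind_router(first, last):
    """#7's approach: no masquerading on the box, just open the ports the router forwards."""
    return {"FW_MASQUERADE": "no", "FW_FORWARD_MASQ": "",
            "FW_SERVICES_EXT_TCP": f"{first}:{last}", "FW_SERVICES_EXT_UDP": f"{first}:{last}"}


def iptables_equivalent(entry, ext_dev):
    """Stand-alone iptables DNAT rule meaning the same as one entry (not SuSEfirewall2's own output)."""
    f = entry.split(",")
    src, target, proto, port = f[:4]
    tport = f[4] if len(f) > 4 and f[4] else port
    dst = f[5] if len(f) > 5 else ""
    rule = f"iptables -t nat -A PREROUTING -i {ext_dev}"
    if src != "0/0":
        rule += f" -s {src}"
    if dst and dst != "0/0":
        rule += f" -d {dst}"
    return rule + f" -p {proto} --dport {port} -j DNAT --to-destination {target}:{tport}"


if __name__ == "__main__":
    cfg = parse_sysconfig(POSTED_CONFIG)
    for p in check_config(cfg):
        print("problem:", p)
    print('FW_FORWARD_MASQ="%s"' % forward_masq_for_range("192.168.3.99", 6112, 6119))
    for k, v in settings_for_host_behind_router(6112, 6119).items():
        print(f'{k}="{v}"')
    print(iptables_equivalent("0/0,192.168.3.99,tcp,6112", "eth0"))
```

    The port-range form "6112:6119" in FW_SERVICES_EXT_TCP/UDP keeps the value short and only opens those eight ports on the box itself; the masquerade variant, by contrast, only makes sense when a second NIC and a second subnet actually exist, which post #5's ifconfig output shows is not the case here.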

  8. #8
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    7

    Default Re: --->firewall masquerade with yast<--

    Okay, I understand why it is really idiotic to forward xD. Masquerade is off, so there is no security problem anymore. But I didn't understand what this command "FW_LOG_DROP_ALL="yes"" does and why I must set it back to off when I'm out of the game. I will try to open the ports with YaST.

    I was at a LAN a few days ago, and there it didn't help either, so I deactivated the firewall. I have set up my Linux anew with more MB (space) xD! So another question: which ports/IPs, whatever, must be open to play over LAN?

    And thanks for all the posts from you two guys, you really helped me =)

  9. #9
    Join Date
    Oct 2008
    Location
    Stuttgart - Germany
    Posts
    163

    Default Re: --->firewall masquerade with yast<--

    Quote Originally Posted by XaviaX View Post
    --- but I didn't understand what this command "FW_LOG_DROP_ALL="yes"" does and why I must set it back to off when I'm out of the game.
    That just speeds up finding out which ports are blocked => /var/log/messages. But if you don't turn it off, your logs may explode.

  10. #10
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    7

    Default Re: --->firewall masquerade with yast<--

    It doesn't work. I opened the ports with YaST and tried to host; it doesn't work.

    With the command "FW_LOG_DROP_ALL="yes"" I see only this logged by the firewall:

    Jul 27 23:10:28 linux-c1xd SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    Jul 27 23:10:29 linux-c1xd SuSEfirewall2: batch committing...
    Jul 27 23:10:29 linux-c1xd SuSEfirewall2: Firewall rules successfully set
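    Since #7 and #9 recommend FW_LOG_DROP_ALL="yes" to see which ports are blocked, and #10 shows only the rule-load messages, here is an added example (my own Python, not part of the thread or of SuSEfirewall2) that parses the SFW2-...-DROP-... kernel lines such a setting writes to /var/log/messages and counts drops per protocol and destination port, so the game ports still being blocked, and anyone hammering closed ports, stand out. The log lines are constructed for this thread's addresses; the 84.1.2.3 peer and the MAC addresses are made up.

```python
"""Summarize SuSEfirewall2 drop messages to find which ports are blocked.

Added example, not part of the thread or of SuSEfirewall2. With
FW_LOG_DROP_ALL="yes" every dropped packet is logged by the kernel with an
SFW2-<chain>-DROP-<rule> prefix followed by netfilter's KEY=VALUE fields.
"""
import re
from collections import Counter, defaultdict

# Constructed lines for the thread's setup: box 192.168.2.100 behind router
# 192.168.2.1, Warcraft 3 on 6112-6119. The 84.1.2.3 peer and MACs are made up.
SAMPLE_LOG = """\
Jul 27 23:10:29 linux-c1xd SuSEfirewall2: Firewall rules successfully set
Jul 27 23:11:02 linux-c1xd kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:16:17:d7:17:3c:00:1d:19:aa:bb:cc:08:00 SRC=84.1.2.3 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=6112 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 27 23:11:02 linux-c1xd kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:16:17:d7:17:3c:00:1d:19:aa:bb:cc:08:00 SRC=84.1.2.3 DST=192.168.2.100 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4712 PROTO=UDP SPT=6112 DPT=6112 LEN=28
Jul 27 23:11:05 linux-c1xd kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:16:17:d7:17:3c:00:1d:19:aa:bb:cc:08:00 SRC=84.1.2.3 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=51235 DPT=6112 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 27 23:11:09 linux-c1xd kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:16:17:d7:17:3c:00:1d:19:aa:bb:cc:08:00 SRC=192.168.2.1 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 27 23:11:10 linux-c1xd kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:16:17:d7:17:3c:00:1d:19:aa:bb:cc:08:00 SRC=192.168.2.1 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

_SFW2 = re.compile(r"kernel: SFW2-(?P<chain>\w+)-(?P<action>DROP|ACC|LOG)-(?P<rule>\w+) (?P<fields>.*)$")


def parse_sfw2(line):
    """Parse one syslog line; None unless it is an SFW2 netfilter message."""
    m = _SFW2.search(line)
    if not m:
        return None
    tokens = m.group("fields").split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    return {
        "chain": m.group("chain"),   # INext = input from the external zone
        "action": m.group("action"),
        "rule": m.group("rule"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
        "flags": {t for t in tokens if "=" not in t},  # DF, SYN, ...
    }


def summarize_drops(log_text):
    """Count dropped packets per (protocol, destination port)."""
    drops = Counter()
    for line in log_text.splitlines():
        rec = parse_sfw2(line)
        if rec and rec["action"] == "DROP" and rec["dpt"] is not None:
            drops[(rec["proto"], rec["dpt"])] += 1
    return drops


def blocked_game_ports(log_text, first, last):
    """Ports in first..last that were dropped, grouped by protocol: these still need opening."""
    out = defaultdict(set)
    for (proto, dpt) in summarize_drops(log_text):
        if first <= dpt <= last:
            out[proto].add(dpt)
    return {proto: sorted(ports) for proto, ports in out.items()}


def top_sources(log_text, n=3):
    """Who hits closed ports most; one SRC across many distinct ports is a scan, not a game client."""
    c = Counter()
    for line in log_text.splitlines():
        rec = parse_sfw2(line)
        if rec and rec["action"] == "DROP":
            c[rec["src"]] += 1
    return c.most_common(n)


if __name__ == "__main__":
    for (proto, dpt), n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"dropped {n:3d}  {proto} dport {dpt}")
    print("game ports still blocked:", blocked_game_ports(SAMPLE_LOG, 6112, 6119))
    print("top sources:", top_sources(SAMPLE_LOG))
```

    If the real log shows only "Firewall rules successfully set" and no SFW2-...-DROP lines at all while hosting fails, as in #10, the packets never reached the box, so the next thing to check is the router's port forwarding rather than SuSEfirewall2. And as #9 says, FW_LOG_DROP_ALL="yes" logs every dropped packet, so turn it off again once the ports are sorted out.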

