routing problem?

Hello, I installed an openSUSE 11.3 32-bit box as a router, but I have a little problem with it.
The box has eth0 > 81.196.x.x as the ext zone and eth1 with 192.168.0.0/24 as the int zone and eth1:1 82.78.x.x/26 as the dmz zone. I have a little problem: when from the int zone I'm trying to connect to the dmz ftp, it gives me errors (could not connect to host, no response, time out). I think it is a keep-alive problem; the firewall loads nf_conntrack_netbios_ns.
If someone has a suggestion.
Thanks

On 2011-03-31 14:36, morbidwar wrote:
>
> Hello, I installed an openSUSE 11.3 32-bit box as a router, but I have a little
> problem with it.
> The box has eth0 > 81.196.x.x as the ext zone and eth1 with
> 192.168.0.0/24 as the int zone and eth1:1 82.78.x.x/26 as the dmz zone. I have

eth1 both int and dmz?

> a little problem: when from the int zone I'm trying to connect to the dmz
> ftp, it gives me errors (could not connect to host, no response, time
> out). I think it is a keep-alive problem; the firewall loads
> nf_conntrack_netbios_ns.
> If someone has a suggestion.

Other services connect alright? Then it is not a routing problem.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

eth1 both int and dmz?

eth1 is marked as int, and in the firewall I inserted FW_FORWARD="0/0,82.78.x.x/26" with FW_ROUTE="yes"

Other services connect alright? Then it is not a routing problem.

Other services like www work just fine; I have problems with cPanel and WHM hosted on the 82.78.x.x/26.

On 2011-03-31 15:36, morbidwar wrote:
>
> eth1 both int and dmz?
>
> eth1 is marked as int, and in the firewall I inserted
> FW_FORWARD="0/0,82.78.x.x/26" with FW_ROUTE="yes"

I asked a different thing.

You said that:

eth0: ext, 81.196.x.x
eth1: int, 192.168.0.0
eth1: dmz, 82.78.x.x/

And I asked for verification that eth1 is both internal interface and dmz
interface, or if it is a typing error.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

I asked a different thing.

You said that:

eth0: ext, 81.196.x.x
eth1: int, 192.168.0.0
eth1: dmz, 82.78.x.x/

And I asked for verification that eth1 is both internal interface and dmz
interface, or if it is a typing error.

eth1:1 is not marked as dmz; it only has forward.

On 2011-03-31 17:06, morbidwar wrote:
>
>> I asked a different thing.
>>
>> You said that:
>>
>> eth0: ext, 81.196.x.x
>> eth1: int, 192.168.0.0
>> eth1: dmz, 82.78.x.x/
>>
>> And I asked for verification that eth1 is both internal interface and
>> dmz
>> interface, or if it is a typing error.
>
> eth1:1 is not marked as dmz; it only has forward.

You still are not answering my question. Until you do, I can not help you.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

You still are not answering my question. Until you do, I can not help you.

Dear Carlos, eth1:1 is NOT marked as ext.
And now I tested the ftp connection from outside, and it works perfectly.

On 2011-03-31 19:36, morbidwar wrote:

> Dear Carlos, eth1:1 is NOT marked as ext.

That was not my question.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

That was not my question.

ETH1=int only

On 2011-04-01 00:06, morbidwar wrote:
>
>> That was not my question.
> ETH1=int only

That was not the question.

Sigh… :-/

You wrote:

> the box has eth0 > 81.196.x.x as the ext zone and eth1 with
> 192.168.0.0/24 int zone and eth1:1 82.78.x.x/26 as the dmz zone.

In that text, you are using eth1 both for DMZ and INT. One interface for
two zones. Normally you should be using eth0, eth1 and eth2, three interfaces.

Now, explain why you are using one interface for two zones (it will not
work), or if it is a typo.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Ok, let me explain. I'm using 2 NICs, eth0 and eth1. eth0 is set to the ext zone in YaST > Firewall and has the IP 81.196.x.x; eth1 is set to the int zone in YaST > Firewall and has the IP 192.168.0.0/24. eth1 has an alias eth1:1 that hosts 82.78.x.x, which in YaST > Firewall is not in any zone. I manually edited /etc/sysconfig/SuSefirewall and modified FW_FORWARD="0/0,82.78.x.x/26", and here is my firewall configuration: SuSEfirewall - Pastebin.com

On 2011-04-01 09:06, morbidwar wrote:

> Ok, let me explain. I'm using 2 NICs, eth0 and eth1. eth0 is set to the ext
> zone in YaST > Firewall and has the IP 81.196.x.x; eth1 is set to the int
> zone in YaST > Firewall and has the IP 192.168.0.0/24. eth1 has an alias
> eth1:1 that hosts 82.78.x.x, which in YaST > Firewall is not in any zone. I
> manually edited /etc/sysconfig/SuSefirewall and modified
> FW_FORWARD="0/0,82.78.x.x/26", and here is my firewall configuration:
> 'SuSEfirewall - Pastebin.com' (http://pastebin.com/Y6Qic7UA)

I’m not sure that configuration can work properly.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Do you think VLANs would be an alternative?

A curious but interesting (to me) problem, especially since I don’t consider myself an expert on IPTABLES.

If IPTABLES is fundamentally based on interfaces, the given problem can't be solved.
If IPTABLES is fundamentally based on IP addresses, then a solution probably exists. I've seen this type of configuration using different firewalling. It's not considered to be the most secure, because your internal and DMZ are both on the same physical network, but because they are separated logically, it <can> work.

  1. I assume, but it still needs to be verified, that you bound both 192.168.x.y and 82.78.x.y to eth1?

  2. Did you verify that all IP addresses on every interface are working (ifconfig, route and ping tests)?

In fact, I don't see that you posted those three tests; they would at least verify basic configuration and routing before you start firewalling.

Tony

SOLVED
After a while I realized that I didn't configure the router properly… I have been in a hurry and I didn't read the comments in SuSEfirewall, so what I have done is:

  1. On FW_FORWARD:
     FW_FORWARD="0/0,82.78.x.x/26"
     the packages were forwarded from anywhere to the internal network
     FW_FORWARD="0/0,82.78.x.x/26
     82.78.x.x/26,0/0"
     now the packages are forwarded from anywhere to the internal network and vice versa

  2. And on FW_NOMASQ_NETS:
     FW_NOMASQ_NETS="0/0,82.78.x.x/26"
     the packages were not masqueraded when they come from anywhere to the network
     FW_NOMASQ_NETS="0/0,82.78.x.x/26
     82.78.x.x/26,0/0"
     and now the packages that are going from the network to anywhere are not masqueraded

  After that I made a bridge in FW_FORWARD:
     192.168.0.0/24,82.78.x.x/26
     82.78.x.x/26,192.168.0.0/24
  so that 82.78 would have access to 192.168 :smiley:
  I hope this will help someone one day…
  Have a nice day
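The fix above comes down to one rule of SuSEfirewall2's FW_FORWARD and FW_NOMASQ_NETS syntax: every "source,destination" entry covers one direction only, so a network that must talk both ways needs a second, reversed entry. The following is an added audit script, not from this thread or from SuSEfirewall2 itself, that reads those variables out of a sysconfig snippet and reports entries with no reverse; the config text inside it is constructed from the thread (same x.x masking, so networks are compared as strings, and protocol/port fields are ignored).

```python
"""Flag one-way entries in SuSEfirewall2 FW_FORWARD / FW_NOMASQ_NETS."""
import re
from typing import Dict, List, Tuple

Pair = Tuple[str, str]

# Constructed sysconfig snippets: the original one-way config from the
# thread, and the corrected one from the SOLVED post.
BEFORE = '''FW_ROUTE="yes"
FW_FORWARD="0/0,82.78.x.x/26"
FW_NOMASQ_NETS="0/0,82.78.x.x/26"
'''
AFTER = '''FW_ROUTE="yes"
FW_FORWARD="0/0,82.78.x.x/26
82.78.x.x/26,0/0
192.168.0.0/24,82.78.x.x/26
82.78.x.x/26,192.168.0.0/24"
FW_NOMASQ_NETS="0/0,82.78.x.x/26
82.78.x.x/26,0/0"
'''

def read_sysconfig_var(text: str, name: str) -> str:
    """Return the double-quoted value of NAME, which may span lines."""
    m = re.search(rf'^{re.escape(name)}="([^"]*)"', text, re.MULTILINE)
    return m.group(1) if m else ""

def parse_net_pairs(value: str) -> List[Pair]:
    """Split a value into (source, destination) pairs.

    Entries are whitespace separated (so newlines are fine) and look like
    src,dst[,protocol[,port]]; only the two network fields are kept.
    """
    pairs = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed entry {entry!r}: need src,dst")
        pairs.append((fields[0], fields[1]))
    return pairs

def missing_reverse(pairs: List[Pair]) -> List[Pair]:
    """Pairs whose (dst, src) counterpart is absent: traffic one way only."""
    present = set(pairs)
    return [(s, d) for s, d in pairs if (d, s) not in present]

def audit(text: str) -> Dict[str, List[Pair]]:
    """Map each forwarding variable to its one-way entries."""
    return {name: missing_reverse(parse_net_pairs(read_sysconfig_var(text, name)))
            for name in ("FW_FORWARD", "FW_NOMASQ_NETS")}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

A one-way FW_FORWARD entry is what produced the "no response, time out" symptom in the thread, so an empty result for both variables is the state to aim for before testing the FTP connection again.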