I manage a gateway between a meeting room and the net (12.1 server). This gateway also holds a virtual machine with our LUG server (Le site web du CULTe - Main - HomePage).
With the standard config we can't access the http server (apache) from the inside of the network. I wonder what is the best way to make the server available during the meetings :-).
One of the LUG members wrote an iptables rule for the gateway that works:
I can add this to a boot.local script or similar, like the SuSEfirewall script itself, but wonder what is the best fitting thing to make this in SuSEfirewall2 (I don’t want to break any security thing).
There are two possible reasons why an Internet resource sitting on your edge may not be visible to your internal networks.
Networking. Typically a machine sitting on your edge which would be accessible to both internal and external clients should be configured in your DMZ, not the external zone… But either way can be made to work. If your websites are database driven with the databases residing in your LAN, then you <must> deploy your webservers in the DMZ or expose your databases directly to external attacks. If your webserver is sitting on your edge, whether as a VM or directly on hardware, then you'll have to consider how your webserver/websites are configured: with only external addresses, or with both internal and external addresses. If you configure only external addresses then you'll need to test whether "hairpin routing" will work on your machine (external interface accessible through the machine's internal interface). Some machines can do that, others can't. The alternative is to configure both external and internal IP addresses for each resource to be accessed from external and internal networks.
Name Resolution. This relates of course to how you configured networking and whether you're using external addresses only or a combination of internal and external addresses. If using only external addresses, make sure you don't have a split DNS setup (same domain name internal and external) which could prevent your internal Users from obtaining Domain addresses from a public DNS. On the other hand, particularly if you configured both internal and external addresses for each resource, make sure each DNS is accessed and serves the proper records. Or, avoid the whole split DNS issue altogether and make sure everyone knows the internal name of a resource is different from the same resource accessed externally.
As for configuring SUSE Firewall, I'm pretty sure you should be able to configure anything you need from within YaST, which should avoid various mistakes and organize your configuration better. If you ultimately need a really fancy firewall configuration, other configuration tools exist in the openSUSE repos (but should be considered only rarely).
As always, remember you may need to configure the firewall in your VM as well as on the Host.
On 2012-12-05 14:16, jdd wrote:
> I can add this to a boot.local script or similar, like the SuSEfirewall
> script itself, but wonder what is the best fitting thing to make this in
> SuSEfirewall2 (I don’t want to break any security thing).
There is a custom file where you add your own rules.
–
Cheers / Saludos,
Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
On 12/5/2012 11:56 AM, jdd wrote:
> robin_listas;2508719 Wrote:
>> There is a custom file where you add your own rules.
>>
>> –
>> Cheers / Saludos,
>> Carlos E. R.
>> (from 12.1 x86_64 “Asparagus” at Telcontar)
>
> somewhere around /etc/sysconfig/SuSEfirewall2.d/services/?
>
> thanks
> jdd
jdd;
An example script is at:
/etc/sysconfig/scripts/SuSEfirewall2-custom
This file contains the sum total of documentation on custom rules for
SuSEfirewall2. See also: YaST > System > /etc/sysconfig Editor > Network >
Firewall > SuSEfirewall2
P.V.
“We’re all in this together, I’m pulling for you” Red Green
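Added example, not code from any of the posts above: the "hairpin" case described in the first reply (an internal client reaching the VM through the gateway's public address) written as the hook function that SuSEfirewall2 sources from /etc/sysconfig/scripts/SuSEfirewall2-custom, the file P.V. names (FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 has to point at it). The interface names, the public address, the LAN range and the VM address are all assumptions for illustration, as is the --dry-run switch; the hook name fw_custom_before_masq is the one the stock custom file provides for DNAT rules.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT for a web VM behind a
# SuSEfirewall2 gateway, as the hook SuSEfirewall2 calls from
# /etc/sysconfig/scripts/SuSEfirewall2-custom.
#
# Assumed (illustrative) addresses and interfaces:
#   eth0     external interface, public address 203.0.113.10
#   eth1     interface facing the LAN and the VM (a bridge such as br0 on a
#            KVM/Xen host), gateway address 192.168.1.1, LAN 192.168.1.0/24
#   web VM   192.168.1.10
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_GW="${LAN_GW:-192.168.1.1}"
WEB_VM="${WEB_VM:-192.168.1.10}"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print instead of apply

# Rules for one TCP port; called once per published port below.
hairpin_port() {
    port="$1"
    # 1. External clients: plain DNAT of the public address to the VM.
    "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$port" \
        -j DNAT --to-destination "$WEB_VM:$port"
    # 2. LAN clients that use the public address (same DNS name as outside).
    #    Their packets arrive on the LAN interface, so rule 1 never matches them.
    "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp -d "$EXT_IP" --dport "$port" \
        -j DNAT --to-destination "$WEB_VM:$port"
    # 3. The hairpin step: rewrite the LAN client's source to the gateway so the VM
    #    answers through the gateway. Without it the VM, which sits on the same
    #    segment, replies straight to the client from 192.168.1.10; the client is
    #    waiting for 203.0.113.10 and the TCP handshake never completes.
    "$IPTABLES" -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -p tcp -d "$WEB_VM" --dport "$port" \
        -j SNAT --to-source "$LAN_GW"
    # 4. Let the DNATed traffic through FORWARD, limited to this one port rather
    #    than to the VM as a whole.
    "$IPTABLES" -A FORWARD -p tcp -d "$WEB_VM" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Hook called by SuSEfirewall2 before its own masquerading rules are added.
fw_custom_before_masq() {
    hairpin_port 80
    hairpin_port 443
    true
}

# Assumed convenience for checking the rules without touching the kernel:
# "sh SuSEfirewall2-custom --dry-run" prints the iptables invocations.
if [ "${1:-}" = "--dry-run" ]; then
    IPTABLES=echo
    fw_custom_before_masq
fi
```

Rule 1 on its own does not need the custom file at all: SuSEfirewall2 expresses it with FW_FORWARD_MASQ in /etc/sysconfig/SuSEfirewall2 (for example FW_FORWARD_MASQ="0/0,192.168.1.10,tcp,80"), so only the two LAN-side rules belong in SuSEfirewall2-custom. Rule 3 hides the real client address from the VM's Apache logs; if that matters, the split-DNS route from the first reply (an internal name that resolves to 192.168.1.10) avoids NAT entirely. And, as that reply also notes, the VM's own firewall still has to allow the port.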