Hello. Can someone explain how I should configure SuSEfirewall2 so that the resulting NAT type would be Address-restricted cone rather than Port-restricted cone? (I got that info from an online NAT testing tool, so I'm not 100% sure of the current type exactly, but I need to punch an external symmetric NAT and with the current config I can't do it; the table at http://www.raknet.net/raknet/manual/natpunchthrough.html suggests I need to have Full-cone or Address-Restricted cone on my side.)
Dumping current iptables rules, I guess these are most relevant:
-A POSTROUTING -o eth1 -j MASQUERADE
-A forward_ext -i eth1 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i eth0 -o eth1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
(I skipped a bunch of other stuff).
Here's how a guide describes creating a generic Address-Restricted cone NAT:
# outbound: rewrite the source of everything leaving eth1 to the public address
iptables -t nat -A POSTROUTING -o eth1 -p tcp -j SNAT --to-source <public ip goes here>
iptables -t nat -A POSTROUTING -o eth1 -p udp -j SNAT --to-source <public ip goes here>
# inbound: hand everything arriving on eth1 to the private host
iptables -t nat -A PREROUTING -i eth1 -p tcp -j DNAT --to-destination <private ip goes here>
iptables -t nat -A PREROUTING -i eth1 -p udp -j DNAT --to-destination <private ip goes here>
# filter: admit only traffic matching an existing conntrack entry, drop unsolicited new flows
iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -j DROP
iptables -A INPUT -i eth1 -p udp -m state --state NEW -j DROP
My understanding of iptables is very limited, but I see that my current setup (generated by SuSEfirewall2 with minimal configuration) seems about as restrictive (in both cases RELATED and ESTABLISHED connections are allowed from outside). Does the difference between MASQUERADE and SNAT/DNAT produce more restrictions? Or is it conntrack's fault? How do I even change these details with SuSEfirewall2? Is manually re-configuring iptables (I found SuSEfirewall2-custom, which I guess is for that kind of thing) the only way?
P.S. The OS is openSuSE 12.1, but I hope SuSEfirewall2 didn't change all that much.
Although I don't consider myself a neophyte around firewalls, I'd never heard of a NAT "cone" before… so something new to be learned today.
Although it seems that these types of NATs have been around for a long time (in my experience, NAT/PAT, or some combination of the two, in combination with a firewall term about session integrity that doesn't come to mind immediately), it seems that since approx. 2011 these categories or "cones" were defined to describe these old configurations again… http://think-like-a-computer.com/2011/09/16/types-of-nat/
From the above read,
It becomes clear that a “port restricted cone NAT” is more restrictive than a “Full cone NAT” (which is likely what your “address NAT” is).
In fact, a "Full Cone NAT" simply means only address translation with no other restriction or configuration, i.e. "allow all else".
From that, it should be simple to configure what you want using the YAST FW config tool…
Configure "Port Forwarding", which is actually inbound NAT (assuming you're configuring inbound connections), with either a very big port range configured or with a wildcard. To be fully "Full cone NAT" you should place no restrictions on source address/port/protocol.
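The four NAT behaviours named in the RakNet table and in the reply above (full cone, address-restricted cone, port-restricted cone, symmetric) differ only in two things: whether the external port depends on the destination, and which source endpoints an inbound packet must match to be let back in. The simulator below is an added example, not code from any post in this thread or from SuSEfirewall2; it models those rules against a conntrack-style binding table and then runs the usual rendezvous-server hole-punching sequence for a pair of NAT types. All addresses, ports and the port allocator are constructed for the example. It reproduces the table's result: an address-restricted cone on one side can reach a symmetric NAT on the other side (the peer's packet arrives from an unexpected port but a known address), while a port-restricted cone cannot, because it requires the exact address and port it previously sent to, which is what a Linux MASQUERADE plus a RELATED,ESTABLISHED-only filter gives you for UDP.

```python
"""Constructed simulator of classic NAT behaviours and UDP hole punching.

Added example; not part of the forum thread or of SuSEfirewall2.
"""
import itertools

FULL_CONE = "full_cone"
ADDRESS_RESTRICTED = "address_restricted_cone"
PORT_RESTRICTED = "port_restricted_cone"
SYMMETRIC = "symmetric"


class Nat:
    """Models one NAT box: an external-port allocator plus a binding table.

    bindings: ext_port -> (internal_ip, internal_port, set of (dst_ip, dst_port)
    the internal host has sent to through that port). The peer set is what a
    conntrack entry remembers; the inbound rule decides how much of it must match.
    """

    def __init__(self, kind, public_ip, first_port=40000):
        self.kind = kind
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # constructed port allocator
        self.mappings = {}   # mapping key -> external port
        self.bindings = {}   # external port -> (int_ip, int_port, peers)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Internal host sends a datagram; returns the (public_ip, ext_port) the peer sees."""
        # Symmetric NAT: a fresh external port per destination endpoint.
        # Cone NATs: one external port per internal socket, reused for every destination.
        key = (int_ip, int_port, dst_ip, dst_port) if self.kind == SYMMETRIC else (int_ip, int_port)
        ext_port = self.mappings.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self.mappings[key] = ext_port
            self.bindings[ext_port] = (int_ip, int_port, set())
        self.bindings[ext_port][2].add((dst_ip, dst_port))
        return self.public_ip, ext_port

    def inbound(self, src_ip, src_port, ext_port):
        """External datagram to public_ip:ext_port; returns the internal endpoint or None if dropped."""
        binding = self.bindings.get(ext_port)
        if binding is None:
            return None  # no mapping at all: nothing to translate to, dropped
        int_ip, int_port, peers = binding
        if self.kind == FULL_CONE:
            allowed = True                                   # any source, once mapped
        elif self.kind == ADDRESS_RESTRICTED:
            allowed = any(ip == src_ip for ip, _ in peers)   # source address must be known
        else:
            allowed = (src_ip, src_port) in peers            # exact 5-tuple, like conntrack
        return (int_ip, int_port) if allowed else None


def can_establish(kind_a, kind_b):
    """Run the rendezvous + simultaneous-send hole-punch between two NAT types.

    Returns True when a two-way UDP session results, False otherwise.
    """
    nat_a = Nat(kind_a, "203.0.113.1")   # documentation addresses, constructed
    nat_b = Nat(kind_b, "198.51.100.1")
    server = ("192.0.2.10", 3478)
    a = ("10.0.0.2", 5000)
    b = ("172.16.0.2", 6000)

    # 1. both hosts talk to the rendezvous server, which records their public endpoints
    a_pub = nat_a.outbound(*a, *server)
    b_pub = nat_b.outbound(*b, *server)

    # 2. each host sends to the endpoint the server reported for the other side
    a_to_b = nat_a.outbound(*a, *b_pub)   # a symmetric NAT allocates a new port here
    b_to_a = nat_b.outbound(*b, *a_pub)

    # 3. the packets arrive at the far NAT carrying the port that was really used
    b_gets_a = nat_b.inbound(a_to_b[0], a_to_b[1], b_pub[1]) is not None
    a_gets_b = nat_a.inbound(b_to_a[0], b_to_a[1], a_pub[1]) is not None

    # 4. whichever side received a packet now knows the true remote endpoint and replies to it
    if a_gets_b:
        reply = nat_a.outbound(*a, *b_to_a)
        return nat_b.inbound(reply[0], reply[1], b_to_a[1]) is not None
    if b_gets_a:
        reply = nat_b.outbound(*b, *a_to_b)
        return nat_a.inbound(reply[0], reply[1], a_to_b[1]) is not None
    return False


def matrix():
    """Full compatibility table, mirroring the layout of the RakNet table cited above."""
    kinds = (FULL_CONE, ADDRESS_RESTRICTED, PORT_RESTRICTED, SYMMETRIC)
    return {(x, y): can_establish(x, y) for x in kinds for y in kinds}


if __name__ == "__main__":
    for (x, y), ok in sorted(matrix().items()):
        print(f"{x:26} <-> {y:26} {'session' if ok else 'blocked'}")
```

The only cases that fail are symmetric against symmetric and symmetric against port-restricted; everything cone-to-cone succeeds because cone NATs reuse the same external port for every destination, so the server-observed endpoint is the one the peer should really send to.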
Yeah, but there's the problem: there are no specific restrictions set on NAT in either the YaST GUI firewall config (there's a single checkbox "network translation", enabled) or in the config file. BTW, we have only one external port open on this machine, and I can't find it in the GUI, so I'm pretty sure someone edited the SuSEfirewall2 config file. In fact, here it is, sans comments:
Hello,
Ran a little test in a VM and discovered that susefirewall requires (erroneously?) specifying an inbound port. IMO specifying a port is <normally> required, but not for the special configuration you're requesting.
So, it appears that susefw cannot be used to create a Full Cone NAT iptables configuration.
First thing I noticed in any case is that your susefirewall config specifies a service and a port, so it’s not clean, those entries should be removed.