How to configure susefirewall2 for http (apache) server on separate box

I use OpenSUSE 13.2 as a firewall server. I currently have it allowing data through to a ftp server on the same box.

I have a need to open a non-standard port for http services to apache on a separate machine on the same network. So, I need to allow http packets from any external IP address on port 10001 (or another unused port) and use masquerading to allow the packets to go to a separate box with apache installed and set to listen on port 80. I also need to allow ftp packets to go to that other server on port 10001 and use masquerading to port 21 on the ftp server. The FTP server that is already working on the same box and port 21 needs to keep working. Please help.

You can not use port 1001 to forward to port 80 on system A and to port 21 on system B (even if B is the same as A). So it should be 1001 for the HTTP service and 1002 for the FTP service (or other than 1002 and 1002 at your will, but they should differ).

Thank you for the reply but that doesn’t answer my question. Let me clarify.

The port is 10001 but I could use any port. System A is the firewall box. It also runs an FTP server on port 21 that needs to stay. I want to forward to system B, which is a web server and ftp server.

The GUI in YaST2 seems to only be able to open ports for services that are on the same server but I may be wrong about that. So, my question is how to get this to work either with YaST or by manually editing susefirewall2.

It does not answer your question, but imho you misunderstand something here. And as long as you have that misunderstanding, a solution will be difficult.

You could use any port, but using 10001 as example is fine.
System A has thus two ports open:

  1. 21, where an FTP server is listening;
  2. 10001, which should be forwarded to a port on system B (this is called IP and port forwarding).

On system B you have two ports open:

  1. port 21, where an FTP server is listening;
  2. port 80, where an HTTP server (Apache) is listening.

You can only forward port 10001 on system A to either port 80 or port 21 on system B. Not to both!

Thus when you want to offer both HTTP and FTP serving on system B to systems contacting system A, system A must have three ports open:

  1. 21, where the System A FTP server is listening;
  2. 10001, which is forwarded to port 80 on system B, where Apache is listening;
  3. 20002, which is forwarded to port 21 on system B, where an FTP server is listening.

I am not sure that the GUI in YaST is able to help you here. It is mainly designed to create IP-rules for configuring a so called “personal firewall”. That is already different from a firewall that protects a network (LAN), but I assume (never tried it) that using the different zones (external, internal and demilitarized), YaST might be of help for such a thing. I am not sure if IP address and Port forwarding is fully understood by YaST, though the underlying IP rules can do this. So you might be forced to create those IP rules yourself. I might be wrong here and I hope others will jump in and explain how to create the IP rules you need using the YaST module.
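As an added example (not code from any poster in this thread), here is what the three-port layout described above looks like as a fragment of /etc/sysconfig/SuSEfirewall2, together with a small helper that renders each FW_FORWARD_MASQ entry as the iptables DNAT rule it corresponds to and a check for the mistake of assigning one firewall port to two targets. The LAN address 192.168.1.5 for system B and the interface names eth0 (external) and eth1 (internal) are assumed values; the helper functions are illustrative and not part of SuSEfirewall2.

```shell
# Added example: SuSEfirewall2 settings for the layout "21 local, 10001 -> B:80,
# 20002 -> B:21". Addresses and interface names below are assumptions.

FW_DEV_EXT="eth0"          # interface facing the Internet
FW_DEV_INT="eth1"          # interface facing the LAN where system B lives
FW_ROUTE="yes"             # let the firewall forward packets between zones
FW_MASQUERADE="yes"        # LAN hosts leave with the firewall's external address
FW_SERVICES_EXT_TCP="21"   # the FTP server on system A itself stays reachable

# Format of each entry:
#   <source net>,<target ip>,<protocol>,<port on firewall>[,<port on target>]
# Two entries, one firewall port each; 10001 and 20002 must not be reused.
FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,10001,80 0/0,192.168.1.5,tcp,20002,21"

# Illustrative helper (not part of SuSEfirewall2): print the iptables nat-table
# rule that each entry amounts to, so the mapping can be eyeballed before reload.
render_forward_masq() {
  local entry src dst proto port target_port
  for entry in $1; do
    IFS=, read -r src dst proto port target_port <<EOF
$entry
EOF
    target_port=${target_port:-$port}   # a missing 5th field means "same port"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "$FW_DEV_EXT" "$src" "$proto" "$port" "$dst" "$target_port"
  done
}

# Illustrative helper: succeed only if no two entries claim the same firewall
# port, which is the conflict Henk points out above (one port, one target).
check_unique_ports() {
  local ports dups
  ports=$(for e in $1; do echo "$e" | cut -d, -f4; done | sort)
  dups=$(echo "$ports" | uniq -d | wc -l | tr -d ' ')
  [ "$dups" -eq 0 ]
}

# Usage: dry-run the mapping before running "SuSEfirewall2" or "rcSuSEfirewall2 restart".
check_unique_ports "$FW_FORWARD_MASQ" && render_forward_masq "$FW_FORWARD_MASQ"
```

After reloading, confirm from an outside host that port 10001 reaches Apache on B and port 20002 reaches B's FTP banner, and that port 21 still answers from A. Since the FTP control channel now arrives on 20002, also verify that passive-mode data connections through the firewall work; the connection-tracking FTP helper on A is what makes those work, and it is the first thing to look at if listings hang.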

Thank you, Henk van Velden. That is the type of information I am looking for.

Can you or someone else point me to manual instructions for configuring susefirewall2 manually to obtain the above described results or suggest a different GUI? I have used Firewall Builder successfully in the past with Ubuntu. Would I be able to use Firewall Builder with openSUSE 13.2?

Yes, you can use any tool to configure your iproute-based firewall.
But, SUSE FW itself is a “firewall builder” that for the most part only does common, simple configurations.
If you use a different tool to build, configure and manage your FW you should disable/uninstall SUSE FW to avoid conflicts.

What you’re describing is commonly called PAT (Port Address Translation) which is similar to the more commonly seen NAT but is translating the port instead of the ip address (and you may be doing both). It’s something I haven’t seen in SUSE FW so is probably beyond its capability.

Another possible solution is based on whether you really do need to translate ports, if you’re already doing NAT and filtering by protocol or port, do you really <also> need to translate ports as well? If you don’t see the need, then simply configure your web server to serve the website on the same port as what is seen on the publicly facing interface of the FW. In fact, you can typically configure websites to listen on multiple ports (eg both 80 and 10001).

TSU

Thank you. That’s the information I needed and the conclusion I was coming to on my own.

I don’t see how to mark the post as resolved.

We don’t typically do that here, although you could edit the thread title to state this as such.