Internet Connection Sharing - limit access?

Got a couple of servers on a building LAN, and only one of these machines has internet access (one internal nic, one external one). ICS itself is easy enough (just turn on network masquerading at the firewall settings), but even though nothing of the sort is listed in the allowed services for the internal zone (internal zone: NFS client, NFS server service, SSH and courier-imapd), this seems to open up ICS for everyone on the local network (with hundreds of other users)!

I tend to close everything down unless necessary (although I did add a couple of servers to each other's TRUSTED_NETS list - removed the test server to check gateway availability), but this doesn't seem to do anything in regard to ICS. Is there a way to limit ICS access to just a couple of specified machines, without adding all kinds of custom firewall rules that will probably be overwritten at the next change through yast?

Hummm. . . that is a good question. Though I’ve not tried this, I wonder if just blocking everyone with ALL:ALL in hosts.deny and then allowing the specific ones you want in hosts.allow would work? Might be worth a shot.

Thanks to a hint from a friend I managed to figure it out last night :)

The tricky bit is that apparently ‘IP forwarding’ only works between the external and internal zone, and that there’s no way you can deviate from these zones for specific services within the suse firewall settings (like nfs and samba).
So I've moved eth1 (172.20) from 'internal' to the 'external' zone and created a second local network (192.168) on an idle on-board nic, assigning that one to the internal zone. Did have to, where possible, limit access from within the service settings, for example in smb.conf "interfaces = eth1 eth3 localhost" (eth2 being the wan interface). And of course you need another vlan or switch, but this will pretty much prevent your possibly large set of custom firewall rules from causing trouble should you make changes to your setup, as this uses physically separated networks.

server with internet access:

  • eth2 (wan): external zone
  • eth1 (172.20): external zone (configure samba, nfs and whatnot from within their own conf files to allow access to eth1 or the applicable IP range, 172.20 etc)
  • eth3 (192.168): internal zone
  • yast network settings / routing: enable IP forwarding
  • yast firewall / masquerading: masquerade networks

server without internet access:

  • one eth on the 172.20 network (so it can provide its services)
  • one eth on the 192.168 network
  • yast network settings / routing: default gateway -> 192.168 IP of server
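The layout from the post above, checked against the keys that yast writes into /etc/sysconfig/SuSEfirewall2 (FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE, FW_MASQ_NETS); this is an added example, not something from the thread, and both config texts are constructed to match the poster's interface naming. It also looks at FW_MASQ_NETS, which the thread does not mention: leaving it at the default "0/0" masquerades every internal host, while listing specific hosts or nets limits who gets forwarded.

```shell
#!/bin/sh
# Constructed config matching the post: eth2 wan and eth1 (172.20) external,
# eth3 (192.168) internal, masquerading limited to two named hosts.
GOOD_CFG='FW_DEV_EXT="eth2 eth1"
FW_DEV_INT="eth3"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.1.10 192.168.1.11"'

# Constructed config with the default FW_MASQ_NETS, i.e. everyone in the
# internal zone is masqueraded (the situation the question describes).
WEAK_CFG='FW_DEV_EXT="eth2"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="0/0"'

# cfg_get KEY CFGTEXT: print the (unquoted) value of KEY, last assignment wins.
cfg_get() {
    printf '%s\n' "$2" | sed -n 's/^'"$1"'="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | tail -n 1
}

# zone_of IFACE CFGTEXT: print internal/external/unassigned for an interface.
zone_of() {
    for dev in $(cfg_get FW_DEV_INT "$2"); do
        [ "$dev" = "$1" ] && { echo internal; return 0; }
    done
    for dev in $(cfg_get FW_DEV_EXT "$2"); do
        [ "$dev" = "$1" ] && { echo external; return 0; }
    done
    echo unassigned
}

# masq_restricted CFGTEXT: succeed only when masquerading is on AND the
# source list names specific hosts/nets rather than the catch-all 0/0.
# Entries have the form source[,dest[,proto[,port]]], hence the glob.
masq_restricted() {
    [ "$(cfg_get FW_MASQUERADE "$1")" = "yes" ] || return 1
    nets=$(cfg_get FW_MASQ_NETS "$1")
    [ -n "$nets" ] || return 1
    for n in $nets; do
        case $n in 0/0*|0.0.0.0/0*) return 1 ;; esac
    done
    return 0
}

masq_restricted "$GOOD_CFG" && echo "GOOD_CFG: ICS limited to listed hosts"
masq_restricted "$WEAK_CFG" || echo "WEAK_CFG: ICS open to the whole internal zone"
```

Run it against the live file with `masq_restricted "$(cat /etc/sysconfig/SuSEfirewall2)"` to see which case your own setup is in.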