SuSEfirewall or routing problem

Hi all and thank you for your help in advance.

I’m trying to install a server with 3 nics, 2 for different subnets and 1 connected to internet.

eth0: 192.168.11.2/24
eth2: 131.107.2.3/24 (I know this is not a C class ip but the previous admin set it like that)
eth3: 200.69.219.x/28

eth0 is connected to a Draytek Vigor 2910 router with 2 ip addresses (192.168.11.1 and public ip 200.69.219.xxx). This public ip is used to establish a VPN with other Draytek routers that have a slightly different configuration:

Draytek 2: 192.168.10.1 + public ip
Draytek 3: 192.168.12.1 + public ip
Draytek 4: 192.168.13.1 + public ip

Behind those private ip address there is a server with 2 nics: one connected to the Draytek and one connected to the rest of the network (e.g. 192.168.12.2/192.168.2.2). So the server acts as the gateway for the local network and the Draytek router acts as the gateway for the server.

192.168.2.0/24 >> 192.168.2.2 >> 192.168.12.1 <=VPN=> 192.168.11.1 << 131.107.2.3 << 131.107.2.0/24

I need:

a. 131.107.2.0/24 network to get internet connection (Squid is installed and working fine)
b. allow any computer from the networks (192.168.0.0/24, 192.168.2.0/24, 192.168.3.0/24) behind the Draytek routers to access peers at 131.107.2.0/24 network and vice versa
c. allow access to the Drayteks (192.168.10.1, 192.168.11.1, 192.168.12.1, 192.168.13.1) from the 131.107.2.0/24 network (for configuration and testing purposes)

I have the following routing table


#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
200.69.219.56   0.0.0.0         255.255.255.248 U     0      0        0 eth3
192.168.3.0     192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.2.0     192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.0.0     192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.13.0    192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.12.0    192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    192.168.11.1    255.255.255.0   UG    0      0        0 eth0
131.107.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         200.69.219.62   0.0.0.0         UG    0      0        0 eth3

And the /etc/sysconfig/SuSEfirewall2 file is


#grep -v ^# /etc/sysconfig/SuSEfirewall2 | grep -v '"]"]' | grep -v ^$
FW_DEV_EXT="any eth3"
FW_DEV_INT="eth0 eth1 eth2"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514 www domain https smtp pop3 imap imaps ntp 587"
FW_SERVICES_EXT_UDP="512:514 domain https ping-pong www"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="bind pure-ftpd sshd vsftpd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="bind dhcp-server"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS="131.107.2.0/24 192.168.11.0/24 192.168.12.0/24 192.168.2.0/24 192.168.10.0/24 192.168.13.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD="0/0,131.107.2.0/24 131.107.2.0/24,0/0 192.168.12.0/24,131.107.2.0/24 131.107.2.0/24,192.168.12.0/24 131.107.2.0/24,192.168.2.0/24 192.168.2.0/24,131.107.2.0/24"
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT="131.107.2.0/24,0.0.0.0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""

I know I’m missing something but I don’t know what.
As always any help will be much appreciated,

Pancho

I guess the first question I have is whether I understand your setup…

It sounds like you’re not really crossing the Internet, but have physically segmented (both physically and logically) your local network into 3 subnetworks… And, you’re using VPNs to connect from one subnetwork to another (!!!).

Also, if I understand your network properly, it's set up very messily… It sounds like each subnetwork has its own Server which may or may not be providing Gateway services for its own network. If this is all within a single Site it's likely all designed inadvisably.

If that's not correct, it would be useful if you described each network in a "Top Down" fashion… ie.

Site(s)
Within each Site the Gateway device or Server
When you describe a Server or router, describe <all> the relevant info, ie interfaces, IP addresses and subnets together.

Ordinarily private networks have private addresses; I understand one of your private networks is using a public address space. Have you considered the possible problems that can cause?

Ordinarily, the Default Gateway points to the Internet, so if any network isn’t able to find the Internet is the DG configured properly?

A fundamental concept of routing is that any multi-homed machine automatically knows where the networks are that it has direct contact with, but a machine that does not have direct contact with a network will not. Ordinarily, if the location of a destination isn't known, the packets are directed to the DG… But if the destination is actually on the other side of some machine or router that isn't the DG, then that's when you need to make a routing entry. These special routing entries might be on regular client machines (eg specify a non-default machine as the special path to a network) or on routers/multi-homed routing machines (eg if the destination is not in direct contact but on the other side of another non-default machine).

HTH,
TS
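The following is an added example, not code from either poster. It takes the `route -n` table and the `FW_FORWARD` / `FW_TRUSTED_NETS` values exactly as posted above, and for a handful of constructed sample hosts (taken from requirements a, b and c) does the longest-prefix lookup TS describes (most specific route wins, `0.0.0.0/0` is the default gateway only when nothing else matches), then lists which `FW_FORWARD` `source,destination` entries contain that flow and which of the required private networks are absent from `FW_TRUSTED_NETS`. The sample hosts (`131.107.2.10`, `192.168.3.20`, `192.168.0.20`, `8.8.8.8`) are assumptions. It only matches addresses against the posted strings; it does not model SuSEfirewall2's zone logic (for instance whether traffic between two `FW_DEV_INT` interfaces needs an `FW_FORWARD` entry at all).

```python
import ipaddress

# Routing table (output of `route -n`) and firewall settings copied from the
# post above; the sample hosts further down are constructed for illustration.
ROUTE_TABLE = """\
200.69.219.56   0.0.0.0         255.255.255.248 U     0      0        0 eth3
192.168.3.0     192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.2.0     192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.0.0     192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.13.0    192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.12.0    192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    192.168.11.1    255.255.255.0   UG    0      0        0 eth0
131.107.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         200.69.219.62   0.0.0.0         UG    0      0        0 eth3
"""
FW_FORWARD = ("0/0,131.107.2.0/24 131.107.2.0/24,0/0 "
              "192.168.12.0/24,131.107.2.0/24 131.107.2.0/24,192.168.12.0/24 "
              "131.107.2.0/24,192.168.2.0/24 192.168.2.0/24,131.107.2.0/24")
FW_TRUSTED_NETS = ("131.107.2.0/24 192.168.11.0/24 192.168.12.0/24 "
                   "192.168.2.0/24 192.168.10.0/24 192.168.13.0/24")


def net(spec):
    """Parse a SuSEfirewall2-style network; '0/0' is shorthand for 0.0.0.0/0."""
    if spec == "0/0":
        spec = "0.0.0.0/0"
    return ipaddress.ip_network(spec, strict=False)


def parse_routes(text):
    """Turn `route -n` lines into (network, gateway-or-None, interface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        dest, gw, mask, iface = f[0], f[1], f[2], f[7]
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net(f"{dest}/{mask}"), gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins, so the
    0.0.0.0/0 default gateway only catches destinations nothing else covers."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return best


def forward_matches(fw_forward, src, dst):
    """FW_FORWARD 'source,destination' entries whose networks contain the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for entry in fw_forward.split():
        src_net, dst_net = (net(x) for x in entry.split(",")[:2])
        if s in src_net and d in dst_net:
            hits.append(entry)
    return hits


def untrusted(fw_trusted_nets, networks):
    """Networks from the requirement list that no FW_TRUSTED_NETS entry covers."""
    trusted = [net(x) for x in fw_trusted_nets.split()]
    return [n for n in networks if not any(net(n).subnet_of(t) for t in trusted)]


def check_flow(src, dst):
    """Egress decision plus FW_FORWARD coverage for one src -> dst flow."""
    network, gateway, iface = lookup(parse_routes(ROUTE_TABLE), dst)
    return {
        "route": str(network),
        "via": None if gateway is None else str(gateway),
        "iface": iface,
        "fw_forward": forward_matches(FW_FORWARD, src, dst),
    }


if __name__ == "__main__":
    # Constructed sample hosts for requirements a, b and c
    flows = [("131.107.2.10", "8.8.8.8"),        # a: 131.107.2.0/24 to the Internet
             ("131.107.2.10", "192.168.3.20"),   # b: to a client behind a Draytek
             ("192.168.0.20", "131.107.2.10"),   # b: and back
             ("131.107.2.10", "192.168.13.1")]   # c: a Draytek management address
    for src, dst in flows:
        print(f"{src} -> {dst}: {check_flow(src, dst)}")
    print("required nets missing from FW_TRUSTED_NETS:",
          untrusted(FW_TRUSTED_NETS, ["192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```

Two things the output makes visible from the posted values alone: the pair `0/0,131.107.2.0/24 131.107.2.0/24,0/0` already contains every flow to or from 131.107.2.0/24, so the more specific 192.168.12.0/24 and 192.168.2.0/24 pairs add nothing; and 192.168.0.0/24 and 192.168.3.0/24, both named in requirement b and both present in the routing table, are the only required networks not listed in `FW_TRUSTED_NETS`. Whether either matters for the forwarding decision depends on SuSEfirewall2's zone handling, which this script does not model.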

TS, I really appreciate your reply.

I must add that those networks are in different locations. We are in Argentina and we have 2 offices in Buenos Aires, 1 in Puerto Tirol, Chaco and 1 in Formosa, Formosa province. So we cross the internet using the VPN.

I know the setup is really messy but that is what I inherited. A much simpler solution would be to have a Draytek as the gateway and all the remaining clients and servers on the same network. But that implies modifying lots of programs and shortcuts and reconfiguring 4 telephone exchanges.

I also understand the problems of using public ip addresses rather than private but I can not change it right now but I’m willing to do it in the future.

I will make a diagram so all the four networks with their routers, servers and clients are correctly described. That might help to generate the correct routing and firewalling.

Thanks again, and again.

Pancho