Susefirewall: redirect an external IP-call to an internal server

Hello,

we own a static external IP xxx.xxx.xxx.xxx
I'm redirecting external calls to https://xxx.xxx.xxx.xxx:30443 to our intranet server 192.168.12.5:30443 so we can use our internal forum software, using SuSEfirewall2 with "FW_FORWARD_MASQ". This works well.

Calling https://xxx.xxx.xxx.xxx:30443 from the internal network (intranet) doesn't work; our superordinate IT doesn't allow using the external IP from the intranet.

I tried the following solution on our internet proxy server:
If a call comes from network 192.168.0.0/16 for address https://xxx.xxx.xxx.xxx on port 30443, redirect the call to IP 192.168.12.5 using port 30443.

My implementation in SuSEfirewall2:

FW_FORWARD_MASQ="192.168.0.0/16,192.168.12.5,tcp,30443,30443,xxx.xxx.xxx.xxx
192.168.0.0/16,192.168.12.5,udp,30443,30443,xxx.xxx.xxx.xxx"

Based on the example in the documentation:

Examples:
- "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on port 80 coming from the 4.0.0.0/8 network to the internal server 10.10.0.10
- "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on port 80 coming from the 4.0.0.0/8 network to the internal server 10.10.0.10 on port 81
- "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202" the network 200.200.200.0/24 trying to access the address 202.202.202.202 on port 80 will be forwarded to the internal server 10.0.0.10 on port 81

But it doesn't work.
Any idea?

Thanks for your help,
Holger
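The entry format the poster is working from (source network, internal server, protocol, port, optional target port, optional external address) is easy to get wrong, and the case in this post has a second trap: the internal clients (192.168.0.0/16) and the internal server (192.168.12.5) are on the same side of the firewall, so a plain destination rewrite can leave the server replying to the client directly, bypassing the firewall that did the rewrite. The script below is an added example, not code from the poster or from SuSEfirewall2: it parses FW_FORWARD_MASQ-style entries using the field order of the quoted documentation, renders the iptables DNAT/FORWARD rules such an entry stands for (that rule shape is this example's own assumption, not what SuSEfirewall2 actually installs), and adds a MASQUERADE rule when the server lies inside the source network. The public address 203.0.113.10 in the sample is a constructed documentation-range placeholder for the redacted IP.

```python
"""Translate FW_FORWARD_MASQ-style entries into the iptables rules they
describe, and flag entries that need hairpin (same-network) handling.

Added example; not SuSEfirewall2's own code and not from the forum post.
The field order is taken from the documentation quoted in the thread:
    source_net,dest_ip,proto,port[,dest_port[,external_ip]]
The generated iptables rules are this example's own reading of an entry;
they are an assumption, not a dump of what SuSEfirewall2 installs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ForwardEntry:
    source_net: ipaddress.IPv4Network
    dest_ip: ipaddress.IPv4Address
    proto: str
    port: int                                     # port the client connects to
    dest_port: int                                # port on the internal server
    external_ip: Optional[ipaddress.IPv4Address]  # None = match any destination


def parse_entry(text: str) -> ForwardEntry:
    """Parse one comma-separated entry; raises ValueError on malformed input."""
    fields = [f.strip() for f in text.split(",")]
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"expected 4 to 6 fields, got {len(fields)}: {text!r}")
    proto = fields[2].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {fields[2]!r}")
    port = int(fields[3])
    dest_port = int(fields[4]) if len(fields) > 4 else port
    external_ip = ipaddress.IPv4Address(fields[5]) if len(fields) > 5 else None
    return ForwardEntry(
        source_net=ipaddress.IPv4Network(fields[0], strict=False),
        dest_ip=ipaddress.IPv4Address(fields[1]),
        proto=proto,
        port=port,
        dest_port=dest_port,
        external_ip=external_ip,
    )


def parse_variable(value: str) -> List[ForwardEntry]:
    """Parse a whole FW_FORWARD_MASQ value (entries separated by whitespace)."""
    return [parse_entry(e) for e in value.split()]


def is_hairpin(entry: ForwardEntry) -> bool:
    """True when the target server lies inside the source network.

    Then client and server may share a LAN: the firewall rewrites the
    destination to the server, but the server's replies go straight back
    to the client on the LAN without passing the firewall, so the client
    receives a SYN-ACK from the private address for a SYN it sent to the
    public address and discards it.  The fix is to also source-NAT the
    forwarded packets so replies return via the firewall.
    """
    return entry.dest_ip in entry.source_net


def iptables_rules(entry: ForwardEntry) -> List[str]:
    """Render the rules an entry stands for (assumed shape, see module docstring)."""
    match = f"-s {entry.source_net} -p {entry.proto} --dport {entry.port}"
    if entry.external_ip is not None:
        match += f" -d {entry.external_ip}"
    target = f"{entry.dest_ip}:{entry.dest_port}"
    rules = [
        # Rewrite the destination before routing.  Deliberately no
        # "-i <external interface>": a rule bound to the external interface
        # never sees the packets internal clients send from the inside.
        f"iptables -t nat -A PREROUTING {match} -j DNAT --to-destination {target}",
        # Let the rewritten packet through the filter table.
        f"iptables -A FORWARD -s {entry.source_net} -d {entry.dest_ip} "
        f"-p {entry.proto} --dport {entry.dest_port} -j ACCEPT",
    ]
    if is_hairpin(entry):
        # Make the server answer to the firewall instead of to the client.
        rules.append(
            f"iptables -t nat -A POSTROUTING -s {entry.source_net} -d {entry.dest_ip} "
            f"-p {entry.proto} --dport {entry.dest_port} -j MASQUERADE"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample: the poster's entries with a documentation-range
    # address (203.0.113.10) standing in for the redacted public IP.
    sample = (
        "192.168.0.0/16,192.168.12.5,tcp,30443,30443,203.0.113.10 "
        "192.168.0.0/16,192.168.12.5,udp,30443,30443,203.0.113.10"
    )
    for entry in parse_variable(sample):
        print(f"# hairpin={is_hairpin(entry)}")
        for rule in iptables_rules(entry):
            print(rule)
```

The MASQUERADE on the hairpin path has a cost worth knowing before you apply it: the internal server then sees every hairpinned connection as coming from the firewall's address, so its access logs and any IP-based access control lose the real client address. That is one reason the split-horizon DNS approach suggested in the replies is usually preferred over hairpin NAT when you control internal name resolution.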

Do you control your own intranet DNS?
If so, can you configure it as a normal DNS instead of a forwarding only DNS? If this is possible, then your solution is simple… Create your intranet’s Domain zone and populate it with internal IP addresses instead of the public IP addresses on the Internet.

This is a variation on "poisoning DNS", but here you do it intentionally and for good; it is not a malicious hack.

Even if you can't do this with an intranet DNS, for a small network you can distribute a custom Hosts file with the required records pointing to intranet addresses, and if you want to ease managing so many Hosts files, they can often be distributed using DHCP.

TSU

On Leap 15 you should have firewalld instead of SuSEfirewall. Is this an upgrade of a previous openSUSE version?
You should have a script installed, susefirewall2-to-firewalld, to migrate. Firewalld has a nice interface (bit of a learning curve) with lots of options.
And yes, it provides port forwarding.

If I understand the following from the @OP, simply changing the firewall management isn't enough:

our superordinate IT doesn't allow using the external IP from the intranet.

The solution I propose points each host in the private network to the private IP address of the web server instead of to the public IP address and then performing a hairpin turn back through the external firewall to the internal web server.

TSU