After running SuSEfirewall2 on a brain old SuSE 9.2 machine for many years I thought I’ll give it a try for my new firewall using OpenSuSE 13.1 on a freshly installed VM with two network interfaces:
ens32 - 192.168.1.4 = internal
ens34 - 195.58.174.124 = directly connected to the internet
The firewall machine itself is running ssh which should be reachable for everyone.
On the internal network for testing two machines are running:
192.168.1.24 - apache2 on 80+443; this Apache should be reachable (port forward) for everyone
192.168.1.133 - Windows client, only for surfing, no servers
My SuSEfirewall2-settings:
FW_DEV_EXT="ens34"
FW_DEV_INT="ens32"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ens34"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="80 443 ssh"
FW_SERVICES_INT_TCP="80 443 ssh"
FW_TRUSTED_NETS="192.168.1.0/24" (also tried "")
FW_FORWARD_MASQ="0.0.0.0/0,192.168.1.24,tcp,80,80,195.58.174.124"
FW_ALLOW_FW_SOURCEQUENCH="yes" (also tried "no")
All logging to YES
What’s working:
- I can reach ssh no matter from where (inside, outside) and which IP (192.168.1.24, 195.58.174.124…) I’m using
- I can reach the web server when using the external IP 195.58.174.124 from an external machine
- I can reach every external IP/name from the internal machine
But only one thing does NOT work:
- if I try to reach the external IP 195.58.174.124 from an INTERNAL machine I get:
telnet 195.58.174.124 80
Trying 195.58.174.124...
telnet: connect to address 195.58.174.124: Connection refused
and the firewall log only shows:
kernel: [23611.147397] SFW2-INint-ACC-ALL IN=ens32 OUT= MAC=00:…:00 SRC=192.168.1.24 DST=195.58.174.124 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18534 DF PROTO=TCP SPT=33135 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A0996B4E50000000001030307)
I don't like the "OUT=" but am not sure if that is the problem...
I tried to vary lots of the SuSEfirewall2 settings, change the generated iptables statements (I must confess I'm not an iptables guru) and so on - nothing, although I have already spent lots of hours on it.
Anyone any ideas? Thanks a lot!!!
Markus
PS: nmap from an internal machine shows (shortened):
nmap 195.58.174.124
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
nmap 192.168.1.4
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
From an external machine:
nmap 195.58.174.124
(The 1660 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https - of course, no masq rule until now
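Added example, not part of Markus's post: a small Python checker that reads SFW2 kernel log lines of the kind quoted above together with the FW_FORWARD_MASQ setting and reports whether a request was DNATed and forwarded or delivered to the firewall itself. It relies on two netfilter facts: an empty OUT= means the packet was logged in the INPUT chain (local delivery, not FORWARD), and the filter table runs after nat PREROUTING, so a DST that still equals the published IP proves the port forward was not applied to that packet. The log lines are constructed from the post (MAC address and the second, forwarded request are made up for illustration).

```python
import re

# Constructed sample input: the SFW2-INint-ACC-ALL line from the post (MAC shortened)
# and a constructed FORWARD-chain line showing how a correctly DNATed request logs.
LOG_LINES = [
    "kernel: [23611.147397] SFW2-INint-ACC-ALL IN=ens32 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=192.168.1.24 DST=195.58.174.124 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18534 DF "
    "PROTO=TCP SPT=33135 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    "kernel: [23700.000001] SFW2-FWDext-ACC-FORW IN=ens34 OUT=ens32 SRC=203.0.113.7 "
    "DST=192.168.1.24 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0",
]
FW_FORWARD_MASQ = "0.0.0.0/0,192.168.1.24,tcp,80,80,195.58.174.124"

def parse_forward_masq(setting):
    """Entries are src_net,dst_ip,proto,port[,target_port[,public_ip]] as used in the post."""
    rules = []
    for entry in setting.split():
        f = entry.split(",")
        rules.append({"src_net": f[0], "dst_ip": f[1], "proto": f[2].upper(), "port": int(f[3]),
                      "public_ip": f[5] if len(f) > 5 else None})
    return rules

def parse_log(line):
    """Map the netfilter KEY=value tokens to a dict; keys with no value (OUT=) map to ''."""
    pkt = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    m = re.search(r"SFW2-\S+", line)
    pkt["PREFIX"] = m.group(0) if m else ""
    return pkt

def chain_of(pkt):
    """LOG fills IN for INPUT/FORWARD and OUT for FORWARD/OUTPUT, so the pair tells the chain."""
    if pkt.get("IN") and pkt.get("OUT"):
        return "FORWARD"
    return "INPUT" if pkt.get("IN") else "OUTPUT"

def diagnose(line, rules):
    """A packet logged in INPUT with DST still equal to the published IP was never DNATed:
    it is handed to the firewall's own TCP stack, which has nothing listening on that
    port and answers with RST (the 'Connection refused' telnet reports)."""
    pkt = parse_log(line)
    chain = chain_of(pkt)
    for r in rules:
        if pkt.get("PROTO") == r["proto"] and int(pkt.get("DPT", 0)) == r["port"]:
            if chain == "INPUT" and pkt.get("DST") == r["public_ip"]:
                return {"chain": chain, "verdict": "dnat-not-applied", "in": pkt["IN"],
                        "expected_dst": r["dst_ip"]}
            if chain == "FORWARD" and pkt.get("DST") == r["dst_ip"]:
                return {"chain": chain, "verdict": "forwarded", "in": pkt["IN"], "out": pkt["OUT"]}
    return {"chain": chain, "verdict": "no-forward-rule"}

if __name__ == "__main__":
    for line in LOG_LINES:
        print(diagnose(line, parse_forward_masq(FW_FORWARD_MASQ)))
```

Running it against the post's own log line yields "dnat-not-applied" with IN=ens32, i.e. the FW_FORWARD_MASQ rule only rewrites requests arriving on the external interface, which is the condition to look for before changing any rules.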