using Suse 12.1 to forward internet and LAN

Hi-
Is there a way to configure Suse 12.1 to allow computers attached to a switch (which is attached to one NIC on a Suse 12.1 machine) to connect to the LAN/internet on the other NIC without masquerading/hiding/protection?
Below is a simple map of what I have going on:

Three various computers — SWITCH — NIC1 (Suse 12.1 machine) NIC2 — LAN/Internet

Suse (linux) has a lot of security features/capabilities, but what I’m looking for is a solution for the “various computers” to simply have their requests, or requests of them, routed through the Suse 12.1 machine without messing with their IP addresses or re-directing IP/ports; just as though the various computers, themselves, were attached directly to the LAN/internet.

Maybe;
FW_ROUTE="yes"
FW_MASQUERADE="no"

I’m new to this aspect of linux, so I may have used terminologies inaccurately (sorry).

Thanks!

I just found some new information…

I would like to create a direct link from the LAN/internet to the “three various computers”
The “three various computers” have valid, non-private, IP addresses (which were assigned by my ISP).

I think I need to use these lines in SuseFirewall2;
FW_FORWARD= (leaving this blank allows all traffic ??)
FW_ROUTE="yes"

For the “three various computers”, should their gateways point to NIC2?

Would this do the trick?

THANKS!

testingsuse111 wrote:
> Hi-
> Is there a way to configure Suse 12.1 to allow computers attached to a
> switch (which is attached to one NIC on a Suse 12.1 machine) to connect
> to the LAN/internet on the other NIC without
> masquerading/hiding/protection?
> Below is a simple map of what I have going on:
>
> Three various computers — SWITCH — NIC1 (Suse 12.1 machine) NIC2
> — LAN/Internet

There’s no technical problem with this arrangement. You just need to
enable forwarding and tell the firewall to get out of the way, as you
suggest. But it’s a rather unusual arrangement and if you explain why you
think you need it like this, people may have a better idea. It’s unusual
because:

(1) The opensuse box isn’t performing any function, apparently, but is
spending some (lots) of its time just forwarding network packets. That
will add latency and may limit bandwidth. Why not connect the
LAN/internet to the switch and so take the opensuse box out of the circuit?

(2) The arrangement apparently leaves the three other boxes with no
firewall protection. It’s generally a good idea to have a dedicated
firewall, optimised for the purpose and with clearly defined rules. One
exception might be if your three boxes are themselves firewalls under
test, but then you’re compromising their performance by putting the
opensuse box in circuit.

Hi djh-novell-

There are some details in the “map” I didn’t include, but here they are:

Three various computers (each have giga-bit NICs) — SWITCH (giga-bit) — NIC1 (giga-bit) (Suse 12.1 machine) NIC2 (fast ether-slow)— LAN/Internet

The “three various computers” will communicate with the Suse machine (Suse has NFS, and Samba services running) using giga-bit (fast for me transferring very large files). The LAN is heavily firewalled from the internet by the organization where these computers are used and the network is “policed” rigorously.

The switch simply can’t be connected to the LAN, nor can the “three various computers”… it’s just the way things are (or I would have :-) )

Turning off Suse’s firewall doesn’t seem to be a solution.

Here’s some additional information:
The “three various computers” use these IP addresses - 10.8.8.131, 10.8.8.132, and 10.8.8.133, gateway for all three = 10.8.8.100, netmask for all three = 255.255.252.0
The Suse machine has these IP addresses - giga-bit NIC = 10.8.8.130, LAN/internet fast ether NIC = 10.8.8.100

Is there something (maybe a lot) that I’m not considering? THANKS!

I believe what you want to achieve is described here (AKA IP masquerading): openSUSE ICS: Internet Connection Sharing (Linux IP Masquerading) with Suse or Windows Servers

Hi deano_ferrari-

Thanks for the help, but masquerading is the last thing I want for this arrangement. I don’t want the “three various computers” to be hidden at all. They have their own firewalls and the organization has extensive internet-firewall protection.

I’m still eager to try ideas. THANKS!

On 08/01/2012 11:16 AM, testingsuse111 wrote:
>
> Hi deano_ferrari-
>
> Thanks for the help, but masquerading is the last thing I want for this
> arrangement. I don’t want the “three various computers” to be hidden at
> all. They have their own firewalls and the organization has extensive
> internet-firewall protection.
>
> I’m still eager to try ideas. THANKS!

I do not understand why connecting the various computers and the organizational
network to a switch does not fit the requirements, but I will assume the reason
is valid.

What I think you need to do is “bridge” the two NICs on your main computer as
described in
http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge. AFAIK,
that will transfer all protocols destined to go outside the cluster, but will
not expose any internal traffic to the rest of the organization.

Hi lwfinger-

I opened the link and read the page. What is suggested sounds GOOD! I will be testing it soon and posting the results here.

Thanks!

On Tue, 31 Jul 2012 20:46:04 GMT, testingsuse111
<testingsuse111@no-mx.forums.opensuse.org> wrote:

>
>Turning off Suse’s firewall doesn’t seem to be a solution.
>
>Here’s some additional information:
>The “three various computers” use these IP addresses - 10.8.8.131,
>10.8.8.132, and 10.8.8.133, gateway for all three = 10.8.8.100, netmask
>for all three = 255.255.252.0
>The Suse machine has these IP addresses - giga-bit NIC = 10.8.8.130,
>LAN/internet fast ether NIC = 10.8.8.100
>
>Is there something (maybe a lot) that I’m not considering? THANKS!

Perhaps. In general, 10.X.X.X addresses are internal private class A
addresses. They do not appear in the public address space of the Internet. It
seems that your company’s ISP is translating those (server / website)
addresses for you. It may actually be an IP instead of an ISP. You may
want simple bridging.

?-)

Hi lwfinger-

It worked! Thanks!
I had tried many different ideas and didn’t trust the installation I had been working with, so I did a fresh install and used these commands (without setting up the NICs AT ALL);

su (and entered password)

ifconfig eth0 0.0.0.0

ifconfig eth1 0.0.0.0

brctl addbr mybridge

brctl addif mybridge eth0

brctl addif mybridge eth1

ifconfig mybridge 10.8.8.130 netmask 255.255.255.0

Thank you, it works great! I rebooted the system and, as expected, the bridge stopped working. Is there a way to make the bridge permanent?

On 08/06/2012 03:46 PM, testingsuse111 wrote:
>
> Hi lwfinger-
>
> It worked! Thanks!
> I had tried many different ideas and didn’t trust the installation I
> had been working with, so I did a fresh install and used these commands
> (without setting up the NICs AT ALL);
>
> # su (and entered password)
>
> # ifconfig eth0 0.0.0.0
> # ifconfig eth1 0.0.0.0
> # brctl addbr mybridge
> # brctl addif mybridge eth0
> # brctl addif mybridge eth1
> # ifconfig mybridge 10.8.8.130 netmask 255.255.255.0
>
> Thank you, it works great! I rebooted the system and, as expected, the
> bridge stopped working. Is there a way to make the bridge permanent?

Add the commands you need to /etc/init.d/boot.local.
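
An added example, not part of any post in this thread: one way to write the bridge commands for /etc/init.d/boot.local so that they are safe to run more than once and refuse to build a half-configured bridge when a NIC is missing. The bridge name, NICs, address and netmask are the ones from the post above; the function names and the SYS and BRIDGE_APPLY variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: idempotent bridge setup for /etc/init.d/boot.local.
BR=mybridge                 # bridge name used in the thread
PORTS="eth0 eth1"           # NICs the poster added to the bridge
ADDR=10.8.8.130             # address the poster gave the bridge
MASK=255.255.255.0          # netmask from the poster's ifconfig line
SYS=${SYS:-/sys/class/net}  # overridable (assumption) so the plan can be checked offline

# Print only the commands that are still needed, so re-running is harmless.
bridge_plan() {
    for nic in $PORTS; do
        # A missing NIC would leave a half-built bridge; refuse up front.
        [ -e "$SYS/$nic" ] || { echo "missing NIC: $nic" >&2; return 1; }
    done
    [ -d "$SYS/$BR/bridge" ] || echo "brctl addbr $BR"
    for nic in $PORTS; do
        [ -e "$SYS/$BR/brif/$nic" ] && continue   # already a bridge port
        echo "ifconfig $nic 0.0.0.0"
        echo "brctl addif $BR $nic"
    done
    echo "ifconfig $BR $ADDR netmask $MASK"
}

# Run the plan line by line and stop at the first command that fails.
bridge_apply() {
    plan=$(bridge_plan) || return 1
    echo "$plan" | while read -r cmd; do
        $cmd || exit 1
    done
}

# Only touch the network when explicitly asked to:
# put BRIDGE_APPLY=1 above this block in boot.local.
if [ "${BRIDGE_APPLY:-0}" = 1 ]; then
    bridge_apply
fi
```

Calling bridge_plan on its own prints the commands without running them, which is a quick way to see what the next boot will do.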