Forward Service 3389/7000

SUSE Product Topics SLES Networking
1

Hello, My name’s Fabian. I’m from Argentina.
I need help with Forward Service in Server Linux Enterprise SP3. My server (firewall) works by giving internet to the internal network, I want to enable port 3389 (ms-wbt-server) and 7000 (afs3-fileserver) to my internal network to access external servers, but I could not do it. Enclosed is my settings SuSEfirewall2.

Thank you.

Fabian

FW_DEV_EXT=“any eth0”
FW_DEV_INT=“eth1”
FW_DEV_DMZ=“usb0”
FW_ROUTE=“yes”
FW_MASQUERADE=“yes”
FW_MASQ_DEV=“zone:ext”
FW_MASQ_NETS=“0/0”
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT=“no”
FW_SERVICES_EXT_TCP=“3050 3389 7000”
FW_SERVICES_EXT_UDP=“3389 7000”
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT=“samba-client samba-server vnc-server xorg-x11-server”
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=“0/0,tcp,3389,3389
0/0,udp,3389,3389
0/0,tcp,7000,7000
0/0,udp,7000,7000”
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=“0/0, 0/0,udp”
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=“192.168.0.0/24,192.168.11.0/24”
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=“0/0,192.168.0.9,tcp,7000
0/0,192.168.0.9,udp,7000
0/0,192.168.0.25,tcp,3389
0/0,192.168.0.25,udp,3389”
FW_REDIRECT=""
FW_LOG_DROP_CRIT=“yes”
FW_LOG_DROP_ALL=“no”
FW_LOG_ACCEPT_CRIT=“yes”
FW_LOG_ACCEPT_ALL=“no”
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=“yes”
FW_STOP_KEEP_ROUTING_STATE=“no”
FW_ALLOW_PING_FW=“yes”
FW_ALLOW_PING_DMZ=“no”
FW_ALLOW_PING_EXT=“yes”
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=“no”
FW_ALLOW_FW_BROADCAST_INT=“no”
FW_ALLOW_FW_BROADCAST_DMZ=“no”
FW_IGNORE_FW_BROADCAST_EXT=“yes”
FW_IGNORE_FW_BROADCAST_INT=“no”
FW_IGNORE_FW_BROADCAST_DMZ=“no”
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=“no”
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST=“ext”
FW_ZONES=""
FW_USE_IPTABLES_BATCH=“no”
FW_LOAD_MODULES=“nf_conntrack_netbios_ns”
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_BOOT_FULL_INIT=""

2

Hi Fabian,

which are the resulting iptables rules for forwarding? (“iptables -L FORWARD -nv”, and if subrules appear in “target” column, repeat for those)

I’m not comfortable with the SUSEfirewall scripts, but can help judge the resulting rule sets :wink:

Regards,
Jens

3

Ok ;), thank.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6365 309K TCPMSS tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 forward_ext all – * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
0 0 forward_ext all – * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec proto 50
301K 22M forward_int all – eth1 * 0.0.0.0/0 0.0.0.0/0
387K 525M forward_ext all – eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 forward_dmz all – usb0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ’
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

4

Hi Fabian,

[QUOTE=fabianmk;15003]Ok ;), thank.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6365 309K TCPMSS tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 forward_ext all – * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
0 0 forward_ext all – * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec proto 50
301K 22M forward_int all – eth1 * 0.0.0.0/0 0.0.0.0/0
387K 525M forward_ext all – eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 forward_dmz all – usb0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ’
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0[/QUOTE]

there’s nothing in the FORWARD chain WRT ports 3389 & 7000, but you might want to check the highlighted chains (especially forward_int), that’s where I’d expect that SUSEfirewall put the rules resulting from your configuration.

I’m looking for entries similar to

10645   20M ACCEPT     tcp  --  eth1 eth0  192.168.0.0/24       0.0.0.0/0        tcp spts:1024:65535 dpt:3389

which would indicate that TCP traffic incoming on eth1 (your internal interface) port 1024…65535 and heading to any (Internet) host port 3389, leaving via eth0 (your Internet-connected interface) would be permitted.

BTW, I see that you have “usb0” configured as your DMZ device - is that as intended, I’ve never seen a network device called “usb0” :wink:

Something else I noticed:

This, AFAICT, opens the firewall for incoming traffic from the Internet to your firewall system for these “services” - from your description I understood that you wanted to forward traffic for 3389/7000 from your internal network(s) to some Internet servers… did I understand that correctly?

Regards,
Jens

5

Hi Fabian,

[QUOTE=fabianmk;14999]Hello, My name’s Fabian. I’m from Argentina.
I need help with Forward Service in Server Linux Enterprise SP3. My server (firewall) works by giving internet to the internal network, I want to enable port 3389 (ms-wbt-server) and 7000 (afs3-fileserver) to my internal network to access external servers, but I could not do it. Enclosed is my settings SuSEfirewall2.

Thank you.

Fabian

FW_DEV_EXT=“any eth0”
FW_DEV_INT=“eth1”
FW_DEV_DMZ=“usb0”
[…]
FW_FORWARD_MASQ=“0/0,192.168.0.9,tcp,7000
0/0,192.168.0.9,udp,7000
0/0,192.168.0.25,tcp,3389
0/0,192.168.0.25,udp,3389”
[…][/QUOTE]

looking at /usr/share/doc/packages/SuSEfirewall2/EXAMPLES and some online docs I noticed it said that multiple entries are to be space-delimited… you used new-lines, you might need to escape those by trailing “”.

Regards,
Jens

6

Hi Jens

With this rules “iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.0.25:3389” work correctly, but I don’t implement correctly this rules in susefirewall2

[QUOTE]which would indicate that TCP traffic incoming on eth1 (your internal interface) port 1024…65535 and heading to any (Internet) host port 3389, leaving via eth0 (your Internet-connected interface) would be permitted.

BTW, I see that you have “usb0” configured as your DMZ device - is that as intended, I’ve never seen a network device called “usb0”[/QUOTE]

yes, this is correctly. The eth1 is internal interface and the eth0 is internet interface. But usb0 is configuration DMZ but this is off.

Yes, this is correctly. My remote server is running with ip dynamics with service dns www.no-ip.org and the conection with this for the port 3389 (ms-wbt-server), and port 7000 (afs3-fileserver) I use for .NET Applications of service provider telephony card.

7

Hi Fabian,

[QUOTE=fabianmk;15022]Hi Jens
[…]
Yes, this is correctly. My remote server is running with ip dynamics with service dns www.no-ip.org and the conection with this for the port 3389 (ms-wbt-server), and port 7000 (afs3-fileserver) I use for .NET Applications of service provider telephony card.[/QUOTE]

so no need to open the incoming ports on the firewall then - the server process listening on 3389/7000 is on the remote server, you only have outgoing sessions?

“iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.0.25:3389”

this looks like “overkill” to me. Address translation already is activated by SuSEfirewall, else you couldn’t reach any host at all. I believe that all you need is to permit forwarding of TCP traffic fo your destination server through your firewall

iptables -I FORWARD -i eth1 -o eth0 -p tcp --sport 1024: --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I FORWARD -i eth0 -o eth1 -p tcp --sport 3389 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
Which might happen by adding these “services” in the FW_FORWARD_MASQ, where I believe you have a syntax error.

Regards,
Jens

8

Hi Jens

this multiple entries with space-delimited is formed by SuSEfirewall2 Yast, I have replaced space-delimited with "" but this is do not work.
regards,

Fabian

9

Hi Fabian,

[QUOTE=fabianmk;15026]Hi Jens

this multiple entries with space-delimited is formed by SuSEfirewall2 Yast, I have replaced space-delimited with “” but this is do not work.
regards,

Fabian[/QUOTE]

if those entries were generated, they better work :wink: Too bad, it would have been an easy solution.

Back to the main thread here :slight_smile:

Regards,
Jens

10

Hi Fabian,

as it appears to be no syntax problem - what is actually generated into the forward_int chain?

Regards,
Jens

11

Hi Jens

I did used this rules iptables for testing connection and this did correctly, but now I using SuSEfirewall because this is best security.
Regards.

Jens

12

I have also tried with “|” and it has not worked.

13

Hi Fabian,

I believe you need to to give an overview of your setup… because if the service is on a remote server, how can “-j DNAT --to 192.168.0.25:3389” help?

So please indicate

  • where is your client running (the initiator of the TCP session)
  • where is your server process running (the receiving end of the TCP session)
  • your client’s network setup (including IP network info)
  • clients’s connection to the firewall you’re trying to configure
  • firewall setup (interfaces + their IP addresses, eventually routing table)
  • connection from firewall to server
  • server network setup

As you can see, you’ve got me sufficiently confused :[

Regards,
Jens

14

Hi Jens:
I’m sorry for your confused. My english is not very good.

My Configuration Networks is:

External Server: Dynamic IP use DNS www.no-ip.org (www.nameserver.no-ip.org)

Sever Internet / Firewall: eth0 external / internet interface (Static IP 192.168.11.121/255.255.255.0)
eth1 internal interface (Static IP 192.168.0.1/255.255.255.0)

Workstation: 192.168.0.9/255.255.255.0 Gateway 192.168.0.1 need use port 7000 NET Application connection server of provider telephony card
192.168.0.25/255.255.255.0 Gateway 192.168.0.1 need use port 3389 for Remote Control Server External (www.nameserver.no-ip.org)

Thank you for your response.
Regards,
Fabian

15

fabianmk wrote:
[color=blue]

I need help with Forward Service in Server Linux Enterprise SP3.[/color]

In your other post you say:[color=blue]

Sever Internet / Firewall: eth0 external / internet interface (Static
IP 192.168.11.121/255.255.255.0)[/color]

You say this is your Internet interface but you are using a private IP
address which not valid for the Internet. May I assume your gateway to
the Internet is through another router? If this is so, then that router
is is likely providing a NAT function so you would not need to use
masquerading on this server. Besides, to me it doesn’t make much sense
to use masquerading to substitute one private IP address for another.
[color=blue]

eth1 internal interface (Static IP
192.168.0.1/255.255.255.0)

Workstation: 192.168.0.9/255.255.255.0 Gateway 192.168.0.1 need use
port 7000 NET Application connection server of provider telephony card
192.168.0.25/255.255.255.0 Gateway 192.168.0.1 need
use port 3389 for Remote Control Server External[/color]

Ok, to simplify,
Port 3389 traffic must be directed to 192.168.0.1
Port 7000 traffic must be directed to 192.168.0.25

These packets must be forwarded from the external interface to their
respective hosts on your LAN.

I will comment on your firewall settings…

As Jens already mentioned, this does not seem to be a valid interface:[color=blue]

FW_DEV_DMZ=“usb0”[/color]

Setting this option one alone doesn’t do anything. Either activate

masquerading with FW_MASQUERADE below if you want to masquerade

your internal network to the internet, or configure FW_FORWARD to

define what is allowed to be forwarded.

While this setting is correct, you need to make sure FW_FORWARD has the
correct settings.[color=blue]

FW_ROUTE=“yes”[/color]

This sets up masquerading but your Internet interface has a private IP
address. All outgoing packets will be assigned 192.168.11.121 instead
of 192.168.0.n. I suspect you don’t need this. All these settings
should be set to “”.[color=blue]

FW_MASQUERADE=“yes”
FW_MASQ_DEV=“zone:ext”
FW_MASQ_NETS=“0/0”
FW_NOMASQ_NETS=“”[/color]

FW_SERVICES_xxx_xxx specified which services you want to allow access
to ON THE FIREWALL. From what you have told us, you don’t want to do
that except for possibly 3050. You already said traffic on ports 3389
and 7000 is to be directed to specific hosts on the LAN.[color=blue]

FW_SERVICES_EXT_TCP=“3050 3389 7000”[/color]
FW_SERVICES_EXT_TCP=“”[color=blue]
FW_SERVICES_EXT_UDP=“3389 7000”[/color]
FW_SERVICES_EXT_UDP=“”

Do you really want to allow access to these services on your server
FROM THE INTERNET?[color=blue]

FW_CONFIGURATIONS_EXT=“samba-client samba-server vnc-server
xorg-x11-server”[/color]

Here you are saying to allow this traffic to enter your server from the
Ext interface (Internet) but these services aren’t running on your
server so this is incorrect.[color=blue]

FW_SERVICES_ACCEPT_EXT=“0/0,tcp,3389,3389
0/0,udp,3389,3389
0/0,tcp,7000,7000
0/0,udp,7000,7000”[/color]
FW_SERVICES_ACCEPT_EXT=“”

I’m not exactly sure what you are trying to do here. It looks as if you
are allowing EVERYTHING through the external interface to enter the
server. I suspect this should be changed.[color=blue]

FW_SERVICES_ACCEPT_RELATED_EXT=“0/0, 0/0,udp”[/color]
FW_SERVICES_ACCEPT_RELATED_EXT=“”

FW_FORWARD determines WHAT gets forwarded. The syntax is the same as is
used for FW_FORWARD_MASQ. You are telling the firewall to forward
outgoing (only) traffic but only between two specific networks.[color=blue]

FW_FORWARD=“192.168.0.0/24,192.168.11.0/24”[/color]

At the very least, this syntax is incorrect. It must be on one line or
else you have to use a line continuation character: ""[color=blue]

FW_FORWARD_MASQ=“0/0,192.168.0.9,tcp,7000
0/0,192.168.0.9,udp,7000
0/0,192.168.0.25,tcp,3389
0/0,192.168.0.25,udp,3389”[/color]
FW_FORWARD_MASQ=" \
0/0,192.168.0.9,tcp,7000 \
0/0,192.168.0.9,udp,7000 \
0/0,192.168.0.25,tcp,3389 \
0/0,192.168.0.25,udp,3389 \
"
Assuming you don’t use masquerading and you want to allow ALL outgoing
traffic, FW_FORWARD should look something like this:
FW_FORWARD=" \
192.168.0.0/24,0/0 \
0/0,192.168.0.9,tcp,7000 \
0/0,192.168.0.9,udp,7000 \
0/0,192.168.0.25,tcp,3389 \
0/0,192.168.0.25,udp,3389 \
"
And FW_FORWARD_MASQ would be FW_FORWARD_MASQ=“”

I have not verified your other firewall settings.

Please see /etc/sysconfig/SuSEfirewall2 for a description of what each
setting does.


Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…