Firewall and Masquerading in SuSE Linux 6.4/7.0/7.1

Support knowledgebase (sm_masq2)
Applies to

SuSE Linux: Versions 6.4 to 7.1
This article refers to an older version of SuSE Linux. Some of the information given in this article may therefore be outdated, or the article may contain stale links.

Kernel: Versions since 2.2

Situation:

Procedure:

Introductory Notes

  1. Pure Masquerading Without Filters

    This procedure lets hosts on the internal network reach the Internet through the masquerading host, without any packet filtering.

    Attention: Although this is the easiest way to give all internal hosts Internet access, it leaves them with practically no protection: the masquerading host forwards traffic but filters nothing. Therefore, never choose this option for production use.

    Attention 2: From SuSE Linux 7.1 on, you should use personal-firewall for masquerading instead of this method (see section 2 below).

    Because this method is not intended for SuSE Linux 7.1, this section deliberately does not (!) account for the fact that /sbin/init.d was moved to /etc/init.d starting with SuSE Linux 7.1; the paths given in this section therefore apply to SuSE Linux 6.4 and 7.0 only.

    The package ipchains (series sec) must be installed.

    Set the parameter START_FW in /etc/rc.config to "no", so that the SuSE firewall scripts are not started at boot time as well.

    Create the file /sbin/init.d/masquerade with the following content.
    Since cut & paste from a browser often introduces errors, we recommend fetching the script with Lynx instead:

    lynx -dump http://sdb.suse.de/sdb/de/html/sm_masq2.html > masquerade
    Then delete the text before and after the script.

    
    #! /bin/sh
    #
    # /sbin/init.d/masquerade - pure masquerading, no packet filtering
    #
    # Uses the status strings rc_done/rc_failed and the variable
    # IP_FORWARD from /etc/rc.config.
    
    . /etc/rc.config
    
    PROG="/sbin/ipchains"
    # Device used for the Internet connection (ippp0 = ISDN, ppp0 = modem)
    WORLD_DEV="ippp0"
    # Masquerading helper modules for protocols that carry addresses or
    # ports in their payload (FTP, IRC, RealAudio, ...) and for port forwarding
    MODULES="ip_masq_autofw ip_masq_cuseeme ip_masq_ftp ip_masq_irc ip_masq_mfw \
           ip_masq_portfw ip_masq_quake ip_masq_raudio ip_masq_user ip_masq_vdolive"
    
    # ip_masq_* modules that are currently loaded (unloaded again by "stop")
    LOADED_MODULES=$(lsmod | grep ip_masq | cut -d " " -f1)
    
    return=$rc_done
    
    if [ ! -x $PROG ]
    then
      echo -n "Starting masquerading failed - package ipchains is not installed"
      return=$rc_failed
      echo -e "$return"
      exit 1
    fi
    
    case "$1" in
      start)
        echo -n "Starting masquerading"
        # Enable IP forwarding between the interfaces
        echo "1" > /proc/sys/net/ipv4/ip_forward
    
        # Flush all chains, then masquerade everything leaving via WORLD_DEV
        $PROG -F || return=$rc_failed
        $PROG -A forward -i $WORLD_DEV -j MASQ || return=$rc_failed
    
        for i in $MODULES; do
          insmod $i > /dev/null 2>&1 || return=$rc_failed
        done
    
        echo -e "$return"
        ;;
    
      stop)
        echo -n "Shutting down masquerading"
    
        $PROG -F || return=$rc_failed
    
        # Switch forwarding off again only if rc.config does not want it on
        test "$IP_FORWARD" = no && echo "0" > /proc/sys/net/ipv4/ip_forward
    
        for i in $LOADED_MODULES; do
          rmmod $i > /dev/null 2>&1 || return=$rc_failed
        done
    
        echo -e "$return"
        ;;
    
      *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
    esac
    
    test "$return" = "$rc_done" || exit 1
    
    exit 0
    
    

    Replace "ippp0" with the device you use for establishing your Internet connection.
    The procedure also works with an analog modem connection and ppp0.

    Make the file executable: chmod 700 /sbin/init.d/masquerade.

    Set up the corresponding links for automatic start-up in the respective runlevels:

       ln -s ../masquerade /sbin/init.d/rc2.d/S99masquerade
       ln -s ../masquerade /sbin/init.d/rc2.d/K51masquerade
       ln -s ../masquerade /sbin/init.d/rc3.d/S99masquerade
       ln -s ../masquerade /sbin/init.d/rc3.d/K51masquerade
    

    After the next reboot, LAN hosts can reach the Internet, provided they have the masquerading host configured as their default gateway.

  2. Masquerading with Simple Filters (from SuSE Linux 7.1)

    Starting from SuSE Linux 7.1, the best solution for simple masquerading is to use personal-firewall. This approach, too, is very easy to configure, but it also gives the internal network a measure of protection, since all incoming connections are rejected at the outer device.

    In order to be able to use this solution, the personal-firewall package (series sec) must be installed. In new installations, this option is included in the default software selection. When updating from an older SuSE Linux version, it may be necessary to postinstall this package.

    An update can be downloaded from ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/personal-firewall.rpm

    The configuration requires only one parameter to be modified:

    REJECT_ALL_INCOMING_CONNECTIONS in the file /etc/rc.config.d/security.rc.config.

    Possible values:

    Accordingly, for one network adapter eth0 and an ISDN dial-in device ippp0, the entry that masquerades all internal network traffic traversing ippp0 and blocks all incoming external connections looks as follows:

    REJECT_ALL_INCOMING_CONNECTIONS="ippp0 masq"
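    What the unfiltered masquerading of section 1 and the "reject all incoming connections" of section 2 amount to in ipchains terms, as an added example that is not part of this article and is not the code of the personal-firewall package. The outer device ippp0 and the internal network 192.168.1.0/24 are assumptions, as is the dry-run mode: when DRY_RUN is set, or when /sbin/ipchains is not installed, the ipchains command lines are printed instead of executed, so the ruleset can be reviewed on any machine before it goes onto the gateway.

```shell
#!/bin/sh
# Added example, not from the SDB article and not SuSE's personal-firewall
# code. Assumed values: outer device ippp0, internal network 192.168.1.0/24.
# With DRY_RUN set, or without /sbin/ipchains, commands are printed, not run.

WORLD_DEV="${WORLD_DEV:-ippp0}"            # assumed Internet device
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed internal network
IPCHAINS="/sbin/ipchains"
DRY_RUN="${DRY_RUN:-}"

# Run ipchains, or print the command line in dry-run mode.
ipc() {
    if [ -n "$DRY_RUN" ] || [ ! -x "$IPCHAINS" ]; then
        echo "ipchains $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# Switch on forwarding between the interfaces (printed in dry-run mode).
enable_forwarding() {
    if [ -n "$DRY_RUN" ] || [ ! -w /proc/sys/net/ipv4/ip_forward ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Variant 1 (section 1): masquerade everything leaving via WORLD_DEV and
# filter nothing. Every packet from the Internet reaches the gateway's
# own services, and any source address is masqueraded.
masq_unfiltered() {
    enable_forwarding
    ipc -F
    ipc -A forward -i "$WORLD_DEV" -j MASQ
}

# Variant 2 (what section 2's "reject all incoming connections at the outer
# device" means): the same masquerading, plus filters on WORLD_DEV.
masq_filtered() {
    enable_forwarding
    ipc -F
    ipc -P input   ACCEPT
    ipc -P output  ACCEPT
    ipc -P forward DENY
    # Anti-spoofing: nothing arriving on the outer device may claim a LAN source.
    ipc -A input -i "$WORLD_DEV" -s "$LAN_NET" -j DENY -l
    # New inbound TCP connections (SYN set, ACK clear: -y) are rejected.
    # Replies to connections opened from inside carry ACK and still pass.
    ipc -A input -i "$WORLD_DEV" -p tcp -y -j REJECT -l
    # Inbound UDP to privileged ports is dropped; DNS replies come back
    # to unprivileged client ports and are unaffected.
    ipc -A input -i "$WORLD_DEV" -p udp --destination-port 0:1023 -j DENY -l
    # Only the LAN is masqueraded, and only when leaving via the outer
    # device; the forward policy DENY above catches everything else.
    ipc -A forward -i "$WORLD_DEV" -s "$LAN_NET" -j MASQ
}

# Number of MASQ rules a variant installs (dry run, for review).
masq_rule_count() {
    ( DRY_RUN=1; "$1" ) | grep -c -- '-j MASQ'
}

case "${1:-}" in
    start)   masq_filtered ;;
    dry-run) DRY_RUN=1 masq_filtered ;;
esac
```

    Running the script with the argument dry-run prints the filtered ruleset; with start it installs it. Note that ipchains is stateless: the SYN test and the privileged-port test are what stand in for connection tracking here, which is why inbound UDP to unprivileged ports and non-SYN TCP segments are still accepted.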

  3. Firewall with Packet Filters

    Here is a short description of the settings in /etc/rc.config.d/firewall.rc.config.

    The following packages must be installed:

    Set the parameter START_FW in /etc/rc.config to "yes" so that the firewall scripts are processed when the system boots.

    If your firewall is a dial-in host with a dynamic IP address, the call /sbin/SuSEfirewall must be added to the script /etc/ppp/ip-up, so that the rules are rebuilt with the current address after each dial-up.

    If you are using SuSE Linux 7.0 or 7.1, these entries already exist in /etc/ppp/ip-up.
    Simply set the parameter START_FW in /etc/rc.config to yes.
    You can ignore any error messages about missing devices that you may see while the system boots, since the actual rules are set later, during dial-up.

    All other settings are performed in /etc/rc.config.d/firewall.rc.config.

    Important notes:

    The configuration, setup, and maintenance of your firewall is not eligible for installation support.

    Be sure to read the documentation in /usr/doc/packages/firewals for SuSE Linux 6.4, /usr/share/doc/packages/firewals for SuSE Linux 7.0, or /usr/share/doc/packages/SuSEfirewall/ for SuSE Linux 7.1, as well as chapters 6.7 and 18 in the manual.

    If you only perform these settings and use SuSEfirewall, do not expect your system to be bulletproof!
    There is no solution that you can simply install to protect yourself against every kind of attack from the Internet.

    In order to increase the security of a firewall server, you should:

    The options that need to be configured are as follows:

    The individual options:

    The following options should be left with their default settings unless you are absolutely sure of what you are doing:

Keywords: FIREWALL, MASQUERADING, FORWARDING, ROUTING, DIALIN, IPCHAINS, ROUTER

SDB-sm_masq2, Copyright SuSE Linux AG, Nürnberg, Germany - Version: 06. Feb 2002
SuSE Linux AG - Last generated: 08. Feb 2002 by tino (sdb_gen 1.40.0)