Networking Forums

masquerading with SUSE

 
 
marcuso (Guest), 03-15-2006, 12:29 PM
Hi folks,
I am desperately trying to configure a SUSE 9.3 machine as gateway and proxy
from the outside world to an internal HTTP Windows server using
NAT masquerading. The opposite direction functions well: I can connect
with all PCs and servers to the internet and the public IPs are
masqueraded. But I need to route from the outside world, let's say
295.176.186.193:8090 -> 10.1.1.64:80. I configured it like this using
YaST masquerading. Nevertheless it doesn't work; calling
295.176.186.193:8090 from outside results in the error CONNECTION
REFUSED WHEN ATTEMPTING TO CONTACT 295.176.186.193.

Here is some info:

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
295.176.186.192 0.0.0.0         255.255.255.224 U     0   0      0    eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0   0      0    eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         295.176.186.193 0.0.0.0         UG    0   0      0    eth1

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
295.176.186.192 *               255.255.255.224 U     0      0   0   eth1
10.1.1.0        *               255.255.255.0   U     0      0   0   eth0
link-local      *               255.255.0.0     U     0      0   0   eth0
loopback        *               255.0.0.0       U     0      0   0   lo
default         gwe-e0          0.0.0.0         UG    0      0   0   eth1

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target      prot opt source               destination
DNAT        tcp  --  295.176.186.192/27   gw.intranet.unimi.it  tcp dpt:http to:10.1.1.124:80
DNAT        tcp  --  anywhere             gw.intranet.unimi.it  tcp dpt:hosts2-ns to:10.1.1.125:81

Chain POSTROUTING (policy ACCEPT)
target      prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination

Any idea what's wrong?
Thanx a lot....

 
Senthil murugan (Guest), 03-15-2006, 01:01 PM
Can you give the output of iptables -L -n?

Because you need to allow port 8090 in your INPUT filter in order to accept the 8090 connection, unless its default policy is ACCEPT.


 
marcuso (Guest), 03-15-2006, 01:14 PM
YES, here we are:

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
input_int  all  --  0.0.0.0/0            0.0.0.0/0
input_ext  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int all --  0.0.0.0/0            0.0.0.0/0
forward_ext all --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOG        tcp  --  295.176.186.192/27   10.1.1.124           limit: avg 3/min burst 5 tcp dpt:80 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT     tcp  --  195.176.186.192/27   10.1.1.124           tcp dpt:80
LOG        tcp  --  0.0.0.0/0            10.1.1.125           limit: avg 3/min burst 5 tcp dpt:81 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT     tcp  --  0.0.0.0/0            10.1.1.125           tcp dpt:81
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOG        tcp  --  295.176.186.192/27   10.1.1.124           limit: avg 3/min burst 5 tcp dpt:80 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT     tcp  --  195.176.186.192/27   10.1.1.124           tcp dpt:80
LOG        tcp  --  0.0.0.0/0            10.1.1.125           limit: avg 3/min burst 5 tcp dpt:81 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT     tcp  --  0.0.0.0/0            10.1.1.125           tcp dpt:81
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:80 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:53 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
reject_func tcp --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain input_int (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:5801 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5801
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:5901 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5901
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:80 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:53 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INint-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INint-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INint-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

 
Senthil murugan (Guest), 03-15-2006, 01:52 PM
Since you have the DROP policy in the INPUT filter, you need to add the rule to accept the 8090 packets.
 
marcuso (Guest), 03-15-2006, 02:49 PM
Thank you very much. May I ask if I can use a more general ACCEPT
rule, since I have more than one port to open, without risking too much?
thanx again...

 
SenthilMurugan (Guest), 03-16-2006, 03:00 AM
That depends on your security risks. If you do not want to filter any
packets, then you can make the general ACCEPT rule.

 
marcuso (Guest), 03-21-2006, 09:07 AM
I still do not understand whether I have to change the configuration of the
SUSE firewall (/etc/SuSEfirewall2) manually and/or change
iptables itself.
What would be the command for iptables?
So far I changed in /etc/SuSEfirewall2:
FW_SERVICES_EXT_TCP="80 domain ssh 8090"
but it still refuses...

thanx a lot....

 
marcuso (Guest), 03-22-2006, 09:44 AM
I set
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

but nothing changed....

any idea?

 
SenthilMurugan (Guest), 03-22-2006, 10:36 AM
Check whether IP forwarding is enabled using

cat /proc/sys/net/ipv4/ip_forward

The value should be 1.

If it is 0, then do

echo "1" >/proc/sys/net/ipv4/ip_forward

Or you can set net.ipv4.ip_forward to 1 in the
/etc/sysctl.conf file and execute /sbin/sysctl -p

 
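The prerequisites raised in the replies above (a rule that accepts the forwarded traffic, and ip_forward set to 1) as a small audit script. This is an added example, not code from the thread: it reads constructed iptables-save style rulesets modelled on the output posted above and reports which prerequisite of a DNAT port forward is missing. Packets rewritten by DNAT in PREROUTING are routed through the FORWARD chain rather than INPUT, so that is the chain it checks.

```shell
#!/bin/sh
# Constructed ruleset modelled on the thread: the DNAT only covers port 80
# and only from the /27, but the poster wants tcp/8090 -> 10.1.1.64:80.
BROKEN_RULES='*nat
-A PREROUTING -s 295.176.186.192/27 -d 295.176.186.193/32 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.124:80
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A forward_ext -d 10.1.1.124/32 -p tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed ruleset with the forward the poster asked for.
FIXED_RULES='*nat
-A PREROUTING -d 295.176.186.193/32 -p tcp --dport 8090 -j DNAT --to-destination 10.1.1.64:80
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A forward_ext -d 10.1.1.64/32 -p tcp --dport 80 -j ACCEPT
COMMIT'

# check_forward EXT_PORT INT_IP INT_PORT IP_FORWARD   (ruleset on stdin)
# Prints one line per missing prerequisite; returns 0 only if all are met.
check_forward() {
    ext_port=$1; int_ip=$2; int_port=$3; ip_fwd=$4
    rules=$(cat); status=0
    # 1. the kernel must route between interfaces at all
    [ "$ip_fwd" = 1 ] || { echo "ip_forward is $ip_fwd, must be 1"; status=1; }
    # 2. a PREROUTING DNAT from the public port to the internal host:port
    dnat="-A PREROUTING .*-p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    if ! printf '%s\n' "$rules" | grep -Eq -- "$dnat"; then
        echo "no DNAT rule for tcp/$ext_port -> $int_ip:$int_port"; status=1
    elif printf '%s\n' "$rules" | grep -E -- "$dnat" | grep -q -- ' -s '; then
        # a -s match means only that source range is translated, not "outside"
        echo "DNAT rule for tcp/$ext_port is limited to a source range"; status=1
    fi
    # 3. FORWARD (or a SuSEfirewall2 forward_* chain) must ACCEPT the translated packet
    fwd="-A (FORWARD|forward_[a-z]+) .*-d $int_ip/32 -p tcp --dport $int_port -j ACCEPT"
    if ! printf '%s\n' "$rules" | grep -Eq -- "$fwd"; then
        echo "no FORWARD ACCEPT for $int_ip tcp/$int_port"; status=1
    fi
    return $status
}

# Usage: audit both constructed rulesets for the 8090 -> 10.1.1.64:80 forward.
printf '%s\n' "$BROKEN_RULES" | check_forward 8090 10.1.1.64 80 0 || echo "broken ruleset: audit failed as expected"
printf '%s\n' "$FIXED_RULES"  | check_forward 8090 10.1.1.64 80 1 && echo "fixed ruleset: all prerequisites present"
```

On a live box the same function can be fed with `iptables-save` and the value of /proc/sys/net/ipv4/ip_forward instead of the constructed samples.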
 
 
 