Thread: SLES 15 IP Masquerade selective ports

  1. #1

    SLES 15 IP Masquerade selective ports

    I am using a SLES 15 machine with 2 network cards as a router for a private network to the internet. I have setup IP masquerading and machines in the 'private' network can access the internet successfully.

    What I want to do now is limit the outbound traffic from the private network to the external network to a selection of TCP ports and block everything else. I need to allow port 22 (SSH) and a few ports on an external licence server but nothing else (no http or https for example) but I am struggling to see how to setup firewalld to do this.

    The firewall is running and the internal zone allows https as my router machine is running rmt for patching and registration, but I only want this to apply to connections from the internal (private) networks to the router itself, not via the masquerading process to the external network.

    Can anyone offer any advice or links to resources on how to set this up?

    Thanks

    Rob

  2. #2

    Re: SLES 15 IP Masquerade selective ports

    ttrcf wrote:

    >
    > I am using a SLES 15 machine with 2 network cards as a router for a
    > private network to the internet. I have setup IP masquerading and
    > machines in the 'private' network can access the internet
    > successfully.
    >
    > What I want to do now is limit the outbound traffic from the private
    > network to the external network to a selection of TCP ports and block
    > everything else. I need to allow port 22 (SSH) and a few ports on an
    > external licence server but nothing else (no http or https for
    > example) but I am struggling to see how to setup firewalld to do this.
    >
    > The firewall is running and the internal zone allows https as my
    > router machine is running rmt for patching and registration but I
    > only want this to apply to connections from the internal (private)
    > networks to the router itself, not via the masquerading process to the
    > external network.
    >
    > Can anyone offer any advice or links to resources on how to set this
    > up?
    >
    > Thanks
    >
    > Rob


    Hi Rob,

    How are you configuring your firewall?

    - YaST provides an easy way to configure a simple firewall and the
    configuration is saved in /etc/sysconfig/SuSEfirewall2.
    - You have more control over what is configured if you edit
    /etc/sysconfig/SuSEfirewall2 directly.

    The configuration specified in SuSEfirewall2 is used to create the
    actual firewall rules via iptables. If you know what you are doing you
    can use iptables directly and obtain very granular control over how the
    firewall behaves. (man iptables)

    To simplify your configuration, SuSEfirewall2 makes a number of
    assumptions including: internal zones have access to external zones;
    external zones do not have access to other zones; services running on
    your firewall system are generally not accessible from other systems.
    Then, of course, the rest of the firewall configuration involves
    creating exceptions to these rules but there are only so many types of
    exceptions that can be created even by editing SuSEfirewall2 directly.

    Sometimes it may be necessary to think outside the box!

    I haven't tried this but what happens if you setup both interfaces as
    external? By default external interfaces don't have access to anything.
    Could you not then define precisely what traffic is permitted to and
    from each interface and which interface has access to services on the
    firewall itself?

    --
    Kevin Boyle - Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below this post.
    Thank you.

  3. #3

    Re: SLES 15 IP Masquerade selective ports

    Kevin

    Thanks for your reply. SLES15 uses firewalld rather than SuSEFirewall2, which complicates matters a little, but the underlying technology is still iptables.

    My difficulty is how to apply separate rules to the traffic from the private network that is destined for the router machine via the adapter in the internal firewall zone (https to the rmt server for example) whilst not allowing https traffic to servers on the external side via the IP masquerade.

    Rob

  4. #4

    Re: SLES 15 IP Masquerade selective ports

    ttrcf wrote:

    > My difficulty is how to apply separate rules to the traffic from the
    > private network that is destined for the router machine via the
    > adapter in the internal firewall zone


    That is what I understood.

    Can you not configure both interfaces as external and then permit
    specific traffic to/from each interface?

    --
    Kevin Boyle - Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below this post.
    Thank you.

  5. #5

    Re: SLES 15 IP Masquerade selective ports

    KBOYLE wrote:

    > ttrcf wrote:
    >
    > > My difficulty is how to apply separate rules to the traffic from the
    > > private network that is destined for the router machine via the
    > > adapter in the internal firewall zone
    >
    > That is what I understood.
    >
    > Can you not configure both interfaces as external and then permit
    > specific traffic to/from each interface?
    >
    > --
    > Kevin Boyle - Knowledge Partner

    Kevin

    Thanks again, but I am not sure what you mean by this. If I have both NICs in the same zone, will they not pick up exactly the same rules? Could you perhaps give an example of a firewalld rule that would act on traffic between two interfaces in the same zone?

    I was playing yesterday with outbound rules on the external interface and managed to block all outgoing traffic except DNS and SSH. This worked for traffic from the external zone but did not affect the masqueraded traffic from the internal zone, even though it was passing through the external interface. Is this expected behaviour?

    Rob

  6. #6

    Re: SLES 15 IP Masquerade selective ports

    ttrcf wrote:

    >
    > KBOYLE;56640 Wrote:
    > > ttrcf wrote:
    > >
    > > > My difficulty is how to apply separate rules to the traffic from
    > > > the private network that is destined for the router machine via
    > > > the adapter in the internal firewall zone
    > >
    > > That is what I understood.
    > >
    > > Can you not configure both interfaces as external and then permit
    > > specific traffic to/from each interface?
    > >
    > > --
    > > Kevin Boyle - Knowledge Partner
    > > If you find this post helpful and are logged into the web interface,
    > > please show your appreciation and click on the star below this post.
    > > Thank you.
    >
    > Kevin
    >
    > Thanks again but I am not sure what you mean by this. If I have both
    > NICs in the same zone will they not pick up exactly the same rules?
    > Could you perhaps give an example of a firewalld rule that would act
    > on traffic between two interfaces in the same zone.


    Hi Rob,

    I have not worked with SLES 15 so I'm going to let someone else jump in
    and offer some suggestions...

    I've done a lot of firewall configuration in SLES 11 which uses
    SuSEfirewall2 but things have changed in SLES 15.

    Have you read the documentation?
    https://www.suse.com/documentation/sles-15/index.html

    The firewall is mentioned throughout the various documents but the
    Security Guide seems to have the most relevant information. See the
    section on Masquerading and Firewalls:

    https://www.suse.com/documentation/s..._firewall.html


    > I was playing yesterday with outbound rules on the external interface
    > and managed to block all outgoing traffic except DNS and SSH. This
    > worked for traffic from the external zone but did not affect the
    > masqueraded traffic from the internal zone, even though it was passing
    > through the external interface. Is this expected behaviour?


    firewalld appears to be quite different from SuSEfirewall2. Until I
    have worked with it I can't say what is expected behaviour.

    While you can easily configure rules you have to be careful. Until you
    understand all the nuances of the application and the configuration
    utility, the rules you define may not produce the results you desire
    and may even allow unintentional access.

    Most firewall configuration tools use the concept of zones to create a
    set of default rules to simplify the configuration. Typically, an
    external zone is associated with a public network where all input is
    blocked unless it is specifically enabled while an internal zone is
    associated with a trusted network where all input is permitted. When
    you configure a system to function as a router you want some traffic to
    pass from one interface to another. To accomplish this you need to
    enable "forwarding" then define rules to permit specific types of
    traffic.

    My earlier suggestion to put both your interfaces into the external
    zone would mean that input from both interfaces would be blocked by
    default. You would then have to create rules to define what services on
    your server, if any, can be accessed from a specific interface and
    additional rules to permit specific types of traffic to pass from one
    interface to the other. How you might do that depends on the specific
    firewall configuration tool you are using.

    I hope that helps.

    --
    Kevin Boyle - Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below this post.
    Thank you.
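As an added example (not code from any post in this thread) addressing Rob's request in #5 for a rule that acts on traffic passing between two interfaces, and Kevin's description in #6 of enabling forwarding and then permitting specific traffic: the script below generates firewalld "direct" rules for the iptables FORWARD chain, which is the path masqueraded packets take. Zone services, ports and outbound rich rules are evaluated for traffic whose destination is the router itself, which is why blocking ports on the external zone left the masqueraded flows from the internal zone untouched. Interface names (eth1 internal, eth0 external), the licence-server address 192.0.2.10 and its port range 27000-27009 are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: build firewalld --direct rules that filter traffic FORWARDED
# from the internal NIC to the external NIC (the masqueraded path).
# Assumptions (placeholders): eth1 = internal NIC, eth0 = external NIC,
# 192.0.2.10 = licence server. Nothing here is from the original thread.

# Set FIREWALL_CMD=echo to dry-run and review the commands before applying.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# gen_forward_rules IN_IF OUT_IF "port[@dst] ..."
#   port may be a single port (22) or an iptables range (27000:27009);
#   an optional @dst restricts the rule to one destination address.
# Prints one "firewall-cmd --permanent --direct --add-rule" command per
# allowed entry, preceded by an accept for replies to existing flows and
# followed by a reject for everything else from IN_IF to OUT_IF.
gen_forward_rules() {
    in_if=$1; out_if=$2; allowed=$3; prio=0
    base="$FIREWALL_CMD --permanent --direct --add-rule ipv4 filter FORWARD"
    # Return traffic for flows already accepted must pass or nothing works.
    printf '%s\n' "$base $prio -i $out_if -o $in_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for spec in $allowed; do
        prio=$((prio + 1))
        port=${spec%%@*}
        dst=""
        case $spec in *@*) dst=" -d ${spec#*@}";; esac
        printf '%s\n' "$base $prio -i $in_if -o $out_if$dst -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    prio=$((prio + 1))
    # Final catch-all: anything else forwarded from inside to outside is rejected.
    printf '%s\n' "$base $prio -i $in_if -o $out_if -j REJECT --reject-with icmp-admin-prohibited"
}

# count_rules: number of commands gen_forward_rules would emit (sanity check).
count_rules() { gen_forward_rules "$@" | wc -l | tr -d ' '; }

# Usage:  sh thisfile.sh apply          (or FIREWALL_CMD=echo ... for a dry run)
if [ "${1:-}" = "apply" ]; then
    gen_forward_rules eth1 eth0 "22 27000:27009@192.0.2.10" | sh
    $FIREWALL_CMD --reload
    # Verify the rules landed in FORWARD rather than only in the zone INPUT chains.
    $FIREWALL_CMD --direct --get-all-rules
fi
```

After applying, `iptables -L FORWARD -n -v` should show the direct rules (they live in the FORWARD_direct chain, which firewalld consults before its zone chains) with counters increasing for allowed flows and the final REJECT counting the rest. The direct interface exists on the firewalld shipped with SLES 15; on firewalld 0.9 and later the same intent can be expressed with a policy object (`--new-policy`, `--add-ingress-zone internal --add-egress-zone external`, `--set-target REJECT`, `--add-port 22/tcp`), which is the maintained replacement for direct rules.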
