SuSEfirewall2

[mingazal]

Не делается проброс к внутренней машине, помогите разобраться
suse10.2 eth0 192.168.x.x. eth1 213.172.x.x

FW_DEV_INT="eth2"
FW_DEV_EXT="eth0"

# This option overrides IP_FORWARD from
# /etc/sysconfig/network/options

FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_INT="yes"
FW_ALLOW_PING_EXT="no"

FW_SERVICES_INT_TCP="4674"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_EXT_TCP="4674"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_INT_IP=""

FW_MASQ_NETS="0/0"

FW_FORWARD_MASQ="0/0,192.168.x.144,tcp,4674,46741,213.172.x.x"
FW_SERVICES_REJECT_EXT="0/0,tcp,113"

FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"

FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp"
FW_PROTECT_FROM_INT="yes"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_EXT_IP=""
FW_FORWARD_MASQ=""
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_IPSEC_TRUST="no"
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_DMZ=""

[prezha]

i'm not sure what you want to achieve here, but there are some points you should correct - see my comments below...

Цитата: Сообщение от mingazal Не делается проброс к внутренней машине, помогите разобраться suse10.2 eth0 192.168.x.x. eth1 213.172.x.x FW_DEV_INT="eth2" => FW_DEV_INT="eth-id-_mac_address_of_your_eth0__like__eth-id-00:05:5d:dd:fd:10" FW_DEV_EXT="eth0" => FW_DEV_EXT="eth-id-_mac_address_of_your_eth1__like__eth-id-00:05:5d:dd:fd:20" # This option overrides IP_FORWARD from # /etc/sysconfig/network/options FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_INT="yes" FW_ALLOW_PING_EXT="no" FW_SERVICES_INT_TCP="4674" FW_SERVICES_INT_UDP="53" FW_SERVICES_EXT_TCP="4674" FW_SERVICES_EXT_UDP="" FW_SERVICES_INT_RPC="" FW_SERVICES_INT_IP="" FW_MASQ_NETS="0/0" FW_FORWARD_MASQ="0/0,192.168.x.144,tcp,4674,46741,213.172.x.x" => FW_FORWARD_MASQ="213.172.x.x,192.168.x.144,tcp,467 4,46741" FW_SERVICES_REJECT_EXT="0/0,tcp,113" FW_KERNEL_SECURITY="yes" FW_STOP_KEEP_ROUTING_STATE="no" FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp" FW_PROTECT_FROM_INT="yes" => be *careful* with this: Цитата: # If you set this to "yes", internal machines may only access # services on the firewall you explicitly allow. If you set this to # "no", any internal user can connect (and attack) any service on # the firewall. FW_IGNORE_FW_BROADCAST_EXT="yes" FW_IGNORE_FW_BROADCAST_INT="no" FW_IGNORE_FW_BROADCAST_DMZ="no" FW_SERVICES_EXT_RPC="" FW_SERVICES_EXT_IP="" FW_FORWARD_MASQ="" => doubled: you already sat it above to "0/0,192.168.x.144,tcp,4674,46741,213.172.x.x" FW_FORWARD_ALWAYS_INOUT_DEV="" FW_ALLOW_FW_BROADCAST_EXT="" FW_ALLOW_FW_BROADCAST_INT="" FW_ALLOW_FW_BROADCAST_DMZ="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_IPSEC_TRUST="no" FW_SERVICES_ACCEPT_EXT="" FW_SERVICES_ACCEPT_INT="" FW_SERVICES_ACCEPT_DMZ=""

if you wanted to forward port 4674 on your fw to port 46741 on int pc, change to this:
FW_SERVICES_EXT_TCP="4674"
FW_SERVICES_EXT_UDP="4674"
FW_FORWARD_MASQ="213.172.x.y,192.168.x.144,tcp,467 4,46741 213.172.x.y,192.168.x.144,udp,4674,46741"
and also, you might need this:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

[mingazal]

prezha спасибо , но проблема осталась
1.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

пишет is deprecated and will likely be removed in the future..

2. посавил wireshak, connect fr suse10.2
a. suse10.2->192.168.10.144 12874->4674
192.168.10.144->suse10.2 4674->12874
b.coonect fr inet
вижу пакеты
inet->192.168.10.144
а вот пакеты от 192.168.10.144 отсутствуют