Hi, all --

From reviewing the archives I *believe* I'm in a good place to ask, but I could be wrong. Please be gentle in your redirection :-)

I am doing some work for a client who has finally switched from SCO UNIX to SCO's version of Linux, which includes SuSEfirewall2 which, AIUI, is a front-end to iptables and/or netfilter (I know I don't know what I'm talking about!). In any given location he has a static external interface and a 10.x.y.z internal interface and would like to do NATting for his internal Windows machines. I am trying to write a script to configure and enable SuSEfirewall2 for this so that he can do a hands-off install on his literally thousands of clients.

SCO UNIX used ipf and ipnat, and I got those simple rules worked out. Now I need to do the same thing for iptables and SuSEfirewall2 and I'm pretty lost. Maybe I don't even need to worry about that package but should instead just talk to iptables directly; if that's the case, not only do I need to work up a different config file but also startup scripts, right?

Recalling that this has to be a hands-off install, I have whipped up a little script to identify the internal and external interfaces, and then apply

  # Rewrite the active FW_* assignments (patterns anchored with ^ so that
  # commented example lines in the file are left alone) into a fresh copy.
  cat /etc/sysconfig/SuSEfirewall2.bak.$$ | \
    sed \
      -e "s/^FW_DEV_EXT=.*/FW_DEV_EXT='$EXT'/" \
      -e "s/^FW_DEV_INT=.*/FW_DEV_INT='$INT'/" \
      -e "s/^FW_QUICKMODE=.*/FW_QUICKMODE='yes'/" \
      -e "s/^FW_ROUTE=.*/FW_ROUTE='yes'/" \
      -e "s/^FW_MASQUERADE=.*/FW_MASQUERADE='yes'/" \
      -e "s:^FW_MASQ_NETS=.*:FW_MASQ_NETS='10.0.0.0/8':" \
      -e "s/^FW_SERVICES_QUICK_TCP=.*/FW_SERVICES_QUICK_TCP='telnet ftp ssh www mysql'/" \
      -e "s:^FW_TRUSTED_NETS=.*:FW_TRUSTED_NETS='10.0.0.0/8':" \
    > /etc/sysconfig/SuSEfirewall2

to set the variables accordingly and then create the rc?.d start and stop symlinks for the three scripts. Unfortunately, a client machine on the inside properly pointing to the internal address as its default gateway cannot get through.
Having read the example file, asked google for help, read through list archives, and generally poked and prodded everywhere I can, I've come up with many "you need to turn on NAT" but no pointers to how to do so!

TIA & HAND

:-D
-- 
David T-G                          * There is too much animal courage in
(play) davidtg@xxxxxxxxxxxxxxx     * society and not sufficient moral courage.
(work) davidtgwork@xxxxxxxxxxxxxxx   -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
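A safer way to do the hands-off edit of the sysconfig file described above, as an added example that is not part of the original post or of SuSEfirewall2 itself: each FW_* key is rewritten only on its active (uncommented) assignment line, appended if absent, and read back for verification. The sample config file and the interface names eth0/eth1 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. An unanchored pattern like
# s/FW_DEV_EXT=.*/.../ also rewrites comment lines that mention the key;
# anchoring on ^KEY= touches only the real assignment.

# set_fw_var FILE KEY VALUE: rewrite the active assignment, or append it.
set_fw_var() {
    file=$1 key=$2 value=$3
    # Escape characters that are special on the right-hand side of s///.
    esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        sed "s/^${key}=.*/${key}=\"${esc}\"/" "$file" > "$tmp" \
            && cat "$tmp" > "$file" && rm -f "$tmp"   # keeps file mode/inode
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_fw_var FILE KEY: print the value of the active assignment, unquoted.
get_fw_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^["'\'']//; s/["'\'']$//'
}

# Build a constructed sample config (hypothetical content, modelled on the
# sysconfig layout) and apply the NAT settings from the post. Prints the path.
configure_nat_sample() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
## Type: string
## Example: FW_DEV_EXT="eth0"
# FW_DEV_EXT="eth0"
FW_DEV_EXT=""
FW_DEV_INT=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_NETS=""
EOF
    set_fw_var "$cfg" FW_DEV_EXT eth0
    set_fw_var "$cfg" FW_DEV_INT eth1
    set_fw_var "$cfg" FW_ROUTE yes
    set_fw_var "$cfg" FW_MASQUERADE yes
    set_fw_var "$cfg" FW_MASQ_NETS 10.0.0.0/8
    set_fw_var "$cfg" FW_TRUSTED_NETS 10.0.0.0/8   # absent above: appended
    printf '%s\n' "$cfg"
}
```

Run `get_fw_var /etc/sysconfig/SuSEfirewall2 FW_MASQUERADE` after the install step to confirm the live file actually carries the value before starting the firewall.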