Bug 134600

Summary: FW_REDIRECT doesn't work in SuSEfirewall2
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Médéric Boquien <mboquien>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: SuSE Linux 10.0   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Médéric Boquien 2005-11-20 22:46:42 UTC 
If i want to redirect to a local port using SuSEfirewall2,the FW_REDIRECT option has no effect and the packets aren't redirected. As a short artificial testcase, imagine you have a ssh daemon running on port 22 and you want to connect to it on port 222, so you want to redirect all connections from port 222 to port 22: FW_REDIRECT="192.168.1.0/24,0/0,tcp,222,22 127.0.0.1,0/0,tcp,222,22"
After restarting the firewall i get:
telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.1

telnet 192.168.1.254 22
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.1

*but*

telnet 127.0.0.1 222
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

telnet 192.168.1.254 222
Trying 192.168.1.254...
telnet: connect to address 192.168.1.254: Connection refused

As you see the requestion REDIRECT is not performed. This problem is the same as described here i think: http://lists.suse.com/archive/suse-security/2005-Jul/0032.html

Thank you very much,

Médéric
Comment 1 Ludwig Nussel 2005-11-21 08:24:11 UTC 
loopback is treated in a special way by the kernel. Try connecting from another machine and it will work.
Comment 2 Médéric Boquien 2005-11-21 18:32:21 UTC 
Unfortunetaly connecting from another computer is not an option as i do that to access a machine which is behind firewall through a tunnel ssh and it is my only computer. Is there another way to do port redirecting on localhost in SuSE or do i have to use another firewall? I used to do this manipulation with shorewall and it worked without any problem.

Thanks,

Médéric
Comment 3 Ludwig Nussel 2005-11-22 08:27:40 UTC 
"another firewall" also just uses iptables. If you find out which kind of magic rule is necessary o make it work I might be able to add that to SuSEfirweall2. You can see the commands SuSEfirewall2 uses by running "SuSEfirewall2 debug".
Comment 4 Médéric Boquien 2005-11-23 22:16:40 UTC 
Hi Ludwig,

I think i've found what is needed to make SuSEfirewall2 work as expected. The problem is similar to the one described here: http://www.caucho.com/support/resin-interest/0509/0008.html . An OUTPUT rule similar to the PREROUTING one is needed. I wrote a such line in the console and all of a sudden everything worked as i wanted. Thank you very much for adding this to SuSEfirewall2.

Regards,

Médéric
Comment 5 Ludwig Nussel 2005-11-24 08:25:21 UTC 
that works indeed, thanks for the hint. However, after thinking more about it I am not going to add it. I think it will cause breakage if you use e.g. squid as transparent proxy. In that case you would redirect port 80 to local 3128. In contrast to ssh squid does also create outgoing connection to port 80 so it would also match this redirect rule and redirect to itself in a loop.