Bug 134600 - FW_REDIRECT doesn't work in SuSEfirewall2
Summary: FW_REDIRECT doesn't work in SuSEfirewall2
Status: RESOLVED INVALID
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Security
Version: unspecified
Hardware: Other SuSE Linux 10.0
Priority: P5 - None, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-20 22:46 UTC by Médéric Boquien
Modified: 2005-11-24 08:25 UTC (History)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Médéric Boquien 2005-11-20 22:46:42 UTC
If I want to redirect to a local port using SuSEfirewall2, the FW_REDIRECT option has no effect and the packets aren't redirected. As a short artificial testcase, imagine you have an ssh daemon running on port 22 and you want to connect to it on port 222, so you want to redirect all connections from port 222 to port 22: FW_REDIRECT="192.168.1.0/24,0/0,tcp,222,22 127.0.0.1,0/0,tcp,222,22"
After restarting the firewall I get:
telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.1

telnet 192.168.1.254 22
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.1

*but*

telnet 127.0.0.1 222
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

telnet 192.168.1.254 222
Trying 192.168.1.254...
telnet: connect to address 192.168.1.254: Connection refused

As you see the requested REDIRECT is not performed. This problem is the same as described here I think: http://lists.suse.com/archive/suse-security/2005-Jul/0032.html

Thank you very much,

Médéric
Comment 1 Ludwig Nussel 2005-11-21 08:24:11 UTC
loopback is treated in a special way by the kernel. Try connecting from another machine and it will work.
Comment 2 Médéric Boquien 2005-11-21 18:32:21 UTC
Unfortunately connecting from another computer is not an option as I do that to access a machine which is behind a firewall through an ssh tunnel and it is my only computer. Is there another way to do port redirecting on localhost in SuSE or do I have to use another firewall? I used to do this manipulation with shorewall and it worked without any problem.

Thanks,

Médéric
Comment 3 Ludwig Nussel 2005-11-22 08:27:40 UTC
"another firewall" also just uses iptables. If you find out which kind of magic rule is necessary to make it work I might be able to add that to SuSEfirewall2. You can see the commands SuSEfirewall2 uses by running "SuSEfirewall2 debug".
Comment 4 Médéric Boquien 2005-11-23 22:16:40 UTC
Hi Ludwig,

I think I've found what is needed to make SuSEfirewall2 work as expected. The problem is similar to the one described here: http://www.caucho.com/support/resin-interest/0509/0008.html . An OUTPUT rule similar to the PREROUTING one is needed. I wrote such a line in the console and all of a sudden everything worked as I wanted. Thank you very much for adding this to SuSEfirewall2.

Regards,

Médéric
Comment 5 Ludwig Nussel 2005-11-24 08:25:21 UTC
That works indeed, thanks for the hint. However, after thinking more about it I am not going to add it. I think it will cause breakage if you use e.g. squid as a transparent proxy. In that case you would redirect port 80 to local 3128. In contrast to ssh, squid also creates outgoing connections to port 80, so those would also match this redirect rule and be redirected to itself in a loop.
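The pair of nat rules Comment 4 describes (PREROUTING for remote clients, OUTPUT for the host's own connections), plus a guard against the transparent-proxy loop Comment 5 raises, as an added shell example; this is not SuSEfirewall2's code, and the owner-match guard, the dry_run helper and the sample arguments are my own assumptions.

```shell
#!/bin/sh
# Constructed example, not SuSEfirewall2's implementation. Set IPT=dry_run
# to print the iptables commands instead of executing them (no root needed).
IPT="${IPT:-iptables}"

# Prints the command it was given as a single line (for dry runs and checks).
dry_run() { printf '%s\n' "$*"; }

# add_redirect SRC_NET PROTO FROM_PORT TO_PORT [SKIP_USER]
# Redirects connections from SRC_NET for PROTO/FROM_PORT to local TO_PORT,
# for both remote clients and connections made from the host itself.
# SKIP_USER (optional) is a local user whose own outgoing connections must
# not be redirected: a transparent proxy such as squid connects upstream to
# port 80 and would otherwise be sent back to itself, the loop in Comment 5.
add_redirect() {
    src="$1"; proto="$2"; from_port="$3"; to_port="$4"; skip_user="$5"

    # Rule 1: packets arriving from other hosts, matched before routing.
    $IPT -t nat -A PREROUTING -s "$src" -p "$proto" --dport "$from_port" \
        -j REDIRECT --to-ports "$to_port"

    # Rule 2: locally generated packets to any local address (127.0.0.1 or
    # the host's own NIC address) are routed out via lo, so -o lo covers
    # both cases the bug report tested. The owner match is only valid in
    # OUTPUT, which is exactly where the loop guard is needed.
    if [ -n "$skip_user" ]; then
        $IPT -t nat -A OUTPUT -o lo -p "$proto" --dport "$from_port" \
            -m owner ! --uid-owner "$skip_user" \
            -j REDIRECT --to-ports "$to_port"
    else
        $IPT -t nat -A OUTPUT -o lo -p "$proto" --dport "$from_port" \
            -j REDIRECT --to-ports "$to_port"
    fi
}

# Dry-run helper: number of REDIRECT rules add_redirect would install.
count_rules() {
    ( IPT=dry_run; add_redirect "$@" ) | grep -c 'REDIRECT'
}
```

Running `IPT=dry_run sh thisfile.sh` after appending a call such as `add_redirect 192.168.1.0/24 tcp 222 22` prints the two rules without touching the live tables.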