Problem
Within the Access Manager documentation, we reference multiple iptables scripts to translate Novell Identity Server TCP ports, or the IP address of incoming SSLVPN requests:
- http://www.novell.com/documentation/novellaccessma... (Translating the Identity Server Configuration Port)
- http://www.novell.com/documentation/novellaccessma... (Additional Configuration for Enterprise Mode)
If several scripts implement the above operations, each configured with insserv to start at a different run level, it is quite possible that some of the iptables commands will not be executed correctly, or not in the intended order. When this happens, either the SSLVPN source IP address is not rewritten, or the TCP port translation required by the Identity Server never takes effect. Add the fact that most customers also run iptables commands restricting access to services on the host, and the overall system becomes very hard to reason about, because iptables statements are being issued from several unrelated scripts.
Solution
To solve this problem, all iptables commands should be centralized in one manageable location. With the SuSEfirewall2 YaST interface, it is possible to generate most of the required filters through a UI. That filter configuration is written to /etc/sysconfig/SuSEfirewall2. Integrating the Access Manager SSLVPN and Identity Server iptables commands into the same framework gives you a single place where every iptables rule on the host is defined, and guarantees they are loaded (and reloaded) together with the rest of the firewall.
The AppNote at http://www.novell.com/coolsolutions/appnote/19939.... explains how to integrate the SSLVPN iptables rules into this setup. To include the Identity Server iptables command in the same setup, follow the procedure below (no YaST changes are required). We assume that the objective is to translate incoming TCP port 443 to the Identity Server connector port 8443, and that the SSLVPN filters have already been set up following the above AppNote.
1. Edit the file /etc/sysconfig/SuSEfirewall2 and change the following line:
FW_CUSTOMRULES=""
to
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
2. Open the /etc/sysconfig/scripts/SuSEfirewall2-custom file in an editor.
3. Add the following lines inside the fw_custom_before_port_handling() function:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.16.109:8443
true
This rewrites all requests arriving on eth0 with a destination TCP port of 443 to TCP port 8443 on IP address 192.168.16.109 (where the Novell Identity Server is listening). Replace 192.168.16.109 with the address your own Identity Server listens on; the sample file and the iptables output below were taken from a lab host where that address was 147.2.16.109. The trailing 'true' keeps the hook's exit status at zero so SuSEfirewall2 does not treat the custom rules as failed.
The file will then look like the example below (keep the other lines intact). In the SSLVPN SNAT rule shown in step 5, 10.8.0.0/16 is the tunnel subnet and 10.1.1.1 is the private interface of the host.
fw_custom_before_port_handling() {
# these rules will be loaded after the anti-spoofing and icmp handling
# and after the input has been redirected to the input_XXX and
# forward_XXX chains and some basic chain-specific anti-circumvention
# rules have been set,
# but before any IP protocol or TCP/UDP port allow/protection rules
# will be set.
# You can use this hook to allow/deny certain IP protocols or TCP/UDP
# ports before the SuSEfirewall2 generated rules are hit.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 147.2.16.109:8443
true
}
4. At the system console, restart the firewall with the 'rcSuSEfirewall2 restart' command.
5. Verify that both Access Manager NAT rules, the PREROUTING DNAT for the Identity Server and the POSTROUTING SNAT for SSLVPN, have been registered correctly using 'iptables -t nat -nvL':
linuxlab5:/var/opt/novell/tomcat4/logs # iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 46955 packets, 2685K bytes)
pkts bytes target prot opt in out source destination
4 176 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:147.2.16.109:8443
Chain POSTROUTING (policy ACCEPT 20987 packets, 1266K bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.8.0.0/16 0.0.0.0/0 to:10.1.1.1
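Because the whole point of the exercise is that rules spread across run-level scripts sometimes silently fail to load, it is worth checking for the two rules after every firewall restart rather than eyeballing the -nvL listing. The script below is an added example, not part of the original article or of the Access Manager product: it takes the output of iptables-save for the nat table and reports which of the two rules is missing. The addresses, interface and ports are the lab values used above and are assumptions you must replace with your own; the two listings embedded in the script are constructed samples, not captured from a host.

```shell
#!/bin/sh
# Post-restart check: confirm that both Access Manager NAT rules survived the
# SuSEfirewall2 reload. The values are the article's lab values (assumed);
# set them to your own Identity Server and SSLVPN addresses.
IDP_IP="147.2.16.109"        # address the Identity Server listens on
IDP_PORT="8443"              # Identity Server connector port
PUBLIC_IF="eth0"             # interface on which clients reach port 443
TUNNEL_NET="10.8.0.0/16"     # SSLVPN tunnel subnet
PRIVATE_IP="10.1.1.1"        # private interface used as the SNAT source

# check_nat_rules LISTING
#   LISTING is the text produced by `iptables-save -t nat`.
#   Exit status: 0 both rules present, 1 DNAT missing, 2 SNAT missing, 3 both.
check_nat_rules() {
    listing="$1"
    missing=0
    # iptables-save renders the rule typed in the custom hook with an explicit
    # "-m tcp" match and the long "--to-destination" form, so match that text.
    printf '%s\n' "$listing" | grep -qxF -- \
        "-A PREROUTING -i $PUBLIC_IF -p tcp -m tcp --dport 443 -j DNAT --to-destination $IDP_IP:$IDP_PORT" \
        || missing=$((missing + 1))
    printf '%s\n' "$listing" | grep -qxF -- \
        "-A POSTROUTING -s $TUNNEL_NET -j SNAT --to-source $PRIVATE_IP" \
        || missing=$((missing + 2))
    return $missing
}

# report_nat_rules LISTING
#   Human-readable wrapper around check_nat_rules; returns the same status.
report_nat_rules() {
    rc=0
    check_nat_rules "$1" || rc=$?
    case $rc in
        0) echo "OK: Identity Server DNAT and SSLVPN SNAT rules are loaded" ;;
        1) echo "MISSING: PREROUTING DNAT 443 -> $IDP_IP:$IDP_PORT" ;;
        2) echo "MISSING: POSTROUTING SNAT $TUNNEL_NET -> $PRIVATE_IP" ;;
        3) echo "MISSING: both Access Manager NAT rules" ;;
    esac
    return $rc
}

# Constructed sample listings (not captured from a real host).
# GOOD_LISTING: both rules loaded, as after a clean rcSuSEfirewall2 restart.
GOOD_LISTING='*nat
:PREROUTING ACCEPT [46955:2685000]
:POSTROUTING ACCEPT [20987:1266000]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 147.2.16.109:8443
-A POSTROUTING -s 10.8.0.0/16 -j SNAT --to-source 10.1.1.1
COMMIT'

# BAD_LISTING: the symptom described in the article, the SSLVPN script never
# ran, so tunnel traffic leaves with an unrewritten source address.
BAD_LISTING='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 147.2.16.109:8443
COMMIT'

# On the host itself, after 'rcSuSEfirewall2 restart' (needs root):
#   report_nat_rules "$(iptables-save -t nat)"
```

The check matches whole lines with grep -xF, so a rule that differs only in the address or port (for example a stale 192.168.16.109 left over from an earlier script) is reported as missing rather than silently accepted.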
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.