RE: [SLE] Problems with susefirewall2

From: Stephen Furlong (stephen_at_freemail.servebeer.com)
Date: 02/26/05

Next message: Stephen Furlong: "RE: [SLE] Sometimes Linux makes me crazy."

Previous message: Chris Cameron: "Re: [SLE] Move from single drive to software RAID"
In reply to: Carlos E. R.: "RE: [SLE] Problems with susefirewall2"
Next in thread: Jon Clausen: "Re: [SLE] Problems with susefirewall2"
Reply: Jon Clausen: "Re: [SLE] Problems with susefirewall2"
Reply: Togan Muftuoglu: "Re: [SLE] Problems with susefirewall2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: "'Suse Mailing List'" <suse-linux-e@suse.com>
Date: Sat, 26 Feb 2005 22:49:30 -0000

Ok here goes ;

FW_QUICKMODE="no"
FW_DEV_EXT="eth-id-00:02:b3:4b:fe:a0"
FW_DEV_INT="wlan0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="4000:4200 5801 5901 8100 domain http https imap imaps
microsoft-ds netbios-dgm netbios-ns netbios-ssn pop3 pop3s rsync smtp ssh
tftp"
FW_SERVICES_EXT_UDP="4000:4200 8100 bootps domain"
FW_SERVICES_EXT_IP="49152:49159"
FW_SERVICES_EXT_RPC="mountd nfs nfs_acl nlockmgr status"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="49152:49159"
FW_SERVICES_INT_UDP="49152:49159"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="49152:49159"
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD="0/0,0/0,udp152:49159"
FW_FORWARD_MASQ="192.168.0.0/49152:49159,192.168.0.10,tcp,49152:49159"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"

Although it is disabled atm because im directly into my router (disabled
because it would then block me access into it)

Also tried a iptables-only config, ill post that too

#!/bin/bash

IPTABLES=/usr/sbin/iptables

case "$1" in
start)
echo -n "Starting IP Firewall and NAT..."

# Clear old rules
$IPTABLES --flush
$IPTABLES --delete-chain

# Masquerading
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Forward All Data From Internal To External
$IPTABLES -A FORWARD -i wlan0 -o eth0 -j ACCEPT

# Forward packets that are part of existing and related connections from
external to internal, and visa versa
$IPTABLES -A FORWARD -i eth0 -o wlan1 -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A FORWARD -i wlan1 -o eth0 -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all inputs to firewall from the internal network and local
interfaces
$IPTABLES -A INPUT -i wlan0 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

# Anti-Spoofing
$IPTABLES -A INPUT -i eth0 -s 193.168.0.10 -j DROP
$IPTABLES -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

# Port-Specific Rules
$IPTABLES -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT #SSH Connections
$IPTABLES -A INPUT -i wlan0 -p tcp --dport 80 -j ACCEPT #HTTP Connections
$IPTABLES -A INPUT -i wlan0 -p tcp --dport 443 -j ACCEPT #SSL Connections
$IPTABLES -A INPUT -i wlan0 -p tcp --dport 5901 -j ACCEPT #VNC
$IPTABLES -A INPUT -i wlan0 -p udp --dport 5901 -j ACCEPT

$IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p tcp --dport
137 -j ACCEPT #SAMBA related ports
$IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p tcp --dport
138 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p tcp --dport
139 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p udp --dport
137 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p udp --dport
138 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -s 193.168.0.10 -d 193.168.0.1 -p udp --dport
139 -j ACCEPT

# -- Allow external DC connection in to enable ACTIVE mode
$IPTABLES -t nat -I PREROUTING -i eth0 -p tcp --dport 49158 -j DNAT --to
193.168.0.10:49158
$IPTABLES -t nat -I PREROUTING -i eth0 -p udp --dport 49158 -j DNAT --to
193.168.0.10:49158
$IPTABLES -I FORWARD -i eth0 -p tcp -s 0/0 -d 193.168.0.10 --dport 49158 -j
ACCEPT
$IPTABLES -I FORWARD -i eth0 -p udp -s 0/0 -d 193.168.0.10 --dport 49158 -j
ACCEPT

# Allow pings, but reject the rest
$IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

echo "done."
;;
stop)
echo -n "Stopping IP Firewall and NAT..."
$IPTABLES -X
$IPTABLES -F
$IPTABLES -Z

# Input Rules
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,related -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j REJECT
echo "done."
;;

restart)
echo -n "Restarting IP Firewall and NAT..."
$0 stop > /dev/null
sleep 1
$0 start > /dev/null
;;

*)
echo "Usage: $0 {start|stop|restart}"
;;
esac

the ports I was trying to forward on this occasion were 49152:49159, or
single ports within that range. Basically any port range will do, as long as
there are about 10-200 ports open (more the better)

thanks in advance :)

(sorry carlos for sending it to you twice)

-- 
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com

Next message: Stephen Furlong: "RE: [SLE] Sometimes Linux makes me crazy."

Previous message: Chris Cameron: "Re: [SLE] Move from single drive to software RAID"
In reply to: Carlos E. R.: "RE: [SLE] Problems with susefirewall2"
Next in thread: Jon Clausen: "Re: [SLE] Problems with susefirewall2"
Reply: Jon Clausen: "Re: [SLE] Problems with susefirewall2"
Reply: Togan Muftuoglu: "Re: [SLE] Problems with susefirewall2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages

Re: Trouble accessing Outlook Web Access from behind firewall
... When starting the firewall I also set ... > rejected and dropped packets are logged, however I see nothing in my log ... > # Higher ports needed to accept incoming/outgoing calls ...
(comp.security.firewalls)
Re: [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?
... fingerprinting being launched against 1665 ports rather than just one. ... sending an empty email when NO Solaris telnet servers have been found ... for IP in `cat $IPSFILE` ... echo "Trying $IP ..."; ...
(Full-Disclosure)
Trouble with upgrading ports...
... I am having difficulty upgrading ports on all my freebsd 5.3-stable ... But if I do a 'portupgrade -arR', ... fangorn# rm INDEX-5 ... echo "Grabbing source, docs, and ports..." ...
(freebsd-questions)
Re: ports security branch
... > I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages ... Running security/portaudit after a while ... > on my own to go grab the fresh ports tree, ... make fetchindex less /usr/ports/UPDATING echo 'Do you want to update the port tree? ...
(freebsd-stable)
Script help for updating routine
... things on a daily basis, like cvsup src, docs, ports, ... portsdb, portversion, portupgrade, & so on. ... echo "Cvsup latest src and doc" ...
(freebsd-questions)