Re: [SLE] Firewall stops internal ICMP.



Hi,

On Sun, 27 Nov 2005 13:33:03 -0600
Darryl Gregorash <.> wrote:

> On 11/27/2005 12:11 PM, pelibali wrote:
<SNIPP>
> >We have a dial-up connection, and surprisingly I found that when there is no
> >active connection, our clients _don't_ know about it: they wait until the
> >request (e.g. for a web address) times out. So in fact the router does not
> >immediately let the clients know that there is no connection; they have to
> >find it out after a while, on their own.
> >Checking the firewall log showed me that the ICMP error messages don't
> >reach the clients because they get blocked (192.168.0.1 is the router,
> >192.168.0.6 is the client; in this particular case the client was
> >fetching e-mail via IMAP from 146.123.123.123):
> >
> >Nov 26 11:28:17 trincsi kernel: SFW2-OUT-ERROR IN= OUT=eth0
> >SRC=192.168.0.1 DST=192.168.0.6 LEN=101 TOS=0x00 PREC=0xC0 TTL=64
> >ID=3105 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.0.6 DST=146.123.123.123
> >LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=20782 DF PROTO=TCP SPT=59061
> >DPT=143 WINDOW=6368 RES=0x00 ACK PSH FIN URGP=0 OPT
> >(0101080A0004BF9602DCDD03) ]
> >
<SNIPP>
> >
> >
> Post the results of these please (on the router, of course).
>
> egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
>
> iptables-save
>
> /sbin/SuSEfirewall2 debug
>

---
1.
# Non-comment lines of /etc/sysconfig/SuSEfirewall2 as posted.
# Review comments added; every setting is left exactly as reported.
#
# Zones: the external zone is "any" interface not otherwise assigned plus
# modem0 (the dial-up link); the internal zone is the LAN NIC addressed by
# its persistent id. The generated rules (iptables-save output below)
# refer to that NIC as eth0.
FW_DEV_EXT="any modem0"
FW_DEV_INT="eth-id-00:22:ed:34:86:03"
FW_DEV_DMZ=""
# Route and masquerade the LAN (192.168.0.0/24) out through the external
# zone. NOTE(review): the posted iptables-save shows no MASQUERADE rule in
# the nat table — presumably because modem0 was down at capture time;
# confirm by re-running iptables-save while the link is up.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
# The internal zone is fully trusted: input_int in the generated rules is a
# single unconditional ACCEPT.
FW_PROTECT_FROM_INT="no"
# No services are offered in any zone.
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
# The one explicit reject: ident (tcp/113) from anywhere on the external
# zone is answered via reject_func (a TCP reset) instead of being silently
# dropped, so peers probing ident do not have to wait for a timeout.
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
# Logging: only "critical" drops/accepts are logged; the generated LOG
# rules are rate-limited to 3/min. The SFW2-OUT-ERROR line quoted in the
# thread is produced by the OUTPUT chain's catch-all LOG rule.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
# Presumably what drives the /proc/sys/net/ipv4 settings in the debug
# output (rp_filter, log_martians, syncookies, ...) — confirm.
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
# Consistent with the generated input_ext rules, which accept echo-request
# unconditionally.
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT=""
FW_HTB_TUNE_DEV=""
# NOTE(review): set to "no", yet the debug output still emits ip6tables
# rules — confirm what this switch controls in this SuSEfirewall2 version.
FW_IPv6="no"
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
---
2.
# Generated by iptables-save v1.3.3 on Mon Nov 28 20:12:34 2005
# Review comments added (lines starting with '#' are ignored by
# iptables-restore); rules themselves are exactly as posted.
#
# The mangle and nat tables hold no rules in this snapshot. NOTE(review):
# with FW_MASQUERADE="yes" one would expect a MASQUERADE rule in nat —
# presumably the dial-up interface was down when this was captured;
# confirm by re-running iptables-save while the link is up.
*mangle
:PREROUTING ACCEPT [16099:4205271]
:INPUT ACCEPT [12949:3072660]
:FORWARD ACCEPT [3115:1130001]
:OUTPUT ACCEPT [12840:3993152]
:POSTROUTING ACCEPT [15955:5123153]
COMMIT
# Completed on Mon Nov 28 20:12:34 2005
# Generated by iptables-save v1.3.3 on Mon Nov 28 20:12:34 2005
*nat
:PREROUTING ACCEPT [181:11400]
:POSTROUTING ACCEPT [158:9581]
:OUTPUT ACCEPT [158:9581]
COMMIT
# Completed on Mon Nov 28 20:12:34 2005
# Generated by iptables-save v1.3.3 on Mon Nov 28 20:12:34 2005
*filter
# Default policies: inbound and forwarded packets are dropped unless a
# rule accepts them; locally generated packets are accepted by default.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
# INPUT: loopback, then anything conntrack already knows, then the zone
# chain (eth0 = internal, every other interface = external), then a
# rate-limited log and drop.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
# FORWARD: clamp MSS to PMTU on SYNs, then only the internal zone's chain
# is hooked up. forward_ext is defined but never jumped to, so nothing
# arriving from the external side is forwarded at all in this snapshot.
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_int
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
# OUTPUT: NEW/RELATED/ESTABLISHED is accepted; whatever is left (e.g. a
# packet conntrack classes as INVALID, such as an ICMP error that matches
# no tracked connection) is logged as SFW2-OUT-ERROR. There is no DROP
# after the LOG and the chain policy is ACCEPT, so a logged packet is
# still sent. The router's ICMP type 3 quoted in the thread is therefore
# logged here, not dropped — the clients' wait presumably has a different
# cause.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
# forward_ext/forward_int: ICMP replies and errors (0 echo-reply, 3
# dest-unreachable, 11 time-exceeded, 12 parameter-problem, 14 timestamp-
# reply, 18 address-mask-reply, 3/2 protocol-unreachable, 5 redirect) are
# accepted only when conntrack ties them to a known connection; then a
# rate-limited LOG per protocol and a final DROP. The first forward_ext
# rule (ESTABLISHED-only echo-reply) is made redundant by the next one.
-A forward_ext -p icmp -m state --state ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
# input_ext: drop broadcasts; accept source-quench (4) and echo-request (8)
# unconditionally; accept ICMP replies/errors only when related to a
# tracked connection; reject new ident (tcp/113) connections via
# reject_func; log the rest (rate-limited) and drop.
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
# input_int: the internal zone is entirely trusted (FW_PROTECT_FROM_INT="no").
-A input_int -j ACCEPT
# reject_func: answer instead of dropping — TCP reset, UDP port-unreachable,
# anything else protocol-unreachable.
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Mon Nov 28 20:12:34 2005
---
3.
# "SuSEfirewall2 debug" output: the commands the script would run, IPv4 and
# IPv6 interleaved. Review comments added; commands are exactly as posted.
modprobe ip_tables
modprobe ip_conntrack
# Start from a clean slate: flush the built-in chains, set default policies
# (drop inbound and forwarded traffic, accept locally generated traffic),
# then flush and delete user chains in the filter, nat and mangle tables.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# reject_func answers instead of silently dropping: TCP gets a reset, UDP a
# port-unreachable, anything else a protocol-unreachable. It is only used
# further down, for new ident (tcp/113) connections on the external zone.
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
# Loopback is always allowed in both directions.
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
# NOTE(review): the same setup is mirrored for IPv6 although the posted
# config has FW_IPv6="no" — confirm what that switch controls in this
# SuSEfirewall2 version. The IPv6 reject_func ends with an extra DROP.
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -N reject_func
ip6tables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A reject_func -p udp -j REJECT --reject-with port-unreach
ip6tables -A reject_func -j REJECT --reject-with addr-unreach
ip6tables -A reject_func -j DROP
ip6tables -A INPUT -j ACCEPT -i lo
ip6tables -A OUTPUT -j ACCEPT -o lo
# Anything conntrack already knows about is accepted on INPUT before any
# zone chain is consulted.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
ip6tables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Kernel IPv4 settings (presumably driven by FW_ROUTE="yes" and
# FW_KERNEL_SECURITY="yes" in the posted config — confirm).
# Forwarding must be on for LAN traffic to be routed out.
echo "1" > "/proc/sys/net/ipv4/ip_forward"
# Ignore pings to broadcast addresses, use SYN cookies, disable ECN, ignore
# malformed ICMP error replies, shorten fragment reassembly time, cap IGMP
# memberships.
echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
echo "1" > "/proc/sys/net/ipv4/tcp_syncookies"
echo "0" > "/proc/sys/net/ipv4/tcp_ecn"
echo "1" > "/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
echo "20" > "/proc/sys/net/ipv4/ipfrag_time"
echo "1" > "/proc/sys/net/ipv4/igmp_max_memberships"
# Ephemeral port range for locally originated connections.
echo "1024 29999" > "/proc/sys/net/ipv4/ip_local_port_range"
# Per interface (all, default, eth0, lo): log packets with impossible
# source addresses, no BOOTP relay, no proxy ARP, accept ICMP redirects
# only from listed gateways (secure_redirects), refuse source-routed
# packets, and enable reverse-path filtering (rp_filter) against spoofed
# sources.
echo "1" > "/proc/sys/net/ipv4/conf/all/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/all/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/all/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/all/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/all/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/all/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/default/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/default/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/default/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/default/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/default/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/default/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/lo/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/lo/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/lo/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/lo/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/lo/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/lo/rp_filter"
# Flush the routing cache so the settings above take effect immediately.
echo "1" > "/proc/sys/net/ipv4/route/flush"
# Per-zone chains: input_*/forward_* for the internal (int) and external
# (ext) zones, for IPv4 and IPv6 alike.
iptables -N input_int
iptables -N input_ext
iptables -N forward_int
iptables -N forward_ext
ip6tables -N input_int
ip6tables -N input_ext
ip6tables -N forward_int
ip6tables -N forward_ext
# The internal zone is entirely trusted (FW_PROTECT_FROM_INT="no"): a
# single unconditional ACCEPT.
iptables -A input_int -j ACCEPT
ip6tables -A input_int -j ACCEPT
# input_ext: drop broadcasts, then accept source-quench and echo-request
# unconditionally; ICMP replies and errors are accepted only when conntrack
# ties them to a known connection (an error with no matching entry is not
# RELATED and falls through to the LOG/DROP rules further down). IPv6
# neighbour/router discovery is accepted unconditionally.
iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP
iptables -A input_ext -j ACCEPT -p icmp --icmp-type source-quench
iptables -A input_ext -j ACCEPT -p icmp --icmp-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
# These ESTABLISHED-only echo-reply rules are made redundant by the
# ESTABLISHED,RELATED echo-reply rules added to forward_ext below.
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED -p icmp --icmp-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED -p icmpv6 --icmpv6-type echo-reply
# FW_SERVICES_REJECT_EXT="0/0,tcp,113": new ident connections from anywhere
# are answered via reject_func (TCP reset) rather than dropped.
iptables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
ip6tables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
# forward_int / forward_ext: same ICMP policy as input_ext — replies and
# errors pass only when related to a tracked connection.
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
# Tail of each zone chain: rate-limited (3/minute) LOG for TCP SYNs, ICMP,
# UDP and INVALID packets, then an unconditional DROP. The LOG rules are
# limited so a flood cannot fill the syslog.
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmpv6
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
iptables -A input_ext -j DROP
ip6tables -A input_ext -j DROP
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmpv6
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_int -j DROP
ip6tables -A forward_int -j DROP
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmpv6
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_ext -j DROP
ip6tables -A forward_ext -j DROP
# Hook the zone chains into the built-in chains: packets arriving on eth0
# (the internal NIC) go to the *_int chains, everything else on INPUT goes
# to input_ext. Note that FORWARD is only wired to forward_int; forward_ext
# is never jumped to here, so nothing arriving from the external side is
# forwarded. Unmatched INPUT/FORWARD packets are logged and dropped.
iptables -A INPUT -j input_int -i eth0
iptables -A INPUT -j input_ext
iptables -A FORWARD -j forward_int -i eth0
ip6tables -A INPUT -j input_int -i eth0
ip6tables -A INPUT -j input_ext
ip6tables -A FORWARD -j forward_int -i eth0
iptables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
iptables -A FORWARD -j DROP
# OUTPUT: NEW/ESTABLISHED/RELATED is accepted; whatever remains (e.g. an
# ICMP error that conntrack cannot relate to a tracked connection) is
# logged as SFW2-OUT-ERROR. No DROP follows and the OUTPUT policy is
# ACCEPT, so a packet that produces this log line is still transmitted.
# The SFW2-OUT-ERROR entry quoted in the thread therefore records the
# router's ICMP type 3 being logged, not blocked.
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
ip6tables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
ip6tables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
# Inserted at the head of FORWARD: clamp the MSS of forwarded SYNs to the
# path MTU (needed behind a PPP-style link with a smaller MTU).
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
---

I hope the size of this message is not a problem; thanks in advance for
any suggestions!

Best,
Pelibali

