Re: [SLE] SuSE 10.0 masquerade changes?
- From: "Peter A. Taylor" <murmur@xxxxxxx>
- Date: Fri, 18 Nov 2005 17:01:00 +0000 (UTC)
- Message-id: <200511181047.07720.murmur@xxxxxxx>
On Thursday 17 November 2005 19:49, Darryl Gregorash wrote:
>
> First, put your actual internal network, e.g. 192.168.1.0/24 (the network
> address plus CIDR prefix, not just the netmask), into FW_MASQ_NETS in the
> firewall config file -- you can simply edit the file to do this, but run
> "/etc/init.d/SuSEfirewall2_setup restart" immediately afterwards if you are
> already connected to the internet.
>
> Next, while connected to the internet, as root, run "/sbin/SuSEfirewall2
> debug" and see what you get. Your output *should* include lines like these:
The entry in /etc/sysconfig/SuSEfirewall2 is now:
FW_MASQ_NETS="192.168.2.0/24"
I ran "/etc/init.d/SuSEfirewall2_setup restart", then connected via modem0,
then ran "/sbin/SuSEfirewall2 debug":
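# Output of "/sbin/SuSEfirewall2 debug" on SuSE 10.0, with the mail-client line
# wrapping undone so that every iptables/ip6tables command is one line again,
# i.e. the form in which the script actually executes it.  Interfaces: eth0 is
# the internal zone, modem0 the external zone (see the chain wiring at the end).
#
# NOTE(review): ip_forward is switched on below, but nothing in this listing
# accepts NEW forwarded traffic from eth0 towards modem0 and no
# "iptables -t nat -A POSTROUTING ... -j MASQUERADE" rule is emitted at all.
# The 192.168.2.0/24 clients named in FW_MASQ_NETS are therefore NOT being
# masqueraded: their connection attempts reach forward_int and end in its
# LOG/DROP tail (log prefix SFW2-FWDint-DROP-DEFLT).  Compare the 9.3 rules
# shown in the diff that follows this listing.

# --- kernel modules ----------------------------------------------------------
# The 9.3 run additionally loaded ip_conntrack_ftp and ip_nat_ftp; without the
# FTP helper, active-mode FTP data connections through NAT are not tracked or
# rewritten even once masquerading works again.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip6table_filter
modprobe ip6table_mangle

# --- IPv4: flush everything, default-deny policy, shared reject chain --------
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# reject_func answers with a TCP RST / ICMP unreachable instead of silently
# dropping; it is used for ident (tcp/113) below so the remote side does not
# have to wait for a timeout.
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo

# --- IPv6: same skeleton (there is no nat table to flush) --------------------
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -N reject_func
ip6tables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A reject_func -p udp -j REJECT --reject-with port-unreach
ip6tables -A reject_func -j REJECT --reject-with addr-unreach
# Trailing DROP is only reached if the unconditional REJECT above did not fire.
ip6tables -A reject_func -j DROP
ip6tables -A INPUT -j ACCEPT -i lo
ip6tables -A OUTPUT -j ACCEPT -o lo

# Replies belonging to connections this host opened are accepted on every interface.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
ip6tables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# --- kernel sysctls ----------------------------------------------------------
# ip_forward=1 turns routing on; the FORWARD rules decide what actually passes.
echo "1" > "/proc/sys/net/ipv4/ip_forward"
echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
echo "1" > "/proc/sys/net/ipv4/tcp_syncookies"
echo "0" > "/proc/sys/net/ipv4/tcp_ecn"
echo "1" > "/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
echo "20" > "/proc/sys/net/ipv4/ipfrag_time"
echo "1" > "/proc/sys/net/ipv4/igmp_max_memberships"
echo "1024 29999" > "/proc/sys/net/ipv4/ip_local_port_range"
# Per-interface hardening, written to all/default and to each present interface:
# log_martians=1 (log packets with impossible source addresses), rp_filter=1
# (reverse-path anti-spoofing check), accept_source_route=0, proxy_arp=0,
# bootp_relay=0, secure_redirects=1.  NOTE(review): accept_redirects itself is
# not set here, while input_ext below accepts ICMP/ICMPv6 redirects arriving on
# the external interface -- confirm the kernel default on this host.
echo "1" > "/proc/sys/net/ipv4/conf/all/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/all/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/all/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/all/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/all/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/all/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/default/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/default/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/default/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/default/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/default/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/default/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/lo/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/lo/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/lo/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/lo/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/lo/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/lo/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/route/flush"

# --- per-zone chains ---------------------------------------------------------
iptables -N input_int
iptables -N input_ext
iptables -N forward_int
iptables -N forward_ext
ip6tables -N input_int
ip6tables -N input_ext
ip6tables -N forward_int
ip6tables -N forward_ext

# Internal zone (eth0) is fully trusted: everything addressed to the host is accepted.
iptables -A input_int -j ACCEPT
ip6tables -A input_int -j ACCEPT

# External zone (modem0): drop broadcasts, answer pings, accept ICMP error and
# reply types only as part of a tracked connection, reject ident.
iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP
iptables -A input_ext -j ACCEPT -p icmp --icmp-type source-quench
iptables -A input_ext -j ACCEPT -p icmp --icmp-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
# IPv6 router/neighbour discovery and redirects are accepted unconditionally
# from the external interface.  Whether the kernel acts on them depends on the
# accept_ra/accept_redirects sysctls, which this output does not set.
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
iptables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
ip6tables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func

# Forward chains: only ICMP that belongs to an existing connection is accepted.
# There is no ACCEPT for NEW traffic in either direction (see the header note).
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem

# Rate-limited (3/minute) logging of what each zone chain is about to drop,
# then the unconditional drop.  The SFW2-* prefixes are what to grep for in
# /var/log/messages when debugging a blocked connection.
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmpv6
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
iptables -A input_ext -j DROP
ip6tables -A input_ext -j DROP
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmpv6
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_int -j DROP
ip6tables -A forward_int -j DROP
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmpv6
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_ext -j DROP
ip6tables -A forward_ext -j DROP

# --- wire the zone chains to interfaces --------------------------------------
iptables -A INPUT -j input_int -i eth0
iptables -A INPUT -j input_ext -i modem0
iptables -A FORWARD -j forward_int -i eth0
iptables -A FORWARD -j forward_ext -i modem0
ip6tables -A INPUT -j input_int -i eth0
ip6tables -A INPUT -j input_ext -i modem0
ip6tables -A FORWARD -j forward_int -i eth0
ip6tables -A FORWARD -j forward_ext -i modem0
# Traffic on an interface that belongs to no zone is logged and dropped.
# OUTPUT logs whatever is not NEW/ESTABLISHED/RELATED (i.e. INVALID), but no
# DROP follows, so the ACCEPT policy still lets it out.
iptables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
ip6tables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
ip6tables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
# Inserted at the head of FORWARD: clamp the MSS of forwarded SYNs to the path MTU.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu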
And of course, the inevitable diff of that output between SuSE 9.3 ("<" lines:
present only in 9.3) and 10.0 (">" lines: present only in 10.0) -- note that
10.0 has lost the FTP helper modules, the forward ACCEPT rules and the
MASQUERADE rule :
:-)
3,4d2
< modprobe ip_conntrack_ftp
< modprobe ip_nat_ftp
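Review bot: The 10.0 run no longer loads ip_conntrack_ftp and ip_nat_ftp, so once masquerading is working again the FTP control channel of a 192.168.2.0/24 client will be NATed but nothing tracks or rewrites the PORT/PASV data connection; active-mode FTP will fail and passive mode may or may not work depending on the server. Whether 10.0 loads the helper on demand through a separate config switch cannot be seen from this output — confirm with `lsmod | grep ftp` after the next restart.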
38a37
> ip6tables -A reject_func -j DROP
142,146d140
< iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
-s 0/0 -o modem0
< iptables -A forward_int -d 0/0 -i modem0 -j ACCEPT -m state --state
ESTABLISHED,RELATED
< iptables -A forward_ext -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
-s 0/0 -o modem0
< iptables -A forward_ext -d 0/0 -i modem0 -j ACCEPT -m state --state
ESTABLISHED,RELATED
< iptables -A POSTROUTING -j MASQUERADE -t nat -s 0/0 -o modem0
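Review bot: The 10.0 side has lost exactly the rules that made masquerading work: the forward_int/forward_ext ACCEPTs for NEW traffic leaving via modem0 and the `iptables -t nat -A POSTROUTING -j MASQUERADE -o modem0` rule, while the 10.0 listing above still sets ip_forward=1. A LAN client's SYN is therefore forwarded into forward_int, logged with prefix SFW2-FWDint-DROP-DEFLT and dropped, which is why the clients see no internet; `grep SFW2-FWDint /var/log/messages` should confirm it. FW_MASQ_NETS only names the networks to masquerade; the 10.0 config presumably has a separate switch that enables masquerading/routing at all (verify against the comments in /etc/sysconfig/SuSEfirewall2), and that is what to check next.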
Thank you,
Peter Taylor
>
> First, put your actual internal network, e.g. 192.168.1.0/24 (the network
> address plus CIDR prefix, not just the netmask), into FW_MASQ_NETS in the
> firewall config file -- you can simply edit the file to do this, but run
> "/etc/init.d/SuSEfirewall2_setup restart" immediately afterwards if you are
> already connected to the internet.
>
> Next, while connected to the internet, as root, run "/sbin/SuSEfirewall2
> debug" and see what you get. Your output *should* include lines like these:
The entry in /etc/sysconfig/SuSEfirewall2 is now:
FW_MASQ_NETS="192.168.2.0/24"
I ran "/etc/init.d/SuSEfirewall2_setup restart", then connected via modem0,
then ran "/sbin/SuSEfirewall2 debug":
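# Output of "/sbin/SuSEfirewall2 debug" on SuSE 10.0, with the mail-client line
# wrapping undone so that every iptables/ip6tables command is one line again,
# i.e. the form in which the script actually executes it.  Interfaces: eth0 is
# the internal zone, modem0 the external zone (see the chain wiring at the end).
#
# NOTE(review): ip_forward is switched on below, but nothing in this listing
# accepts NEW forwarded traffic from eth0 towards modem0 and no
# "iptables -t nat -A POSTROUTING ... -j MASQUERADE" rule is emitted at all.
# The 192.168.2.0/24 clients named in FW_MASQ_NETS are therefore NOT being
# masqueraded: their connection attempts reach forward_int and end in its
# LOG/DROP tail (log prefix SFW2-FWDint-DROP-DEFLT).  Compare the 9.3 rules
# shown in the diff that follows this listing.

# --- kernel modules ----------------------------------------------------------
# The 9.3 run additionally loaded ip_conntrack_ftp and ip_nat_ftp; without the
# FTP helper, active-mode FTP data connections through NAT are not tracked or
# rewritten even once masquerading works again.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip6table_filter
modprobe ip6table_mangle

# --- IPv4: flush everything, default-deny policy, shared reject chain --------
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# reject_func answers with a TCP RST / ICMP unreachable instead of silently
# dropping; it is used for ident (tcp/113) below so the remote side does not
# have to wait for a timeout.
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo

# --- IPv6: same skeleton (there is no nat table to flush) --------------------
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -N reject_func
ip6tables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A reject_func -p udp -j REJECT --reject-with port-unreach
ip6tables -A reject_func -j REJECT --reject-with addr-unreach
# Trailing DROP is only reached if the unconditional REJECT above did not fire.
ip6tables -A reject_func -j DROP
ip6tables -A INPUT -j ACCEPT -i lo
ip6tables -A OUTPUT -j ACCEPT -o lo

# Replies belonging to connections this host opened are accepted on every interface.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
ip6tables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# --- kernel sysctls ----------------------------------------------------------
# ip_forward=1 turns routing on; the FORWARD rules decide what actually passes.
echo "1" > "/proc/sys/net/ipv4/ip_forward"
echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
echo "1" > "/proc/sys/net/ipv4/tcp_syncookies"
echo "0" > "/proc/sys/net/ipv4/tcp_ecn"
echo "1" > "/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
echo "20" > "/proc/sys/net/ipv4/ipfrag_time"
echo "1" > "/proc/sys/net/ipv4/igmp_max_memberships"
echo "1024 29999" > "/proc/sys/net/ipv4/ip_local_port_range"
# Per-interface hardening, written to all/default and to each present interface:
# log_martians=1 (log packets with impossible source addresses), rp_filter=1
# (reverse-path anti-spoofing check), accept_source_route=0, proxy_arp=0,
# bootp_relay=0, secure_redirects=1.  NOTE(review): accept_redirects itself is
# not set here, while input_ext below accepts ICMP/ICMPv6 redirects arriving on
# the external interface -- confirm the kernel default on this host.
echo "1" > "/proc/sys/net/ipv4/conf/all/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/all/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/all/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/all/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/all/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/all/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/default/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/default/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/default/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/default/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/default/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/default/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/lo/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/lo/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/lo/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/lo/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/lo/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/lo/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/route/flush"

# --- per-zone chains ---------------------------------------------------------
iptables -N input_int
iptables -N input_ext
iptables -N forward_int
iptables -N forward_ext
ip6tables -N input_int
ip6tables -N input_ext
ip6tables -N forward_int
ip6tables -N forward_ext

# Internal zone (eth0) is fully trusted: everything addressed to the host is accepted.
iptables -A input_int -j ACCEPT
ip6tables -A input_int -j ACCEPT

# External zone (modem0): drop broadcasts, answer pings, accept ICMP error and
# reply types only as part of a tracked connection, reject ident.
iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP
iptables -A input_ext -j ACCEPT -p icmp --icmp-type source-quench
iptables -A input_ext -j ACCEPT -p icmp --icmp-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
# IPv6 router/neighbour discovery and redirects are accepted unconditionally
# from the external interface.  Whether the kernel acts on them depends on the
# accept_ra/accept_redirects sysctls, which this output does not set.
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
iptables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
ip6tables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func

# Forward chains: only ICMP that belongs to an existing connection is accepted.
# There is no ACCEPT for NEW traffic in either direction (see the header note).
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem

# Rate-limited (3/minute) logging of what each zone chain is about to drop,
# then the unconditional drop.  The SFW2-* prefixes are what to grep for in
# /var/log/messages when debugging a blocked connection.
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmpv6
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
iptables -A input_ext -j DROP
ip6tables -A input_ext -j DROP
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmpv6
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_int -j DROP
ip6tables -A forward_int -j DROP
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmpv6
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_ext -j DROP
ip6tables -A forward_ext -j DROP

# --- wire the zone chains to interfaces --------------------------------------
iptables -A INPUT -j input_int -i eth0
iptables -A INPUT -j input_ext -i modem0
iptables -A FORWARD -j forward_int -i eth0
iptables -A FORWARD -j forward_ext -i modem0
ip6tables -A INPUT -j input_int -i eth0
ip6tables -A INPUT -j input_ext -i modem0
ip6tables -A FORWARD -j forward_int -i eth0
ip6tables -A FORWARD -j forward_ext -i modem0
# Traffic on an interface that belongs to no zone is logged and dropped.
# OUTPUT logs whatever is not NEW/ESTABLISHED/RELATED (i.e. INVALID), but no
# DROP follows, so the ACCEPT policy still lets it out.
iptables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
ip6tables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
ip6tables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
# Inserted at the head of FORWARD: clamp the MSS of forwarded SYNs to the path MTU.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu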
And of course, the inevitable diff of that output between SuSE 9.3 ("<" lines:
present only in 9.3) and 10.0 (">" lines: present only in 10.0) -- note that
10.0 has lost the FTP helper modules, the forward ACCEPT rules and the
MASQUERADE rule :
:-)
3,4d2
< modprobe ip_conntrack_ftp
< modprobe ip_nat_ftp
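Review bot: The 10.0 run no longer loads ip_conntrack_ftp and ip_nat_ftp, so once masquerading is working again the FTP control channel of a 192.168.2.0/24 client will be NATed but nothing tracks or rewrites the PORT/PASV data connection; active-mode FTP will fail and passive mode may or may not work depending on the server. Whether 10.0 loads the helper on demand through a separate config switch cannot be seen from this output — confirm with `lsmod | grep ftp` after the next restart.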
38a37
> ip6tables -A reject_func -j DROP
142,146d140
< iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
-s 0/0 -o modem0
< iptables -A forward_int -d 0/0 -i modem0 -j ACCEPT -m state --state
ESTABLISHED,RELATED
< iptables -A forward_ext -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
-s 0/0 -o modem0
< iptables -A forward_ext -d 0/0 -i modem0 -j ACCEPT -m state --state
ESTABLISHED,RELATED
< iptables -A POSTROUTING -j MASQUERADE -t nat -s 0/0 -o modem0
Thank you,
Peter Taylor