I got simple masquerading working under SuSE 9.3 (sharing a modem), but I can't get it working under SuSE 10.0. I can ping and ftp within my internal network, but the internal network can't see the internet. Has anything relevant changed between 9.3 and 10.0, or am I doing something stupid? Any ideas? Where do I look for clues?

Peter Taylor
Peter A. Taylor wrote:
I got simple masquerading working under SuSE 9.3 (sharing a modem), but I can't get it working under SuSE 10.0 . I can ping and ftp within my internal network, but the internal network can't see the internet. Has anything relevant changed between 9.3 and 10.0, or am I doing something stupid? Any ideas? Where do I look for clues?
Peter Taylor
Have you turned on IP Forwarding on Yast (Network Card) ?
On Monday 14 November 2005 10:50, Rui Santos wrote:
Peter A. Taylor wrote:
I got simple masquerading working under SuSE 9.3 (sharing a modem), but I can't get it working under SuSE 10.0 . I can ping and ftp within my internal network, but the internal network can't see the internet. Has anything relevant changed between 9.3 and 10.0, or am I doing something stupid? Any ideas? Where do I look for clues?
Have you turned on IP Forwarding on Yast (Network Card) ?
Yes. The /etc/sysconfig/sysctl files in the 9.3 and 10.0 partitions are identical. Judging by the error message I get from "ifup eth0", I think the problem is with the routing table. I will post on that next.

Peter Taylor
On 11/14/2005 09:40 AM, Peter A. Taylor wrote:
I got simple masquerading working under SuSE 9.3 (sharing a modem), but I can't get it working under SuSE 10.0. I can ping and ftp within my internal network, but the internal network can't see the internet. Has anything relevant changed between 9.3 and 10.0, or am I doing something stupid? Any ideas? Where do I look for clues?

Depending on how much firewall logging you've turned on, you might be able to find some hints in /var/log/firewall. The firewall configuration variables are all stored in /etc/sysconfig/SuSEfirewall2. I hesitate to ask the obvious, but did you perhaps make a typographical error inputting the masqueraded net and netmask in the firewall config?
If these don't provide the clues you need to resolve the problem, please post the variables from your firewall config file. This command: egrep "^[^#]" /etc/sysconfig/SuSEfirewall2 will print all non-comment lines to the console (depending on the permissions setting you chose for your system -- easy, secure, etc -- you may need to run this as root).
On Monday 14 November 2005 18:16, Darryl Gregorash wrote:
On 11/14/2005 09:40 AM, Peter A. Taylor wrote:
I got simple masquerading working under SuSE 9.3 (sharing a modem), but I can't get it working under SuSE 10.0 . I can ping and ftp within my internal network, but the internal network can't see the internet. Has anything relevant changed between 9.3 and 10.0, or am I doing something stupid? Any ideas? Where do I look for clues?
Depending on how much firewall logging you've turned on, you might be able to find some hints in /var/log/firewall.
Short version: "ifup eth0" tells me my default route is unreachable, but I don't understand why.

Update: Now I'm really confused. I get the same error message from "ifup eth0" under SuSE 9.3, but masquerade works anyway. Under 10.0, my wife can't ping our ISP's ftp server via masquerade, but she at least seems to resolve the server's name.

Long version: In /var/log/firewall, I get stuff like the following (192.168.2.15 is my "athena" box with the modem. 192.168.2.20 is my wife's "isis", to which I want to give internet access. 192.168.2.1 is an SMC router.):

Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
Nov 15 09:05:54 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=207.46.2.31 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=33122 DF PROTO=TCP SPT=1415 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC= SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=54
The firewall configuration variables are all stored in /etc/sysconfig/SuSEfirewall2.
egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
Very nice. Thank you. I've added that to my crib sheet. :-)

I will post the full output below, but the short version is that I did this to both the 9.3 and 10.0 SuSEfirewall2 files, sorted the output, and ran "diff". The result ("<" is 9.3, ">" is 10.0):

2,4c2,4
< FW_ALLOW_FW_BROADCAST_DMZ="no"
< FW_ALLOW_FW_BROADCAST_EXT="no"
< FW_ALLOW_FW_BROADCAST_INT="no"
---
> FW_ALLOW_FW_BROADCAST_DMZ=""
> FW_ALLOW_FW_BROADCAST_EXT=""
> FW_ALLOW_FW_BROADCAST_INT=""
24a25
> FW_LOAD_MODULES=""
37c38
< FW_ROUTE="yes" # PAT 11-1-2005.
---
> FW_ROUTE="yes"
54a56
> FW_USE_IPTABLES_BATCH=""
I "diff"ed some other files, too:

/etc/host.conf identical
/etc/hosts identical
/etc/hosts.allow identical
/etc/hosts.deny identical
/etc/sysconfig/sysctl identical
/etc/sysconfig/network/routes identical
/etc/sysconfig/network/ifcfg-modem0 identical
/etc/sysconfig/network/ifcfg-eth-id-00:07:95:37:98:b7
2c2
< BROADCAST='192.168.2.255'
---
> BROADCAST=''
7c7
< NETWORK='192.168.2.0'
---
> NETWORK=''
That looked interesting, so I renamed the 10.0 file and copied the 9.3 version ("<"), then ran "ifdown eth0" and "ifup eth0". Here's what I got:

athena:/etc/sysconfig/network # ifup eth0
    eth0      device: Silicon Integrated Systems [SiS] SiS900 PCI Fast Ethernet (rev 90)
    eth0      configuration: eth-id-00:07:95:37:98:b7
ERROR: Warning: Could not set up default route via interface
  Command ip route replace to default via 192.168.2.1 returned:
  . RTNETLINK answers: Network is unreachable
  Configuration line: default 192.168.2.1 - -
  This needs NOT to be AN ERROR if you set up multiple interfaces.
  See man 5 routes how to avoid this warning.

But both the 9.3 and the 10.0 versions of ifcfg-eth-id-00:07:95:37:98:b7 produced the same result under 10.0. I also compared /etc/sysconfig/network/config (egrep, sort, diff):

9d8
< FAILURE_ACTION=off
10a10
> FORCE_PERSISTENT_NAMES=yes
13c13
< IFPLUGD_OPTIONS="-f -I -u 0 -d 10"
---
> IFPLUGD_OPTIONS="-f -I"
18d17
< USE_IPV6=yes

I overlooked the FAILURE_ACTION variable, but played with the other three, which had no apparent effect. Again, /etc/sysconfig/network/routes is identical to the 9.3 version that works. I'm thoroughly confused.

Peter Taylor

PS. Here is /etc/sysconfig/network/routes:

192.168.2.0 192.168.2.1 255.255.255.0 eth-id-00:07:95:37:98:b7
default 192.168.2.1 - -

Here is the sorted output from the egrep command on the 10.0 SuSEfirewall2 file:

FW_ALLOW_CLASS_ROUTING=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_FW="yes"
FW_CUSTOMRULES=""
FW_DEV_DMZ=""
FW_DEV_EXT="modem0"
FW_DEV_INT="eth-id-00:07:95:37:98:b7"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_HTB_TUNE_DEV=""
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IPSEC_TRUST="no"
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_KERNEL_SECURITY="yes"
FW_LOAD_MODULES=""
FW_LOG=""
FW_LOG_ACCEPT_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_DROP_CRIT="yes"
FW_LOG_LIMIT=""
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INT="no"
FW_REDIRECT=""
FW_REJECT=""
FW_ROUTE="yes"
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_TRUSTED_NETS=""
FW_USE_IPTABLES_BATCH=""
FW_ZONES=""
On 11/15/2005 02:54 PM, Peter A. Taylor wrote:
On Monday 14 November 2005 18:16, Darryl Gregorash wrote:
On 11/14/2005 09:40 AM, Peter A. Taylor wrote:
I got simple masquerading working under SuSE 9.3 (sharing a modem), but I can't get it working under SuSE 10.0 . I can ping and ftp within my internal network, but the internal network can't see the internet. Has anything relevant changed between 9.3 and 10.0, or am I doing something stupid? Any ideas? Where do I look for clues?
Depending on how much firewall logging you've turned on, you might be able to find some hints in /var/log/firewall.
Short version: "ifup eth0" tells me my default route is unreachable, but I don't understand why.
Because you don't have a default route on that interface. This isn't a problem, because this is the internal interface. If it bothers you, see "man 5 routes", the 3 paragraphs beginning "The fourth column gives the name of the interface...." after the title "Syntax"
Update: Now I'm really confused. I get the same error message from "ifup eth0" under SuSE 9.3, but masquerade works anyway. Under 10.0, my wife can't ping our ISP's ftp server via masquerade, but she at least seems to resolve the server's name.
I'm even more confused:
Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
This is a DNS lookup from "isis" that was just dropped, yet you say your wife is able to resolve hostnames.
Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC= SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=54
Multicast DNS? Strange.. this is possibly "isis" doing a multicast search for a name server, given the previous failure... but don't quote me. But this is rejected as an illegal target.
egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
Very nice. Thank you. I've added that to my crib sheet. :-)
man perlre :)
18d17
< USE_IPV6=yes

Not related to your immediate problem, but you should probably turn this off unless you have explicit need (including tunnelling) to support ipv6.

Here is the sorted output from the egrep command on the 10.0 SuSEfirewall2 file:
<snip>

Maybe someone else will spot something, but I cannot immediately see any problem. Perhaps posting the output of "iptables -L -n" will help (and you will have to run that as root).
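Added example, not part of the original thread: a small Python parser for the SFW2 log lines quoted above. It pulls out the key=value fields, maps the LOG prefix back to the chain that dropped the packet (using the chain layout SuSEfirewall2 builds, as seen in the iptables output later in this thread), and counts dropped forwarded packets per internal host. The three sample lines are the ones posted in this thread, embedded as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the three /var/log/firewall lines quoted in this thread.
SAMPLE_LOG = """\
Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
Nov 15 09:05:54 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=207.46.2.31 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=33122 DF PROTO=TCP SPT=1415 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC= SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=54
"""

# "kernel: <SFW2 LOG prefix> <key=value fields and bare flags such as DF, SYN>"
LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+) (?P<rest>.*)$")


def parse_sfw2_line(line):
    """Split one SuSEfirewall2 log line into its LOG prefix and key=value fields.
    Returns None for kernel lines that are not SFW2 log entries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length): keep the first
            fields.setdefault(key, value)
        else:
            fields["flags"].append(tok)  # DF, SYN, OPT (...) carry no '='
    return fields


def explain(fields):
    """Name the chain that logged the packet. SuSEfirewall2 jumps INPUT/FORWARD
    into input_*/forward_* per zone; each ends in a LOG + DROP catch-all."""
    prefix = fields["prefix"]
    if prefix.startswith("SFW2-FWDint-DROP"):
        return ("forward_int dropped a packet routed from the internal zone "
                "(%s -> %s): no ACCEPT rule matched it, so it never reached "
                "the masquerade step" % (fields["IN"], fields["OUT"]))
    if prefix.startswith("SFW2-FWDext-DROP"):
        return "forward_ext dropped a packet routed in from the external zone"
    if prefix.startswith("SFW2-INext-DROP"):
        return "input_ext dropped a packet addressed to the firewall on %s" % fields["IN"]
    if prefix == "SFW2-IN-ILL-TARGET":
        return ("packet to the firewall itself reached INPUT's catch-all LOG/DROP "
                "(the rule after the input_int/input_ext jumps): no zone chain accepted it")
    return "unclassified prefix " + prefix


def dropped_forward_summary(log_text):
    """Count dropped *forwarded* packets per (src, proto, dport). With
    masquerading working, this stays empty for hosts on the internal net."""
    summary = Counter()
    for line in log_text.splitlines():
        f = parse_sfw2_line(line)
        if f and f["prefix"].startswith("SFW2-FWD") and "-DROP-" in f["prefix"]:
            summary[(f["SRC"], f["PROTO"], f.get("DPT", "-"))] += 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_sfw2_line(line)
        print(f["prefix"], f["SRC"], "->", f["DST"], f["PROTO"], f.get("DPT"), "|", explain(f))
    print(dropped_forward_summary(SAMPLE_LOG))
```

Run it against a real /var/log/firewall and a non-empty summary for the internal net is the same symptom Peter describes: the forward chain has no ACCEPT for that traffic.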
On Tuesday 15 November 2005 19:36, Darryl Gregorash wrote:
I'm even more confused:
Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
This is a DNS lookup from "isis" that was just dropped, yet you say your wife is able to resolve hostnames.
"isis" runs Windows XP Home Edition. Perhaps it caches recently used domain name data? It also has a modem, which she can't use when I'm online.
Maybe someone else will spot something, but I cannot immediately see any problem. Perhaps posting the output of "iptables -L -n" will help (and you will have to run that as root).
Thanks. I did this under 8.2, 9.3, and 10.0. The full output from 10.0 follows, but first, here is the "diff" between 9.3 and 10.0:

"diff" between output from SuSE 9.3 and 10.0, online, "iptables -L -n" (9.3 is "<", 10.0 is ">"):

34,36c34
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
< LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
---
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
52,54c50
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
< LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
---
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
74c70
< LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
---
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
Under SuSE 8.2, I used the "personal" firewall, and things are so different that I don't know where to begin in comparing them.

Output from SuSE 10.0, online, "iptables -L -n":

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
input_int all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain input_ext (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
reject_func tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 state NEW
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

Thanks,
Peter Taylor
On 11/16/2005 11:11 AM, Peter A. Taylor wrote:
On Tuesday 15 November 2005 19:36, Darryl Gregorash wrote:
I'm even more confused:
Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
This is a DNS lookup from "isis" that was just dropped, yet you say your wife is able to resolve hostnames.
"isis" runs Windows XP Home Edition. Perhaps it caches recently used domain name data? It also has a modem, which she can't use when I'm online.
OK, that might be the reason she can resolve the ISP's ftp server, but it doesn't explain why her network traffic is being dropped. Note also that name caching is only temporary, and if your internal network was a permanent fixture (ie if she had no modem of her own), I am pretty sure she would be unable to resolve any hostnames.

Output from SuSE 10.0, online, "iptables -L -n":

Mea culpa; there are actually 3 independent tables in the firewall (filter, nat and mangle), and the command as I gave it to you only gives the state of the "filter" table. All the masquerading rules are in the "nat" table. Perhaps we really need to be looking at the raw rules anyway, for which there is the "iptables-save" command. Each line of the output is essentially the parameters of a single "iptables" commandline as the firewall script created it. Just run "iptables-save" as root, with no parameters, and post the results. This command outputs all three of the tables by default.
On Wednesday 16 November 2005 22:10, Darryl Gregorash wrote:
Mea culpa; there are actually 3 independent tables in the firewall (filter, nat and mangle), and the command as I gave it to you only gives the state of the "filter" table. All the masquerading rules are in the "nat" table. Perhaps we really need to be looking at the raw rules anyway, for which there is the "iptables-save" command. Each line of the output is essentially the parameters of a single "iptables" commandline as the firewall script created it. Just run "iptables-save" as root, with no parameters, and post the results. This command outputs all three of the tables by default.
Thanks. The output is enclosed below. I tried this with SuSE 8.2 and 9.3 as well. Several things jump out at me.
(1) References to modem0 (9.3) or ppp* (8.2) are conspicuously absent under 10.0. Missing along with this are any references to MASQUERADE.
(2) The flag, FIN, is present under 10.0 but not 9.3.
(3) The numbers in brackets are different (8.2 differs from 9.3 as well).
(4) The order of the sections is different (mangle, filter, nat vs. mangle, nat, filter).

I also noticed that the 9.3 and 10.0 files, /etc/sysconfig/network/scripts/ifup-ppp, differ in the order in which the following two lines appear (the 8.2 version was too different for easy comparison):

test -f scripts/functions && . scripts/functions || exit $R_INTERNAL
test -f ./config && . ./config

There are also seemingly minor differences in the 9.3 and 10.0 files, /etc/sysconfig/network/scripts/functions and functions.common. I noticed that the latter differences involve udev (diff ... | grep -i udev):

# If your script is called from udev and you did not set DEFAULT_LOG_LEVEL we
# use the udev loglevel. Else an unset LOG_LEVEL will be set to 3 (err).
LOG_LEVEL=${LOG_LEVEL:-$UDEV_LOG}
I have been having seemingly unrelated problems with my usb card reader. Is it possible that udev is choking on some other piece of hardware (ie. a floppy drive that I have not used recently), and this error is having widespread effects? The card reader works beautifully under 8.2, but is flakey (only recognized if present during boot) under 9.3 and 10.0. Masquerade works under 8.2 and 9.3, but not 10.0. The floppy drive shows up in "My Computer" despite the drive being empty (both 9.3 and 10.0, IIRC). I also notice with both 9.3 and 10.0 that, during shutdown, I get a red "missing" message right after it says, "sending all processes the term signal." Could these be related?

Thanks,
Peter Taylor

Output from iptables-save under SuSE 10.0:

# Generated by iptables-save v1.3.3 on Thu Nov 17 01:45:12 2005
*mangle
:PREROUTING ACCEPT [72:5604]
:INPUT ACCEPT [31:2975]
:FORWARD ACCEPT [7:511]
:OUTPUT ACCEPT [51:4493]
:POSTROUTING ACCEPT [74:6657]
COMMIT
# Completed on Thu Nov 17 01:45:12 2005
# Generated by iptables-save v1.3.3 on Thu Nov 17 01:45:12 2005
*nat
:PREROUTING ACCEPT [24:1677]
:POSTROUTING ACCEPT [10:748]
:OUTPUT ACCEPT [10:748]
COMMIT
# Completed on Thu Nov 17 01:45:12 2005
# Generated by iptables-save v1.3.3 on Thu Nov 17 01:45:12 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i modem0 -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i modem0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Nov 17 01:45:12 2005
On 11/17/2005 08:54 AM, Peter A. Taylor wrote:
On Wednesday 16 November 2005 22:10, Darryl Gregorash wrote:
Mea culpa; there are actually 3 independent tables in the firewall (filter, nat and mangle), and the command as I gave it to you only gives the state of the "filter" table. All the masquerading rules are in the "nat" table. Perhaps we really need to be looking at the raw rules anyway, for which there is the "iptables-save" command. Each line of the output is essentially the parameters of a single "iptables" commandline as the firewall script created it. Just run "iptables-save" as root, with no parameters, and post the results. This command outputs all three of the tables by default.
Thanks. The output is enclosed below. I tried this with SuSE 8.2 and 9.3 as well. Several things jump out at me.

Grrrr
First, put your actual internal netmask, eg. 192.168.1.0/24, into FW_MASQ_NETS in the firewall config file -- you can simply edit the file to do this, but run "/etc/init.d/SuSEfirewall_setup restart" immediately after, if you are already connected to the internet.

Next, while connected to the internet, as root, run "/sbin/SuSEfirewall2 debug" and see what you get. Your output *should* include lines like these:

iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.1.0/24 -o eth1
iptables -A forward_int -d 192.168.1.0/24 -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A forward_ext -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.1.0/24 -o eth1
iptables -A forward_ext -d 192.168.1.0/24 -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A POSTROUTING -j MASQUERADE -t nat -s 192.168.1.0/24 -o eth1

Don't simply pipe the firewall debug output through grep, because I'd like to see the complete output.
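Added example, not Darryl's or SuSEfirewall2's own code: a Python check over iptables-save output for the rules described above (a MASQUERADE in nat/POSTROUTING, an ACCEPT for new connections in forward_int, an ACCEPT for replies in forward_ext), parameterised with this thread's internal net (192.168.2.0/24) and external device (modem0). The two sample outputs are constructed: one trimmed from the 10.0 iptables-save posted earlier in the thread, the other the same tables with the expected rules added.

```python
import shlex
from ipaddress import ip_network

# Constructed sample 1: nat and filter tables as the posted 10.0 iptables-save
# output shows them, cut down to the rules relevant here (no masquerade rules).
SAVE_WITHOUT_MASQ = """\
*nat
:PREROUTING ACCEPT [24:1677]
:POSTROUTING ACCEPT [10:748]
:OUTPUT ACCEPT [10:748]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i modem0 -j forward_ext
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -j DROP
COMMIT
"""

# Constructed sample 2: the same tables with the rules Darryl expects, written
# for this thread's net (192.168.2.0/24) and external device (modem0).
SAVE_WITH_MASQ = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 -o modem0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i modem0 -j forward_ext
-A forward_int -s 192.168.2.0/24 -o modem0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -j DROP
-A forward_ext -d 192.168.2.0/24 -i modem0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -j DROP
COMMIT
"""

SINGLE_VALUE_OPTS = ("-s", "-d", "-i", "-o", "-j", "-p")


def parse_iptables_save(text):
    """Return one dict per '-A' line: table, chain, the single-value options
    above and the --state set. Other matches (-m tcp, --dport ...) are skipped."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]          # *nat, *filter, *mangle
            continue
        if not line.startswith("-A "):
            continue                  # chain declarations, COMMIT, comments
        toks = shlex.split(line)      # keeps quoted --log-prefix values whole
        rule = {"table": table, "chain": toks[1], "states": set()}
        i = 2
        while i < len(toks):
            if toks[i] in SINGLE_VALUE_OPTS and i + 1 < len(toks):
                rule[toks[i]] = toks[i + 1]
                i += 2
            elif toks[i] == "--state" and i + 1 < len(toks):
                rule["states"] = set(toks[i + 1].split(","))
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def _same_net(a, b):
    """192.168.2.0/24 and 192.168.2.0/255.255.255.0 must compare equal."""
    try:
        return ip_network(a, strict=False) == ip_network(b, strict=False)
    except ValueError:
        return False


def _has_rule(rules, table, chain, target, want, states=frozenset()):
    for r in rules:
        if (r["table"], r["chain"], r.get("-j")) != (table, chain, target):
            continue
        if not states <= r["states"]:
            continue
        if all(_same_net(r.get(k, ""), v) if k in ("-s", "-d") else r.get(k) == v
               for k, v in want.items()):
            return True
    return False


def check_masquerade(save_text, internal_net, ext_dev):
    """List the masquerading rules missing for internal_net via ext_dev.
    An empty list means all three rules are in place."""
    rules = parse_iptables_save(save_text)
    missing = []
    if not _has_rule(rules, "nat", "POSTROUTING", "MASQUERADE",
                     {"-s": internal_net, "-o": ext_dev}):
        missing.append("nat/POSTROUTING: no MASQUERADE for %s out %s" % (internal_net, ext_dev))
    if not _has_rule(rules, "filter", "forward_int", "ACCEPT",
                     {"-s": internal_net, "-o": ext_dev}, {"NEW"}):
        missing.append("filter/forward_int: no ACCEPT for NEW connections from %s out %s"
                       % (internal_net, ext_dev))
    if not _has_rule(rules, "filter", "forward_ext", "ACCEPT",
                     {"-d": internal_net, "-i": ext_dev}, {"ESTABLISHED"}):
        missing.append("filter/forward_ext: no ACCEPT for replies to %s in on %s"
                       % (internal_net, ext_dev))
    return missing


if __name__ == "__main__":
    for name, text in (("10.0 as posted", SAVE_WITHOUT_MASQ), ("expected", SAVE_WITH_MASQ)):
        print(name, "->", check_masquerade(text, "192.168.2.0/24", "modem0") or "OK")
```

Feed it the real output of "iptables-save" (as root) and the list it returns is exactly what to look for in the "SuSEfirewall2 debug" output.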
On Thursday 17 November 2005 19:49, Darryl Gregorash wrote:
First, put your actual internal netmask, eg. 192.168.1.0/24, into FW_MASQ_NETS in the firewall config file -- you can simply edit the file to do this, but run "/etc/init.d/SuSEfirewall_setup restart" immediately after, if you are already connected to the internet.
Next, while connected to the internet, as root, run "/sbin/SuSEfirewall2 debug" and see what you get. Your output *should* include lines like these:
The entry in /etc/sysconfig/SuSEfirewall2 is now:

FW_MASQ_NETS="192.168.2.0/24"

I ran "/etc/init.d/SuSEfirewall2_setup restart", then connected via modem0, then ran "/sbin/SuSEfirewall2 debug":

modprobe ip_tables
modprobe ip_conntrack
modprobe ip6table_filter
modprobe ip6table_mangle
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -N reject_func
ip6tables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A reject_func -p udp -j REJECT --reject-with port-unreach
ip6tables -A reject_func -j REJECT --reject-with addr-unreach
ip6tables -A reject_func -j DROP
ip6tables -A INPUT -j ACCEPT -i lo
ip6tables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
ip6tables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
echo "1" > "/proc/sys/net/ipv4/ip_forward"
echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
echo "1" > "/proc/sys/net/ipv4/tcp_syncookies"
echo "0" > "/proc/sys/net/ipv4/tcp_ecn"
echo "1" > "/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
echo "20" > "/proc/sys/net/ipv4/ipfrag_time"
echo "1" > "/proc/sys/net/ipv4/igmp_max_memberships"
echo "1024 29999" > "/proc/sys/net/ipv4/ip_local_port_range"
echo "1" > "/proc/sys/net/ipv4/conf/all/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/all/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/all/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/all/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/all/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/all/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/default/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/default/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/default/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/default/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/default/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/default/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/lo/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/lo/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/lo/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/lo/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/lo/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/lo/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/route/flush"
iptables -N input_int
iptables -N input_ext
iptables -N forward_int
iptables -N forward_ext
ip6tables -N input_int
ip6tables -N input_ext
ip6tables -N forward_int
ip6tables -N forward_ext
iptables -A input_int -j ACCEPT
ip6tables -A input_int -j ACCEPT
iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP
iptables -A input_ext -j ACCEPT -p icmp --icmp-type source-quench
iptables -A input_ext -j ACCEPT -p icmp --icmp-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
iptables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
ip6tables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A
forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmp ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmpv6 iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning 
--log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID iptables -A input_ext -j DROP ip6tables -A input_ext -j DROP iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmp ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmpv6 iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID iptables -A forward_int -j DROP ip6tables -A forward_int -j DROP iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix 
SFW2-FWDext-DROP-DEFLT -p tcp --syn iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmp ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmpv6 iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID iptables -A forward_ext -j DROP ip6tables -A forward_ext -j DROP iptables -A INPUT -j input_int -i eth0 iptables -A INPUT -j input_ext -i modem0 iptables -A FORWARD -j forward_int -i eth0 iptables -A FORWARD -j forward_ext -i modem0 ip6tables -A INPUT -j input_int -i eth0 ip6tables -A INPUT -j input_ext -i modem0 ip6tables -A FORWARD -j forward_int -i eth0 ip6tables -A FORWARD -j forward_ext -i modem0 iptables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET iptables -A INPUT -j DROP iptables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING iptables -A FORWARD -j DROP iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED iptables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR ip6tables -A INPUT -j LOG -m limit 
--limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET ip6tables -A INPUT -j DROP ip6tables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING ip6tables -A FORWARD -j DROP ip6tables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED ip6tables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu And of course, the inevitable diff between SuSE 9.3 ("<") and 10.0 (">") : :-) 3,4d2 < modprobe ip_conntrack_ftp < modprobe ip_nat_ftp 38a37
ip6tables -A reject_func -j DROP 142,146d140 < iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -o modem0 < iptables -A forward_int -d 0/0 -i modem0 -j ACCEPT -m state --state ESTABLISHED,RELATED < iptables -A forward_ext -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -o modem0 < iptables -A forward_ext -d 0/0 -i modem0 -j ACCEPT -m state --state ESTABLISHED,RELATED < iptables -A POSTROUTING -j MASQUERADE -t nat -s 0/0 -o modem0
Thank you, Peter Taylor
On 11/18/2005 10:47 AM, Peter A. Taylor wrote:
<snip>
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
<snip>
OK, I have no idea what is wrong. The masquerading subroutine is clearly being executed here, but the actual masquerading rules are never implemented.
It's possible the firewall script has become corrupted. Refresh the SuSEfirewall2 package from the installation media, and restart the firewall. If that doesn't resolve the issue, email your /sbin/SuSEfirewall2 to me -- don't post it here, but send it to me directly.
On Saturday 19 November 2005 00:14, Darryl Gregorash wrote:
It's possible the firewall script has become corrupted. Refresh the SuSEfirewall2 package from the installation media, and restart the firewall. If that doesn't resolve the issue, email your
I copied SuSEfirewall2-3.4-6.noarch.rpm off the DVD, ran "rpm -Uvh --force SuSEfirewall2-3.4-6.noarch.rpm", and rebooted. Nothing changed as far as I could tell.
/sbin/SuSEfirewall2 to me -- don't post it here, but send it to me directly.
Done, but I copied the old one before reinstalling the rpm, and the "new" file is identical. Is there some way that a hardware problem could be causing masquerade to choke under one OS but not another? This computer was inside a house that had a fire with major smoke damage, and I had to replace the CDROM, the CDRW (now a DVD burner), and the 3.5" floppy drive (and I tossed a 5.25" floppy drive). I replaced the external serial port modem as well. Come to think of it, I replaced the replacement for the CDROM, too. The USB card reader has always worked fine under SuSE 8.2, but after the fire, I installed 9.3, and the card reader didn't work at all under 9.3 until I removed the CDRW. I recently installed 10.0 as well. The card reader has been flaky under 9.3 and 10.0, but I noticed that the floppy was appearing on "My Computer" even though the drive was empty, so I disabled it in the BIOS, and now the card reader seems to work under 10.0 (but still not 9.3). Is there any way that a hardware problem could cause udev under 10.0 (but not 9.3) to have problems with masquerading over the modem through a serial port? Alternately, is there any basis for suspecting that differences in IPv6 between 9.3 and 10.0 (or my amateurish configuration thereof) could cause masquerading to fail? "grep -i ipv6 /etc/sysconfig/network/config" comes up empty under 10.0, but under 9.3 I get:
USE_IPV6=yes
I'm puzzled that there are no quotation marks around the yes. Under both 9.3 and 10.0, in /etc/sysconfig/SuSEfirewall2, I find
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
Under both 9.3 and 10.0, in /etc/sysconfig/windowmanager, I find
KDE_USE_IPV6="yes"
Thank you, Peter Taylor
On 11/19/2005 12:57 PM, Peter A. Taylor wrote:
On Saturday 19 November 2005 00:14, Darryl Gregorash wrote:
It's possible the firewall script has become corrupted. Refresh the SuSEfirewall2 package from the installation media, and restart the firewall. If that doesn't resolve the issue, email your
I copied SuSEfirewall2-3.4-6.noarch.rpm off the DVD, ran "rpm -Uvh --force SuSEfirewall2-3.4-6.noarch.rpm", and rebooted. Nothing changed as far as I could tell.
I ran the script you sent me in debug mode, and got a very respectable set of firewall rules for my system -- internal and external interfaces are both network cards, with internal IP fixed and external assigned by DHCP. Both cards are configured at boot time, and the firewall is established when the network is brought up. In your case, the firewall script is being run "on demand", called from the /etc/ppp/if-up script, but otherwise there is no significant difference between our systems. Furthermore, there is no essential difference between our firewall configuration files. So long as "modem0" is a link to a defined PPP device (and I assume you would be unable to dial out if it were not), your firewall should be getting set up properly. I stated earlier that the masquerading subroutine is being executed, but only the rules for icmp are being established. This was actually not correct, but it is true that the script is executing everything up to, and following, that subroutine. What we need to do is establish whether or not the subroutine is actually being entered. For this, I would like you to make the following cosmetic changes to your /sbin/SuSEfirewall2 script:
search for "masquerading_rules()"
before the line "for nets in $FW_MASQ_NETS; do" add the following lines:
echo IN MASQ ROUTINE
sleep 5
save
Run "/sbin/SuSEfirewall2 debug". Don't walk away, because you only have 5 seconds to see if that line actually does get echoed to the screen :) The only way those two lines will never execute is if your FW_MASQUERADE variable in /etc/sysconfig/SuSEfirewall2 is not strictly equal to "yes". Given your previous posts, this would imply the presence of a non-printing character in the string (there are no typographical errors in firewall script or config file). Therefore, before trying this test, you might want to edit the value of FW_MASQUERADE in your firewall config file. I would suggest deleting the entire line including end-of-line, as well as the end-of-line on the preceding line; then simply re-open the file and replace all the missing text. And if **that** doesn't work, my prematurely grey hair will begin to fall out, I am sure.
Is there some way that a hardware problem could be causing masquerade to choke under one OS but not another? This computer was inside a house that
No, because the firewall script does not actually care whether or not a device is even configured. In truth, though I have never checked, I am not sure the device even needs to exist; all the firewall script does is write a bunch of stuff into kernel memory, and for that, only the netfilter modules are strictly necessary.
USE_IPV6=yes
This is part of the network config file, and should have no effect on the firewall (I do wish that one variable would turn IPv6 on/off globally, but that is up to the folx at SuSE). However, you have IPv6 turned off everywhere else, and you may wish to turn it off here as well. I don't know what effect, if any, the missing quote marks might have; as far as I know, they are only critical if your string is null.
On Saturday 19 November 2005 20:05, Darryl Gregorash wrote:
you to make the following cosmetic changes to your /sbin/SuSEfirewall2 script:
search for "masquerading_rules()"
before the line "for nets in $FW_MASQ_NETS; do" add the following lines:
echo IN MASQ ROUTINE
sleep 5
save
The only way those two lines will never execute is if your FW_MASQUERADE variable in /etc/sysconfig/SuSEfirewall2 is not strictly equal to "yes".
Those lines were being executed, but I inserted some similar lines a little farther down, and discovered that the "net2" string was empty. The problem was that /etc/sysconfig/SuSEfirewall2 had gotten corrupted, with the line FW_DEV_EXT="modem0" written at the bottom of the file instead of near the top. Maybe I screwed up editing the file by hand, then decided to use YaST, and YaST wrote the new FW_DEV_EXT line in the wrong place because the original was missing? That'll teach me to use "sort" to make it easier to compare dissimilar files. Thank you very much for your help and patience! Peter Taylor
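As an added example (not code from the thread or from the SuSEfirewall2 package), the following POSIX shell checker applies the two lessons of this thread: it reads a sysconfig-style firewall config for the masquerade variables (FW_DEV_EXT, FW_DEV_INT, FW_MASQUERADE, FW_MASQ_NETS), flagging empty values and the kind of non-printing byte Darryl suspected, and it scans saved "SuSEfirewall2 debug" output for the rules the 9.3/10.0 diff earlier in the thread showed missing. The embedded config and rule output are constructed samples, and the function names conf_value, check_conf and check_rules are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from the SuSEfirewall2 package.
# Checks (a) a sysconfig-style firewall config and (b) saved output of
# "/sbin/SuSEfirewall2 debug" for the pieces a working masquerade needs.
# Both samples below are constructed for this example.

# Constructed config: all four masquerade variables present and sane.
SAMPLE_CONF='FW_DEV_EXT="modem0"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.2.0/24"'

# Constructed debug output that, like the 10.0 output in the thread, lacks
# the ftp helper module, the NEW forward rule and the nat MASQUERADE rule.
SAMPLE_RULES='modprobe ip_tables
modprobe ip_conntrack
echo "1" > "/proc/sys/net/ipv4/ip_forward"
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A FORWARD -j forward_int -i eth0
iptables -A FORWARD -j forward_ext -i modem0'

# conf_value FILE VAR: value of VAR in a sysconfig file, quotes stripped;
# the last assignment wins, as it would when the file is sourced.
conf_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_conf FILE: 0 if masquerading is fully configured; otherwise prints
# each problem (empty value, stray non-printing byte, FW_MASQUERADE not
# exactly "yes") and returns 1.
check_conf() {
    _rc=0
    for var in FW_DEV_EXT FW_DEV_INT FW_MASQUERADE FW_MASQ_NETS; do
        val=$(conf_value "$1" "$var")
        if [ -z "$val" ]; then
            echo "missing or empty: $var"; _rc=1
        elif [ "$(printf '%s' "$val" | tr -d '[:print:]' | wc -c | tr -d ' ')" -ne 0 ]; then
            echo "non-printing character in value of: $var"; _rc=1
        fi
    done
    [ "$(conf_value "$1" FW_MASQUERADE)" = yes ] \
        || { echo 'FW_MASQUERADE is not exactly "yes"'; _rc=1; }
    return $_rc
}

# check_rules FILE EXT: 0 if the debug output in FILE contains everything a
# masquerade via external device EXT needs; otherwise prints what is absent
# and returns 1.
check_rules() {
    _rc=0
    grep -q '^echo "1" > "/proc/sys/net/ipv4/ip_forward"' "$1" \
        || { echo "ip_forward is not being enabled"; _rc=1; }
    grep -q '^modprobe ip_nat_ftp' "$1" \
        || { echo "ip_nat_ftp not loaded: active-mode ftp through the NAT will fail"; _rc=1; }
    grep '^iptables -A forward_int ' "$1" | grep NEW | grep -q -e "-o $2 " -e "-o $2\$" \
        || { echo "forward_int does not accept NEW connections out via $2"; _rc=1; }
    grep '^iptables .*POSTROUTING' "$1" | grep MASQUERADE | grep -q -e "-o $2 " -e "-o $2\$" \
        || { echo "no MASQUERADE rule for -o $2 in the nat table"; _rc=1; }
    return $_rc
}

# Stand-alone demo on the constructed samples: the config passes, the rule
# output does not (three findings are printed).
conf_file=$(mktemp); rules_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf_file"
printf '%s\n' "$SAMPLE_RULES" > "$rules_file"
if check_conf "$conf_file"; then echo "config: ok"; fi
if check_rules "$rules_file" modem0; then echo "rules: ok"; else echo "rules: masquerade incomplete"; fi
rm -f "$conf_file" "$rules_file"
```

On a live box the same checks apply to /etc/sysconfig/SuSEfirewall2 and to "/sbin/SuSEfirewall2 debug > rules.txt".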