On Wednesday 16 November 2005 22:10, Darryl Gregorash wrote:
Mea culpa; there are actually 3 independent tables in the firewall (filter, nat and mangle), and the command as I gave it to you only gives the state of the "filter" table. All the masquerading rules are in the "nat" table. Perhaps we really need to be looking at the raw rules anyway, for which there is the "iptables-save" command. Each line of the output is essentially the parameters of a single "iptables" commandline as the firewall script created it. Just run "iptables-save" as root, with no parameters, and post the results. This command outputs all three of the tables by default.
Thanks. The output is enclosed below. I tried this with SuSE 8.2 and 9.3 as well. Several things jump out at me. (1) References to modem0 (9.3) or ppp* (8.2) are conspicuously absent under 10.0. Missing along with this are any references to MASQUERADE. (2) The flag, FIN, is present under 10.0 but not 9.3. (3) The numbers in brackets are different (8.2 differs from 9.3 as well). (4) The order of the sections is different (mangle, filter, nat vs. mangle, nat, filter).

I also noticed that the 9.3 and 10.0 files, /etc/sysconfig/network/scripts/ifup-ppp, differ in the order in which the following two lines appear (the 8.2 version was too different for easy comparison):

test -f scripts/functions && . scripts/functions || exit $R_INTERNAL
test -f ./config && . ./config

There are also seemingly minor differences in the 9.3 and 10.0 files, /etc/sysconfig/network/scripts/functions and functions.common. I noticed that the latter differences involve udev (diff ... | grep -i udev):
# If your script is called from udev and you did not set DEFAULT_LOG_LEVEL we
# use the udev loglevel. Else an unset LOG_LEVEL will be set to 3 (err).
LOG_LEVEL=${LOG_LEVEL:-$UDEV_LOG}
I have been having seemingly unrelated problems with my USB card reader. Is it possible that udev is choking on some other piece of hardware (i.e. a floppy drive that I have not used recently), and this error is having widespread effects? The card reader works beautifully under 8.2, but is flaky (only recognized if present during boot) under 9.3 and 10.0. Masquerade works under 8.2 and 9.3, but not 10.0. The floppy drive shows up in "My Computer" despite the drive being empty (both 9.3 and 10.0, IIRC). I also notice with both 9.3 and 10.0 that, during shutdown, I get a red "missing" message right after it says, "sending all processes the term signal." Could these be related?

Thanks,
Peter Taylor

Output from iptables-save under SuSE 10.0:

# Generated by iptables-save v1.3.3 on Thu Nov 17 01:45:12 2005
*mangle
:PREROUTING ACCEPT [72:5604]
:INPUT ACCEPT [31:2975]
:FORWARD ACCEPT [7:511]
:OUTPUT ACCEPT [51:4493]
:POSTROUTING ACCEPT [74:6657]
COMMIT
# Completed on Thu Nov 17 01:45:12 2005
# Generated by iptables-save v1.3.3 on Thu Nov 17 01:45:12 2005
*nat
:PREROUTING ACCEPT [24:1677]
:POSTROUTING ACCEPT [10:748]
:OUTPUT ACCEPT [10:748]
COMMIT
# Completed on Thu Nov 17 01:45:12 2005
# Generated by iptables-save v1.3.3 on Thu Nov 17 01:45:12 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i modem0 -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i modem0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Nov 17 01:45:12 2005
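The symptom in the posted output (the nat table's POSTROUTING chain is empty while the filter table still steers modem0 into the *_ext chains) can be checked mechanically. The following Python is an added example, not code from the thread or from SuSEfirewall2: a small iptables-save parser and a check that lists external interfaces lacking a MASQUERADE or SNAT rule in nat/POSTROUTING. The embedded input is an abbreviated copy of the 10.0 output above, and the "*_ext chain means external interface" rule is an assumption taken from that output's chain names.

```python
import re
# Abbreviated copy of the SuSE 10.0 iptables-save output posted above:
# the nat table verbatim, the filter table cut down to its interface rules.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [24:1677]
:POSTROUTING ACCEPT [10:748]
:OUTPUT ACCEPT [10:748]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -j input_int
-A INPUT -i modem0 -j input_ext
COMMIT
"""

def parse_iptables_save(text):
    """Parse iptables-save text into {table: {chain: [rule, ...]}}: '*t' opens
    a table, ':CHAIN POLICY [p:b]' declares a chain, '-A CHAIN ...' appends."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":  # no rules here
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables

def check_masquerade(tables):
    """Interfaces steered into a *_ext filter chain (assumed to mean "external",
    as in the output above) need MASQUERADE/SNAT in nat/POSTROUTING."""
    ext = set()
    for rules in tables.get("filter", {}).values():
        for r in rules:
            m = re.search(r"-i (\S+) -j \w+_ext\b", r)
            if m:
                ext.add(m.group(1))
    masq = set()
    for r in tables.get("nat", {}).get("POSTROUTING", []):
        if " -j MASQUERADE" in r or " -j SNAT" in r:
            m = re.search(r"-o (\S+)", r)
            masq.add(m.group(1) if m else "*")  # no -o: covers every interface
    missing = sorted(i for i in ext if i not in masq and "*" not in masq)
    return sorted(ext), sorted(masq), missing
```

Run against the posted output, the check returns modem0 as external with nothing masqueraded, which is exactly the absence Peter noticed.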