Firewall stops internal ICMP.
Hi,
I have a small home network where a SUSE 10.0 machine serves as a router. Everything works as expected, all the clients can surf, e-mail, whatever, but there is a smaller issue disturbing the harmony...
We have a dial-up connection and surprisingly I found that when we have no active connection, our clients _don't_ know about it and they really wait until the request, e.g. a web address, times out. So in fact the router doesn't immediately let the clients know that there is no connection and they have to find it out after a while, just "alone". Checking the firewall log showed me that the ICMP (error) messages don't arrive at the clients because they get blocked (192.168.0.1 is the router, 192.168.0.6 is the client; in this particular case, trying to fetch e-mail via IMAP from 146.123.123.123):
Nov 26 11:28:17 trincsi kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.6 LEN=101 TOS=0x00 PREC=0xC0 TTL=64 ID=3105 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.0.6 DST=146.123.123.123 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=20782 DF PROTO=TCP SPT=59061 DPT=143 WINDOW=6368 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0004BF9602DCDD03) ]
Could you please suggest a solution for how to get these ICMP packets to arrive at my clients and let them through SuSEfirewall? Maybe it's the same issue, but from the clients I simply can't ping the router! I never needed it and don't plan to use something like that, but probably I would have to allow ICMP somehow generally. I have already spent hours on the configuration, so far with no fruits. Any ideas are very welcome.
Thank you, Pelibali
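As an added example (not code from the thread), here is a small Python parser for the SFW2 kernel log format quoted above. It separates the outer header from the bracketed original packet that an ICMP error carries, names the ICMP type 3 code, and maps each SFW2 log prefix to the chain that logged it and what follows the LOG rule in the iptables-save dump posted later in this thread: OUTPUT has policy ACCEPT and no DROP after its LOG rule, so an SFW2-OUT-ERROR hit means the packet failed the NEW,RELATED,ESTABLISHED state match, not that OUTPUT dropped it, whereas the other prefixes are each followed by a DROP. The first sample line is the one from the post; the second is constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Sample log lines. The first is the line quoted in the post; the second is a
# constructed example of a forwarded packet dropped by the forward_int chain.
SAMPLE_LOG: List[str] = [
    "Nov 26 11:28:17 trincsi kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.0.1 "
    "DST=192.168.0.6 LEN=101 TOS=0x00 PREC=0xC0 TTL=64 ID=3105 PROTO=ICMP TYPE=3 CODE=0 "
    "[SRC=192.168.0.6 DST=146.123.123.123 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=20782 DF "
    "PROTO=TCP SPT=59061 DPT=143 WINDOW=6368 RES=0x00 ACK PSH FIN URGP=0 "
    "OPT (0101080A0004BF9602DCDD03) ]",
    "Nov 26 11:30:02 trincsi kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=ppp0 "
    "SRC=192.168.0.6 DST=146.123.123.123 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# What each LOG prefix means in the ruleset posted later in this thread:
# the rule that follows the LOG in that chain, or the chain policy.
PREFIX_OUTCOME = {
    "SFW2-OUT-ERROR": ("OUTPUT", "no state match; logged, then accepted by policy ACCEPT"),
    "SFW2-IN-ILL-TARGET": ("INPUT", "dropped"),
    "SFW2-FWD-ILL-ROUTING": ("FORWARD", "dropped"),
    "SFW2-INext-DROP-DEFLT": ("input_ext", "dropped"),
    "SFW2-INext-DROP-DEFLT-INV": ("input_ext", "dropped (conntrack INVALID)"),
    "SFW2-FWDint-DROP-DEFLT": ("forward_int", "dropped"),
    "SFW2-FWDint-DROP-DEFLT-INV": ("forward_int", "dropped (conntrack INVALID)"),
    "SFW2-FWDext-DROP-DEFLT": ("forward_ext", "dropped"),
    "SFW2-FWDext-DROP-DEFLT-INV": ("forward_ext", "dropped (conntrack INVALID)"),
}

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable",
                      4: "fragmentation needed", 13: "admin prohibited"}

_LINE_RE = re.compile(r"kernel:\s+(SFW2-[A-Za-z0-9-]+)\s+(.*)$")
_OPT_RE = re.compile(r"OPT\s+\(([0-9A-Fa-f]*)\)")


def _parse_fields(text: str) -> Dict[str, str]:
    """Turn 'KEY=VAL KEY= FLAG ...' into a dict; bare flags (DF, SYN, ACK, ...) map to 'True'."""
    fields: Dict[str, str] = {}
    m = _OPT_RE.search(text)          # IP options are logged as OPT (hex), not KEY=VAL
    if m:
        fields["OPT"] = m.group(1)
        text = text[:m.start()] + text[m.end():]
    for tok in text.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            fields[tok] = "True"
    return fields


def parse_sfw2_line(line: str) -> Optional[dict]:
    """Parse one SFW2 kernel log line; returns None for lines that are not SFW2 hits."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    prefix, body = m.groups()
    inner = None
    if "[" in body:                   # ICMP errors quote the offending packet in [...]
        body, rest = body.split("[", 1)
        inner = _parse_fields(rest.split("]", 1)[0])
    rec = {"prefix": prefix, "outer": _parse_fields(body), "inner": inner}
    rec["chain"], rec["outcome"] = PREFIX_OUTCOME.get(prefix, ("?", "unknown prefix"))
    return rec


def parse_sfw2_log(lines: List[str]) -> List[dict]:
    return [r for r in map(parse_sfw2_line, lines) if r]


def describe(rec: dict) -> str:
    """One-line human summary of a parsed record."""
    o, i = rec["outer"], rec["inner"]
    s = f"{rec['prefix']} on {rec['chain']}: {o.get('SRC')} -> {o.get('DST')} proto {o.get('PROTO')}"
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3":
        code = int(o.get("CODE", "0"))
        s += f", dest-unreachable ({ICMP_UNREACH_CODES.get(code, 'code ' + str(code))})"
    if i:
        s += (f"; quoting {i.get('SRC')}:{i.get('SPT', '?')} -> "
              f"{i.get('DST')}:{i.get('DPT', '?')} {i.get('PROTO')}")
    return s + f" [{rec['outcome']}]"


if __name__ == "__main__":
    for rec in parse_sfw2_log(SAMPLE_LOG):
        print(describe(rec))
```

Running it on the quoted line reports the router's own ICMP net-unreachable toward 192.168.0.6, quoting the client's TCP segment to port 143, logged on OUTPUT because it matched none of the conntrack states that chain accepts.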
On 11/27/2005 12:11 PM, pelibali wrote:
Hi,
I have a small home network where a SUSE 10.0 machine serves as a router. Everything works as expected, all the clients can surf, e-mail, whatever, but there is a smaller issue disturbing the harmony...
We have a dial-up connection and surprisingly I found that when we have no active connection, our clients _don't_ know about it and they really wait until the request, e.g. a web address, times out. So in fact the router doesn't immediately let the clients know that there is no connection and they have to find it out after a while, just "alone". Checking the firewall log showed me that the ICMP (error) messages don't arrive at the clients because they get blocked (192.168.0.1 is the router, 192.168.0.6 is the client; in this particular case, trying to fetch e-mail via IMAP from 146.123.123.123):
Nov 26 11:28:17 trincsi kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.6 LEN=101 TOS=0x00 PREC=0xC0 TTL=64 ID=3105 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.0.6 DST=146.123.123.123 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=20782 DF PROTO=TCP SPT=59061 DPT=143 WINDOW=6368 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0004BF9602DCDD03) ]
Could you please suggest a solution for how to get these ICMP packets to arrive at my clients and let them through SuSEfirewall? Maybe it's the same issue, but from the clients I simply can't ping the router! I never needed it and don't plan to use something like that, but probably I would have to allow ICMP somehow generally. I have already spent hours on the configuration, so far with no fruits. Any ideas are very welcome.
Post the results of these please (on the router, of course).
egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
iptables-save
/sbin/SuSEfirewall2 debug
Hi,
On Sun, 27 Nov 2005 13:33:03 -0600 Darryl Gregorash <.> wrote:
On 11/27/2005 12:11 PM, pelibali wrote:
<SNIPP>
We have a dial-up connection and surprisingly I found that when we have no active connection, our clients _don't_ know about it and they really wait until the request, e.g. a web address, times out. So in fact the router doesn't immediately let the clients know that there is no connection and they have to find it out after a while, just "alone". Checking the firewall log showed me that the ICMP (error) messages don't arrive at the clients because they get blocked (192.168.0.1 is the router, 192.168.0.6 is the client; in this particular case, trying to fetch e-mail via IMAP from 146.123.123.123):
Nov 26 11:28:17 trincsi kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.6 LEN=101 TOS=0x00 PREC=0xC0 TTL=64 ID=3105 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.0.6 DST=146.123.123.123 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=20782 DF PROTO=TCP SPT=59061 DPT=143 WINDOW=6368 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0004BF9602DCDD03) ]
<SNIPP>
Post the results of these please (on the router, of course).
egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
iptables-save
/sbin/SuSEfirewall2 debug
--- 1.
FW_DEV_EXT="any modem0"
FW_DEV_INT="eth-id-00:22:ed:34:86:03"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT=""
FW_HTB_TUNE_DEV=""
FW_IPv6="no"
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
--- 2.
# Generated by iptables-save v1.3.3 on Mon Nov 28 20:12:34 2005
*mangle
:PREROUTING ACCEPT [16099:4205271]
:INPUT ACCEPT [12949:3072660]
:FORWARD ACCEPT [3115:1130001]
:OUTPUT ACCEPT [12840:3993152]
:POSTROUTING ACCEPT [15955:5123153]
COMMIT
# Completed on Mon Nov 28 20:12:34 2005
# Generated by iptables-save v1.3.3 on Mon Nov 28 20:12:34 2005
*nat
:PREROUTING ACCEPT [181:11400]
:POSTROUTING ACCEPT [158:9581]
:OUTPUT ACCEPT [158:9581]
COMMIT
# Completed on Mon Nov 28 20:12:34 2005
# Generated by iptables-save v1.3.3 on Mon Nov 28 20:12:34 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_int
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Mon Nov 28 20:12:34 2005
--- 3.
modprobe ip_tables
modprobe ip_conntrack
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -N reject_func
ip6tables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A reject_func -p udp -j REJECT --reject-with port-unreach
ip6tables -A reject_func -j REJECT --reject-with addr-unreach
ip6tables -A reject_func -j DROP
ip6tables -A INPUT -j ACCEPT -i lo
ip6tables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
ip6tables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
echo "1" > "/proc/sys/net/ipv4/ip_forward"
echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
echo "1" > "/proc/sys/net/ipv4/tcp_syncookies"
echo "0" > "/proc/sys/net/ipv4/tcp_ecn"
echo "1" > "/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
echo "20" > "/proc/sys/net/ipv4/ipfrag_time"
echo "1" > "/proc/sys/net/ipv4/igmp_max_memberships"
echo "1024 29999" > "/proc/sys/net/ipv4/ip_local_port_range"
echo "1" > "/proc/sys/net/ipv4/conf/all/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/all/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/all/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/all/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/all/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/all/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/default/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/default/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/default/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/default/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/default/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/default/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/lo/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/lo/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/lo/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/lo/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/lo/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/lo/rp_filter"
echo "1" > "/proc/sys/net/ipv4/route/flush"
iptables -N input_int
iptables -N input_ext
iptables -N forward_int
iptables -N forward_ext
ip6tables -N input_int
ip6tables -N input_ext
ip6tables -N forward_int
ip6tables -N forward_ext
iptables -A input_int -j ACCEPT
ip6tables -A input_int -j ACCEPT
iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP
iptables -A input_ext -j ACCEPT -p icmp --icmp-type source-quench
iptables -A input_ext -j ACCEPT -p icmp --icmp-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED -p icmp --icmp-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED -p icmpv6 --icmpv6-type echo-reply
iptables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
ip6tables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmpv6
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
iptables -A input_ext -j DROP
ip6tables -A input_ext -j DROP
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmpv6
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_int -j DROP
ip6tables -A forward_int -j DROP
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmpv6
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_ext -j DROP
ip6tables -A forward_ext -j DROP
iptables -A INPUT -j input_int -i eth0
iptables -A INPUT -j input_ext
iptables -A FORWARD -j forward_int -i eth0
ip6tables -A INPUT -j input_int -i eth0
ip6tables -A INPUT -j input_ext
ip6tables -A FORWARD -j forward_int -i eth0
iptables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
ip6tables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
ip6tables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
---
I hope that the size of this message is no problem, and thanks in advance for any suggestions!
Best, Pelibali
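Added example (mine, not from the thread or from SuSEfirewall2): a Python audit over an excerpt of the *filter table from the iptables-save output posted above. It answers two questions a defender asks when an SFW2 prefix shows up in the kernel log: which chain logged it and what that chain does to the packet afterwards, and which chains accept a given ICMP type and under what conntrack state. On this ruleset it shows that SFW2-OUT-ERROR is logged on OUTPUT and then accepted by the chain policy (there is no DROP after that LOG rule), whereas ICMP type 3 on forward_int and input_ext is accepted only as RELATED,ESTABLISHED and everything else reaches the chain's final DROP. Jumps into user chains are not followed, so each answer is for the named chain alone; the excerpt is trimmed but its rule text is unchanged.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Excerpt of the *filter table from the iptables-save dump posted above,
# trimmed to the chains that matter for ICMP; the rule text is unchanged.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -i eth0 -j forward_int
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -j DROP
-A input_int -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Options that consume the following token; anything else is a bare flag.
_WITH_ARG = {"-p", "-i", "-o", "-m", "-j", "--state", "--icmp-type", "--log-prefix",
             "--limit", "--pkt-type", "--dport", "--sport", "--reject-with"}


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    iface_in: Optional[str] = None
    iface_out: Optional[str] = None
    states: Optional[List[str]] = None
    icmp_type: Optional[str] = None
    log_prefix: Optional[str] = None
    modules: Set[str] = field(default_factory=set)

    def unconditional(self) -> bool:
        """True when the rule matches every packet: no -p/-i/-o/--state/--icmp-type
        and no match module beyond the ones parsed into the fields above."""
        return (self.proto is None and self.iface_in is None and self.iface_out is None
                and self.states is None and self.icmp_type is None
                and not (self.modules - {"state", "icmp"}))


@dataclass
class Table:
    policies: Dict[str, str] = field(default_factory=dict)   # chain -> policy or "-"
    rules: List[Rule] = field(default_factory=list)


def _parse_rule(line: str) -> Rule:
    toks = shlex.split(line)          # handles the quoted --log-prefix argument
    r = Rule(chain=toks[1])
    i = 2
    while i < len(toks):
        opt = toks[i]
        if opt not in _WITH_ARG or i + 1 >= len(toks):
            i += 1                    # bare flag such as --log-tcp-options
            continue
        arg = toks[i + 1]
        if opt == "-p":
            r.proto = arg
        elif opt == "-i":
            r.iface_in = arg
        elif opt == "-o":
            r.iface_out = arg
        elif opt == "-m":
            r.modules.add(arg)
        elif opt == "-j":
            r.target = arg
        elif opt == "--state":
            r.states = arg.split(",")
        elif opt == "--icmp-type":
            r.icmp_type = arg
        elif opt == "--log-prefix":
            r.log_prefix = arg.strip()
        i += 2
    return r


def parse_iptables_save(text: str) -> Table:
    t = Table()
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            t.policies[chain] = policy
        elif line.startswith("-A "):
            t.rules.append(_parse_rule(line))
    return t


def fallthrough(t: Table, chain: str) -> str:
    """Fate of a packet that matches no conditional rule in `chain`: the first
    unconditional terminal rule, else the chain policy ('-' on a user chain
    means RETURN to the caller). Jumps into other user chains are not followed."""
    for r in t.rules:
        if r.chain == chain and r.target in TERMINAL and r.unconditional():
            return r.target
    policy = t.policies.get(chain, "?")
    return "RETURN" if policy == "-" else policy


def log_prefix_disposition(t: Table, prefix: str) -> Optional[Tuple[str, str]]:
    """(chain, what happens after the LOG) for a log prefix, or None if unknown."""
    for r in t.rules:
        if r.target == "LOG" and r.log_prefix == prefix.strip():
            return r.chain, fallthrough(t, r.chain)
    return None


def icmp_accept_rules(t: Table, icmp_type: str) -> List[Rule]:
    return [r for r in t.rules
            if r.proto == "icmp" and r.icmp_type == icmp_type and r.target == "ACCEPT"]


def report(t: Table, icmp_type: str) -> List[str]:
    lines = []
    for r in t.rules:
        if r.target == "LOG" and r.log_prefix:
            lines.append(f"{r.log_prefix}: logged on {r.chain}, then {fallthrough(t, r.chain)}")
    for r in icmp_accept_rules(t, icmp_type):
        cond = ",".join(r.states) if r.states else "any state"
        lines.append(f"ICMP type {icmp_type} accepted on {r.chain} ({cond}); "
                     f"otherwise {fallthrough(t, r.chain)}")
    return lines


if __name__ == "__main__":
    for line in report(parse_iptables_save(IPTABLES_SAVE), "3"):
        print(line)
```

Feed it the full dump instead of the excerpt and the same two functions tell you, for any prefix seen in the log, whether the LOG rule is a real drop or just a diagnostic.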
participants (2)
- Darryl Gregorash
- pelibali