Mailinglist Archive: opensuse-security (138 mails)

< Previous Next >
Re: [suse-security] Redirect traffic for transparent proxy
  • From: Jordi Espasa Clofent <jespasac@xxxxxxxx>
  • Date: Wed, 28 Dec 2005 17:01:45 +0100
  • Message-id: <200512281701.57030.jespasac@xxxxxxxx>
Hi Vladislav,

> And what did you use rules in another table (FILTERED) ?
> It's important too.

The output of iptables -nL is:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
input_int all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 5
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDext-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV
'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 5
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDint-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV
'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain input_ext (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
broadcast
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 5
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-INext-ACC-TCP '
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state NEW udp dpt:111 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC
'
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state NEW tcp dpt:111 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC
'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state NEW udp dpt:32769 LOG flags 6 level 4 prefix
`SFW2-INext-ACC-RPC '
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:32769
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state NEW tcp dpt:32771 LOG flags 6 level 4 prefix
`SFW2-INext-ACC-RPC '
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:32771
reject_func tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
state NEW
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT
'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with
tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-proto-unreachable

But I think the real problem is why the SuSEFirewall2 rules doesn't works.

TIA.
< Previous Next >
Follow Ups