Re: [suse-security] Redirect traffic for transparent proxy

28 Dec 2005

      Hi Vladislav,
...
And what did you use rules in another table (FILTERED) ?
It's important too.
The output of iptables -nL is:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED 
input_int  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp 
flags:0x06/0x02 TCPMSS clamp to PMTU 
forward_int  all  --  0.0.0.0/0            0.0.0.0/0           
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
NEW,RELATED,ESTABLISHED 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR ' 

Chain forward_ext (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 0 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 12 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 14 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 18 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 3 code 2 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 5 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
NEW,RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix 
`SFW2-FWDext-DROP-DEFLT ' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT ' 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV 
' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain forward_int (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 0 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 12 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 14 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 18 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 3 code 2 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 5 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
NEW,RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix 
`SFW2-FWDint-DROP-DEFLT ' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT ' 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV 
' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain input_ext (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = 
broadcast 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 0 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 12 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 14 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 18 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 3 code 2 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED icmp type 5 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix 
`SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 state NEW udp dpt:111 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC 
' 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:111 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 state NEW tcp dpt:111 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC 
' 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 state NEW udp dpt:32769 LOG flags 6 level 4 prefix 
`SFW2-INext-ACC-RPC ' 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:32769 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 state NEW tcp dpt:32771 LOG flags 6 level 4 prefix 
`SFW2-INext-ACC-RPC ' 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:32771 
reject_func  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
state NEW 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT 
' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min 
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain input_int (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain reject_func (1 references)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with 
tcp-reset 
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with 
icmp-port-unreachable 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with 
icmp-proto-unreachable 

But I think the real problem is why the SuSEFirewall2 rules doesn't works.

TIA.

Re: [suse-security] Redirect traffic for transparent proxy

Jordi Espasa Clofent