On Thursday 17 November 2005 19:49, Darryl Gregorash wrote:
> First, put your actual internal netmask, e.g. 192.168.1.0/24, into FW_MASQ_NETS in the firewall config file -- you can simply edit the file to do this, but run "/etc/init.d/SuSEfirewall_setup restart" immediately after, if you are already connected to the internet.
>
> Next, while connected to the internet, as root, run "/sbin/SuSEfirewall2 debug" and see what you get. Your output *should* include lines like these:
The entry in /etc/sysconfig/SuSEfirewall2 is now:

FW_MASQ_NETS="192.168.2.0/24"

I ran "/etc/init.d/SuSEfirewall2_setup restart", then connected via modem0, then ran "/sbin/SuSEfirewall2 debug":

modprobe ip_tables
modprobe ip_conntrack
modprobe ip6table_filter
modprobe ip6table_mangle
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -N reject_func
ip6tables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A reject_func -p udp -j REJECT --reject-with port-unreach
ip6tables -A reject_func -j REJECT --reject-with addr-unreach
ip6tables -A reject_func -j DROP
ip6tables -A INPUT -j ACCEPT -i lo
ip6tables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
ip6tables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
echo "1" > "/proc/sys/net/ipv4/ip_forward"
echo "1" > "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
echo "1" > "/proc/sys/net/ipv4/tcp_syncookies"
echo "0" > "/proc/sys/net/ipv4/tcp_ecn"
echo "1" > "/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
echo "20" > "/proc/sys/net/ipv4/ipfrag_time"
echo "1" > "/proc/sys/net/ipv4/igmp_max_memberships"
echo "1024 29999" > "/proc/sys/net/ipv4/ip_local_port_range"
echo "1" > "/proc/sys/net/ipv4/conf/all/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/all/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/all/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/all/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/all/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/all/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/default/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/default/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/default/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/default/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/default/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/default/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/eth0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/eth0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/lo/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/lo/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/lo/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/lo/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/lo/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/lo/rp_filter"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/log_martians"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/bootp_relay"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/proxy_arp"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/secure_redirects"
echo "0" > "/proc/sys/net/ipv4/conf/modem0/accept_source_route"
echo "1" > "/proc/sys/net/ipv4/conf/modem0/rp_filter"
echo "1" > "/proc/sys/net/ipv4/route/flush"
iptables -N input_int
iptables -N input_ext
iptables -N forward_int
iptables -N forward_ext
ip6tables -N input_int
ip6tables -N input_ext
ip6tables -N forward_int
ip6tables -N forward_ext
iptables -A input_int -j ACCEPT
ip6tables -A input_int -j ACCEPT
iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP
iptables -A input_ext -j ACCEPT -p icmp --icmp-type source-quench
iptables -A input_ext -j ACCEPT -p icmp --icmp-type echo-request
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type echo-request
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type router-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-solicitation
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type neighbour-advertisement
ip6tables -A input_ext -j ACCEPT -p icmpv6 --icmpv6-type redirect
iptables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
ip6tables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type echo-reply
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type destination-unreachable
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type packet-too-big
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type time-exceeded
ip6tables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type parameter-problem
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmpv6
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
iptables -A input_ext -j DROP
ip6tables -A input_ext -j DROP
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmpv6
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_int -j DROP
ip6tables -A forward_int -j DROP
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmpv6
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
ip6tables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_ext -j DROP
ip6tables -A forward_ext -j DROP
iptables -A INPUT -j input_int -i eth0
iptables -A INPUT -j input_ext -i modem0
iptables -A FORWARD -j forward_int -i eth0
iptables -A FORWARD -j forward_ext -i modem0
ip6tables -A INPUT -j input_int -i eth0
ip6tables -A INPUT -j input_ext -i modem0
ip6tables -A FORWARD -j forward_int -i eth0
ip6tables -A FORWARD -j forward_ext -i modem0
iptables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
ip6tables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
ip6tables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

And of course, the inevitable diff between SuSE 9.3 ("<") and 10.0 (">"): :-)

3,4d2
< modprobe ip_conntrack_ftp
< modprobe ip_nat_ftp
38a37
> ip6tables -A reject_func -j DROP
142,146d140
< iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -o modem0
< iptables -A forward_int -d 0/0 -i modem0 -j ACCEPT -m state --state ESTABLISHED,RELATED
< iptables -A forward_ext -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -o modem0
< iptables -A forward_ext -d 0/0 -i modem0 -j ACCEPT -m state --state ESTABLISHED,RELATED
< iptables -A POSTROUTING -j MASQUERADE -t nat -s 0/0 -o modem0
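Review bot: the 3,4d2 hunk is a second, independent gap: the 10.0 run no longer loads ip_conntrack_ftp and ip_nat_ftp, so even once masquerading is restored, FTP data connections from hosts in FW_MASQ_NETS will not be tracked or NATed by the connection-tracking helper; expect active-mode FTP from the internal net to fail and check how 10.0 is meant to load those helper modules.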
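Review bot: the 142,146d140 hunk is the whole masquerading problem: the 10.0 listing never emits `iptables -A POSTROUTING -j MASQUERADE -t nat -s 0/0 -o modem0` nor the forward_int/forward_ext ACCEPT rules for the modem0 direction, while `iptables -P FORWARD DROP` is set and both forward_int and forward_ext end in `-j DROP`, so with FW_MASQ_NETS="192.168.2.0/24" nothing from the internal net is forwarded at all, let alone masqueraded. Since the script generated every other section but skipped the masquerade block, the setting that enables that block (FW_MASQUERADE="yes", with FW_DEV_EXT naming modem0 and FW_DEV_INT naming eth0) is the first thing to verify in /etc/sysconfig/SuSEfirewall2.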
Thank you, Peter Taylor
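An added check, not from this thread or from SuSEfirewall2 itself, that reads a "SuSEfirewall2 debug" listing and reports why masquerading for a FW_MASQ_NETS host cannot work; the two listings are constructed excerpts modelled on the 10.0 output above and on the 9.3 rules from the diff, and the external interface is assumed to be modem0 as in the thread.

```python
import shlex

# Constructed excerpt modelled on the thread's SuSE 10.0 "SuSEfirewall2 debug"
# listing: forwarding is switched on, but no MASQUERADE or FORWARD ACCEPT rule
# is ever emitted, and the forward_* chains end in DROP.
DEBUG_10_0 = """\
iptables -P FORWARD DROP
echo "1" > "/proc/sys/net/ipv4/ip_forward"
iptables -A FORWARD -j forward_int -i eth0
iptables -A FORWARD -j forward_ext -i modem0
iptables -A forward_int -j DROP
iptables -A forward_ext -j DROP
"""

# The same excerpt plus the rules the 9.3 run still produced (from the diff).
DEBUG_9_3 = DEBUG_10_0 + """\
iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -o modem0
iptables -A forward_ext -d 0/0 -i modem0 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A POSTROUTING -j MASQUERADE -t nat -s 0/0 -o modem0
"""

def parse_rules(text):
    """Return (chain, argv) for every 'iptables -A/-I <chain> ...' line."""
    rules = []
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) > 2 and argv[0] == "iptables" and argv[1] in ("-A", "-I"):
            rules.append((argv[2], argv))
    return rules

def out_iface(argv):
    """The interface named by -o, or None when the rule has no -o match."""
    return argv[argv.index("-o") + 1] if "-o" in argv else None

def audit_masq(text, ext_if):
    """List the reasons masquerading out of ext_if cannot work for this listing."""
    findings = []
    rules = parse_rules(text)
    if 'echo "1" > "/proc/sys/net/ipv4/ip_forward"' not in text:
        findings.append("ip_forward is not enabled")
    if not any(ch == "POSTROUTING" and "MASQUERADE" in argv
               and out_iface(argv) == ext_if for ch, argv in rules):
        findings.append(f"no MASQUERADE rule in nat POSTROUTING for -o {ext_if}")
    if not any(ch == "forward_int" and "ACCEPT" in argv and out_iface(argv) == ext_if
               and any("NEW" in t for t in argv) for ch, argv in rules):
        findings.append(f"forward_int never ACCEPTs NEW connections out of {ext_if}")
    return findings
```

Run it over a saved `SuSEfirewall2 debug` capture to get the same three checks on a real listing; an empty list means the masquerade section was generated.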