SuseFirewall expert pls help

Discussion in 'Installation/Configuration' started by zacch, Mar 14, 2006.

  1. zacch

    zacch New Member

    Hi

    I am new to SUSE firewall setup and I do need help. Please advise if anyone knows how to; thank you.

    I am currently using SUSE 9 with Squid/DansGuardian/Webmin, and it is acting as a gateway for me.

    The problem is I am not sure how to set up the SUSE firewall to secure the network.

    Please, anyone, advise me on how to do this, and please email me if you can at [email protected]. Thank you so much.

    I am a noobie at this, so please bear with me for a while. Thank you.
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Have you tried using YaST to configure the firewall?
     
  3. zacch

    zacch New Member

    Hi

    Thank you for your reply

    Yes, I have tried using YaST to configure the firewall, but somehow there are about 159 connections going and I don't understand why... my ISP called me up to tell me that... :(

    Please advise.
     
  4. zacch

    zacch New Member

    Hi
    I have managed to extract the iptables-save output to iptables.txt.
    I will paste it here; please advise me what to do. I have no idea what all this is; there are too many of them and I don't know which ones are important.

    Please advise. Thank you in advance!

    <INTERNET> -- <building> ------ <firewall> --------------------- <LAN>
    ext NIC: 172.x.x.x / int NIC: 10.1.x.x / LAN: 10.1.x.x

    I will post the iptables file in a few parts.

    # Generated by iptables-save v1.2.9 on Wed Mar 15 13:42:01 2006
    *mangle
    :PREROUTING ACCEPT [27204:15872792]
    :INPUT ACCEPT [4691:896244]
    :FORWARD ACCEPT [22513:14976548]
    :OUTPUT ACCEPT [3552:828728]
    :POSTROUTING ACCEPT [26031:15793591]
    -A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08
    -A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08
    -A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
    -A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08
    -A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10
    -A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10
    -A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04
    -A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04
    -A PREROUTING -p udp -m udp --dport 514 -j TOS --set-tos 0x04
    -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08
    -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08
    -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
    -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08
    -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10
    -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10
    -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04
    -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04
    -A OUTPUT -p udp -m udp --dport 514 -j TOS --set-tos 0x04
    COMMIT
    # Completed on Wed Mar 15 13:42:01 2006
    # Generated by iptables-save v1.2.9 on Wed Mar 15 13:42:01 2006
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [2:166]
    :OUTPUT ACCEPT [0:0]
    :forward_dmz - [0:0]
    :forward_ext - [0:0]
    :forward_int - [0:0]
    :input_dmz - [0:0]
    :input_ext - [0:0]
    :input_int - [0:0]
    :reject_func - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A INPUT -d 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
    -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
    -A INPUT -s 10.1.0.254 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A INPUT -s 10.1.0.254 -j DROP
    -A INPUT -s 172.17.17.20 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A INPUT -s 172.17.17.20 -j DROP
    -A INPUT -d 255.255.255.255 -i eth0 -j DROP
    -A INPUT -d 172.17.17.255 -i eth0 -j DROP
    -A INPUT -d 255.255.255.255 -i eth1 -j DROP
    -A INPUT -d 10.1.255.255 -i eth1 -j DROP
    -A INPUT -i eth0 -j input_ext
    -A INPUT -i eth1 -j input_int
    -A INPUT -d 172.17.17.20 -i eth1 -j LOG --log-prefix "SFW2-IN-ACC_DENIED_INT " --log-tcp-options --log-ip-options
    -A INPUT -d 172.17.17.20 -i eth1 -j DROP
    -A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
    -A INPUT -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -i eth1 -o eth1 -j ACCEPT
    -A FORWARD -i eth0 -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -j forward_ext
    -A FORWARD -i eth1 -j forward_int
    -A FORWARD -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
    -A FORWARD -j DROP
    -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j LOG --log-prefix "SFW2-FORWARD-ERROR " --log-tcp-options --log-ip-options
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SFW2-OUT-TRACERT-ATTEMPT " --log-tcp-options --log-ip-options
    -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3/9 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3/10 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3/13 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP
    -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j LOG --log-prefix "SFW2-OUTPUT-ERROR " --log-tcp-options --log-ip-options
    -A forward_dmz -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A forward_dmz -s 172.17.17.0/255.255.255.0 -j DROP
    -A forward_dmz -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A forward_dmz -s 10.1.0.0/255.255.0.0 -j DROP
    -A forward_dmz -d 10.1.0.254 -j LOG --log-prefix "SFW2-FWDdmz-DROP-CIRCUMV " --log-tcp-options --log-ip-options
    -A forward_dmz -d 10.1.0.254 -j DROP
    -A forward_dmz -d 172.17.17.20 -j LOG --log-prefix "SFW2-FWDdmz-DROP-CIRCUMV " --log-tcp-options --log-ip-options
    -A forward_dmz -d 172.17.17.20 -j DROP
    -A forward_dmz -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
    -A forward_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A forward_dmz -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A forward_dmz -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A forward_dmz -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -p udp -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -m state --state INVALID -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
    -A forward_dmz -j DROP
    -A forward_ext -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-FWDext-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
     
  5. zacch

    zacch New Member

    -A forward_ext -s 10.1.0.0/255.255.0.0 -j DROP
    -A forward_ext -d 10.1.0.254 -j LOG --log-prefix "SFW2-FWDext-DROP-CIRCUMV " --log-tcp-options --log-ip-options
    -A forward_ext -d 10.1.0.254 -j DROP
    -A forward_ext -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
    -A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A forward_ext -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A forward_ext -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A forward_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p udp -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
    -A forward_ext -j DROP
    -A forward_int -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-FWDint-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A forward_int -s 172.17.17.0/255.255.255.0 -j DROP
    -A forward_int -d 172.17.17.20 -j LOG --log-prefix "SFW2-FWDint-DROP-CIRCUMV " --log-tcp-options --log-ip-options
    -A forward_int -d 172.17.17.20 -j DROP
    -A forward_int -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
    -A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A forward_int -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A forward_int -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A forward_int -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p udp -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
    -A forward_int -j DROP
    -A input_dmz -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-INdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A input_dmz -s 172.17.17.0/255.255.255.0 -j DROP
    -A input_dmz -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-INdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A input_dmz -s 10.1.0.0/255.255.0.0 -j DROP
    -A input_dmz -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
    -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
    -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
    -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
    -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
    -A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -j DROP
    -A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
    -A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_dmz -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_dmz -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_dmz -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_dmz -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_dmz -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-ACC-HiTCP " --log-tcp-options --log-ip-options
    -A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A input_dmz -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A input_dmz -p udp -m udp --dport 22 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 80 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 111 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 111 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 631 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 631 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 1024 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 1025 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 1026 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 3128 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 3130 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 3401 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 8080 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 10000 -m state --state NEW -j DROP
    -A input_dmz -p udp -m udp --dport 10000 -m state --state NEW -j DROP
    -A input_dmz -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
    -A input_dmz -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_dmz -p udp -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_dmz -m state --state INVALID -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
    -A input_dmz -j DROP
    -A input_ext -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-INext-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A input_ext -s 10.1.0.0/255.255.0.0 -j DROP
    -A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-ACC-SOURCEQUENCH " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
     
  6. zacch

    zacch New Member

    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
    -A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -j DROP
    -A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
    -A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m tcp --dport 427 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 427 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j DROP
    -A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-HiTCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A input_ext -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A input_ext -p udp -m udp --dport 22 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 80 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 111 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 111 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 427 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 427 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 631 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 631 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 1024 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 1025 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 1026 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 3128 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 3130 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 3401 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 5353 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 8080 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 10000 -m state --state NEW -j DROP
    -A input_ext -p udp -m udp --dport 10000 -m state --state NEW -j DROP
    -A input_ext -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
    -A input_ext -p udp -m state --state ESTABLISHED -m udp --dport 61000:65095 -j ACCEPT
    -A input_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p udp -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
    -A input_ext -j DROP
    -A input_int -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-INint-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
    -A input_int -s 172.17.17.0/255.255.255.0 -j DROP
    -A input_int -j ACCEPT
    -A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
    -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
    -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
    -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
    -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
    -A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -j DROP
    -A input_int -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
    -A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-HiTCP " --log-tcp-options --log-ip-options
    -A input_int -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A input_int -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A input_int -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
    -A input_int -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_int -p udp -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_int -m state --state INVALID -j LOG --log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
    -A input_int -j DROP
    -A reject_func -p tcp -j REJECT --reject-with tcp-reset
    -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
    -A reject_func -j REJECT --reject-with icmp-proto-unreachable
    COMMIT
    # Completed on Wed Mar 15 13:42:01 2006
    # Generated by iptables-save v1.2.9 on Wed Mar 15 13:42:01 2006
    *nat
    :PREROUTING ACCEPT [1647:189000]
    :POSTROUTING ACCEPT [100:6439]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Wed Mar 15 13:42:01 2006
     
  7. zacch

    zacch New Member

    The above is an example of what it looks like after I have configured it ... oh my god....

    As you can see, there are too many of them and I am blur about it.

    I used YaST to configure it, but it seems to be too many lines, I guess.

    Please advise me how and what I should do about it, as I am a newbie to SuSEfirewall and iptables. Thank you.
     
  8. falko

    falko Super Moderator Howtoforge Staff

    If your server is behind a router (with a firewall), I'd simply switch off the SuSE firewall and try to configure it again from scratch.
     
  9. zacch

    zacch New Member

    Hi

    Thank you for your reply

    I think I will do what you have told me to, but one thing is I am not good with iptables, and I do not think I will use SuSEfirewall2 again lol

    I might be using iptables only, without YaST configuring SuSEfirewall2.

    So there are a few questions that I need to ask and to be guided on, please.

    Here is one of them, for ICMP ping:

    #ICMP Rules
    #For Me to Ping Outside
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A FORWARD -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A FORWARD -p icmp -m icmp --icmp-type 12 -j ACCEPT
    #For Outside To Ping Me
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT

    As you can see, this is the setting of ICMP rules I have set, and somehow other PCs in the LAN can ping me, whereas I cannot ping them.

    I tried to ping yahoo.com, but it seems not able to go out from my PC.

    Please advise. Thank you.
     
  10. zacch

    zacch New Member

    I have tried this and it works:

    #For Outside to Ping Inside
    #ICMP Rules
    #For Outside To Ping Inside
    #-A INPUT -s 127.0.0.1 -p icmp -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    #For Inside To Ping Outside
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    For DNS
    #Accept DNS
    -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
    -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT

    Anyway, I am still building up the iptables thing; please advise if there is anything wrong. Thank you.
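    To see why the ICMP rules in post 9 block outgoing pings while the post 10 rules pass them, here is an added example (not SuSEfirewall2's or the poster's code): a small Python evaluator that parses a subset of iptables-save syntax (the matches used in posts 9 and 10, plus -s/-d and user-defined chains) and walks a chain for one packet the way the kernel would. It assumes chain policies of INPUT ACCEPT and OUTPUT DROP, which the posts do not show, and a constructed LAN host 10.1.0.10; connection tracking is not modelled, so each packet's state is supplied by hand.

```python
"""Added example (not SuSEfirewall2 or the poster's code): walk an iptables-save
ruleset for one packet and report the verdict. Conntrack is not modelled; the
caller states the packet's conntrack state (NEW, ESTABLISHED or RELATED)."""
import ipaddress
import shlex

ICMP_TYPES = {"echo-reply": 0, "echo-request": 8}
NO_ARG = {"--log-tcp-options", "--log-ip-options"}  # flags that take no value
SKIPPED = {"-m", "--log-prefix", "--reject-with"}   # value consumed, never matched

def parse_rule(tokens):
    """Words after '-A <chain>' -> {match: value, ..., 'target': name}."""
    rule, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in NO_ARG or tok in SKIPPED:
            i += 1 if tok in NO_ARG else 2
        else:  # -j, -p, -i, -o, -s, -d, --sport, --dport, --icmp-type, --state
            rule["target" if tok == "-j" else tok.lstrip("-")] = tokens[i + 1]
            i += 2
    return rule

def parse_ruleset(text):
    """':NAME POLICY' sets a policy ('-' = user chain); '#', '*', COMMIT ignored."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            chains.setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return policies, chains

def _match(key, want, pkt):
    """One criterion; `key` is the iptables option name with its dashes stripped."""
    if key == "p":
        return pkt.get("proto") == want
    if key in ("i", "o"):
        return pkt.get("in" if key == "i" else "out") == want
    if key in ("s", "d"):  # CIDR or dotted mask, e.g. 127.0.0.0/255.0.0.0
        net = ipaddress.ip_network(want, strict=False)
        return ipaddress.ip_address(pkt["src" if key == "s" else "dst"]) in net
    if key == "icmp-type":  # numeric type, or echo-request / echo-reply
        return pkt.get("icmp_type") == ICMP_TYPES.get(want, int(want) if want.isdigit() else -1)
    if key in ("sport", "dport"):  # single port or lo:hi range
        lo, _, hi = want.partition(":")
        return int(lo) <= pkt.get(key, -1) <= int(hi or lo)
    if key == "state":
        return pkt.get("state") in want.split(",")
    raise ValueError("unsupported match --" + key)

def evaluate(policies, chains, chain, pkt):
    """Return (verdict, deciding rule): LOG continues, an exhausted user chain
    returns to its caller, an exhausted built-in chain yields its policy."""
    for rule in chains.get(chain, []):
        if not all(_match(k, v, pkt) for k, v in rule.items() if k != "target"):
            continue
        target = rule.get("target")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, rule
        if target not in (None, "LOG"):  # jump into a user-defined chain
            verdict, by = evaluate(policies, chains, target, pkt)
            if verdict is not None:
                return verdict, by
    return policies.get(chain), None

# Constructed from post 9's ICMP fragment (abridged); the post shows no policies.
# INPUT ACCEPT / OUTPUT DROP is an assumption that reproduces the reported symptom.
RULES_POST9 = """:INPUT ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
# Post 10's working fragment, same assumed policies.
RULES_POST10 = """:INPUT ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
"""

def ping_verdicts(ruleset_text):
    """(gateway 10.1.0.254 pings constructed LAN host 10.1.0.10, and the reverse)."""
    policies, chains = parse_ruleset(ruleset_text)
    out_req = {"proto": "icmp", "out": "eth1", "src": "10.1.0.254",
               "dst": "10.1.0.10", "icmp_type": 8, "state": "NEW"}
    in_req = {"proto": "icmp", "in": "eth1", "src": "10.1.0.10",
              "dst": "10.1.0.254", "icmp_type": 8, "state": "NEW"}
    return (evaluate(policies, chains, "OUTPUT", out_req)[0],
            evaluate(policies, chains, "INPUT", in_req)[0])
```

    With the post 9 rules the outgoing echo-request is NEW, matches nothing in OUTPUT and falls to the DROP policy, while an incoming echo-request falls to the INPUT ACCEPT policy; the post 10 rules accept both explicitly.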
     
  11. kaptk2

    kaptk2 New Member

    For something pretty easy, try Shorewall. It is a frontend for iptables and very, very powerful. You can start off with one of the example configurations and customize it from there. Check out http://www.shorewall.net for more info. It is the best documented piece of software that I have ever seen. Makes firewalls a snap!
     
  12. zacch

    zacch New Member

    Hi

    Thank you for the reply. I will look into it and try it out; better than doing the iptables from nothing lol
     
