From: "P.Italiaander" <pc-secure@home.nl>
To: netfilter@lists.netfilter.org
Subject: Re: SuSEfirewall2 and NAT help : i am so lost!
Date: Fri, 16 May 2003 19:54:18 +0200
Message-ID: <200305161954.18096.pc-secure@home.nl>
In-Reply-To: <20030516151617.GC53289@justpickone.org>

> On Friday 16 May 2003 17:16, David T-G wrote:
> Florent, et al --
>
> ...and then Aide Florent said...
> %
> % On Friday 16 May 2003 00:45, David T-G wrote:
> % > Hi again, all --
> ...
> % > I've attached `iptables -L` so that you can see if anything looks
> wrong. %
> % you should try
> %
> % iptables -t nat -nvL
> %
> % if you want to see what is "NATed" by your machine.
>
> Ah.  Oops!  Now *that* is attached.
>
>
> %
> % Hope it helps.
>
> I don't really know what I'm reading, but I admit that it looks somewhat
> sparse.  I hope someone can tell me what pieces I'm missing!
>
>
> %
> % Florent AIDE
>
>
> Thanks again & HAND
>
> :-D


At first I thought somebody would notice, but you have a huge hole in your
firewall:
so you do:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             255.255.255.255    udp spt:bootps dpt:bootpc
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     udp  --  dns1.rcsntx.sbcglobal.net  anywhere           state NEW udp spt:domain dpts:1024:65535
ACCEPT     udp  --  dns1.snfcca.sbcglobal.net  anywhere           state NEW udp spt:domain dpts:1024:65535
LOG        tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-NEW-CONNECT '
ACCEPT     udp  --  anywhere             anywhere           state ESTABLISHED udp dpts:61000:65095
input_ext  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Iptables behaviour is: the first match counts!!
So if you set the first rule of the INPUT chain to ACCEPT all -- anywhere anywhere,
it means that all traffic both ways may pass. This behaviour is not acceptable.
Actually ALL the other rules 2, 3, 4 etc. of the INPUT chain are not matched.
You could be filtering more by interface.
 
Then the FORWARD chain: 

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
reject_func  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

It seems you have a ppp adapter, but a clamp to PMTU alone is not enough to
get it working; it only corrects the PMTU value.
Your policy says DROP, but your reject_func rejects further traffic, so the
ACCEPT all -- anywhere anywhere is not matched; you would override your own
POLICY if it did.

So you have to make a rule with state NEW, before the reject_func, and let
everything pass from the internal network to the WWW.

example:
iptables -A FORWARD -m state --state NEW -i $int_if -o $ext_if -j ACCEPT

Now the firewall knows how to forward between interfaces.

This should do the job, let us know!!

Pascal
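The first-match behaviour Pascal describes, as an added example that is not part of the thread: a small Python check that parses one chain of `iptables -L` style output (the listing below is a constructed copy of the quoted INPUT chain with wrapped lines joined) and reports the rules made unreachable by a blanket ACCEPT at the top of the chain.

```python
# Added example (not from the thread): netfilter tries rules top to bottom and the
# first terminating match decides, so a blanket ACCEPT at the top hides everything below.
from dataclasses import dataclass

# Constructed sample: the INPUT chain quoted in the thread, wrapped lines joined.
INPUT_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             255.255.255.255    udp spt:bootps dpt:bootpc
LOG        tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN LOG level warning
input_ext  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

@dataclass
class Rule:
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # match text after the destination column, "" when absent

    def is_blanket(self) -> bool:
        """`all -- anywhere anywhere` with no further match: hits every packet."""
        return (self.proto == "all" and self.source == self.dest == "anywhere"
                and not self.extra)

def parse_listing(text: str) -> tuple[str, list[Rule]]:
    """Return (policy, rules) from one chain of `iptables -L` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    policy = lines[0].split("(policy ")[1].rstrip(")")
    rules = []
    for ln in lines[2:]:                 # skip the "Chain" line and the header row
        cols = ln.split(None, 5)         # target prot opt source destination [extra]
        target, proto, _opt, src, dst = cols[:5]
        rules.append(Rule(target, proto, src, dst, cols[5].strip() if len(cols) > 5 else ""))
    return policy, rules

def shadowed_rules(rules: list[Rule]) -> list[int]:
    """1-based numbers (as `iptables -L --line-numbers` shows) of rules that
    can never match because an earlier blanket terminating rule wins first."""
    for i, r in enumerate(rules):
        if r.target in TERMINATING and r.is_blanket():
            return list(range(i + 2, len(rules) + 1))
    return []
```

Running `shadowed_rules` on the parsed chain flags rules 2 to 6 as unreachable; with the first rule removed, nothing is shadowed, since the remaining blanket ACCEPT sits at the end where it still overrides the DROP policy but hides no other rule.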
