Blocking outgoing network traffic on workstation

vodoo,
So what I can figure, you're changing rules on the default filter table. My rules are being added to the nat table. I'm not quite sure why my changes only work when the iptables are flushed via iptables --flush or stopping the SuSEFirewall2 service.

Worst of all, you cannot see the results of the nat table or the rules applied like you can on the filter table using iptables -S.

John

To view a non-default table, use -t.

iptables -t nat -S

Does anyone have a link to a good writeup explaining the OpenSuSE implementation of SuSEFirewall2?

Unfortunately: no. Your best bet is to have a close look at the script implementing the firewall, /sbin/SuSEfirewall2. Start reading it from line 2308 (ymmv) to see where the different hooks are called to insert custom rules. Knowing this you can decide to which hook you should add your rules to get the sequence right.

What doesn't make sense, according to what I have read, is that packets pass through the NAT table before the FILTER table. So it really shouldn't matter what order they are entered; my 5 rules should come first since I am adding to the NAT table.

John

BTW: I feel like an idiot now. I never thought to try iptables -t nat -S or --list.

You need to do more reading. There are PREROUTING and POSTROUTING. You can find a diagram of the packet flow in a good iptables tutorial.

I found the doc from the opensuse web site. What do you think?

Novell Documentation

John

So I have been looking at Security Guide => Network Security => Masquerading and Firewalls => Packet filtering and IPTables.

It looks as if OUTPUT is the only chain in the nat table which can accept both the redirect and the search of owner.

John

Default iptables setup from SuSEFirewall2

acer:/home/jmoore # iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

acer:/home/jmoore # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

acer:/home/jmoore # iptables -t filter -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i wlan0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j DROP
-A input_ext -p udp -m udp --dport 80 -m conntrack --ctstate NEW -j DROP
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

It looks like everything is added to the filter table.

Try this classic iptables tute:

Iptables-tutorial : Frozentux

Dang Ken,
That's some real reading. My brain is hurting… LOL

After reading some more directed sections, I am still at a loss as to why the internet request fails.

I guess I need to see if I am getting multiple requests to squid, indicating I am in an infinite loop. What's even odder is that with SuSEfirewall2 off, it works fine.

John
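A quick check for the loop John suspects above, added here as an example and not part of the thread: a REDIRECT rule in the nat OUTPUT chain (the only nat chain where owner matching and REDIRECT can be combined, as noted earlier) will also catch squid's own upstream connections unless an earlier rule exempts the proxy's uid. The script reads the text of `iptables -t nat -S` and reports whether such an exemption precedes the REDIRECT; the dumps, the user name squid, and port 3128 are constructed assumptions.

```shell
#!/bin/sh
# Assumed proxy user as it appears in the dump (name or numeric uid).
PROXY_UID=squid

# Constructed dump: REDIRECT present, nothing exempts the proxy -> loop risk.
NAT_LOOPING='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# Constructed dump: the proxy user leaves the chain before the REDIRECT rule.
NAT_FIXED='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner squid -j RETURN
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# Usage: check_redirect_loop "<output of iptables -t nat -S>" [proxy-uid]
# Prints "ok", "loop" or "no-redirect"; exit status is 0 only for "ok".
check_redirect_loop() {
  printf '%s\n' "$1" | awk -v uid="${2:-$PROXY_UID}" '
    # Only rules appended to the OUTPUT chain of this table are relevant.
    $1 == "-A" && $2 == "OUTPUT" {
      # An owner match on the proxy uid that leaves the chain is the exemption.
      if ($0 ~ ("--uid-owner " uid "( |$)") && $0 ~ /-j (RETURN|ACCEPT)/)
        exempt = 1
      # A REDIRECT reached before any exemption also catches squid itself.
      if ($0 ~ /-j REDIRECT/) { seen = 1; if (!exempt) loop = 1 }
    }
    END {
      if (!seen) { print "no-redirect"; exit 2 }
      if (loop)  { print "loop";        exit 1 }
      print "ok"
    }'
}

# Stand-alone demo: prints "loop", then "ok".
check_redirect_loop "$NAT_LOOPING" || :
check_redirect_loop "$NAT_FIXED"
```

On a live system, feed it `"$(iptables -t nat -S)"` instead of the constructed dumps.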