I didn't catch what triggered this. I noticed that NAT had disappeared, so I started looking at the server.
With the firewall off, users get out to the Internet normally through squid; Postfix+Dovecot, ProFTP and so on all work. Start SuseFirewall and everything gets blocked. No way out from the local network at all.
The SuSEfirewall2 config is attached.
FW_DEV_EXT="any eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="10000 10001 10002 12955 20000 20001 21 40000 40001 40002 40003 40004 40005 5900 9990"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP="ICMP"
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="bind postfix"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
Trying to start SuseFirewall2 through Webmin gives the following:
Выполнение /etc/init.d/SuSEfirewall2_init restart ..
Starting Firewall Initialization (phase 1 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
..done
Выполнение /etc/init.d/SuSEfirewall2_setup restart ..
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Invalid argument. Run `dmesg' for more information.
..done
When SuseFirewall2 is enabled, /var/log/firewall shows the following:
Jun 24 20:58:19 termo-gate kernel: 554.941045] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=79.171.122.244 LEN=178 TOS=0x00 PREC=0x00 TTL=64 ID=13489 DF PROTO=TCP SPT=20000 DPT=62256 WINDOW=7744 RES=0x00 ACK PSH URGP=0
Jun 24 20:58:19 termo-gate kernel: 554.968292] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=79.171.122.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=13490 DF PROTO=TCP SPT=20000 DPT=62256 WINDOW=7744 RES=0x00 ACK URGP=0
Jun 24 20:58:19 termo-gate kernel: 554.968318] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=79.171.122.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=13491 DF PROTO=TCP SPT=20000 DPT=62256 WINDOW=7744 RES=0x00 ACK URGP=0
Jun 24 20:58:19 termo-gate kernel: 555.001922] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=79.171.122.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=13492 DF PROTO=TCP SPT=20000 DPT=62256 WINDOW=7744 RES=0x00 ACK URGP=0
Jun 24 20:58:19 termo-gate kernel: 555.001945] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=79.171.122.244 LEN=814 TOS=0x00 PREC=0x00 TTL=64 ID=13493 DF PROTO=TCP SPT=20000 DPT=62256 WINDOW=7744 RES=0x00 ACK PSH FIN URGP=0
Jun 24 20:58:19 termo-gate kernel: 555.636470] SFW2-INext-ACC-TCP IN=eth1 OUT= MAC=00:1e:58:a7:8f:02:00:0e:0c:72:5d:39:08:00 SRC=217.78.186.12 DST=195.69.133.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16744 DF PROTO=TCP SPT=50879 DPT=12955 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405500103030201010402)
Jun 24 20:58:19 termo-gate kernel: 555.788905] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=87.119.169.36 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31101 DF PROTO=TCP SPT=1951 DPT=48382 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:58:19 termo-gate kernel: 555.788945] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=81.5.84.106 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31102 DF PROTO=TCP SPT=1952 DPT=25025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:58:19 termo-gate kernel: 555.788981] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=87.226.242.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31103 DF PROTO=TCP SPT=1950 DPT=35691 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:58:19 termo-gate kernel: 555.789322] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=77.232.15.242 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31104 DF PROTO=TCP SPT=1976 DPT=22979 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:58:20 termo-gate kernel: 556.291836] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=77.232.15.242 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31113 DF PROTO=TCP SPT=1976 DPT=22979 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:58:43 termo-gate kernel: 578.985998] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.50.2 DST=192.168.50.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=56012 DF PROTO=TCP SPT=35506 DPT=10001 WINDOW=46 RES=0x00 ACK URGP=0 OPT (0101080A000441C9001735F8)
Jun 24 20:58:46 termo-gate kernel: 581.804033] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=212.178.6.106 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31410 DF PROTO=TCP SPT=1991 DPT=60289 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:58:47 termo-gate kernel: 583.654011] SFW2-INext-ACC-TCP IN=eth1 OUT= MAC=00:1e:58:a7:8f:02:00:0e:0c:72:5d:39:08:00 SRC=91.201.176.184 DST=195.69.133.34 LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=52565 DF PROTO=TCP SPT=55559 DPT=12955 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405AC0103030201010402)
Jun 24 20:58:59 termo-gate kernel: 595.220656] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.50.2 DST=192.168.50.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=37161 DPT=1999 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 24 20:59:02 termo-gate kernel: 597.805876] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=188.17.173.154 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31460 DF PROTO=TCP SPT=2000 DPT=50191 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:59:05 termo-gate kernel: 601.768461] SFW2-INext-ACC-TCP IN=eth1 OUT= MAC=00:1e:58:a7:8f:02:00:0e:0c:72:5d:39:08:00 SRC=94.232.134.16 DST=195.69.133.34 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=12786 DF PROTO=TCP SPT=4386 DPT=12955 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405A001010402)
Jun 24 20:59:20 termo-gate kernel: 616.320059] SFW2-INext-ACC-TCP IN=eth1 OUT= MAC=00:1e:58:a7:8f:02:00:0e:0c:72:5d:39:08:00 SRC=109.184.251.19 DST=195.69.133.34 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=30001 DF PROTO=TCP SPT=1590 DPT=12955 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405A001010402)
Jun 24 20:59:20 termo-gate kernel: 616.320103] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=109.184.251.19 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=12955 DPT=1590 WINDOW=5840 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402)
Jun 24 20:59:22 termo-gate kernel: 617.805996] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=87.126.21.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31543 DF PROTO=TCP SPT=2012 DPT=48350 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:59:40 termo-gate kernel: 635.866048] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=195.82.146.123 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27034 DF PROTO=TCP SPT=54798 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A00051FFA0000000001030307)
Jun 24 20:59:43 termo-gate kernel: 638.815798] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=81.30.181.42 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31593 DF PROTO=TCP SPT=2019 DPT=33682 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:59:59 termo-gate kernel: 654.941013] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=195.82.146.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2041 DF PROTO=TCP SPT=33061 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A00056A7D0000000001030307)
Jun 24 21:00:01 termo-gate kernel: 656.795994] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=95.181.12.221 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31642 DF PROTO=TCP SPT=2024 DPT=45341 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 21:00:19 termo-gate kernel: 675.422844] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=193.0.14.129 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=8792 PROTO=UDP SPT=49868 DPT=53 LEN=43
Jun 24 21:00:20 termo-gate kernel: 675.825537] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=95.66.173.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31746 DF PROTO=TCP SPT=2042 DPT=28931 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 21:00:39 termo-gate kernel: 694.976385] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=198.41.0.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=6319 PROTO=UDP SPT=29356 DPT=53 LEN=44
Jun 24 21:00:46 termo-gate kernel: 701.810267] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=195.91.129.243 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31830 DF PROTO=TCP SPT=2057 DPT=41254 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 21:00:59 termo-gate kernel: 715.102857] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.50.2 DST=192.168.50.3 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 ID=10416 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.50.3 DST=192.168.50.2 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32124 PROTO=UDP SPT=137 DPT=137 LEN=58 ]
Jun 24 21:01:03 termo-gate kernel: 718.830677] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=95.37.179.108 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32144 DF PROTO=TCP SPT=2072 DPT=35691 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 21:01:19 termo-gate kernel: 735.286931] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=86.57.152.250 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=62581 DF PROTO=TCP SPT=12955 DPT=4678 WINDOW=6432 RES=0x00 ACK URGP=0
Jun 24 21:01:20 termo-gate kernel: 735.821766] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=94.41.202.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32361 DF PROTO=TCP SPT=2083 DPT=64388 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
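As an added example (not part of the thread), a small Python parser that groups these SFW2 kernel log lines by chain tag and interface pair, so that a run of SFW2-FWDint-DROP-DEFLT entries with IN=eth0 OUT=eth1 (LAN-to-WAN forwarding hitting the default drop) stands out from ordinary OUT-ERROR and INext-ACC noise. The sample lines are copied from the log excerpt above; the field names follow the standard iptables LOG format.

```python
import re
from collections import Counter

# Sample entries copied from the /var/log/firewall excerpt above (constructed subset).
SAMPLE_LOG = """\
Jun 24 20:58:19 termo-gate kernel: 554.941045] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=79.171.122.244 LEN=178 TOS=0x00 PREC=0x00 TTL=64 ID=13489 DF PROTO=TCP SPT=20000 DPT=62256 WINDOW=7744 RES=0x00 ACK PSH URGP=0
Jun 24 20:58:19 termo-gate kernel: 555.636470] SFW2-INext-ACC-TCP IN=eth1 OUT= MAC=00:1e:58:a7:8f:02:00:0e:0c:72:5d:39:08:00 SRC=217.78.186.12 DST=195.69.133.34 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=16744 DF PROTO=TCP SPT=50879 DPT=12955 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405500103030201010402)
Jun 24 20:58:19 termo-gate kernel: 555.788905] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=87.119.169.36 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31101 DF PROTO=TCP SPT=1951 DPT=48382 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 20:58:19 termo-gate kernel: 555.788945] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.50.3 DST=81.5.84.106 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31102 DF PROTO=TCP SPT=1952 DPT=25025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02043ECA01010402)
Jun 24 21:00:19 termo-gate kernel: 675.422844] SFW2-OUT-ERROR IN= OUT=eth1 SRC=195.69.133.34 DST=193.0.14.129 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=8792 PROTO=UDP SPT=49868 DPT=53 LEN=43
Jun 24 21:00:59 termo-gate kernel: 715.102857] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.50.2 DST=192.168.50.3 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 ID=10416 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.50.3 DST=192.168.50.2 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32124 PROTO=UDP SPT=137 DPT=137 LEN=58 ]
"""

TAG_RE = re.compile(r"\b(SFW2-[A-Za-z0-9-]+)\b(.*)$")  # chain/verdict tag, then the fields
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")               # KEY=value pairs; IN= / OUT= may be empty


def parse_line(line):
    """Return the tag and key fields of one SFW2 log line, or None for other lines."""
    m = TAG_RE.search(line)
    if not m:
        return None
    tag, rest = m.group(1), m.group(2)
    # ICMP errors embed the original packet in [...]; keep only the outer header.
    fields = dict(KV_RE.findall(rest.split("[", 1)[0]))
    return {"tag": tag, "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
            "src": fields.get("SRC", ""), "dst": fields.get("DST", ""),
            "proto": fields.get("PROTO", ""), "dpt": fields.get("DPT", "")}


def summarise(log_text):
    """Count entries by (tag, IN, OUT, PROTO). Many SFW2-FWDint-DROP-DEFLT hits with
    IN=eth0 OUT=eth1 mean LAN->WAN packets reach the forward chain's default drop,
    i.e. the masquerade/forward rules for the int->ext direction were not built."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["tag"], rec["in"], rec["out"], rec["proto"])] += 1
    return counts


def dropped_forwards(log_text):
    """Sorted (src, dst, proto, dpt) tuples of forwarded packets that hit a DROP chain."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "FWD" in rec["tag"] and "DROP" in rec["tag"]:
            hits.add((rec["src"], rec["dst"], rec["proto"], rec["dpt"]))
    return sorted(hits)


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_LOG).items()):
        print(n, *key)
    print("dropped forwards:", dropped_forwards(SAMPLE_LOG))
```

Run it against the full /var/log/firewall to see which chain the blocked LAN hosts are falling into before comparing the generated iptables rules.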
Gankov
June 25, 2010, 11:07am
3
Are the clients supposed to go through squid?
If so, is the proxy specified in the client settings? Or do you want to set up transparent proxying?
Which DNS is configured on the clients? I suspect DNS is being blocked; to check, try opening the Google site from a client machine with the firewall enabled
Gankov
June 25, 2010, 11:18am
4
It has to be opened with exactly this address
http://74.125.77.104/
Strange how the forum engine figured out from the address that it's Google and changed the link…
Everyone goes through the proxy, although some (for example accounting, for the client-bank) are also allowed NAT.
I ended up having to just use a plain firewall. Everything is now set up per the manuals. The firewall is configured through Webmin.
I get the feeling that after some point (update/patch/new software) SuseFirewall started generating incorrect rules.
I'll wait for 11.3.
k0da
June 25, 2010, 9:39pm
6
Well, compare the resulting rules.