Solved

SuSE firewall kills all active connections

Posted on 2003-03-17
Last Modified: 2010-03-18
hi all,
I'm running an internal network with my linux box as dial-up gateway.

I used the YaST firewall configuration with the following:
external interface = ppp0
internal interface = eth0
Allow traceroute = yes
forward traffic, do masq = yes
protect all running services = no
protect from internal network = no

Everything seems to work fine except when the modem connects.
Then the firewall drops all active connections from the internal network.
This is bad since I use VNC and ssh to work on it.

Any ideas?
Cheers,
Question by:thorsteinn
4 Comments
 
LVL 3

Expert Comment

by: Ustas
ID: 8151772
I guess you need to build a custom firewall.

Another firewall script that I've used myself and which should work for you is Bastille-Firewall

Here is the script:
http://www.tux.org/~peterw/linux/bastille-firewall-scripts.tar.gz
 
LVL 19

Accepted Solution

by: Gabriel Orozco (earned 150 total points)
ID: 8151888
Or, maybe you could use this simple script:

Of course, you need to get rid of the SuSE firewall and set this up in a file. I usually name it /etc/rc.d/rc.firewall and call it from /etc/rc.d/rc.local.
---
#!/bin/sh
# I think you have DSL. if it's already starting, then
# delete the "adsl-start" line:
adsl-start

# Activate IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ipt="/usr/local/sbin/iptables"
outside=ppp0
inside=eth1
other=eth0

# Flush every table and default all filter chains to DROP
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

# Loopback and the trusted inside interface are fully open.
# (OUTPUT matches on the outgoing interface, so it takes -o, not -i.)
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A INPUT -i $inside -j ACCEPT
$ipt -A OUTPUT -o $inside -j ACCEPT
$ipt -A FORWARD -i $inside -j ACCEPT

# Packets belonging to connections that are already open are accepted in
# all three chains; without the FORWARD and OUTPUT rules the return traffic
# of masqueraded and local sessions would fall through to the DROP policy.
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept at least traffic to ssh into this host.
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept 11 sessions of VNC:
$ipt -A INPUT -p tcp --dport 5900:5910 -j ACCEPT
# Now the NAT thing.
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE

---
This script will not forward anything from eth0 to eth1, as you asked, but forwards (it does not NAT) from eth1 to eth0, and NATs from eth1 to ppp0, whatever IP they may have.


Hope this helps
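A script of the flush-then-rebuild kind above leaves a short window in which the chains are empty, the policy is DROP and no ESTABLISHED rule exists yet; if such a script is re-run every time ppp0 comes up, that is exactly the moment at which open ssh and VNC sessions can be cut. The following added example (not code from the thread or from SuSE) avoids the window by generating the whole rule set in iptables-save(8) format and loading it with iptables-restore, which replaces each table in a single commit. The interface names, the path to iptables-restore, the VNC port range and the idea of calling it from /etc/ppp/ip-up are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread: build a dial-up gateway
# rule set and load it atomically so re-running it keeps open sessions.
# Interface names and the iptables-restore path are assumptions.

OUTSIDE="${OUTSIDE:-ppp0}"
INSIDE="${INSIDE:-eth0}"
RESTORE="${RESTORE:-/usr/sbin/iptables-restore}"

# Print the complete rule set in iptables-save format.  Keeping it in a
# function means it can be reviewed ("gen_ruleset") before being applied.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade everything that leaves through the dial-up link
-A POSTROUTING -o $OUTSIDE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# sessions that are already open are accepted first in every chain, so a
# reload keeps the ssh/VNC connections that existed when it ran
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# management of the gateway (ssh, 11 VNC displays) only from the LAN side
-A INPUT -i $INSIDE -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INSIDE -p tcp --dport 5900:5910 -j ACCEPT
# LAN hosts may open new connections outward; the dial-up side may not
-A FORWARD -i $INSIDE -o $OUTSIDE -j ACCEPT
# the gateway itself may originate traffic on both interfaces
-A OUTPUT -o $INSIDE -j ACCEPT
-A OUTPUT -o $OUTSIDE -j ACCEPT
# whatever falls through is logged (rate limited) before the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Load the rule set in one shot.  --noflush is deliberately not used: a full
# restore replaces each table in a single commit instead of flushing first.
apply_ruleset() {
    gen_ruleset | "$RESTORE" || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Sanity check that needs neither root nor iptables: every filter chain that
# defaults to DROP must carry an ESTABLISHED,RELATED accept rule.
check_ruleset() {
    rules=$(gen_ruleset)
    for chain in INPUT FORWARD OUTPUT; do
        echo "$rules" | grep -q "^:$chain DROP" || continue
        echo "$rules" | grep -q "^-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT" || return 1
    done
    return 0
}

case "${1:-}" in
    apply) apply_ruleset ;;
    check) check_ruleset && echo "ruleset ok" ;;
    *)     gen_ruleset ;;
esac
```

Run it without arguments to print the rule set for review, with `check` to verify the ESTABLISHED rules are present, and with `apply` (as root) to load it; calling the `apply` form from the ppp ip-up hook is then safe to repeat on every reconnect.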
 
LVL 19

Expert Comment

by: Gabriel Orozco
ID: 8168869
thorsteinn: any news?
 
LVL 19

Expert Comment

by: Gabriel Orozco
ID: 8169541
:-(
why the 'B'??
I just wanted to know if this was your answer, or if you needed some tuning or something like that.
but a "B"?
