  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 273

SuSE firewall kills all active connections

Hi all,
I'm running an internal network with my Linux box as dial-up gateway.

I used the YaST firewall configuration with the following:
external int = ppp0
internal int = eth0
Allow traceroute = yes
forward traffic, do masq = yes
protect all running services = no
protect from internal network = no

Everything seems to work fine except when the modem connects.
Then the firewall drops all active connections from the internal network.
This is bad since I use VNC and SSH to work on it.

Any ideas?
Cheers,
0
Asked by: thorsteinn

1 Solution
 
Ustas commented:
I guess you need to build a custom firewall.

Another firewall script that I've used myself and which should work for you is Bastille-Firewall

Here is the script:
http://www.tux.org/~peterw/linux/bastille-firewall-scripts.tar.gz
0
 
Gabriel Orozco (Solution Architect) commented:
or, maybe you could use this simple script:

Of course, you need to get rid of the suse firewall and setup this on a file. I usually name it /etc/rc.d/rc.firewall and call it from /etc/rc.d/rc.local.
---
#!/bin/sh
# I think you have DSL. if it's already starting, then
# delete the "adsl-start" line:
adsl-start

#Activate IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ipt="/usr/local/sbin/iptables"
outside=ppp0
inside=eth1
other=eth0

# Start from a clean slate: flush every table, then default-deny.
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

# Loopback and the inside interface are fully trusted.
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A INPUT -i $inside -j ACCEPT
# The OUTPUT chain has no input interface; it must be matched with -o,
# not -i, or iptables rejects the rule.
$ipt -A OUTPUT -o $inside -j ACCEPT
$ipt -A FORWARD -i $inside -j ACCEPT

# Replies to tracked connections, including the masqueraded ones coming
# back in on $outside, must be accepted in all three chains or the
# forwarded sessions never get their answers.
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let the gateway itself open new connections over the link (DNS etc.).
$ipt -A OUTPUT -o $outside -j ACCEPT
#Accept at least traffic to ssh into this host.
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
#Accept 11 sessions of VNC:
$ipt -A INPUT -p tcp --dport 5900:5910 -j ACCEPT
#now the nat thing.
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE

---
This script will not forward anything from eth0 to eth1, as you asked, but it forwards (it does not NAT) from eth1 to eth0, and NATs from eth1 to ppp0, whatever IP they may have.


Hope this helps
0
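The answer above builds its rules one `iptables` command at a time, which means every run (for example on each ppp0 ifup) passes through a window where the chains are flushed and the policies are DROP before the stateful rules are back. The added example below, which is not code from the answer or from SuSEfirewall, generates the same kind of stateful masquerading rule set as an `iptables-restore` file and loads it in a single transaction, so existing SSH and VNC sessions are matched by the ESTABLISHED,RELATED rules the moment the new set is live. Interface names (`ppp0`, `eth0`), the LAN prefix `192.168.1.0/24` and the path `/etc/iptables.rules` are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: stateful dial-up gateway rule set applied atomically.
# Not the script from the answer above. Interface names, the LAN prefix
# and the rules path are assumptions (override via the environment).

OUTSIDE="${OUTSIDE:-ppp0}"                       # assumed dial-up link
INSIDE="${INSIDE:-eth0}"                         # assumed LAN interface
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"       # assumed LAN prefix
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"  # assumed file path

# gen_rules prints a complete iptables-restore file to stdout.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $INSIDE_NET -o $OUTSIDE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always trusted (OUTPUT matches on -o, never -i).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Anti-spoofing: nothing on the dial-up link may claim a LAN source.
-A INPUT -i $OUTSIDE -s $INSIDE_NET -j DROP
-A FORWARD -i $OUTSIDE -s $INSIDE_NET -j DROP
# Tracked sessions keep flowing in all three chains; because the whole
# file is committed at once there is no window without these rules.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management from the LAN only: SSH and VNC displays :0 to :10.
-A INPUT -i $INSIDE -s $INSIDE_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $INSIDE -s $INSIDE_NET -p tcp --dport 5900:5910 -m state --state NEW -j ACCEPT
# LAN -> Internet; new connections may only originate on the LAN side.
-A FORWARD -i $INSIDE -o $OUTSIDE -s $INSIDE_NET -m state --state NEW -j ACCEPT
# The gateway itself may open outbound connections.
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rules_ok runs cheap sanity checks on a generated file before it is
# loaded: no OUTPUT rule may use -i, both tables must be committed, and
# the stateful accept rules must be present.
rules_ok() {
    f="$1"
    if grep -q '^-A OUTPUT .*-i ' "$f"; then return 1; fi
    [ "$(grep -c '^COMMIT$' "$f")" -eq 2 ] || return 1
    grep -q -- '--state ESTABLISHED,RELATED' "$f" || return 1
    return 0
}

# apply_rules writes the file and loads it in one transaction (needs root).
apply_rules() {
    gen_rules > "$RULES_FILE"
    rules_ok "$RULES_FILE" || { echo "refusing to load bad rule set" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables-restore < "$RULES_FILE"
}

# Uncomment to install the rules when run as root:
# apply_rules
```

Run `apply_rules` from your rc.local or from an ip-up hook for ppp0 instead of re-running a flush-and-rebuild script; `iptables-restore` swaps the tables in one step, and `rules_ok` refuses a file that would lock you out of the box.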
 
Gabriel Orozco (Solution Architect) commented:
thorsteinn: any news?
0
 
Gabriel Orozco (Solution Architect) commented:
:-(
Why the 'B'?
I just wanted to know if this was your answer, or if you needed some tuning or something like that.
But a "B"?
0