[Firewall] Restart for firewall rules only

Shalom, Hai hai at ti.com
Mon Nov 1 15:20:45 CET 2010


Here's the complete output:

# arno-iptables-firewall restart
Arno's Iptables Firewall Script v1.9.2m
-------------------------------------------------------------------------------
Sanity checks passed...OK
Stopping (user) plugins...
Checking/probing IPv4 Iptables modules:
 Loaded kernel module ip_tables.
 Loaded kernel module nf_conntrack.
 Loaded kernel module nf_conntrack_ftp.
 Loaded kernel module xt_conntrack.
 Loaded kernel module xt_limit.
 Loaded kernel module xt_state.
 Loaded kernel module xt_multiport.
 Loaded kernel module iptable_filter.
 Loaded kernel module iptable_mangle.
 Loaded kernel module ipt_REJECT.
 Loaded kernel module ipt_LOG.
 Loaded kernel module xt_TCPMSS.
 Loaded kernel module xt_DSCP.
 Loaded kernel module nf_nat_ftp.
 Loaded kernel module iptable_nat.
 Loaded kernel module ipt_MASQUERADE.
 Module check done...
Setup kernel settings:
 Setting the max. amount of simultaneous connections to 16384
  net.ipv4.netfilter.ip_conntrack_max = 16384
 Setting default conntrack timeouts
  net.ipv4.conf.lo.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
  net.ipv4.conf.all.send_redirects = 0
 Enabling protection against source routed packets
  net.ipv4.conf.lo.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
 Enabling packet forwarding
  net.ipv4.ip_forward = 1
 Setting some kernel performance options
  net.ipv4.tcp_window_scaling = 1
  net.ipv4.tcp_timestamps = 1
  net.ipv4.tcp_sack = 1
  net.ipv4.tcp_dsack = 1
  net.ipv4.tcp_fack = 1
  net.ipv4.tcp_low_latency = 0
 Enabling reduction of the DoS'ing ability
  net.ipv4.tcp_fin_timeout = 30
  net.ipv4.tcp_keepalive_time = 1800
  net.ipv4.tcp_syn_retries = 3
  net.ipv4.tcp_synack_retries = 2
  net.ipv4.tcp_rfc1337 = 1
  net.ipv4.ip_local_port_range = 32768 61000
 Enabling anti-spoof with rp_filter
  net.ipv4.conf.lo.rp_filter = 1
  net.ipv4.conf.default.rp_filter = 1
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.icmp_echo_ignore_all = 0
 Enabling SYN-flood protection via SYN-cookies
  net.ipv4.tcp_syncookies = 1
 Disabling the logging of martians
  net.ipv4.conf.lo.log_martians = 0
  net.ipv4.conf.default.log_martians = 0
  net.ipv4.conf.all.log_martians = 0
 Disabling the acception of ICMP-redirect messages
  net.ipv4.conf.lo.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.all.accept_redirects = 0
 Setting default TTL=64
  net.ipv4.ip_default_ttl = 64
 Disabling ECN (Explicit Congestion Notification)
  net.ipv4.tcp_ecn = 0
 Enabling kernel support for dynamic IPs
  net.ipv4.ip_dynaddr = 1
  net.ipv4.ip_no_pmtu_disc = 0
 Flushing route table
  net.ipv4.route.flush = 1
 Kernel setup done...
Reinitializing firewall chains
NAT Table update all sessions flushed
NAT Table update all sessions flushed
NAT Table update all sessions flushed
NAT Table update all sessions flushed
NAT Table update all sessions flushed
 Setting all default policies to DROP while "setting up firewall rules"
IPv4 mode selected but IPv6 available, setting simple default policy for IPv6
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
NAT Table update all sessions flushed
Enabling mangling TOS
NAT Table update all sessions flushed
NAT Table update all sessions flushed
Logging of stealth scans (nmap probes etc.) disabled
Logging of packets with bad TCP-flags disabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets disabled
Logging of access from reserved addresses disabled
Setting up antispoof for INTERNAL net(s): 192.168.1.0/24
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/local/share/arno-iptables-firewall/plugins...None found
Setting up external(INET) INPUT policy
 Logging of ICMP flooding disabled
 Enabling support for DHCP-assigned-IP (DHCP client)
 Logging of explicitly blocked hosts disabled
 Logging of denied local output connections disabled
 Packets will NOT be checked for private source addresses
 Allowing ANYHOST for TCP port(s): 80
 Allowing ANYHOST for UDP port(s): 161
 Allowing ANYHOST to send ICMP-requests(ping)
 Logging of dropped ICMP-request(ping) packets disabled
 Logging of dropped other ICMP packets disabled
 Logging of possible stealth scans disabled
 Logging of (other) packets to PRIVILEGED TCP ports disabled
 Logging of (other) packets to PRIVILEGED UDP ports disabled
 Logging of (other) packets to UNPRIVILEGED TCP ports disabled
 Logging of (other) packets to UNPRIVILEGED UDP ports disabled
 Logging of IGMP packets disabled
 Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets disabled
Setting up external(INET) OUTPUT policy
Applying external(INET) policy to interface: erouter0 (without an external subnet specified)
Setting up internal(LAN) INPUT policy
 Allowing ICMP-requests(ping)
 Allowing all (other) ports/protocols
Applying internal(LAN) policy to interface: br0
Accepting ALL INPUT traffic from trusted interface(s): wan0 mta0 ip6tnl1
Accepting ALL FORWARD traffic for trusted interface(s): wan0 mta0 ip6tnl1
Setting up trust FORWARD policy for interface(s): wan0 mta0 ip6tnl1
Setting up internal(LAN) FORWARD policy
 Logging of denied LAN->INET FORWARD connections disabled
 Setting up LAN->INET policy
  Allowing ICMP-requests(ping)
  Allowing all (other) TCP ports
  Allowing all (other) UDP ports
  Allowing all (other) protocols
Applying internal(LAN) FORWARD policy to interface: br0
Enabling masquerading(NAT) via external interface(s): erouter0
 Adding (internal) host(s): 192.168.1.0/24 NAT Table update all sessions flushed

Security is ENFORCED for external interface(s) in the FORWARD chain
NAT Table update all sessions flushed
NAT Table update all sessions flushed

Jan 01 04:02:34 All firewall rules applied. 

=====================================================================================

# iptables --version
iptables v1.4.7

=====================================================================================

# cat /proc/version
Linux version 2.6.18_pro500 (a0387511 at lxcpu1) (gcc version 4.2.0) #4 PREEMPT Thu Oct 28 10:34:14 IST 2010

Regards,
Hai Shalom.
 

-----Original Message-----
From: firewall-bounces at rocky.eld.leidenuniv.nl [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Lonnie Abelbeck
Sent: Monday, November 01, 2010 4:15 PM
To: Arno's IPTABLES firewall script
Subject: Re: [Firewall] Restart for firewall rules only

Hai Shalom,

Hmmm, I'm not seeing the "NAT Table update all sessions flushed" messages, and my sessions are maintained on a 'restart'.

Possibly send more details of your system, (kernel version, iptables version, distro, etc...)

Do you have any "custom-rules" defined?

Lonnie


On Nov 1, 2010, at 8:53 AM, Shalom, Hai wrote:

> Lonnie,
> 
> I am using 1.9.2m, and I see the following messages when I restart:
> 
> Reinitializing firewall chains
> NAT Table update all sessions flushed
> NAT Table update all sessions flushed
> NAT Table update all sessions flushed
> NAT Table update all sessions flushed
> NAT Table update all sessions flushed
> 
> 
> Regards,
> Hai Shalom.
> 
> 
> -----Original Message-----
> From: firewall-bounces at rocky.eld.leidenuniv.nl 
> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Lonnie 
> Abelbeck
> Sent: Monday, November 01, 2010 3:49 PM
> To: Arno's IPTABLES firewall script
> Subject: Re: [Firewall] Restart for firewall rules only
> 
> 
> On Nov 1, 2010, at 6:20 AM, Shalom, Hai wrote:
> 
>> Hello,
>> 
>> I use the arno script in my system to configure NAT and firewall rules.
>> When I want to add a new firewall rule, I need to run the firewall script with restart parameter.
>> However, in this case, it flushes all NAT sessions.. :-(
>> 
>> Is it possible to restart it without flushing the NAT sessions?
> 
> What version of AIF are you using?
> 
> $ arno-iptables-firewall restart
> 
> should maintain all pre-existing conntrack sessions.
> 
> Lonnie
> 
> 
>> 
>> Thanks!
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
> 
> 
> 

_______________________________________________
Firewall mailing list
Firewall at rocky.eld.leidenuniv.nl
http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
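The thread turns on whether `arno-iptables-firewall restart` keeps existing conntrack/NAT sessions (Lonnie sees them maintained, Hai sees "NAT Table update all sessions flushed"). The script below is an added example for measuring that on the box itself; it is not part of the original thread and not code from the AIF project. It snapshots the kernel's connection-tracking table before and after the restart and lists the NATed entries that disappeared. It assumes the table is readable as root at /proc/net/nf_conntrack or, on 2.6.18-era kernels, /proc/net/ip_conntrack; the entries in `sample_before`/`sample_after` are constructed for illustration, using 192.168.1.0/24 as the LAN from the output above and 203.0.113.5 as an assumed external address.

```shell
#!/bin/sh
# Added example (not AIF project code): does a firewall restart flush NAT sessions?
# Assumes the conntrack table is readable as root at /proc/net/nf_conntrack
# (newer kernels) or /proc/net/ip_conntrack (2.6.18-era kernels).

# Print one line per NATed conntrack entry read from the files given as
# arguments (or stdin). Both /proc layouts are handled: the first src=/dst=
# pair is the original tuple, the second is the reply tuple, and an entry is
# NATed when the reply tuple is not simply the original tuple reversed.
nat_sessions() {
  awk '{
    n_src = 0; n_dst = 0; n_sp = 0; n_dp = 0; proto = "?"
    for (i = 1; i <= NF; i++) {
      if ($i == "tcp" || $i == "udp" || $i == "icmp") proto = $i
      else if (index($i, "src=") == 1)   { n_src++; src[n_src] = substr($i, 5) }
      else if (index($i, "dst=") == 1)   { n_dst++; dst[n_dst] = substr($i, 5) }
      else if (index($i, "sport=") == 1) { n_sp++;  sp[n_sp]   = substr($i, 7) }
      else if (index($i, "dport=") == 1) { n_dp++;  dp[n_dp]   = substr($i, 7) }
    }
    if (n_src < 2 || n_dst < 2) next                                  # malformed line
    if (n_sp < 2 || n_dp < 2) { sp[1] = sp[2] = dp[1] = dp[2] = "-" } # e.g. ICMP
    if (src[1] != dst[2] || dst[1] != src[2] || sp[1] != dp[2] || dp[1] != sp[2])
      printf "%s %s:%s->%s:%s nat %s:%s->%s:%s\n", proto,
             src[1], sp[1], dst[1], dp[1], src[2], sp[2], dst[2], dp[2]
  }' "$@"
}

# Number of NATed entries in the given snapshot(s).
count_nat_sessions() { nat_sessions "$@" | wc -l | tr -d ' '; }

# NATed entries present in snapshot $1 (before) but absent from snapshot $2 (after).
lost_nat_sessions() {
  before=$(mktemp) || return 1
  after=$(mktemp) || return 1
  nat_sessions "$1" | sort > "$before"
  nat_sessions "$2" | sort > "$after"
  comm -23 "$before" "$after"
  rm -f "$before" "$after"
}

# Path of the live conntrack table, whichever this kernel exposes.
conntrack_table() {
  for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
    [ -r "$f" ] && { echo "$f"; return 0; }
  done
  return 1
}

# Constructed sample in the 2.6.18 /proc/net/ip_conntrack layout: two masqueraded
# LAN sessions (192.168.1.0/24 behind the assumed external address 203.0.113.5)
# and one direct connection to the router's own port 80, which is not NATed.
sample_before() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.0.2.10 sport=51234 dport=80 packets=12 bytes=1843 src=192.0.2.10 dst=203.0.113.5 sport=80 dport=51234 packets=10 bytes=9210 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.0.2.53 sport=40123 dport=53 packets=1 bytes=64 src=192.0.2.53 dst=203.0.113.5 sport=53 dport=40123 packets=1 bytes=120 mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=40000 dport=80 packets=3 bytes=300 src=203.0.113.5 dst=198.51.100.7 sport=80 dport=40000 packets=2 bytes=400 [ASSURED] mark=0 use=1
EOF
}

# Constructed sample in the newer /proc/net/nf_conntrack layout, as after a restart
# that flushed the table: the direct connection survives, the two masqueraded
# sessions are gone, and a fresh NATed session has just started.
sample_after() {
cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=40000 dport=80 src=203.0.113.5 dst=198.51.100.7 sport=80 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=192.0.2.10 sport=51240 dport=443 [UNREPLIED] src=192.0.2.10 dst=203.0.113.5 sport=443 dport=51240 mark=0 use=1
EOF
}

# Live check (run as root on the firewall): snapshot, restart with the same
# command used in the thread, snapshot again, report what was lost.
if [ "${1:-}" = "live" ]; then
  table=$(conntrack_table) || { echo "no conntrack table found" >&2; exit 1; }
  b=$(mktemp); a=$(mktemp)
  cat "$table" > "$b"
  arno-iptables-firewall restart > /dev/null
  cat "$table" > "$a"
  echo "NATed sessions before: $(count_nat_sessions "$b"), after: $(count_nat_sessions "$a")"
  echo "lost across restart:"; lost_nat_sessions "$b" "$a"
  rm -f "$b" "$a"
fi
```

Run it as `sh check_nat_restart.sh live` on the firewall while a few LAN sessions are open (a long download is easiest to see). Any entry printed under "lost across restart" was dropped by the restart; an empty list with the same before/after counts is the behaviour Lonnie describes. Only NATed entries are compared, because those are the sessions whose loss is visible to LAN hosts; connections to the router itself are left out of the diff.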


More information about the Firewall mailing list