
Re: [opensuse-security] Custom iptables command doesn't work as expected



Hans-Peter Jansen wrote:
> I try to use an iptables command in conjunction with SuSEfirewall2
> (version 3.6.295 on openSUSE 12.2, kernel-desktop-3.4.47-2.38.1.x86_64).
>
> Using it standalone, it works as expected:
>
> SuSEfirewall2 stop
> iptables -t nat -A OUTPUT -p tcp --dport 1935 -m owner \! --uid-owner root -j REDIRECT
[...]
> If this iptables command is integrated in
>
> /etc/sysconfig/scripts/SuSEfirewall2-custom
>
> it doesn't work anymore: rtmpsuck doesn't detect any streams.

Your problem is probably not related to OUTPUT but to INPUT. Check
"SuSEfirewall2 status" before and after running your program. Compare the
packet counters. The packets in question might have been dropped so
some drop rule should have increased its counter.

> SuSEfirewall2 non-default settings (LAN-client):
> FW_DEV_INT="eth0 eth1"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_PROTECT_FROM_INT="no"
> FW_KERNEL_SECURITY="no"
> FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
>
> The yes and no settings are an attempt to fix the issue in question.

If eth0 and eth1 are your only interfaces, a firewall config like the
above one doesn't make much sense really. Just switch it off to avoid
all the problems.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
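
Added example (not part of the original message and not SuSEfirewall2 code): the before/after packet-counter comparison suggested above, done on `iptables-save -c` snapshots instead of `SuSEfirewall2 status` output because that format is easier to parse. The function name and the two sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: list rules whose packet counter grew between two
# `iptables-save -c` snapshots (one taken before, one after the test run).
# Note: byte-identical duplicate rules in one table share a single entry.

# counter_deltas BEFORE_TEXT AFTER_TEXT -> lines of "<delta> <table> <rule>"
counter_deltas() {
    { printf '%s\n' "$1"; echo '=== AFTER ==='; printf '%s\n' "$2"; } | awk '
        function note(key, pk) {
            gsub(/^\[|:.*$/, "", pk)              # "[5:300]" -> "5" (packets)
            if (!after) base[key] = pk + 0        # first snapshot: remember
            else if (pk + 0 > base[key] + 0)      # second snapshot: report growth
                print pk - base[key], key
        }
        /^=== AFTER ===$/ { after = 1; next }     # separator between snapshots
        /^\*/ { table = substr($0, 2); next }     # table header: "*nat", "*filter"
        /^:/  { note(table " policy " substr($1, 2) " " $2, $3); next }
        /^\[/ { rule = $0; sub(/^[^ ]+ /, "", rule); note(table " " rule, $1) }
    '
}

# Constructed sample snapshots (not output from the poster's system).
sample_before() { cat <<'EOF'
*nat
:OUTPUT ACCEPT [10:600]
[0:0] -A OUTPUT -p tcp -m tcp --dport 1935 -m owner ! --uid-owner 0 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0:0]
[40:3200] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2:120] -A INPUT -j DROP
COMMIT
EOF
}
sample_after() { cat <<'EOF'
*nat
:OUTPUT ACCEPT [10:600]
[3:180] -A OUTPUT -p tcp -m tcp --dport 1935 -m owner ! --uid-owner 0 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0:0]
[40:3200] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[5:300] -A INPUT -j DROP
COMMIT
EOF
}

# Live use (as root): before=$(iptables-save -c); run the program; then
#   counter_deltas "$before" "$(iptables-save -c)"
counter_deltas "$(sample_before)" "$(sample_after)"
```

In the constructed data the REDIRECT rule and the INPUT drop rule both gain three packets, which is the pattern to look for: the redirect matches, but the redirected packets are then dropped on input.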