Having network/kernel issues...

2020-02-24T07:28:39.907745-05:00 hendrix kernel: [221719.560045] nf_conntrack: nf_conntrack: table full, dropping packet
2020-02-24T07:28:40.075270-05:00 hendrix kernel: [221719.727560] nf_conntrack: nf_conntrack: table full, dropping packet
2020-02-24T07:28:40.109000-05:00 hendrix kernel: [221719.761278] nf_conntrack: nf_conntrack: table full, dropping packet

On Sles 12sp4 boxes the network drops for the box in question, and we get these errors in the messages log.
On Sles 12sp5 boxes the machine becomes totally unresponsive, and we don't get these errors in the messages log.

Found the following online:
https://access.redhat.com/solutions/8721
https://www.pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/

Wondering if anyone else has seen this?

My current attempts to mitigate are to put the following in /etc/init.d/after.local
echo 131072 > /proc/sys/net/netfilter/nf_conntrack_max

# actual file to track not set
#echo 131072 > /proc/sys/net/netfilter/nf_conntrack_count

echo 32768 > /sys/module/nf_conntrack/parameters/hashsize

echo 120 > /proc/sys/net/netfilter/nf_conntrack_generic_timeout

echo 54000 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

Any suggestions?
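Added example (not part of the original post or of any SUSE tooling): it parses the three kernel log lines quoted above, counts drop messages per second, and rates table pressure from nf_conntrack_count, nf_conntrack_max and hashsize. The /proc and /sys paths are the ones used in the post; the 0.8 warning threshold is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the kernel lines quoted in the post: "<ISO timestamp> <host> kernel: [<uptime>] nf_conntrack: ..."
DROP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+kernel:\s+\[\s*[\d.]+\]\s+"
    r"nf_conntrack: nf_conntrack: table full, dropping packet$"
)

# Where the live values come from on the box. nf_conntrack_count is read-only,
# which is why writing to it (the commented-out after.local line) cannot work.
PROC_FILES = {
    "count": "/proc/sys/net/netfilter/nf_conntrack_count",
    "max": "/proc/sys/net/netfilter/nf_conntrack_max",
    "hashsize": "/sys/module/nf_conntrack/parameters/hashsize",
}

def parse_drops(log_text):
    """Return [(host, timestamp), ...] for every 'table full, dropping packet' line."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops.append((m.group("host"), datetime.fromisoformat(m.group("ts"))))
    return drops

def drops_per_second(drops):
    """Count drop messages per (host, second); a sustained rate means the table is pinned full."""
    return Counter((host, ts.replace(microsecond=0)) for host, ts in drops)

def assess(count, maximum, hashsize, warn_at=0.8):
    """Classify table pressure from the three values (live or captured earlier)."""
    if maximum <= 0 or hashsize <= 0:
        raise ValueError("nf_conntrack_max and hashsize must be positive")
    util = count / maximum
    if count >= maximum:
        status = "full"       # new flows are dropped: the kernel message in the post
    elif util >= warn_at:     # warn_at is an assumed threshold, not a kernel value
        status = "warning"
    else:
        status = "ok"
    return {
        "utilization": round(util, 3),
        "entries_per_bucket": maximum / hashsize,  # average hash-chain length at a full table
        "status": status,
    }

def read_live_values(files=PROC_FILES):
    """Read the live values; returns None if nf_conntrack is not loaded on this host."""
    try:
        return {k: int(open(p).read().strip()) for k, p in files.items()}
    except (OSError, ValueError):
        return None

# Constructed sample: the three lines from the post (same timestamps, host and message).
SAMPLE_LOG = """\
2020-02-24T07:28:39.907745-05:00 hendrix kernel: [221719.560045] nf_conntrack: nf_conntrack: table full, dropping packet
2020-02-24T07:28:40.075270-05:00 hendrix kernel: [221719.727560] nf_conntrack: nf_conntrack: table full, dropping packet
2020-02-24T07:28:40.109000-05:00 hendrix kernel: [221719.761278] nf_conntrack: nf_conntrack: table full, dropping packet
"""

if __name__ == "__main__":
    for (host, second), n in sorted(drops_per_second(parse_drops(SAMPLE_LOG)).items()):
        print(f"{host} {second.isoformat()}: {n} drop message(s)")
    live = read_live_values()
    print(assess(live["count"], live["max"], live["hashsize"]) if live
          else "nf_conntrack not loaded; nothing to assess")
```

With the values from the post (max 131072, hashsize 32768) the average chain length at a full table is 4 entries per bucket.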

Comments

  • Andreas Senior Member
    Something is misconfigured in your network. Check with:
    # su
    # zypper install conntrack-tools
    # conntrack -L conntrack -o extend
    
  • skunkboy Established Member
    There does not appear to be a standard package conntrack-tools for sp4 or sp5 Sles12; it is only available as a third party package from https://software.opensuse.org/download.html?project=security%3Anetfilter&package=conntrack-tools ?

    Thanks,
    Matt
  • Andreas Senior Member
    According to SCC (Suse Customer Center https://scc.suse.com/login => Packages) conntrack-tools is available in "SUSE Linux Enterprise High Availability Extension" for SLES12.

    Check your firewall settings with:

    Netfilter/iptables works only with parameter "ctstate" from module ConnTrack as a Stateful firewall (with SPI => Stateful packet inspection).
    https://en.wikipedia.org/wiki/Stateful_firewall

    # man iptables-extensions

    # man iptables

    https://people.netfilter.org/pablo/docs/login.pdf

    https://wiki.archlinux.org/index.php/Simple_stateful_firewall

    https://home.regit.org/netfilter-en/secure-use-of-helpers/
    # su
    # iptables -L -n -v -t filter|grep -i ACCEPT
    # ip6tables -L -n -v -t filter|grep -i ACCEPT
    
    => Each ACCEPT line must have a "ctstate NEW" (for new connections) or "ctstate RELATED,ESTABLISHED" entry (for established connections).
    => Each ACCEPT line should have a very strict ip address range for source and destination (=> iptables parameters "-s" (--source) and "-d" (destination))
    => Each ACCEPT line should have a very strict network interface selection for source and destination (=> iptables parameters "-i" (--in-interface) and "-o" (out-interface))

    The policy for each built-in chain in table filter must be set to "DROP":
    # iptables -L INPUT -t filter|grep -i policy
    # iptables -L OUTPUT -t filter|grep -i policy
    # iptables -L FORWARD -t filter|grep -i policy
    

    Activate strict Stateful packet inspection, disable icmp redirects and enable Spoof protection (example for SLED15SP1):
    https://wiki.archlinux.org/index.php/Sysctl#TCP/IP_stack_hardening

    https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

    https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

    http://conntrack-tools.netfilter.org/manual.html

    https://wiki.archlinux.org/index.php/Simple_stateful_firewall

    https://documentation.suse.com/
    => SLES Hardening Guide => chapter 2.9 "Security Features in the Kernel"

    /etc/sysctl.conf
    net.netfilter.nf_conntrack_tcp_loose = 0
    
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.lo.secure_redirects = 0
    net.ipv4.conf.lo.send_redirects = 0
    
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv6.conf.default.accept_redirects = 0
    net.ipv6.conf.lo.accept_redirects = 0
    
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.lo.accept_source_route = 0
    
    net.ipv6.conf.all.accept_source_route = 0
    net.ipv6.conf.default.accept_source_route = 0
    
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1
    

    Check these new sysctl settings with sysctl after reboot:
    # su
    # sysctl -ar 'conntrack_tcp_loose'
    # sysctl -ar 'redirects'
    # sysctl -ar 'source_route'
    # sysctl -ar 'rp_filter'
    

    Check Spoof protection for IPv6:
    # ip6tables -L PREROUTING -v -n -t raw |grep -i DROP
        0     0 DROP       all      *      *       ::/0                 ::/0                 rpfilter invert
    

    https://wiki.archlinux.org/index.php/Simple_stateful_firewall

    # man iptables-extensions

    In case of SYN flood (denial-of-service attack) you should use SYNPROXY:

    https://en.wikipedia.org/wiki/SYN_flood

    https://www.redhat.com/en/blog/mitigate-tcp-syn-flood-attacks-red-hat-enterprise-linux-7-beta

    https://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf

    # man iptables-extensions
  • Andreas Senior Member
    Firewall rulesets from firewalld, SuSEfirewall2 or ufw are not strict enough. Here is a simple solution for firewall ruleset "tuning". Example for SLED15 SP1 with firewalld and Netfilter/iptables:

    /usr/local/sbin/firewallFineTuning.sh
    #!/bin/bash
    ########################################################
    # /usr/local/sbin/firewallFineTuning.sh                #
    # Andreas Meyer, 29.02.2020                            #
    #                                                      #
    # Correct firewall settings                            #
    #                                                      #
    ########################################################
    
    echo "Firewall-Einstellungen korrigieren..."
    
    # Enable spoof protection for IPv4 => because of NetworkManager < v1.14.6
    /usr/sbin/iptables -w 20 -t raw -A PREROUTING -m rpfilter --invert -j DROP
    
    # Remove ICMPv6 rules
    /usr/sbin/ip6tables -w 20 -t raw -D PREROUTING -p icmpv6 --icmpv6-type 135 -j ACCEPT
    /usr/sbin/ip6tables -w 20 -t raw -D PREROUTING -p icmpv6 --icmpv6-type 134 -j ACCEPT
    
    # Prepare permitted outbound services for IPv4
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    
    # Prepare permitted outbound services for IPv6
    /usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    /usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    
    # Remove lax IPv4 loopback rules
    /usr/sbin/iptables -w 20 -t filter -D INPUT -i lo -j ACCEPT
    /usr/sbin/iptables -w 20 -t filter -D FORWARD -i lo -j ACCEPT
    
    # Apply stricter IPv4 loopback rules
    /usr/sbin/iptables -w 20 -t filter -A INPUT -i lo -p tcp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
    /usr/sbin/iptables -w 20 -t filter -A INPUT -i lo -p udp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
    
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o lo -p tcp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o lo -p udp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
    
    # Remove lax IPv6 loopback rules
    /usr/sbin/ip6tables -w 20 -t filter -D INPUT -i lo -j ACCEPT
    /usr/sbin/ip6tables -w 20 -t filter -D FORWARD -i lo -j ACCEPT
    
    # Apply stricter IPv6 loopback rules
    /usr/sbin/ip6tables -w 20 -t filter -A INPUT -i lo -p tcp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT
    /usr/sbin/ip6tables -w 20 -t filter -A INPUT -i lo -p udp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT
    
    /usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -o lo -p tcp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT
    /usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -o lo -p udp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT
    
    # Permitted outbound services
    
    # DNS (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=53 -m conntrack --ctstate NEW -j ACCEPT
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p udp --dport=53 -m conntrack --ctstate NEW -j ACCEPT
    
    # DHCP (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p udp --dport=67 -m conntrack --ctstate NEW -j ACCEPT
    
    # NTP (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p udp --dport=123 -m conntrack --ctstate NEW -j ACCEPT
    
    # ICMP Echo (Ping) (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
    
    # HTTP (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=80 -m conntrack --ctstate NEW -j ACCEPT
    
    # HTTPS (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=443 -m conntrack --ctstate NEW -j ACCEPT
    
    # POP3S (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=995 -m conntrack --ctstate NEW -j ACCEPT
    
    # SMTPS (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=465 -m conntrack --ctstate NEW -j ACCEPT
    
    # SSH (outbound)
    /usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=22 -m conntrack --ctstate NEW -j ACCEPT
    
    # Adjust the policies of the IPv4 default chains
    /usr/sbin/iptables -w 20 -t filter --policy INPUT DROP
    /usr/sbin/iptables -w 20 -t filter --policy OUTPUT DROP
    /usr/sbin/iptables -w 20 -t filter --policy FORWARD DROP
    
    # Adjust the policies of the IPv6 default chains
    /usr/sbin/ip6tables -w 20 -t filter --policy INPUT DROP
    /usr/sbin/ip6tables -w 20 -t filter --policy OUTPUT DROP
    /usr/sbin/ip6tables -w 20 -t filter --policy FORWARD DROP
    
    # Remove DROP rules in IPv4
    /usr/sbin/iptables -w 20 -t filter -D IN_public -j DROP
    /usr/sbin/iptables -w 20 -t filter -D FWDI_public -j DROP
    /usr/sbin/iptables -w 20 -t filter -D FWDO_public -j DROP
    
    # Remove DROP rules in IPv6
    /usr/sbin/ip6tables -w 20 -t filter -D IN_public -j DROP
    /usr/sbin/ip6tables -w 20 -t filter -D FWDI_public -j DROP
    /usr/sbin/ip6tables -w 20 -t filter -D FWDO_public -j DROP
    
    # Remove REJECT rules in IPv4
    /usr/sbin/iptables -w 20 -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
    /usr/sbin/iptables -w 20 -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    
    # Remove REJECT rules in IPv6
    /usr/sbin/ip6tables -w 20 -t filter -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
    /usr/sbin/ip6tables -w 20 -t filter -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
    
    # Enable strict packet checks in the SPI firewall
    /usr/sbin/sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    

    /etc/systemd/system/firewallFineTuning.service
    [Unit]
    Description=firewallFineTuning
    
    [Service]
    Type=oneshot
    ExecStart=/usr/local/sbin/firewallFineTuning.sh
    

    /etc/systemd/system/firewallFineTuning.timer
    [Unit]
    Description=firewallFineTuning.timer
    
    [Timer]
    OnStartupSec=1min
    AccuracySec=1s
    
    [Install]
    WantedBy=multi-user.target
    

    Set file permissions:
    # su
    # chmod u=rwx,g=,o= /usr/local/sbin/firewallFineTuning.sh
    # chmod u=rw,g=r,o=r /etc/systemd/system/firewallFineTuning.service
    # chmod u=rw,g=r,o=r /etc/systemd/system/firewallFineTuning.timer
    

    Enable this new systemd unit:
    # su
    # systemctl enable firewallFineTuning.timer
    # systemctl start firewallFineTuning.timer
    # systemctl status firewallFineTuning.timer
    # systemctl status firewallFineTuning.service
    

    Reboot and check the new systemd unit:
    # su
    # systemctl status firewallFineTuning.timer
    # systemctl status firewallFineTuning.service
    # iptables -t raw -L -n -v|more
    # ip6tables -t raw -L -n -v|more
    # iptables -t filter -L -n -v|more
    # ip6tables -t filter -L -n -v|more
    # sysctl net.netfilter.nf_conntrack_tcp_loose
    
  • Andreas Senior Member
    The simplest solution for a stricter firewall ruleset works with iptables-save and iptables-restore. Example for SLED15 SP1 and Netfilter/iptables:

    https://wiki.archlinux.org/index.php/Iptables

    # man iptables-save
    # man iptables-restore

    # Save your current firewall ruleset:
    # su
    # mkdir /etc/firewall
    # chmod g-rwx,o-rwx /etc/firewall
    # iptables-save -f /etc/firewall/firewall_rules_ipv4.txt
    # ip6tables-save -f /etc/firewall/firewall_rules_ipv6.txt
    # chmod u=rw,g=,o= /etc/firewall/firewall_rules_ipv4.txt
    # chmod u=rw,g=,o= /etc/firewall/firewall_rules_ipv6.txt
    

    Modify firewall_rules_ipv4.txt and firewall_rules_ipv6.txt in an editor so that the firewall rulesets fit your needs. For example:

    /etc/firewall/firewall_rules_ipv4.txt
    ################################################################################
    # /etc/firewall/firewall_rules_ipv4.txt                                        #
    #                                                                              #
    # Andreas Meyer, 07.03.2020                                                    #
    ################################################################################
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    #-------------------------------------------------------------------------------
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    #-------------------------------------------------------------------------------
    *raw
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -m rpfilter --invert -j DROP
    COMMIT
    #-------------------------------------------------------------------------------
    *security
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    #-------------------------------------------------------------------------------
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    COMMIT
    #-------------------------------------------------------------------------------
    

    /etc/firewall/firewall_rules_ipv6.txt
    ################################################################################
    # /etc/firewall/firewall_rules_ipv6.txt                                        #
    #                                                                              #
    # Andreas Meyer, 07.03.2020                                                    #
    ################################################################################
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    #-------------------------------------------------------------------------------
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    #-------------------------------------------------------------------------------
    *raw
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -m rpfilter --invert -j DROP
    COMMIT
    #-------------------------------------------------------------------------------
    *security
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    #-------------------------------------------------------------------------------
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -s ::1/128 -d ::1/128 -i lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -s ::1/128 -d ::1/128 -i lo -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    -A OUTPUT -s ::1/128 -d ::1/128 -o lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A OUTPUT -s ::1/128 -d ::1/128 -o lo -p udp -m conntrack --ctstate NEW -j ACCEPT
    COMMIT
    #-------------------------------------------------------------------------------
    

    Uninstall firewalld
    # su
    # systemctl stop firewalld.service
    # systemctl disable firewalld.service
    # zypper remove firewalld
    

    /usr/local/sbin/firewallStart.sh
    #!/bin/bash
    ########################################################
    # /usr/local/sbin/firewallStart.sh                     #
    # Andreas Meyer, 07.03.2020                            #
    #                                                      #
    # Start firewall                                       #
    #                                                      #
    ########################################################
    
    echo "Alle vorhandenen Firewall-Regeln löschen..."
    
    # Delete all existing firewall rules (IPv4)
    /usr/sbin/iptables -w 20 -t filter -F
    /usr/sbin/iptables -w 20 -t filter -X
    /usr/sbin/iptables -w 20 -t nat -F
    /usr/sbin/iptables -w 20 -t nat -X
    /usr/sbin/iptables -w 20 -t mangle -F
    /usr/sbin/iptables -w 20 -t mangle -X
    /usr/sbin/iptables -w 20 -t raw -F
    /usr/sbin/iptables -w 20 -t raw -X
    /usr/sbin/iptables -w 20 -t security -F
    /usr/sbin/iptables -w 20 -t security -X
    
    # Delete all existing firewall rules (IPv6)
    /usr/sbin/ip6tables -w 20 -t filter -F
    /usr/sbin/ip6tables -w 20 -t filter -X
    /usr/sbin/ip6tables -w 20 -t nat -F
    /usr/sbin/ip6tables -w 20 -t nat -X
    /usr/sbin/ip6tables -w 20 -t mangle -F
    /usr/sbin/ip6tables -w 20 -t mangle -X
    /usr/sbin/ip6tables -w 20 -t raw -F
    /usr/sbin/ip6tables -w 20 -t raw -X
    /usr/sbin/ip6tables -w 20 -t security -F
    /usr/sbin/ip6tables -w 20 -t security -X
    
    # Adjust the policies of the IPv4 default chains
    /usr/sbin/iptables -w 20 -t filter --policy INPUT DROP
    /usr/sbin/iptables -w 20 -t filter --policy OUTPUT DROP
    /usr/sbin/iptables -w 20 -t filter --policy FORWARD DROP
    
    # Adjust the policies of the IPv6 default chains
    /usr/sbin/ip6tables -w 20 -t filter --policy INPUT DROP
    /usr/sbin/ip6tables -w 20 -t filter --policy OUTPUT DROP
    /usr/sbin/ip6tables -w 20 -t filter --policy FORWARD DROP
    
    echo "Strikte Paketkontrollen in der SPI-Firewall aktivieren..."
    
    # Enable strict packet checks in the SPI firewall
    /usr/sbin/sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    
    echo "Neue Firewall-Regeln einlesen und setzen..."
    
    # Read and apply firewall rules (IPv4)
    /usr/sbin/iptables-restore -w 20 /etc/firewall/firewall_rules_ipv4.txt
    
    # Read and apply firewall rules (IPv6)
    /usr/sbin/ip6tables-restore -w 20 /etc/firewall/firewall_rules_ipv6.txt
    

    /etc/systemd/system/firewallStart.service
    [Unit]
    Description=firewallStart
    Before=network-pre.target
    Wants=network-pre.target
    Conflicts=iptables.service ip6tables.service firewalld.service ufw.service
    
    [Service]
    Type=oneshot
    ExecStart=/usr/local/sbin/firewallStart.sh
    RemainAfterExit=yes
    
    [Install]
    WantedBy=multi-user.target
    

    Set file permissions:
    # su
    # chmod u=rwx,g=,o= /usr/local/sbin/firewallStart.sh
    # chmod u=rw,g=r,o=r /etc/systemd/system/firewallStart.service
    

    Enable this new systemd unit:
    # su
    # systemctl enable firewallStart.service
    # systemctl start firewallStart.service
    # systemctl status firewallStart.service
    

    Reboot and check the new systemd unit:
    # su
    # systemctl status firewallStart.service
    # iptables -t raw -L -n -v|more
    # ip6tables -t raw -L -n -v|more
    # iptables -t filter -L -n -v|more
    # ip6tables -t filter -L -n -v|more
    # sysctl net.netfilter.nf_conntrack_tcp_loose
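
Added example (not from the thread or from SUSE): an audit of an iptables-save ruleset against the checklist in the earlier comment (DROP policies on the built-in filter chains, a ctstate on every ACCEPT, -s/-d and -i/-o restrictions). It assumes the address and interface checks apply to ctstate NEW rules only, since the RELATED,ESTABLISHED catch-all lines in the rulesets above carry no such restriction; the sample ruleset is constructed.

```python
import shlex

def parse_iptables_save(text):
    """Parse iptables-save / iptables-restore text into per-table policies and rules."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments
        if line.startswith("*"):           # "*filter" opens a table
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is not None and line.startswith(":"):   # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif current is not None and line.startswith("-A"):  # "-A CHAIN ... -j TARGET"
            current["rules"].append(shlex.split(line))
    return tables

def _opt(tokens, *names):
    """Value following the first of the given option names, or None when absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def audit_filter_table(text):
    """Return (errors, warnings): 'must' items of the checklist are errors, 'should' items warnings."""
    errors, warnings = [], []
    flt = parse_iptables_save(text).get("filter")
    if flt is None:
        return ["no *filter table in ruleset"], warnings
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        policy = flt["policies"].get(chain)
        if policy != "DROP":
            errors.append(f"{chain} policy is {policy}, must be DROP")
    for tokens in flt["rules"]:
        if _opt(tokens, "-j", "--jump") != "ACCEPT":
            continue                       # only ACCEPT rules open holes
        rule = " ".join(tokens)
        state = _opt(tokens, "--ctstate")
        if state is None:
            errors.append(f"stateless ACCEPT (no ctstate): {rule}")
            continue
        if "NEW" in state.split(","):      # assumption: scope checks apply to NEW rules
            if not (_opt(tokens, "-s", "--source") and _opt(tokens, "-d", "--destination")):
                warnings.append(f"NEW rule without -s/-d restriction: {rule}")
            if not (_opt(tokens, "-i", "--in-interface") or _opt(tokens, "-o", "--out-interface")):
                warnings.append(f"NEW rule without -i/-o restriction: {rule}")
    return errors, warnings

# Constructed sample: a permissive ruleset of the kind the checklist is meant to catch.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for kind, items in zip(("ERROR", "WARN"), audit_filter_table(WEAK_RULESET)):
        for item in items:
            print(f"{kind}: {item}")
```

To audit a live box, feed it the output of iptables-save, for example `audit_filter_table(open("/etc/firewall/firewall_rules_ipv4.txt").read())` after saving the ruleset as shown above.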
    