Having network/kernel issues...

2020-02-24T07:28:39.907745-05:00 hendrix kernel: [221719.560045] nf_conntrack: nf_conntrack: table full, dropping packet
2020-02-24T07:28:40.075270-05:00 hendrix kernel: [221719.727560] nf_conntrack: nf_conntrack: table full, dropping packet
2020-02-24T07:28:40.109000-05:00 hendrix kernel: [221719.761278] nf_conntrack: nf_conntrack: table full, dropping packet

On SLES 12 SP4 boxes the network drops for the box in question, and we get these errors in the messages log.
On SLES 12 SP5 boxes the machine becomes totally unresponsive, and we don't get these errors in the messages log.

Found the following online:
https://access.redhat.com/solutions/8721
https://www.pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/

Wondering if anyone else has seen this?

My current attempts to mitigate are to put the following in /etc/init.d/after.local:

[CODE]echo 131072 > /proc/sys/net/netfilter/nf_conntrack_max

# actual file to track not set
#echo 131072 > /proc/sys/net/netfilter/nf_conntrack_count

echo 32768 > /sys/module/nf_conntrack/parameters/hashsize

echo 120 > /proc/sys/net/netfilter/nf_conntrack_generic_timeout

echo 54000 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established[/CODE]

Any suggestions?

Something is misconfigured in your network. Check with:

[CODE]# su

zypper install conntrack-tools

conntrack -L conntrack -o extended[/CODE]
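As an added example (not part of either post above), a Python helper that does what the two posts describe by hand: it parses `conntrack -L -o extended` output and groups it by protocol, state and source to show what is filling the table, and it checks `nf_conntrack_count` against `nf_conntrack_max` and `hashsize` as set in the first post's after.local. The sample lines are constructed, and the 90% alert threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the 'conntrack -L -o extended' layout (not output from
# the poster's hosts): one established TCP flow and three unreplied UDP lookups
# from a single client, the pattern that fills a table when nothing answers.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=10.1.1.20 sport=51234 dport=443 src=10.1.1.20 dst=10.1.1.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.1.1.77 dst=10.1.1.20 sport=40001 dport=53 [UNREPLIED] src=10.1.1.20 dst=10.1.1.77 sport=53 dport=40001 mark=0 use=1
ipv4     2 udp      17 29 src=10.1.1.77 dst=10.1.1.20 sport=40002 dport=53 [UNREPLIED] src=10.1.1.20 dst=10.1.1.77 sport=53 dport=40002 mark=0 use=1
ipv4     2 udp      17 29 src=10.1.1.77 dst=10.1.1.20 sport=40003 dport=53 [UNREPLIED] src=10.1.1.20 dst=10.1.1.77 sport=53 dport=40003 mark=0 use=1
"""

# l3 family, l3 number, l4 proto, l4 number, timeout, optional TCP state, then
# the original-direction tuple; the reply tuple and flags land in 'rest'.
LINE_RE = re.compile(
    r"^(?P<l3>ipv[46])\s+\d+\s+(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+"
    r"(?P<state>[A-Z_]+\s+)?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"(?:\s+sport=\d+\s+dport=(?P<dport>\d+))?(?P<rest>.*)$")

def parse_entries(text):
    """Parse 'conntrack -o extended' lines into dicts; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["state"] = (e["state"] or "").strip() or "-"   # UDP/ICMP carry no state
        e["ttl"] = int(e["ttl"])
        e["unreplied"] = "[UNREPLIED]" in e["rest"]
        entries.append(e)
    return entries

def summarize(entries, top=3):
    """Group by (proto, state) and by source to show what is filling the table."""
    return {
        "total": len(entries),
        "by_proto_state": Counter((e["proto"], e["state"]) for e in entries),
        "top_src": Counter(e["src"] for e in entries).most_common(top),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
    }

def table_usage(count, maximum, hashsize, warn_pct=90.0):
    """Table utilisation plus a hashsize check: nf_conntrack_max defaults to
    4 * buckets (nf_conntrack-sysctl.txt). warn_pct is an assumed threshold."""
    pct = 100.0 * count / maximum
    return {"pct": round(pct, 1), "saturated": pct >= warn_pct,
            "hash_ok": hashsize * 4 >= maximum}

def read_live_usage(base="/proc/sys/net/netfilter/"):
    """Read the live counters on a Linux host; None where they are absent."""
    try:
        vals = [int(open(base + n).read()) for n in
                ("nf_conntrack_count", "nf_conntrack_max")]
        hashsize = int(open("/sys/module/nf_conntrack/parameters/hashsize").read())
    except (OSError, ValueError):
        return None
    return table_usage(vals[0], vals[1], hashsize)
```

Run `summarize(parse_entries(open("dump.txt").read()))` on a saved `conntrack -L -o extended` dump; a single source or a large share of `[UNREPLIED]` entries points at the consumer.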

There does not appear to be a standard conntrack-tools package for SLES 12 SP4 or SP5; it is only available as a third-party package from https://software.opensuse.org/download.html?project=security%3Anetfilter&package=conntrack-tools ?

Thanks,
Matt

According to SCC (SUSE Customer Center https://scc.suse.com/login => Packages) conntrack-tools is available in “SUSE Linux Enterprise High Availability Extension” for SLES12.

Check your firewall settings with:

Netfilter/iptables works as a stateful firewall (with SPI => stateful packet inspection) only with the parameter “ctstate” from the conntrack module.
https://en.wikipedia.org/wiki/Stateful_firewall

man iptables-extensions

man iptables

https://people.netfilter.org/pablo/docs/login.pdf

https://wiki.archlinux.org/index.php/Simple_stateful_firewall

https://home.regit.org/netfilter-en/secure-use-of-helpers/

[CODE]# su

iptables -L -n -v -t filter|grep -i ACCEPT

ip6tables -L -n -v -t filter|grep -i ACCEPT[/CODE]

=> Each ACCEPT line must have a “ctstate NEW” (for new connections) or “ctstate RELATED,ESTABLISHED” (for established connections) entry.
=> Each ACCEPT line should have a very strict IP address range for source and destination (=> iptables parameters “-s” (--source) and “-d” (--destination)).
=> Each ACCEPT line should have a very strict network interface selection for source and destination (=> iptables parameters “-i” (--in-interface) and “-o” (--out-interface)).

The policy for each built-in chain in table filter must be set to “DROP”:

[CODE]# iptables -L INPUT -t filter|grep -i policy

iptables -L OUTPUT -t filter|grep -i policy

iptables -L FORWARD -t filter|grep -i policy[/CODE]

Activate strict Stateful packet inspection, disable icmp redirects and enable Spoof protection (example for SLED15SP1):
https://wiki.archlinux.org/index.php/Sysctl#TCP/IP_stack_hardening

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

http://conntrack-tools.netfilter.org/manual.html

https://wiki.archlinux.org/index.php/Simple_stateful_firewall

https://documentation.suse.com/
=> SLES Hardening Guide => chapter 2.9 “Security Features in the Kernel”

/etc/sysctl.conf

[CODE]
net.netfilter.nf_conntrack_tcp_loose = 0

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.secure_redirects = 0
net.ipv4.conf.lo.send_redirects = 0

net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.lo.accept_redirects = 0

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0

net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1[/CODE]

Check these new sysctl settings with sysctl after reboot:

[CODE]# su

sysctl -ar 'conntrack_tcp_loose'

sysctl -ar 'redirects'

sysctl -ar 'source_route'

sysctl -ar 'rp_filter'[/CODE]

Check Spoof protection for IPv6:

[CODE]# ip6tables -L PREROUTING -v -n -t raw |grep -i DROP
    0     0 DROP       all      *      *       ::/0                 ::/0                 rpfilter invert[/CODE]

https://wiki.archlinux.org/index.php/Simple_stateful_firewall

man iptables-extensions

In case of SYN flood (denial-of-service attack) you should use SYNPROXY:

https://en.wikipedia.org/wiki/SYN_flood

https://www.redhat.com/en/blog/mitigate-tcp-syn-flood-attacks-red-hat-enterprise-linux-7-beta

https://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf

man iptables-extensions

Firewall rulesets from firewalld, SuSEfirewall2 or ufw are not strict enough. Here is a simple solution for firewall ruleset “tuning”. Example for SLED15 SP1 with firewalld and Netfilter/iptables:

/usr/local/sbin/firewallFineTuning.sh

[CODE]#!/bin/bash
########################################################
#
# /usr/local/sbin/firewallFineTuning.sh
#
# Andreas Meyer, 29.02.2020
#
# Correct firewall settings
#
########################################################

echo "Firewall-Einstellungen korrigieren…"

# Enable spoof protection for IPv4 => because of NetworkManager < v1.14.6
/usr/sbin/iptables -w 20 -t raw -A PREROUTING -m rpfilter --invert -j DROP

# Remove ICMPv6 rules
/usr/sbin/ip6tables -w 20 -t raw -D PREROUTING -p icmpv6 --icmpv6-type 135 -j ACCEPT
/usr/sbin/ip6tables -w 20 -t raw -D PREROUTING -p icmpv6 --icmpv6-type 134 -j ACCEPT

# Prepare allowed outgoing services for IPv4
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Prepare allowed outgoing services for IPv6
/usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Remove lax IPv4 loopback rules
/usr/sbin/iptables -w 20 -t filter -D INPUT -i lo -j ACCEPT
/usr/sbin/iptables -w 20 -t filter -D FORWARD -i lo -j ACCEPT

# Apply stricter IPv4 loopback rules
/usr/sbin/iptables -w 20 -t filter -A INPUT -i lo -p tcp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
/usr/sbin/iptables -w 20 -t filter -A INPUT -i lo -p udp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT

/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o lo -p tcp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o lo -p udp -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT

# Remove lax IPv6 loopback rules
/usr/sbin/ip6tables -w 20 -t filter -D INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -w 20 -t filter -D FORWARD -i lo -j ACCEPT

# Apply stricter IPv6 loopback rules
/usr/sbin/ip6tables -w 20 -t filter -A INPUT -i lo -p tcp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT
/usr/sbin/ip6tables -w 20 -t filter -A INPUT -i lo -p udp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT

/usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -o lo -p tcp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT
/usr/sbin/ip6tables -w 20 -t filter -A OUTPUT -o lo -p udp -s ::1/128 -d ::1/128 -m conntrack --ctstate NEW -j ACCEPT

# Allowed outgoing services

# DNS (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=53 -m conntrack --ctstate NEW -j ACCEPT
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p udp --dport=53 -m conntrack --ctstate NEW -j ACCEPT

# DHCP (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p udp --dport=67 -m conntrack --ctstate NEW -j ACCEPT

# NTP (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p udp --dport=123 -m conntrack --ctstate NEW -j ACCEPT

# ICMP Echo (Ping) (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT

# HTTP (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=80 -m conntrack --ctstate NEW -j ACCEPT

# HTTPS (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=443 -m conntrack --ctstate NEW -j ACCEPT

# POP3S (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=995 -m conntrack --ctstate NEW -j ACCEPT

# SMTPS (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=465 -m conntrack --ctstate NEW -j ACCEPT

# SSH (outgoing)
/usr/sbin/iptables -w 20 -t filter -A OUTPUT -o eth0 -p tcp --dport=22 -m conntrack --ctstate NEW -j ACCEPT

# Adjust policies of the IPv4 default chains
/usr/sbin/iptables -w 20 -t filter --policy INPUT DROP
/usr/sbin/iptables -w 20 -t filter --policy OUTPUT DROP
/usr/sbin/iptables -w 20 -t filter --policy FORWARD DROP

# Adjust policies of the IPv6 default chains
/usr/sbin/ip6tables -w 20 -t filter --policy INPUT DROP
/usr/sbin/ip6tables -w 20 -t filter --policy OUTPUT DROP
/usr/sbin/ip6tables -w 20 -t filter --policy FORWARD DROP

# Remove DROP rules in IPv4
/usr/sbin/iptables -w 20 -t filter -D IN_public -j DROP
/usr/sbin/iptables -w 20 -t filter -D FWDI_public -j DROP
/usr/sbin/iptables -w 20 -t filter -D FWDO_public -j DROP

# Remove DROP rules in IPv6
/usr/sbin/ip6tables -w 20 -t filter -D IN_public -j DROP
/usr/sbin/ip6tables -w 20 -t filter -D FWDI_public -j DROP
/usr/sbin/ip6tables -w 20 -t filter -D FWDO_public -j DROP

# Remove REJECT rules in IPv4
/usr/sbin/iptables -w 20 -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
/usr/sbin/iptables -w 20 -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

# Remove REJECT rules in IPv6
/usr/sbin/ip6tables -w 20 -t filter -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
/usr/sbin/ip6tables -w 20 -t filter -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited

# Enable strict packet checks in the SPI firewall
/usr/sbin/sysctl -w net.netfilter.nf_conntrack_tcp_loose=0[/CODE]

/etc/systemd/system/firewallFineTuning.service

[CODE][Unit]
Description=firewallFineTuning

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/firewallFineTuning.sh[/CODE]

/etc/systemd/system/firewallFineTuning.timer

[CODE][Unit]
Description=firewallFineTuning.timer

[Timer]
OnStartupSec=1min
AccuracySec=1s

[Install]
WantedBy=multi-user.target[/CODE]

Set file permissions:

[CODE]# su

chmod u=rwx,g=,o= /usr/local/sbin/firewallFineTuning.sh

chmod u=rw,g=r,o=r /etc/systemd/system/firewallFineTuning.service

chmod u=rw,g=r,o=r /etc/systemd/system/firewallFineTuning.timer[/CODE]

Enable this new systemd unit:

[CODE]# su

systemctl enable firewallFineTuning.timer

systemctl start firewallFineTuning.timer

systemctl status firewallFineTuning.timer

systemctl status firewallFineTuning.service[/CODE]

Reboot and check the new systemd unit:

[CODE]# su

systemctl status firewallFineTuning.timer

systemctl status firewallFineTuning.service

iptables -t raw -L -n -v|more

ip6tables -t raw -L -n -v|more

iptables -t filter -L -n -v|more

ip6tables -t filter -L -n -v|more

sysctl net.netfilter.nf_conntrack_tcp_loose[/CODE]

The simplest solution for a stricter firewall ruleset works with iptables-save and iptables-restore. Example for SLED15 SP1 and Netfilter/iptables:

https://wiki.archlinux.org/index.php/Iptables

man iptables-save

man iptables-restore

Save your current firewall ruleset:

[CODE]# su

mkdir /etc/firewall

chmod g-rwx,o-rwx /etc/firewall

iptables-save -f /etc/firewall/firewall_rules_ipv4.txt

ip6tables-save -f /etc/firewall/firewall_rules_ipv6.txt

chmod u=rw,g=,o= /etc/firewall/firewall_rules_ipv4.txt

chmod u=rw,g=,o= /etc/firewall/firewall_rules_ipv6.txt[/CODE]

Modify firewall_rules_ipv4.txt and firewall_rules_ipv6.txt in an editor so that the firewall rulesets fit your needs. For example:

/etc/firewall/firewall_rules_ipv4.txt

[CODE]################################################################################
#
# /etc/firewall/firewall_rules_ipv4.txt
#
# Andreas Meyer, 07.03.2020
#
################################################################################
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#-------------------------------------------------------------------------------
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#-------------------------------------------------------------------------------
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
#-------------------------------------------------------------------------------
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
#-------------------------------------------------------------------------------
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -p udp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -p udp -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
#-------------------------------------------------------------------------------[/CODE]

/etc/firewall/firewall_rules_ipv6.txt

[CODE]################################################################################
#
# /etc/firewall/firewall_rules_ipv6.txt
#
# Andreas Meyer, 07.03.2020
#
################################################################################
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#-------------------------------------------------------------------------------
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#-------------------------------------------------------------------------------
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
#-------------------------------------------------------------------------------
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
#-------------------------------------------------------------------------------
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ::1/128 -d ::1/128 -i lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s ::1/128 -d ::1/128 -i lo -p udp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s ::1/128 -d ::1/128 -o lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -s ::1/128 -d ::1/128 -o lo -p udp -m conntrack --ctstate NEW -j ACCEPT
COMMIT
#-------------------------------------------------------------------------------[/CODE]

Uninstall firewalld:

[CODE]# su

systemctl stop firewalld.service

systemctl disable firewalld.service

zypper remove firewalld[/CODE]

/usr/local/sbin/firewallStart.sh

[CODE]#!/bin/bash
########################################################
#
# /usr/local/sbin/firewallStart.sh
#
# Andreas Meyer, 07.03.2020
#
# Start firewall
#
########################################################

echo "Alle vorhandenen Firewall-Regeln löschen…"

# Delete all existing firewall rules (IPv4)
/usr/sbin/iptables -w 20 -t filter -F
/usr/sbin/iptables -w 20 -t filter -X
/usr/sbin/iptables -w 20 -t nat -F
/usr/sbin/iptables -w 20 -t nat -X
/usr/sbin/iptables -w 20 -t mangle -F
/usr/sbin/iptables -w 20 -t mangle -X
/usr/sbin/iptables -w 20 -t raw -F
/usr/sbin/iptables -w 20 -t raw -X
/usr/sbin/iptables -w 20 -t security -F
/usr/sbin/iptables -w 20 -t security -X

# Delete all existing firewall rules (IPv6)
/usr/sbin/ip6tables -w 20 -t filter -F
/usr/sbin/ip6tables -w 20 -t filter -X
/usr/sbin/ip6tables -w 20 -t nat -F
/usr/sbin/ip6tables -w 20 -t nat -X
/usr/sbin/ip6tables -w 20 -t mangle -F
/usr/sbin/ip6tables -w 20 -t mangle -X
/usr/sbin/ip6tables -w 20 -t raw -F
/usr/sbin/ip6tables -w 20 -t raw -X
/usr/sbin/ip6tables -w 20 -t security -F
/usr/sbin/ip6tables -w 20 -t security -X

# Adjust policies of the IPv4 default chains
/usr/sbin/iptables -w 20 -t filter --policy INPUT DROP
/usr/sbin/iptables -w 20 -t filter --policy OUTPUT DROP
/usr/sbin/iptables -w 20 -t filter --policy FORWARD DROP

# Adjust policies of the IPv6 default chains
/usr/sbin/ip6tables -w 20 -t filter --policy INPUT DROP
/usr/sbin/ip6tables -w 20 -t filter --policy OUTPUT DROP
/usr/sbin/ip6tables -w 20 -t filter --policy FORWARD DROP

echo "Strikte Paketkontrollen in der SPI-Firewall aktivieren…"

# Enable strict packet checks in the SPI firewall
/usr/sbin/sysctl -w net.netfilter.nf_conntrack_tcp_loose=0

echo "Neue Firewall-Regeln einlesen und setzen…"

# Read and apply firewall rules (IPv4)
/usr/sbin/iptables-restore -w 20 /etc/firewall/firewall_rules_ipv4.txt

# Read and apply firewall rules (IPv6)
/usr/sbin/ip6tables-restore -w 20 /etc/firewall/firewall_rules_ipv6.txt[/CODE]

/etc/systemd/system/firewallStart.service

[CODE][Unit]
Description=firewallStart
Before=network-pre.target
Wants=network-pre.target
Conflicts=iptables.service ip6tables.service firewalld.service ufw.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/firewallStart.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target[/CODE]

Set file permissions:

[CODE]# su

chmod u=rwx,g=,o= /usr/local/sbin/firewallStart.sh

chmod u=rw,g=r,o=r /etc/systemd/system/firewallStart.service[/CODE]

Enable this new systemd unit:

[CODE]# su

systemctl enable firewallStart.service

systemctl start firewallStart.service

systemctl status firewallStart.service[/CODE]

Reboot and check the new systemd unit:

[CODE]# su

systemctl status firewallStart.service

iptables -t raw -L -n -v|more

ip6tables -t raw -L -n -v|more

iptables -t filter -L -n -v|more

ip6tables -t filter -L -n -v|more

sysctl net.netfilter.nf_conntrack_tcp_loose[/CODE]
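Added example, not part of Andreas's post: a Python audit that applies the three checks stated earlier in this post (DROP policies on the built-in filter chains, a --ctstate on every ACCEPT rule, and -i/-o plus -s/-d restrictions on ACCEPT rules for NEW connections) to an iptables-save dump. The two rulesets are constructed for the example; the "must"/"should" labels follow the post's own wording.

```python
import re

# Two constructed iptables-save dumps (not from the poster's systems): a
# permissive one and a strict one shaped like the *filter section above.
LOOSE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
STRICT_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(line)
    return tables

def audit_filter(tables):
    """Findings as (severity, message): 'must' for a non-DROP policy or an
    ACCEPT without --ctstate, 'should' for a NEW ACCEPT lacking -i/-o or -s/-d."""
    findings = []
    filt = tables.get("filter", {"policies": {}, "rules": []})
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        pol = filt["policies"].get(chain, "ACCEPT")   # built-ins default to ACCEPT
        if pol != "DROP":
            findings.append(("must", f"policy {chain} is {pol}, expected DROP"))
    for rule in filt["rules"]:
        if not re.search(r"-j ACCEPT\b", rule):
            continue
        m = re.search(r"--ctstate (\S+)", rule)
        if not m:
            findings.append(("must", f"ACCEPT without --ctstate: {rule}"))
        elif "NEW" in m.group(1).split(","):
            if not re.search(r"\s-[io] \S+", rule):
                findings.append(("should", f"NEW ACCEPT without -i/-o: {rule}"))
            if not re.search(r"\s-[sd] \S+", rule):
                findings.append(("should", f"NEW ACCEPT without -s/-d: {rule}"))
    return findings
```

Feed it the output of `iptables-save` (or the saved firewall_rules_ipv4.txt) to see which lines still violate the post's rules before enabling the unit.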