SuSE 10.0 Firewall auf vServer

Nov 24 02:23:57 v31326 SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. 
Nov 24 02:23:57 v31326 SuSEfirewall2: batch committing... 
Nov 24 02:23:57 v31326 SuSEfirewall2: Error: iptables-batch failed, re-running using iptables 
Nov 24 02:23:58 v31326 SuSEfirewall2: Firewall rules set to CLOSE. 
Nov 24 02:23:58 v31326 SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. 
Nov 24 02:23:58 v31326 SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ... 
Nov 24 02:23:58 v31326 SuSEfirewall2: batch committing... 
Nov 24 02:23:58 v31326 SuSEfirewall2: Error: iptables-batch failed, re-running using iptables 
Nov 24 02:23:59 v31326 SuSEfirewall2: Firewall rules successfully set 
Nov 24 02:24:05 v31326 SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. 
Nov 24 02:24:05 v31326 SuSEfirewall2: batch committing... 
Nov 24 02:24:05 v31326 SuSEfirewall2: Error: iptables-batch failed, re-running using iptables 
Nov 24 02:24:05 v31326 SuSEfirewall2: Firewall rules unloaded. 
Nov 24 02:24:05 v31326 SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. 
Nov 24 02:24:05 v31326 SuSEfirewall2: batch committing... 
Nov 24 02:24:05 v31326 SuSEfirewall2: Error: iptables-batch failed, re-running using iptables 
Nov 24 02:24:05 v31326 SuSEfirewall2: Firewall rules set to CLOSE. 
Nov 24 02:24:05 v31326 SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. 
Nov 24 02:24:05 v31326 SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ... 
Nov 24 02:24:06 v31326 SuSEfirewall2: batch committing... 
Nov 24 02:24:06 v31326 SuSEfirewall2: Error: iptables-batch failed, re-running using iptables 
Nov 24 02:24:06 v31326 SuSEfirewall2: Firewall rules successfully set 
Nov 24 02:26:42 v31326 SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. 
Nov 24 02:26:42 v31326 SuSEfirewall2: batch committing... 
Nov 24 02:26:42 v31326 SuSEfirewall2: Error: iptables-batch failed, re-running using iptables

#!/bin/bash

echo "Starting firewall"

LOGLIMIT=20
IPTABLES=/usr/sbin/iptables

case "$1" in
start)
        # alle alten Regeln entfernen
        echo "Loesche alte Regeln"
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -t nat -F
        # Routing
        # echo 1 > /proc/sys/net/ipv4/ip_forward
        # $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
        # $IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
        ### ERSTELLE NEUE KETTEN ###
        # Kette fuer's Logging von verworfenen Paketen
        $IPTABLES -N LOGREJECT
        $IPTABLES -A LOGREJECT -m limit --limit $LOGLIMIT/minute -j LOG --log-prefix "FIREWALL REJECT " --log-level notice --log-ip-options --log-tcp-options
        $IPTABLES -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable

        ### PROC MANIPULATION ###
        # auf Broadcast-Pings nicht antworten
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        # halt die Klappe bei komischen ICMP Nachrichten
        echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        # Kicke den ganzen IP Spoofing Shit
        # (Source-Validierung anschalten)
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        # Setze Default-TTL auf 61 (Default fuer Linux ist 64)
        echo 61 > /proc/sys/net/ipv4/ip_default_ttl
        # sende RST-Pakete wenn der Buffer voll ist
        echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
        # warte max. 30 secs auf ein FIN/ACK
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
        # unterbreche Verbindungsaufbau nach 3 SYN-Paketen
        # Default ist 6
        echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
        # unterbreche Verbindungsaufbau nach 3 SYN/ACK-Paketen
        # Default ist 6
        echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

        ### MAIN PART ###
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # im Loopback koennen wir jedem trauen
        $IPTABLES -A INPUT -i lo -j ACCEPT
        # erlaube Pings
        $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        # erlaube SSH
        $IPTABLES -A INPUT -p tcp --dport 22 --tcp-flags ALL SYN -j ACCEPT
        # Webserver
        $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
        # Alle TCP Packete, die bis hier hin kommen, werden
        # geloggt und rejected
        # Der Rest wird eh per Default Policy gedroppt...
        $IPTABLES -A INPUT -p tcp -j LOGREJECT
        $IPTABLES -A FORWARD -p tcp -j LOGREJECT
        ;;
*)
        echo "Usage: `basename $0` {start}" >&2
        exit 64
        ;;
esac

exit 0