Well, I managed to find a solution but I still do not know where the problem was. This is a virtual host (Plesk, Virtuozzo) so I think that this problem is some incompatibility between Plesk (Virtuozzo) and SuSE.
SuSEFirewall iptables settings do not work for some reason. The server is accessible from outside (ssh, web server, ...) but no outbound connection is possible. Here are the iptables rules set by SuSEFirewall:
Code:
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
Chain forward_ext (0 references)
target prot opt source destination
Chain input_ext (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
DROP all -- anywhere anywhere
Chain reject_func (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
The iptables rules set by the Plesk power panel are working, but after the initial setup it is impossible to change them. Also, after a reboot they are lost, and that was the reason I wanted to try SuSEFirewall. Here are the working iptables rules:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VSFTPD tcp -- anywhere anywhere tcp dpt:ftp
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
VZ_INPUT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
VZ_FORWARD all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
VZ_OUTPUT all -- anywhere anywhere
Chain VZ_FORWARD (1 references)
target prot opt source destination
Chain VZ_INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:filenet-tms:65535
ACCEPT udp -- anywhere anywhere udp dpts:filenet-tms:65535
ACCEPT tcp -- localhost localhost
ACCEPT udp -- localhost localhost
Chain VZ_OUTPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT tcp -- localhost localhost
ACCEPT udp -- localhost localhost
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-VSFTPD (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I managed to create (using iptables-save and iptables-restore) a boot-up script so that now the working iptables rules are restored after rebooting. My problem is solved, but as I said, because of my weak knowledge of iptables I still do not know which iptables rules are missing in the SuSEFirewall setup.
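One way to see how the two listings differ in admitting replies to outbound connections, as an added example that is not part of the original post: the SuSEFirewall INPUT chain relies on the conntrack `state` match, while the Plesk VZ_INPUT chain instead opens the ephemeral port range (printed by `iptables -L` as `filenet-tms:65535`, i.e. 32768-65535) to any peer. The sample dumps are constructed from the listings above; the `Chain INPUT` header for the SuSEFirewall listing is assumed, and the script reads one chain at a time without following jumps.

```shell
#!/bin/sh
# Classify how a chain in an `iptables -L` dump admits replies to outbound
# connections: via the conntrack "state" match, or by a stateless accept of
# the ephemeral range (printed as dpts:filenet-tms:65535, i.e. 32768-65535).
# Dumps constructed from the listings above; SuSE "Chain INPUT" header assumed.
SUSE_DUMP='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED
input_ext all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED'
PLESK_DUMP='Chain INPUT (policy DROP)
target prot opt source destination
VZ_INPUT all -- anywhere anywhere
Chain VZ_INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:filenet-tms:65535
ACCEPT udp -- anywhere anywhere udp dpts:filenet-tms:65535'

# Print the rules of chain $1 from the dump on stdin (jumps are not followed).
chain_rules() {
    awk -v want="$1" '
        /^Chain /  { inchain = ($2 == want); next }
        /^target / { next }
        inchain && NF { print }'
}

# Echo "stateful", "stateless" or "none" for chain $1 in dump $2.
return_path_kind() {
    rules=$(printf '%s\n' "$2" | chain_rules "$1")
    if printf '%s\n' "$rules" | grep -q 'ACCEPT.*state [A-Z,]*ESTABLISHED'; then
        echo stateful      # needs a working conntrack state match
    elif printf '%s\n' "$rules" | grep -Eq 'ACCEPT.*dpts:(filenet-tms|32768):65535'; then
        echo stateless     # also admits unsolicited packets to 32768-65535
    else
        echo none          # replies to outbound connections are dropped
    fi
}

echo "SuSEFirewall INPUT: $(return_path_kind INPUT "$SUSE_DUMP")"
echo "Plesk VZ_INPUT:     $(return_path_kind VZ_INPUT "$PLESK_DUMP")"
```

The practical difference: a stateful rule only admits packets that connection tracking recognises as replies, so it does nothing in an environment where the `state` match is unavailable (an assumption to verify on the container, not a fact stated in the post), whereas the stateless range admits replies but also any unsolicited packet to ports 32768-65535.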