What are the best commands to list iptables in a Sophos Firewall and also remove an MTU rule?
Hello Ben,
Thank you for contacting the Sophos Community.
You can use:
# ipset -L            (lists the output of all ipset tables)
# ipset -L <set name> (lists the details of one particular set)
# ipset -L | more     (shows one page at a time)
About the MTU rule, what is the command you used to set the MTU?
Regards,
iptables -t mangle -I POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
is the command I'm looking at removing.
Hello Ben,
You can run
# iptables -t mangle -D POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
This will delete the entry (or entries) matching 172.19.0.0/16 in the POSTROUTING chain, so if you have two entries, for example:
Chain POSTROUTING (policy ACCEPT 4 packets, 240 bytes)
pkts bytes target prot opt in out source destination optimization
0 0 TCPMSS tcp -- * * 0.0.0.0/0 172.19.0.0/16 - tcp flags:0x06/0x02 TCPMSS set 900
0 0 TCPMSS tcp -- * * 0.0.0.0/0 172.19.0.0/16 - tcp flags:0x06/0x02 TCPMSS set 900
Then this will delete both of them, since they are duplicated; you can then just re-run the command:
# iptables -t mangle -I POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
Also check that the entries are not part of the startup script:
# cat /scripts/system/clientpref/customization_application_startup.sh
Regards,
Thanks Emmanuel for the response, if I want to add it in the startup.sh, what is the best way to do that?
Thanks,
Ben
Hello Ben,
Enable editing of the startup script:
mount -no remount,rw /
Use vi to edit /scripts/system/clientpref/customization_application_startup.sh and add the lines. This should then look like:
#!/bin/sh
iptables -t mangle -D POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
exit 0;
Save the changes and exit vi
Write protect the startup script again:
mount -no remount,ro /
Note:
In High Availability clusters the above will need to be applied on both nodes.
Regards,
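The two procedures discussed above (removing the TCPMSS clamp for 172.19.0.0/16 when it appears more than once in mangle/POSTROUTING, and keeping the chain in the desired state from customization_application_startup.sh on every boot) as one small POSIX sh script. This is an added example, not code from the thread or from Sophos; the function names, the IPT/NET/MSS variables and the list/remove/ensure subcommands are my own choices. One detail it handles that a single hand-typed delete does not: `iptables -D <rule spec>` removes only the first rule that matches, so with two identical rules it must run twice, which the loop below does by re-checking with `iptables -C` until no match is left. Run it as root on the firewall shell, or point IPT at a wrapper to dry-run it.

```shell
#!/bin/sh
# Added example (not from the Sophos thread): manage the TCPMSS clamp rule
# from the thread in the mangle/POSTROUTING chain.
# Assumptions: IPT, NET and MSS are names chosen here; override them in the
# environment (e.g. IPT=/sbin/iptables) or keep the thread's values.
IPT="${IPT:-iptables}"
NET="${NET:-172.19.0.0/16}"
MSS="${MSS:-900}"

# One place for the rule specification, so -C / -I / -D always use the exact
# same match (a typo in a re-typed -D spec silently deletes nothing).
# $1 is the iptables operation: -C (check), -I (insert), -D (delete).
mss_rule() {
    "$IPT" -t mangle "$1" POSTROUTING -d "$NET" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss "$MSS"
}

# Show the chain with rule numbers, the same view as 'iptables -t mangle -nvL'.
list_mss_rules() {
    "$IPT" -t mangle -nvL POSTROUTING --line-numbers
}

# Delete every copy of the rule. 'iptables -D <spec>' removes only the first
# matching rule per call, so keep going until 'iptables -C' no longer finds one
# (any -C failure, not just "no match", ends the loop). Prints the count removed.
remove_mss_rules() {
    n=0
    while mss_rule -C 2>/dev/null; do
        mss_rule -D || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Insert the rule once and only once, so a startup script can call this on
# every boot (and on both HA nodes) without creating duplicates.
ensure_mss_rule() {
    if mss_rule -C 2>/dev/null; then
        echo "present"
    else
        mss_rule -I || return 1
        echo "inserted"
    fi
}

# Standalone usage: ./mss_rule.sh list | remove | ensure
case "${1:-}" in
    list)   list_mss_rules ;;
    remove) remove_mss_rules ;;
    ensure) ensure_mss_rule ;;
esac
```

From customization_application_startup.sh, call either `remove_mss_rules` (to make sure the clamp is gone after boot) or `ensure_mss_rule` (to make sure exactly one copy exists), depending on which state you want; both are safe to run repeatedly, and in an HA pair the script still has to be placed on both nodes.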