Bug 30191

Summary: NAT configuration wizard is broken
Product: Mageia
Reporter: JWD van Maanen <gfaerie>
Component: Installer
Assignee: Mageia tools maintainers <mageiatools>
Status: NEW
QA Contact:
Severity: major
Priority: Normal
CC: davidwhodgins
Version: 8
Target Milestone: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Source RPM: drakconf 13.27-1mga8 noarch
CVE:
Status comment:

Description JWD van Maanen 2022-03-18 17:19:07 CET
Description of problem: MCC internet connection sharing, installed on a firewall/router system with multiple NICs, installed Bind, DHCP server and Squid
and told me everything was configured correctly... but it didn't.


Version-Release number of selected component (if applicable):
Drakconf 13.27-1mga8 noarch 

How reproducible: PC x64
NetXtreme BCM5752 Gigabit Ethernet PCI Express/ LAN 
RTL8169 PCI Gigabit Ethernet Controller/ ICP

Mageia 8 clean install as firewall/router in secure mode
The ICP connection is in bridged mode

Steps to Reproduce:
1. Internet connection sharing is started correctly.
2. Internet NIC is correctly recognized.
3. LAN NIC is selected with 192.168.1.1, standard configuration.
4. Bind, DHCP server & Squid are installed, seems like normal.
5. Installation is finished and the network connections restart automatically like normal.
6. The first thing I noticed is that from the server I still had internet. Normally I get a Squid proxy page denying me internet access.
7. The LAN connection is good. DHCP works fine except there's no NAT configuration.
The standard iptables look as if untouched by the MCC configuration wizard:
# Completed on Thu Mar 17 19:06:36 2022
# Generated by iptables-save v1.8.7 on Thu Mar 17 19:06:36 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:Ifw - [0:0]
:dynamic - [0:0]
:enp1s4_fwd - [0:0]
:enp1s4_in - [0:0]
:enp1s4_out - [0:0]
:enp1s9_fwd - [0:0]
:enp1s9_in - [0:0]
:enp1s9_out - [0:0]
:fw-fw - [0:0]
:fw-loc - [0:0]
:fw-net - [0:0]
:loc-fw - [0:0]
:loc-net - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net-fw - [0:0]
:net-loc - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:sha-lh-74b4a0d88b08308c0105 - [0:0]
:sha-rh-ea13dde65a77b03a2d29 - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:tun6to4_fwd - [0:0]
:tun6to4_in - [0:0]
:tun6to4_out - [0:0]
-A INPUT -j Ifw
-A INPUT -i enp31s0 -j loc-fw
-A INPUT -i enp1s4 -j enp1s4_in
-A INPUT -i enp1s9 -j enp1s9_in
-A INPUT -i tun6to4 -j tun6to4_in
-A INPUT -i lo -j ACCEPT
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT REJECT " --log-level 6
-A INPUT -g reject
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A FORWARD -i enp31s0 -j loc_frwd
-A FORWARD -i enp1s4 -j enp1s4_fwd
-A FORWARD -i enp1s9 -j enp1s9_fwd
-A FORWARD -i tun6to4 -j tun6to4_fwd
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -m addrtype --dst-type ANYCAST -j DROP
-A FORWARD -m addrtype --dst-type MULTICAST -j DROP
-A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD REJECT " --log-level 6
-A FORWARD -g reject
-A OUTPUT -o enp31s0 -j fw-loc
-A OUTPUT -o enp1s4 -j enp1s4_out
-A OUTPUT -o enp1s9 -j enp1s9_out
-A OUTPUT -o tun6to4 -j tun6to4_out
-A OUTPUT -o lo -j fw-fw
-A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
-A OUTPUT -m addrtype --dst-type ANYCAST -j DROP
-A OUTPUT -m addrtype --dst-type MULTICAST -j DROP
-A OUTPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "OUTPUT REJECT " --log-level 6
-A OUTPUT -g reject
-A OUTPUT -d 192.168.0.1/32 -j ACCEPT
-A Ifw -m set --match-set ifw_wl src -j RETURN
-A Ifw -m set --match-set ifw_bl src -j DROP
-A Ifw -m conntrack --ctstate INVALID,NEW -m psd --psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1 -j IFWLOG --log-prefix "SCAN"
-A enp1s4_fwd -o enp1s4 -g sfilter
-A enp1s4_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp1s4_fwd -p tcp -j tcpflags
-A enp1s4_fwd -j net_frwd
-A enp1s4_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp1s4_in -p tcp -j tcpflags
-A enp1s4_in -j net-fw
-A enp1s4_out -j fw-net
-A enp1s9_fwd -o enp1s9 -g sfilter
-A enp1s9_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp1s9_fwd -p tcp -j tcpflags
-A enp1s9_fwd -j net_frwd
-A enp1s9_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp1s9_in -p tcp -j tcpflags
-A enp1s9_in -j net-fw
-A enp1s9_out -j fw-net
-A fw-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-fw -p tcp -m tcp --dport 3128 -m conntrack --ctorigdstport 80 -j ACCEPT
-A fw-fw -j ACCEPT
-A fw-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-loc -j ACCEPT
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-net -p tcp -m tcp --dport 80 -m owner --uid-owner 979 -j ACCEPT
-A fw-net -j ACCEPT
-A loc-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A loc-fw -p tcp -j tcpflags
-A loc-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-fw -p tcp -m tcp --dport 3128 -m conntrack --ctorigdstport 80 -j ACCEPT
-A loc-fw -j ACCEPT
-A loc-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-net -j ACCEPT
-A loc_frwd -o enp31s0 -g sfilter
-A loc_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A loc_frwd -p tcp -j tcpflags
-A loc_frwd -o enp1s4 -j loc-net
-A loc_frwd -o enp1s9 -j loc-net
-A loc_frwd -o tun6to4 -j loc-net
-A logdrop -j DROP
-A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -m addrtype --dst-type BROADCAST -j DROP
-A net-fw -m addrtype --dst-type ANYCAST -j DROP
-A net-fw -m addrtype --dst-type MULTICAST -j DROP
-A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
-A net-fw -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -m addrtype --dst-type BROADCAST -j DROP
-A net-loc -m addrtype --dst-type ANYCAST -j DROP
-A net-loc -m addrtype --dst-type MULTICAST -j DROP
-A net-loc -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-loc DROP " --log-level 6
-A net-loc -j DROP
-A net_frwd -o enp31s0 -j net-loc
-A net_frwd -o enp1s4 -j ACCEPT
-A net_frwd -o enp1s9 -j ACCEPT
-A net_frwd -o tun6to4 -j ACCEPT
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "sfilter DROP " --log-level 6
-A sfilter -j DROP
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A tun6to4_fwd -o tun6to4 -g sfilter
-A tun6to4_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A tun6to4_fwd -p tcp -j tcpflags
-A tun6to4_fwd -j net_frwd
-A tun6to4_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A tun6to4_in -p tcp -j tcpflags
-A tun6to4_in -j net-fw
-A tun6to4_out -j fw-net
COMMIT
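An added check, not part of the report and not code from drakconf or its wizard: the dump above shows only the filter table, while IPv4 masquerading lives in the nat table's POSTROUTING chain and forwarding also needs net.ipv4.ip_forward=1, so a filter-only dump cannot show whether NAT was configured. The script below reads an iptables-save dump plus the ip_forward sysctl file and reports whether NAT is actually in place. The two sample dumps are constructed for the example; the interface name enp1s4 is taken from the chain names in the posted dump, where enp1s4 and enp1s9 feed the net-* chains and enp31s0 feeds the loc-* chains, and the exact rule shape a working wizard run would produce is an assumption.

```shell
#!/bin/sh
# Added example: verify that a Linux router really has IPv4 NAT configured.
# Inputs are a saved iptables-save dump and the ip_forward sysctl file, so the
# checks can be run offline against a dump pasted into a bug report.
# Interface names follow the report's dump (enp1s4/enp1s9 = net, enp31s0 = loc).

# nat_rule_present DUMP_FILE WAN_IF
#   Exit 0 if the *nat table has a POSTROUTING MASQUERADE or SNAT rule that
#   leaves via WAN_IF, 1 otherwise (no nat table at all also gives 1).
nat_rule_present() {
    dump="$1"; wan="$2"
    awk -v wan="$wan" '
        /^\*nat$/  { innat = 1; next }     # tables are delimited by *name ... COMMIT
        /^COMMIT$/ { innat = 0; next }
        innat && /^-A POSTROUTING / && $0 ~ ("-o " wan "( |$)") && /-j (MASQUERADE|SNAT)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$dump"
}

# ip_forward_enabled [SYSCTL_FILE]
#   Exit 0 if the kernel forwards IPv4; defaults to the live /proc entry.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# nat_status DUMP_FILE WAN_IF [SYSCTL_FILE]
#   Prints one line per check; exit 0 only if both prerequisites for NAT hold.
nat_status() {
    ok=0
    if nat_rule_present "$1" "$2"; then
        echo "nat: POSTROUTING MASQUERADE/SNAT via $2 present"
    else
        echo "nat: no masquerade rule for $2 (verify with: iptables-save -t nat)"; ok=1
    fi
    if ip_forward_enabled "$3"; then
        echo "ip_forward: enabled"
    else
        echo "ip_forward: disabled (verify with: sysctl net.ipv4.ip_forward)"; ok=1
    fi
    return $ok
}

# Constructed sample 1: the shape of the reporter's dump, a filter table only.
SAMPLE_NO_NAT=$(mktemp)
cat > "$SAMPLE_NO_NAT" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i enp31s0 -j ACCEPT
COMMIT
EOF

# Constructed sample 2: assumed shape of a dump from a router that masquerades
# the LAN out of enp1s4 (what a successful wizard run would have to produce).
SAMPLE_NAT=$(mktemp)
cat > "$SAMPLE_NAT" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp1s4 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF

# Constructed sysctl values standing in for /proc/sys/net/ipv4/ip_forward.
FWD_ON=$(mktemp);  echo 1 > "$FWD_ON"
FWD_OFF=$(mktemp); echo 0 > "$FWD_OFF"

# Stand-alone run: the reported situation versus a working router.
# On the live box: iptables-save > /tmp/dump && nat_status /tmp/dump enp1s4
echo "== filter-only dump (as in the report), forwarding off =="
nat_status "$SAMPLE_NO_NAT" enp1s4 "$FWD_OFF" || true
echo "== dump with masquerade, forwarding on =="
nat_status "$SAMPLE_NAT" enp1s4 "$FWD_ON" || true
```

The interface match is anchored on `-o WAN_IF` so a MASQUERADE rule on the wrong interface (the LAN side, say) is not mistaken for working NAT, and a dump that lacks a `*nat` section altogether fails the check rather than being treated as "nothing to report".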
Comment 1 Lewis Smith 2022-03-20 20:03:31 CET
Thank you for the report, and sorry for the angst.
There is no way I can check this out.
> The standard iptables look as if untouched by the MCC configuration wizard
looks like the root of the problem.

Assigning this to mageiatools, CC'ing DaveH in case he has any helpful observations.

Source RPM: Drakconf 13.27-1mga8 noarch => drakconf 13.27-1mga8 noarch
CC: (none) => davidwhodgins, lewyssmith
Assignee: bugsquad => mageiatools

Comment 2 Dave Hodgins 2022-03-20 20:38:04 CET
None of my systems have more than one network interface, so I have no experience
in this area.
Lewis Smith 2022-03-21 21:14:17 CET

CC: lewyssmith => (none)