LinuxQuestions.org


lorry 09-26-2008 07:25 AM

cannot save iptables configuration on opensuse 10.3 I have a server running opensuse
 
I have a server running opensuse 10.3 and am attempting to configure iptables by following the tutorial at iptablesrocksDOTorg (sorry for the DOT, I am blocked from posting a URL).

My problem is that when I reboot the server, the running configuration returns to an "open" state, i.e.

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


I try to save the firewall ruleset script ("primary_firewall") like this:-

cp /root/primary_firewall /etc/sysconfig/iptables

as the tutorial explains that this is how to integrate the setup into the server's boot process. After a reboot iptables was back to the open state, so I tried this:-

iptables-save > /etc/sysconfig/iptables

as a search on Google indicated that the file format might be incorrect otherwise. After a reboot iptables was back to the open state.

I checked all of the (modified today) log files in /var/log/ for the string "iptables" to see whether I could see any errors during boot up, but I can't see any.

It may be that I am either putting the ruleset script in the wrong place, or another process is altering the rules during boot. I have read the iptables man page, but can't see any reference to restoring a ruleset script during boot.

I am a newbie with Linux, so would appreciate it if someone could suggest how I debug my installation, or point me in the direction of a manual that explains how to configure this on Opensuse.

Thanks for any help.

salasi 09-26-2008 12:37 PM

Firstly SuSE is a bit different and the tutorial may only be mostly correct, if it doesn't note the differences that are specific to SuSE.

Secondly, you don't seem to be restoring the ruleset, so you shouldn't be surprised that the ruleset doesn't get restored.

To the first point, by default SuSE uses its own system for configuring the firewall and that involves an 'early' block-anything-not-needed-for-boot stage and then a more precisely configured late stage. You could be tripping over either of these stages, so you need to check from the run level editor in yast that this isn't going to be the case. (This also raises the question why you aren't going with the flow and using the SuSE firewall system, but that is, of course, up to you. If you do change your mind, configure from YAST.)

Quote:

as a search on google indicated that the file format might be incorrect otherwise. After a reboot iptables was back to the open state.
The firewall is only persistent if you make it so, in other words, if you restore. The iptables-save/iptables-restore system does have advantages if you need to preserve counters across reboots, which is difficult to do otherwise. OTOH, if you aren't interested in the counters, this isn't really an advantage.

To do it this way, you need to use iptables-save to dump the contents to a file and iptables-restore to put things back in place - you'll need the -c switch to do the counter thing. So, somewhere in the boot process, you need to execute a script that does this, either get the YAST runlevel editor to do it, or run a trivial script from the appropriate /etc/rc.

There is usually good documentation on networking, etc, in
  • the SuSE books
  • the SuSE website
but it's sometimes a bit difficult to find what you want if you don't have the books.
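
An added example, not part of the original thread: a small boot script for the save/restore approach described in the reply above. It checks that /etc/sysconfig/iptables really is an iptables-save dump (and not a shell script of iptables commands copied into place) before handing it to iptables-restore, adding -c only when the dump carries counters. The function names and the start/check arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# RULES defaults to the path used in the thread.
RULES="${RULES:-/etc/sysconfig/iptables}"

# Print what a file is: "save" (iptables-save dump), "save-counters" (dump
# taken with -c), "script" (shell script of iptables commands) or "unknown".
ruleset_kind() {
    awk '
        /^#!/ || /^[ \t]*(\/[^ ]*\/)?iptables[ \t]/ { script = 1; next }
        /^[ \t]*$/ || /^#/          { next }             # blank lines, comments
        /^\*[a-z]+$/                { tables++; next }   # *filter, *nat, ...
        /^COMMIT$/                  { commits++; next }
        /^:[A-Za-z0-9_-]+ /         { next }             # :INPUT DROP [0:0]
        /^\[[0-9]+:[0-9]+\] -[AI] / { counted++; next }  # rule with counters
        /^-[AI] /                   { next }             # rule without counters
        { other++ }
        END {
            if (script) print "script"
            else if (tables && tables == commits && !other)
                print (counted ? "save-counters" : "save")
            else print "unknown"
        }' "$1"
}

# Restore at boot only if the file is a real dump; keep counters if present.
restore_ruleset() {
    case "$(ruleset_kind "$RULES")" in
        save-counters) iptables-restore -c < "$RULES" ;;
        save)          iptables-restore < "$RULES" ;;
        script) echo "$RULES is a shell script: run it, then iptables-save -c > $RULES" >&2
                return 2 ;;
        *)      echo "$RULES is not an iptables-save dump, nothing restored" >&2
                return 3 ;;
    esac
}

case "${1:-}" in
    start) restore_ruleset ;;
    check) ruleset_kind "${2:-$RULES}" ;;
esac
```

Called with check and a file name it only prints the classification, so the copied "primary_firewall" script can be told apart from a dump without touching the running rules.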

lorry 09-26-2008 12:58 PM

Thanks for the pointers salasi.

I'm off to buy a decent SuSE book...:)


All times are GMT -5.