LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Suse/Novell (http://www.linuxquestions.org/questions/suse-novell-60/)
-   -   SuSE SLES 10: YaST Firewall (http://www.linuxquestions.org/questions/suse-novell-60/suse-sles-10-yast-firewall-709379/)

polemon 03-05-2009 09:18 AM

SuSE SLES 10: YaST Firewall
 
Hi!

I have to use the YaST firewall as my, well, firewall.
The standard settings and everything that I change in the setup tool, add or change quite a lot of iptables settings. It's impractical to change setting afterwards with iptables, since YaST adds large amounts of lines to it, making even reading it somewhat complicated.

What I'm missing is some sort of file, where those settings are saved. I'm used to Debian systems, where those files are loaded with iptables-restore from a file that was usually generated by iptables-save.
Is there such a file on SuSE SLES? And if yes, where is it?
And where does SLES save those settings?

On Debian, I've got the following settings in one of my iface definitions in /etc/network/interfaces:
Code:

        pre-up iptables-restore < /etc/iptables.up.rules
        post-down iptables-restore < /etc/iptables.down.rules

[...]
Both rules files were generated with iptables-save.
I assume there is something similar on SLES, but I couldn't find where it is.

Cheers,
--polemon

salasi 03-06-2009 01:03 PM

Quote:

Originally Posted by polemon (Post 3465791)
Hi!

I have to use the YaST firewall as my, well, firewall.

Technically, that'll be SuSEFirewall2, then.


Quote:

On Debian, I've got the following settings in one of my iface definitions in /etc/network/interfaces:
Code:

        pre-up iptables-restore < /etc/iptables.up.rules
        post-down iptables-restore < /etc/iptables.down.rules

[...]
Both rules files were generated with iptables-save.
I assume there is something similar on SLES, but I couldn't find where it is.
iptables-save and iptables-restore work as you are used to on any other system (covered in the man pages, but, short of things that change with version changes, I'm sure it will all be the same...you'll already be aware that there is no default file to which iptables-save writes; it writes to stdout, oddly); the problem that you actually have is that yast believes that it is managing the firewall and you are fighting with it. There seem to be several possibilities
  • you could let yast carry on managing things and modify the entries from the GUI
  • you could let yast carry on thinking that it is managing things and use something else (-save and -restore, if that's what you are happy with, but a firewall gui could be made to work, too). This means after yast has run you clear all its rules and instantiate your own (if using -save and -restore, you just have to make sure that it all happens after yast has wasted its time doing its own thing). This doesn't sound like a particularly clean way of doing things, but you do get a firewall all through the boot process (except for the very brief periods of instantiation - the paranoid can turn off the interfaces while that's happening)
  • you could tell yast not to do anything with the firewall and do it all yourself in pretty much the way that you are used to. Under SuSE, I don't think the 'interfaces' works as you are used to, but you just put the -restore in the appropriate places in the startup and shutdown processes. As yast runs the firewall in two phases (one early 'just block stuff, with a few exceptions, while we are booting' phase, and a later phase when booting is pretty much done), you might still want to run a similar ruleset to that generated by phase 1 early on, and then run your full ruleset as your ph2. Once you have the two rulesets, -save and -restore will do it for you instead of yast. (Although I don't know of anyone else who does this 'two phase' stuff, so you might find that unduly paranoid. Paranoid, is good when dealing with security, though.)

Matteus Blanc 04-12-2009 11:38 AM

opensuse IP tables load a boot
 
hi,
I just spent a day try to get openSUSE11.0 to load some custom iptables settings in conjunction with the SUSEfirewall at boot. I've got it working now so I thought I'd share:

1. forget about trying to set up a script to run like a service with chkconfig. It just won't work (even with S99!). I suspect the firewall flushes the settings later, after these rc.d scripts are executed, it's not clear how or why the settings get ignored but trust me - they will be ignored.

2. You'll need to edit /etc/sysconfig/scripts/SuSEfirewall2-custom. Put the custom iptables commands where appropriate, details are given in the file itself. Do read what is in the file because there is no man page for this.

3. Edit
Code:

/etc/sysconfig/SuSEfirewall2
change
Code:

FW_CUSTOMRULES=""
to
Code:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
What I wanted this for was to get postfix to listen on another port as well as 25. Fiddling with postfix itself can produce an open relay and so is not advised. A more elegant solution is to use iptables with the following command:
Code:

iptables -t nat -A PREROUTING -p tcp --dport 1025 -j REDIRECT --to-ports 25
The three steps above show how I got the custom port mapping rule to auto load at boot. If you don't follow the steps then the settings are lost on reboot - a common complaint.

regards
Matteus Blanc


All times are GMT -5. The time now is 12:42 PM.