LinuxQuestions.org
Old 03-05-2009, 09:18 AM   #1
polemon
Member
 
Registered: Jun 2005
Distribution: Fedora 18, Ubuntu 11.10, Ubuntu Server 11.10, DamnSmallLinux 3.4.4, FreeDOS 1.1, OpenBSD 5.0
Posts: 194

Rep: Reputation: 31
SuSE SLES 10: YaST Firewall


Hi!

I have to use the YaST firewall as my, well, firewall.
The standard settings and everything that I change in the setup tool, add or change quite a lot of iptables settings. It's impractical to change settings afterwards with iptables, since YaST adds large amounts of lines to it, making even reading it somewhat complicated.

What I'm missing is some sort of file, where those settings are saved. I'm used to Debian systems, where those files are loaded with iptables-restore from a file that was usually generated by iptables-save.
Is there such a file on SuSE SLES? And if yes, where is it?
And where does SLES save those settings?

On Debian, I've got the following settings in one of my iface definitions in /etc/network/interfaces:
Code:
	pre-up iptables-restore < /etc/iptables.up.rules
	post-down iptables-restore < /etc/iptables.down.rules
[...]
Both rules files were generated with iptables-save.
I assume there is something similar on SLES, but I couldn't find where it is.

Cheers,
--polemon

Last edited by polemon; 03-05-2009 at 09:19 AM. Reason: none, really...
 
Old 03-06-2009, 01:03 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,902

Rep: Reputation: 775
Quote:
Originally Posted by polemon
Hi!

I have to use the YaST firewall as my, well, firewall.
Technically, that'll be SuSEFirewall2, then.


Quote:
On Debian, I've got the following settings in one of my iface definitions in /etc/network/interfaces:
Code:
	pre-up iptables-restore < /etc/iptables.up.rules
	post-down iptables-restore < /etc/iptables.down.rules
[...]
Both rules files were generated with iptables-save.
I assume there is something similar on SLES, but I couldn't find where it is.
iptables-save and iptables-restore work as you are used to on any other system (covered in the man pages, but, short of things that change with version changes, I'm sure it will all be the same...you'll already be aware that there is no default file to which iptables-save writes; it writes to stdout, oddly); the problem that you actually have is that yast believes that it is managing the firewall and you are fighting with it. There seem to be several possibilities:
  • you could let yast carry on managing things and modify the entries from the GUI
  • you could let yast carry on thinking that it is managing things and use something else (-save and -restore, if that's what you are happy with, but a firewall gui could be made to work, too). This means after yast has run you clear all its rules and instantiate your own (if using -save and -restore, you just have to make sure that it all happens after yast has wasted its time doing its own thing). This doesn't sound like a particularly clean way of doing things, but you do get a firewall all through the boot process (except for the very brief periods of instantiation - the paranoid can turn off the interfaces while that's happening)
  • you could tell yast not to do anything with the firewall and do it all yourself in pretty much the way that you are used to. Under SuSE, I don't think the 'interfaces' works as you are used to, but you just put the -restore in the appropriate places in the startup and shutdown processes. As yast runs the firewall in two phases (one early 'just block stuff, with a few exceptions, while we are booting' phase, and a later phase when booting is pretty much done), you might still want to run a similar ruleset to that generated by phase 1 early on, and then run your full ruleset as your ph2. Once you have the two rulesets, -save and -restore will do it for you instead of yast. (Although I don't know of anyone else who does this 'two phase' stuff, so you might find that unduly paranoid. Paranoid is good when dealing with security, though.)
 
Old 04-12-2009, 11:38 AM   #3
Matteus Blanc
LQ Newbie
 
Registered: Dec 2006
Location: London
Distribution: SuSE 11.1, Debian 5, Centos5
Posts: 6

Rep: Reputation: 1
opensuse IP tables load at boot

hi,
I just spent a day trying to get openSUSE11.0 to load some custom iptables settings in conjunction with the SUSEfirewall at boot. I've got it working now so I thought I'd share:

1. forget about trying to set up a script to run like a service with chkconfig. It just won't work (even with S99!). I suspect the firewall flushes the settings later, after these rc.d scripts are executed, it's not clear how or why the settings get ignored but trust me - they will be ignored.

2. You'll need to edit /etc/sysconfig/scripts/SuSEfirewall2-custom. Put the custom iptables commands where appropriate, details are given in the file itself. Do read what is in the file because there is no man page for this.

3. Edit
Code:
 /etc/sysconfig/SuSEfirewall2
change
Code:
FW_CUSTOMRULES=""
to
Code:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
What I wanted this for was to get postfix to listen on another port as well as 25. Fiddling with postfix itself can produce an open relay and so is not advised. A more elegant solution is to use iptables with the following command:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 1025 -j REDIRECT --to-ports 25
The three steps above show how I got the custom port mapping rule to auto load at boot. If you don't follow the steps then the settings are lost on reboot - a common complaint.

regards
Matteus Blanc
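
A check for the three steps in the post above, as an added example that is not part of the original post or of SuSEfirewall2. The function names, return codes and sample tree are constructed for illustration, and the hook name `fw_custom_before_masq` is assumed to match the stock custom file on your system.

```shell
#!/bin/sh
# Added example: verify that SuSEfirewall2 will load a custom rules file.
# Return codes (chosen for this example): 0 ok, 1 FW_CUSTOMRULES empty,
# 2 referenced file missing, 3 file group/world-writable, 4 no active iptables line.
check_fw_customrules() {
    conf=$1      # path to the SuSEfirewall2 sysconfig file
    prefix=$2    # optional root prefix, so a copy of /etc can be checked
    # Use the last uncommented assignment, as sourcing the file would.
    path=$(sed -n 's/^[[:space:]]*FW_CUSTOMRULES=//p' "$conf" | tail -n 1 | tr -d "\"'")
    [ -n "$path" ] || return 1
    file="$prefix$path"
    [ -f "$file" ] || return 2
    # The firewall script runs as root and loads this file, so only its
    # owner should be able to write to it.
    if [ -n "$(find "$file" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        return 3
    fi
    grep -Eq '^[[:space:]]*iptables[[:space:]]' "$file" || return 4
    return 0
}

# Build a constructed sample tree (not a real system); $1 is the value
# written to FW_CUSTOMRULES. Prints the root directory of the tree.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysconfig/scripts"
    printf 'FW_CUSTOMRULES="%s"\n' "$1" > "$root/etc/sysconfig/SuSEfirewall2"
    cat > "$root/etc/sysconfig/scripts/SuSEfirewall2-custom" <<'EOF'
# Hook name as in the stock custom file; confirm against your copy.
fw_custom_before_masq() {
    iptables -t nat -A PREROUTING -p tcp --dport 1025 -j REDIRECT --to-ports 25
    true
}
EOF
    chmod 644 "$root/etc/sysconfig/scripts/SuSEfirewall2-custom"
    echo "$root"
}

demo=$(make_sample /etc/sysconfig/scripts/SuSEfirewall2-custom)
if check_fw_customrules "$demo/etc/sysconfig/SuSEfirewall2" "$demo"; then
    echo "custom rules will be loaded"
fi
rm -rf "$demo"
```

On a live system the call would be `check_fw_customrules /etc/sysconfig/SuSEfirewall2` with no prefix; a non-zero result identifies which of the steps is missing before the next reboot does.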
 
  

