iptables on Suse 8.0

Loke · 01-18-2003, 01:27 PM

Beeing fairly new to Linux I am a bit pussled with iptables on Suse 8.0. I (think) I understand iptables alone; what confuses me is the SuSEfirewall and the personal-firewall. I have configures written a iptables-script and installed it thus:

# sh /root/firewall.conf

which gives no syntax errors, so I save the rules thus

# iptables-save

and then reboot.

When booting I get the following messages:

Starting Firewall Initialization (Phase 1 of 3)
.
.
Starting Firewall Initialization (Phase 2 of 3)
.
.
Starting Firewall Initialization (Phase 3 of 3)

which looks OK. Moreover, the firewall seems to be working as intended: it block what should be blocked and lets through what I want to let through. However, whan listing the rules, e.g:

# iptables -v -L INPUT

the output contaings warning messages that I do not have in my script. The warnings of the type:

LOG level warning tcp-options ip-otions prefix `SuSE-FW-DROP-ANTI_S......

What bothers me is that I do not know where (which script) those messages come from.

What is the relation between netfilet/iptables, the SuSEfirewall and personaø-firewall?
Anyway, I managed to switch off personal firewall in Yast and the boot process shows that it isn't in use.
Could it be that SuSEfirewall is equivalent with iptables?
I would in any case sleep better if I knew the details.

The following files are located under /etc/init.d

/etc/init.d/SuSEfirewall2_init
/etc/init.d/SuSEfirewall2_setup
/etc/init.d/SuSEfirewall2_final

/etc/init.d/personal-firewall.initial
/etc/init.d/personal-firewall.final

Also, why are there two versions of the iptables files in /usr/sbin?

/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save

/usr/sbin/iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables-save

Regards

Mara · 01-18-2003, 04:03 PM

I guess SUSEfirewall uses iptables. And ip6tables looks like IPv6 version of iptables.

peter_robb · 01-23-2003, 04:46 PM

One of the common problems with using "many" scripts is identifying which one is doing which rule...

The good news is that you can ask each script to echo to the screen as it runs.
I'd guess that there are three scripts, each echoing as "Phase x of 3"
Have a look inside the scripts you have found for text like that...

There is a good reason for using consecutive scripts like this, but if you want to be the master of them, you will need to discover what is really happening before you make any manual changes...

The last script to run controls the rules...
So, if you have a script that starts by flushing and clearing the rulesets, it won't matter what comes before...

Have a look at this iptables tutorial