How to configure firewall on OpenSuse (Leap) to set up NAT redirection?
UPDATE
I had missed this critical detail - you want to redirect to the same machine. SuSEFirewall2 doesn't really support this.
So you either create an aliased interface, and redirect from your real interface to the alias; or you put your existing iptables rules into the appropriate script.
This might be /etc/sysconfig/network/scripts/firewall in the "net-reconfig-done" section:
    net-reconfig-done)
        [ "$FIREWALL" = 'yes' ] || exit 2
        sfw2_active || exit 3
        /sbin/SuSEfirewall2 --bootunlock start
        /usr/sbin/iptables ...YOUR_RULES...
        ;;
but you risk it being overwritten at the next upgrade. Or you prepare a custom executable start script in init.d (you can copy from one of the existing ones), assuming that you are in runlevel 5
    # runlevel
    5
then you will use rc5.d and create the script in /etc/init.d/rc5.d/S55Redirector
The key part of the script would be:
    case "$1" in
        start)
            echo -n "Applying redirect rules"
            /usr/sbin/iptables ...YOUR_RULES...
            /usr/sbin/iptables ...YOUR_RULES...
            /usr/sbin/iptables ...YOUR_RULES...
            rc_status -v
            ;;
    esac
OLD ANSWER
The fastest way to be sure that this is working is to set it up from yast.
From the root shell:
    yast
from the menu on the left, choose "Security"; from the one on the right, "Firewall".
In the "allowed services", add the services you need to have them accepted.
Depending on exact SuSE version, go down to "Masquerading". There you should be able to specify destination host as well as destination port.
As luck would have it, my only other LEAP machine is at home, currently down, and the other is not a firewall, so I can't verify or supply a third screenshot.
I suspect that you got the Custom rules right, but forgot to allow the incoming packets in the config file (it should go in /etc/sysconfig/SuSEfirewall2.d/services). If it doesn't work, you can get back to me ([email protected]) after Thursday when I'll be back home.
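A complete init script of the kind the UPDATE sketches, added here as a worked example; it is not LSerni's script and not anything shipped with SuSEfirewall2 or openSUSE. The address and ports are constructed placeholders, the IPTABLES variable is an assumed hook for dry-running with IPTABLES=echo, and the rc_status fallback covers the "rc_status: command not found" situation from the comments when /etc/rc.status is not sourced. The script deletes any existing copy of the rule before appending it, so repeated starts never stack duplicate rules, and it logs through logger -t as the comments suggest.

```shell
#!/bin/sh
# Example init script for a persistent same-host port redirect on openSUSE
# Leap (SuSEfirewall2 era). Added illustration, not code from the answer or
# the SuSEfirewall2 package. Install as /etc/init.d/redirector and link it as
# S55Redirector in the runlevel directory so it runs AFTER SuSEfirewall2 has
# loaded its rule set: SuSEfirewall2 flushes the nat table when it starts.
### BEGIN INIT INFO
# Provides:          redirector
# Required-Start:    $network
# Required-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Re-apply local NAT redirect rules
### END INIT INFO

# Constructed example values (replace with your own): traffic arriving for
# TCP port 80 on 192.0.2.10 is redirected to port 8080 on the same host.
DEST_ADDR="${DEST_ADDR:-192.0.2.10}"
FROM_PORT="${FROM_PORT:-80}"
TO_PORT="${TO_PORT:-8080}"

# Assumed hook: override with IPTABLES=echo to print the exact rules
# without touching the live tables.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

if [ -r /etc/rc.status ]; then
    . /etc/rc.status     # openSUSE's rc_status / rc_reset helpers
    rc_reset
else
    # Fallback when the include is missing (the "rc_status: command not
    # found" case from the comments): report the status of the previous
    # command in the same done/failed style.
    rc_status() {
        rc=$?
        if [ "$1" = "-v" ]; then
            if [ $rc -eq 0 ]; then echo "done"; else echo "failed"; fi
        fi
        return $rc
    }
fi

# Log through syslog (tag "redirector") so the run is visible in the
# system log, as suggested in the comments. Never fails the script.
log() {
    logger -t redirector "$*" 2>/dev/null || :
}

# Print the iptables arguments for the redirect; $1 is the rule action:
# A (append), D (delete) or C (check whether the rule already exists).
redirect_rule() {
    printf '%s' "-t nat -$1 PREROUTING -p tcp -d $DEST_ADDR --dport $FROM_PORT -j REDIRECT --to-ports $TO_PORT"
}

# Delete any existing copy first, then append: a restart or a repeated
# "start" never leaves duplicate rules in the nat table.
apply_rules() {
    $IPTABLES $(redirect_rule D) 2>/dev/null
    $IPTABLES $(redirect_rule A)
}

remove_rules() {
    $IPTABLES $(redirect_rule D)
}

main() {
    case "$1" in
        start)
            log "applying redirect $DEST_ADDR:$FROM_PORT -> local port $TO_PORT"
            printf 'Applying redirect rules '
            apply_rules
            rc_status -v
            ;;
        stop)
            log "removing redirect $DEST_ADDR:$FROM_PORT"
            printf 'Removing redirect rules '
            remove_rules
            rc_status -v
            ;;
        restart|force-reload)
            $0 stop
            $0 start
            rc_status
            ;;
        status)
            printf 'Checking redirect rules '
            $IPTABLES $(redirect_rule C) >/dev/null 2>&1
            rc_status -v
            ;;
        *)
            echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
            exit 1
            ;;
    esac
}

# Dispatch only when an action is given; sourcing the file with no arguments
# (for instance to exercise the functions above) leaves the firewall untouched.
[ $# -eq 0 ] || main "$@"
```

Run it once by hand as root with "start" before relying on the boot ordering, then confirm with `iptables -t nat -L PREROUTING -n` and check the syslog tag; if the rule is present after a manual start but gone after a reboot, the script ran before SuSEfirewall2 rebuilt the nat table and the S-number needs to be higher.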
SBhojani, updated on September 18, 2022
Comments
- SBhojani (over 1 year): I need to set up a firewall configuration rule so any requests sent to a specific port for a specific destination address get (transparently to the connecting application) redirected to a specific port on the same machine. I know the iptables command for this and I have set it up to work with FirewallD on other systems before. The trouble is that this time I need to set it up on OpenSuse (Leap). I am able to run my iptables command and have verified that the command works. The problem, of course, is that the setting is not persistent and is lost upon reboot. I have learned that OpenSuse uses something called SuseFirewall2 and that it allows setting up custom iptables rules by adding them to the /etc/sysconfig/scripts/SuSEfirewall2-custom file inside some functions. I have tried that and it doesn't seem to have any effect. I have also ensured that the FW_CUSTOMRULES setting in both /etc/sysconfig/SuSEfirewall2 and /sbin/SuSEfirewall2 is set to /etc/sysconfig/scripts/SuSEfirewall2-custom. I haven't found much useful information on the web and am not sure how to troubleshoot this issue. Is there something obvious that I am missing? Any suggestions as to what I should try are welcome too. Ideally I would like to solve this within the SuseFirewall2 setup and not throw it out completely and replace it with pure iptables scripts.
- SBhojani (about 6 years): The Masquerading options are disabled for me as it says "Masquerading needs at least one external interface and one other interface". Not sure what that means.
- SBhojani (about 6 years): Assuming, as you suspect, that I forgot to allow the incoming packets in the config file, how do I do that?
- LSerni (about 6 years): I am, as usual, a dimwit. Corrected answer, and accept my apologies (oh, you still need to accept the incoming packets for the externally visible ports in the "Allowed Services" section of the firewall).
- SBhojani (about 6 years): I went ahead and implemented the /etc/init.d/rc5.d/S55Redirector script as you suggested. Restarted the machine and my iptables rules were not automatically applied. I am not sure if that script actually ran at all. How do I debug this?
- LSerni (about 6 years): You can first verify whether the script runs correctly by starting it manually with 'start' as first argument. Inside the script you can write to /var/log/messages with: echo "Message" | logger -t myfirewall
- SBhojani (about 6 years): Just ran it manually and it said that it needs to be run as root, so I ran it with sudo. That applied my rules and produced the output "rc_status: command not found". Is the rc_status even needed, as it did successfully apply my rules? So, the script seems fine (enough?); how do I check whether, and why, the script doesn't run at start-up?
- LSerni (about 6 years): There is an rc include at the beginning of S scripts (you can find it in any other S script). To see when and how it runs, you set a logger inside the script as described above, then you can check /var/log/messages. Verify that you are indeed now in runlevel 5 by running the command runlevel.
- SBhojani (about 6 years): Got the rc_status thing resolved by copying the include. Now, there's no /var/log/messages file. I manually ran echo "Message" | logger -t myfirewall but that didn't create it either.
- SBhojani (about 6 years): I ended up adding my iptables command to /etc/init.d/after.local as described at unix.stackexchange.com/a/43255/162588.