How to configure firewall on OpenSuse (Leap) to set up NAT redirection?


UPDATE

I had missed this critical detail - you want to redirect to the same machine. SuSEFirewall2 doesn't really support this.

So you either create an aliased interface, and redirect from your real interface to the alias; or you put your existing iptables rules into the appropriate script.

This might be /etc/sysconfig/network/scripts/firewall in the "net-reconfig-done" section:

    net-reconfig-done)
        [ "$FIREWALL" = 'yes' ] || exit 2
        sfw2_active || exit 3
        /sbin/SuSEfirewall2 --bootunlock start

        /usr/sbin/iptables ...YOUR_RULES...

but you risk it being overwritten at the next upgrade. Or you prepare a custom executable start script in init.d (you can copy from one of the existing ones), assuming that you are in runlevel 5

# runlevel
5

then you will use rc5.d and create the script in

/etc/init.d/rc5.d/S55Redirector

The key part of the script would be:

. /etc/rc.status    # rc helper functions (rc_status, rc_reset), as in the existing S scripts
rc_reset

case "$1" in
    start)
        echo -n "Applying redirect rules"
        /usr/sbin/iptables ...YOUR_RULES...
        /usr/sbin/iptables ...YOUR_RULES...
        /usr/sbin/iptables ...YOUR_RULES...
        rc_status -v
        ;;
esac

OLD ANSWER

The fastest way to be sure that this is working is to set it up from yast.

From the root shell:

yast

from the menu on the left, choose "Security"; from the one on the right, "Firewall".

In the "allowed services", add the services you need to have them accepted.


Depending on the exact SuSE version, go down to "Masquerading". There you should be able to specify the destination host as well as the destination port.

As luck would have it, my only other LEAP machine is at home, currently down, and the other is not a firewall, so I can't verify or supply a third screenshot.

I suspect that you got the Custom rules right, but forgot to allow the incoming packets in the config file (it should go in /etc/sysconfig/SuSEfirewall2.d/services). If it doesn't work, you can get back to me ([email protected]) after Thursday when I'll be back home.
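As an added example (not the answer's own script), here is what a complete S55Redirector along the lines of the UPDATE section could look like, including the /etc/rc.status include that provides rc_status and the logger-based tracing suggested in the comments. The redirect rule itself is a constructed placeholder: traffic for 192.0.2.10 (a TEST-NET-1 address) on TCP port 80 is redirected to local port 8080, and the iptables path, the myfirewall logger tag and the LSB header are assumptions. The start action checks for the rule before adding it, so re-running the script (or a firewall restart followed by a manual start) does not stack duplicate rules:

```shell
#!/bin/sh
# Hypothetical /etc/init.d/rc5.d/S55Redirector (added example, not from the answer).
# Constructed values: destination 192.0.2.10 (TEST-NET-1), redirect port 80 -> 8080.
### BEGIN INIT INFO
# Provides:       redirector
# Required-Start: $network
# Default-Start:  5
# Description:    Re-apply a local port redirect after SuSEfirewall2 has started
### END INIT INFO

# openSUSE's rc helpers (rc_status, rc_reset) live in /etc/rc.status; this is the
# include the comments found missing. Fall back to a no-op so the functions can
# also be exercised on a machine without it.
if [ -r /etc/rc.status ]; then
    . /etc/rc.status
    rc_reset
else
    rc_status() { :; }
fi

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # assumed path, as in the answer
DEST_ADDR="${DEST_ADDR:-192.0.2.10}"          # constructed: address whose traffic is redirected
FROM_PORT="${FROM_PORT:-80}"                  # constructed: port clients connect to
TO_PORT="${TO_PORT:-8080}"                    # constructed: local port that is really listening

# Write to syslog as suggested in the comments; tolerate a missing logger binary.
log_msg() { logger -t myfirewall "$*" 2>/dev/null || :; }

# The rule as arguments to "iptables -t nat <action>". REDIRECT only rewrites the
# destination port on this host, which is the "same machine" case in the question.
redirect_rule() {
    echo "PREROUTING -d $DEST_ADDR -p tcp --dport $FROM_PORT -j REDIRECT --to-ports $TO_PORT"
}

# "-C" returns 0 when the rule already exists; keeps start idempotent across restarts.
rule_present() { $IPTABLES -t nat -C $(redirect_rule) 2>/dev/null; }

apply_rules() {
    if rule_present; then
        log_msg "redirect rule already present, nothing to do"
        return 0
    fi
    $IPTABLES -t nat -A $(redirect_rule) || { log_msg "failed to add redirect rule"; return 1; }
    log_msg "added redirect rule: $(redirect_rule)"
}

remove_rules() {
    # Delete every copy, in case an earlier non-idempotent run added duplicates.
    while rule_present; do
        $IPTABLES -t nat -D $(redirect_rule) || return 1
    done
    log_msg "removed redirect rule"
}

# With an argument (start/stop/status) act on it; with none, only define the
# functions so the file can be sourced for manual testing.
case "${1:-}" in
    start)  printf 'Applying redirect rules '; apply_rules; rc_status -v ;;
    stop)   printf 'Removing redirect rules '; remove_rules; rc_status -v ;;
    status) if rule_present; then echo "redirect rule active"; else echo "redirect rule absent"; fi ;;
    "")     ;;
    *)      echo "Usage: $0 {start|stop|status}" >&2; exit 1 ;;
esac
```

Run it once by hand as root with `start`, then `status`, and compare against `iptables -t nat -S PREROUTING`; at boot, the `myfirewall` tag lets you grep the syslog for whether and when the script ran. Because SuSEfirewall2 rebuilds its tables when it starts, the script must be ordered after it, which is also why the answer places the custom rules after `SuSEfirewall2 --bootunlock start`.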


Author: SBhojani

Updated on September 18, 2022

Comments

  • SBhojani, over 1 year

    I need to set up a firewall configuration rule so any requests sent to a specific port for a specific destination address get (transparently to the connecting application) redirected to a specific port on the same machine. I know the iptables command for this and I have set it up to work with FirewallD on other systems before.

    The trouble is that this time I need to set it up on OpenSuse (Leap). I am able to run my iptables command and have verified that the command works. The problem, of course, is that the setting is not persistent and is lost upon reboot.

    I have learned that OpenSuse uses something called SuseFirewall2 and that it allows setting up custom iptables rules by adding them to the /etc/sysconfig/scripts/SuSEfirewall2-custom file inside some functions. I have tried that and it doesn't seem to have any effect. I have also ensured that the FW_CUSTOMRULES setting in both /etc/sysconfig/SuSEfirewall2 and /sbin/SuSEfirewall2 is set to /etc/sysconfig/scripts/SuSEfirewall2-custom.

    I haven't found much useful information on the web and am not sure how to troubleshoot this issue. Is there something obvious that I am missing? Any suggestions as to what I should try are welcome too.

    Ideally I would like to solve this within the SuseFirewall2 setup and not throw it out completely and replace with pure iptables scripts.

    • SBhojani, about 6 years
      Why the down vote?
    • Cristian Ciupitu, about 6 years
      I see that OpenSuse also has the Firewalld software. The advantage would be that it's available on other distributions too, for example Fedora, RHEL, Arch and Ubuntu.
  • SBhojani, about 6 years
    The Masquerading options are disabled for me as it says "Masquerading needs atleast one external interface and one other interface". Not sure what that means.
  • SBhojani, about 6 years
    Assuming as you suspect that I forgot to allow the incoming packets in the config file, how do I do that?
  • LSerni, about 6 years
    I am, as usual, a dimwit. Corrected answer, and accept my apologies (oh, you still need to accept the incoming packets for the externally visible ports in the "Allowed Services" section of the firewall)
  • SBhojani, about 6 years
    I went ahead and implemented the /etc/init.d/rc5.d/S55Redirector script as you suggested. Restarted the machine and my iptables rules were not automatically applied. I am not sure if that script actually ran at all. How do I debug this?
  • LSerni, about 6 years
    You can first verify whether the script runs correctly by starting it manually with 'start' as first argument. Inside the script you can write to /var/log/messages with echo "Message" | logger -t myfirewall.
  • SBhojani, about 6 years
    Just ran it manually and it said that it needs to be run as root, so I ran it with sudo. That applied my rules and produced the output rc_status: command not found. Is the rc_status even needed, as it did successfully apply my rules? So, the script seems fine (enough?); how do I check whether/why the script doesn't run at start up?
  • LSerni, about 6 years
    There is an rc include at the beginning of S scripts (you can find it in any other S script). To see when and how it runs, you set a logger inside the script as described above, then you can check /var/log/messages. Verify that you are indeed now in runlevel 5 by running the command runlevel.
  • SBhojani, about 6 years
    Got the rc_status thing resolved by copying the include. Now, there's no /var/log/messages file. I manually ran echo "Message" | logger -t myfirewall but that didn't create it either.
  • SBhojani, about 6 years
    I ended up adding my iptables command to /etc/init.d/after.local as described at unix.stackexchange.com/a/43255/162588.