
I need to set up a firewall configuration rule so any requests sent to a specific port for a specific destination address get (transparently to the connecting application) redirected to a specific port on the same machine. I know the iptables command for this and I have set it up to work with FirewallD on other systems before.

The trouble is that this time I need to set it up on OpenSuse (Leap). I am able to run my iptables command and have verified that the command works. The problem, of course, is that the setting is not persistent and is lost upon reboot.

I have learned that OpenSuse uses something called SuseFirewall2 and that it allows setting up custom iptables rules by adding them to the /etc/sysconfig/scripts/SuSEfirewall2-custom file inside some functions. I have tried that and it doesn't seem to have any effect. I have also ensured that the FW_CUSTOMRULES setting in both /etc/sysconfig/SuSEfirewall2 and /sbin/SuSEfirewall2 is set to /etc/sysconfig/scripts/SuSEfirewall2-custom.

I haven't found much useful information on the web and am not sure how to troubleshoot this issue. Is there something obvious that I am missing? Any suggestions as to what I should try are welcome too.

Ideally I would like to solve this within the SuseFirewall2 setup and not throw it out completely and replace it with pure iptables scripts.

  • Why the down vote? Commented Mar 27, 2018 at 4:35
  • I see that OpenSuse also has the Firewalld software. The advantage would be that it's available on other distributions too, for example Fedora, RHEL, Arch and Ubuntu. Commented Apr 4, 2018 at 19:36

1 Answer

UPDATE

I had missed this critical detail - you want to redirect to the same machine. SuSEFirewall2 doesn't really support this.

So you either create an aliased interface, and redirect from your real interface to the alias; or you put your existing iptables rules into the appropriate script.

This might be /etc/sysconfig/network/scripts/firewall in the "net-reconfig-done" section:

    net-reconfig-done)
        [ "$FIREWALL" = 'yes' ] || exit 2
        sfw2_active || exit 3
        /sbin/SuSEfirewall2 --bootunlock start

        /usr/sbin/iptables ...YOUR_RULES...

but you risk it being overwritten at the next upgrade. Or you prepare a custom executable start script in init.d (you can copy from one of the existing ones), assuming that you are in runlevel 5

# runlevel
5

then you will use rc5.d and create the script in

/etc/init.d/rc5.d/S55Redirector

The key part of the script would be:

. /etc/rc.status    # SUSE helper functions providing rc_reset, rc_status and rc_exit
rc_reset
case "$1" in
    start)
        echo -n "Applying redirect rules"
        /usr/sbin/iptables ...YOUR_RULES...
        /usr/sbin/iptables ...YOUR_RULES...
        /usr/sbin/iptables ...YOUR_RULES...
        rc_status -v
        ;;
esac
rc_exit

OLD ANSWER

The fastest way to be sure that this is working is to set it up from yast.

From the root shell:

yast

From the menu on the left, choose "Security"; from the one on the right, "Firewall".

In the "allowed services", add the services you need to have accepted.

Depending on exact SuSE version, go down to "Masquerading". There you should be able to specify destination host as well as destination port.

As luck would have it, my only other LEAP machine is at home, currently down, and the other is not a firewall, so I can't verify or supply a third screenshot.

I suspect that you got the Custom rules right, but forgot to allow the incoming packets in the config file (it should go in /etc/sysconfig/SuSEfirewall2.d/services). If it doesn't work, you can get back to me ([email protected]) after Thursday when I'll be back home.

  • The Masquerading options are disabled for me as it says "Masquerading needs atleast one external interface and one other interface". Not sure what that means. Commented Apr 4, 2018 at 22:52
  • Assuming as you suspect that I forgot to allow the incoming packets in the config file, how do I do that? Commented Apr 4, 2018 at 22:53
  • I am, as usual, a dimwit. Corrected answer, and accept my apologies (oh, you still need to accept the incoming packets for the externally visible ports in the "Allowed Services" section of the firewall) Commented Apr 4, 2018 at 23:49
  • I went ahead and implemented the /etc/init.d/rc5.d/S55Redirector script as you suggested. Restarted the machine and my iptables rules were not automatically applied. I am not sure if that script actually ran at all. How do I debug this? Commented Apr 5, 2018 at 10:44
  • You can first verify whether the script runs correctly by starting it manually with 'start' as first argument. Inside the script you can write to /var/log/messages with echo "Message" | logger -t myfirewall. Commented Apr 5, 2018 at 10:50
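A fuller version of the S55Redirector script the answer sketches, written here as an added example (it is not the answer's own script nor part of SuSEfirewall2). It assumes the SUSE helper functions in /etc/rc.status and uses constructed address and port values (192.0.2.10, 80, 8080) that must be replaced; the iptables -C check keeps repeated starts from stacking duplicate rules, and the logger line leaves the /var/log/messages trace the last comment suggests:

```shell
#!/bin/sh
# /etc/init.d/rc5.d/S55Redirector (added example; assumes SUSE's /etc/rc.status helpers)

# Constructed example values; replace them with the real address and ports.
DST_ADDR="${DST_ADDR:-192.0.2.10}"  # address the client connects to
DST_PORT="${DST_PORT:-80}"          # port the client connects to
TO_PORT="${TO_PORT:-8080}"          # local port that actually serves the request
IPTABLES=/usr/sbin/iptables

# Rule specification after the chain name; one source of truth for -C/-A/-D.
redirect_spec() {
    echo "-p tcp -d $1 --dport $2 -j REDIRECT --to-ports $3"
}

# Insert only if absent, so repeated 'start' calls do not stack duplicate rules.
# PREROUTING covers traffic arriving from the network; connections originating
# on this host would need the same rule in the nat OUTPUT chain instead.
add_redirect() {
    spec=$(redirect_spec "$1" "$2" "$3")
    $IPTABLES -t nat -C PREROUTING $spec 2>/dev/null && return 0
    $IPTABLES -t nat -A PREROUTING $spec
}

del_redirect() {
    $IPTABLES -t nat -D PREROUTING $(redirect_spec "$1" "$2" "$3") 2>/dev/null
}

# Dispatch only when invoked with an action, as the init system does.
if [ $# -gt 0 ]; then
    . /etc/rc.status   # SUSE helpers: rc_reset, rc_status, rc_exit
    rc_reset
    case "$1" in
        start)
            echo -n "Applying redirect rules "
            add_redirect "$DST_ADDR" "$DST_PORT" "$TO_PORT"; rc=$?
            # Leaves a trace in /var/log/messages so a silent boot can be debugged.
            logger -t redirector "start $DST_ADDR:$DST_PORT -> :$TO_PORT rc=$rc"
            test "$rc" -eq 0; rc_status -v ;;
        stop)
            echo -n "Removing redirect rules "
            del_redirect "$DST_ADDR" "$DST_PORT" "$TO_PORT"; rc_status -v ;;
        status)
            $IPTABLES -t nat -C PREROUTING $(redirect_spec "$DST_ADDR" "$DST_PORT" "$TO_PORT") 2>/dev/null
            rc_status -v ;;
        *)  echo "Usage: $0 {start|stop|status}"; exit 1 ;;
    esac
    rc_exit
fi
```

Run it by hand first as ./S55Redirector start, as the comment above suggests, and check /var/log/messages for the redirector line. REDIRECT rewrites the destination port before the filter table sees the packet, so the local port (TO_PORT) is the one SuSEfirewall2's Allowed Services must accept.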
