
weird issue with iptables on suse

Red Squirrel

No Lifer
This is really weird, so it looks like iptables is running, yet I do not see a startup script in the startup script section, and I do not see it when I do ps aux. But it is running, because if I use the command to flush the rules and allow all, it has an effect.

Basically what I'm trying to do is open up a port. I am having trouble getting my startup script to run after whatever process is initializing iptables because there is no rc.local script in suse for some reason. Normally I put all my startup stuff in there because it executes after everything else.

I tried making a "service" that starts my script but that failed pretty hard. It's not a service I'm trying to run, but just a script.

Any way I can find out what is initializing iptables? I don't want to turn it off completely, I just want to use my script with my own rules instead of the default ones. Come to think of it, where does it store rules anyway? I've never been able to figure this out, hence why I always just make my own script that flushes the rules and puts in my own.
 
First off, iptables doesn't "run" because it's not a daemon, it's just a command interface to the kernel's firewall. If the kernel is running and the ip_tables module is loaded, then iptables is running regardless of the ruleset it's using.

I don't know where SuSE loads its rules from by default, but it would probably be best to find that and modify it. I'm sure YaST has a module for that or you can just 'grep iptables /etc/init.d/*' to see which script loads it, probably with iptables-restore.
 
Websearch for "suse firewall" hints that suse is peculiar. I do guess that it does have more than one /etc/init.d/* file for firewall, and they do something, like loading the kernel module and populating the netfilter with rules. However, there might be a config file (in /etc/sysconfig ?) that defines the rules, but not in iptables syntax. If so, YaST or whatever "graphical" configuration tool, is the only way to adjust the ruleset.

In no case should one use rc.local for this kind of operation: firewall should be up early, and a firewall with only half of its rules until boot completes sounds really bad™.
 
No idea if it's systemD, I did not change anything major so if that's the default then it is most likely that.

I managed to find the service, it's SuSEfirewall2_init and SuSEfirewall2_setup respectively. I was looking for iptables, ipchains, firewall, never thought of looking under "s"'s. 😛

I still have no idea where iptables stores its config though, even on RH. It's always been a mystery. So my script will do for now. It's not the 5 seconds of no firewall that will cause me to be hacked especially considering I'm the only person on this network. In fact I think my script is running even earlier. It kept being overwritten by the service being started. I used to just run with no firewall but considering iptables is trivial to add rules once a proper init script is setup I may as well run it.
 
On Redhat-based distros the config is in /etc/sysconfig/iptables and one should not edit it directly. One uses iptables to adjust the in-memory rules and then calls "service iptables save" to store them in file.
 
> No idea if it's systemD, I did not change anything major so if that's the default then it is most likely that.
>
> I managed to find the service, it's SuSEfirewall2_init and SuSEfirewall2_setup respectively. I was looking for iptables, ipchains, firewall, never thought of looking under "s"'s. 😛
>
> I still have no idea where iptables stores its config though, even on RH. It's always been a mystery. So my script will do for now. It's not the 5 seconds of no firewall that will cause me to be hacked especially considering I'm the only person on this network. In fact I think my script is running even earlier. It kept being overwritten by the service being started. I used to just run with no firewall but considering iptables is trivial to add rules once a proper init script is setup I may as well run it.

So you should probably spend a few minutes looking, it can't be too difficult. I bet if you open those scripts even you'll be able to find the file they use in under 2min. And then you can do it the proper way the distro expects it instead of writing your own scripts for no good reason.
 
> So you should probably spend a few minutes looking, it can't be too difficult. I bet if you open those scripts even you'll be able to find the file they use in under 2min. And then you can do it the proper way the distro expects it instead of writing your own scripts for no good reason.

Well how would I know, where would I look? You're making it sound like there would be a check box somewhere that says "Use SystemD". First time I even hear of it.

And open what scripts?

But anyway, I got it going so all is good. I prefer having a list of all the ACLs that I can edit than to blindly start shooting commands at the command line. At least with the list I can get an immediate visual of what all the rules are and what order they're in and easily alter it. It's essentially equivalent to putting them in the command line anyway, except it's a script.
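The "editable list of rules in a script" approach described above, as an added example that is not from any poster in this thread: rather than flushing to accept-all and re-adding rules one at a time, which leaves a short window with no filtering at every reload, the rules are kept as a list in the format iptables-save writes and iptables-restore reads, and loaded in a single atomic commit. The interface name eth0, the port list 22 80 443 and the path /tmp/firewall.rules are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: keep the ruleset as an editable list in
# iptables-save format and load it with iptables-restore, which replaces the
# whole filter table in one commit instead of flushing and re-adding rules.

# Constructed settings (assumptions): WAN interface and TCP ports to open.
WAN_IF="${WAN_IF:-eth0}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 443}"

# Emit the ruleset to stdout. Default policy is DROP on INPUT and FORWARD;
# loopback, established/related traffic and the listed ports are accepted.
# The list reads top to bottom in evaluation order, like the script the
# thread prefers, but nothing is applied until COMMIT.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $OPEN_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of rules that open a port, so the list can be checked against intent.
count_open_ports() {
    build_ruleset | grep -c -- '--dport'
}

# Write the list to a file, parse it without applying (iptables-restore --test),
# then apply it in one atomic table replace. Both restore calls need root.
load_ruleset() {
    rules_file="${1:-/tmp/firewall.rules}"   # hypothetical path
    build_ruleset > "$rules_file" || return 1
    iptables-restore --test < "$rules_file" || return 1
    iptables-restore < "$rules_file"
}
```

Because iptables-restore only commits after it has parsed the entire file, a typo in the list fails the load and leaves the previous rules in place, instead of leaving the host half-configured the way a flush-then-add script does when it aborts partway through.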
 

I did not even know that system existed before it was mentioned, how would I even know to look for it. 🙄

Some things are not really that easily searchable if you don't know what to search for. I had previously searched for "iptables config file" and other similar terms which led nowhere.
 
Indeed. It takes some educated guessing before any websearch hits a ballpark. By now, we have heard about "susefirewall2_setup". That hits something:
http://gitorious.org/opensuse/susef...a9dc0349f356af09ddab1e721/SuSEfirewall2_setup

That (if appropriate here) unfortunately only says that Suse uses a separate command:

SUSEFWALL="/sbin/SuSEfirewall2"
echo -n "Loading firewall rules "
$SUSEFWALL -q --bootunlock start

Be it script or binary, it ain't iptables directly, but I would look at it and its documentation to find out what it reads by default on "start".
 
> Indeed. It takes some educated guessing before any websearch hits a ballpark. By now, we have heard about "susefirewall2_setup". That hits something:

Sometimes simpler is better. This seems to pull up many relevant results...

https://duckduckgo.com/?q=suse+firewall

When searching, start with the basics, and throw out preconceived notions. What do I want to do? Firewall suse. Then if you need more particulars, drill down from there.
 
> Well how would I know, where would I look? You're making it sound like there would be a check box somewhere that says "Use SystemD". First time I even hear of it.
>
> And open what scripts?
>
> But anyway, I got it going so all is good. I prefer having a list of all the ACLs that I can edit than to blindly start shooting commands at the command line. At least with the list I can get an immediate visual of what all the rules are and what order they're in and easily alter it. It's essentially equivalent to putting them in the command line anyway, except it's a script.

I installed OpenSuSE in a VM today and it took me less than 2 minutes to figure out that /sbin/SuSEfirewall2 is the script that sets up the firewall and that its config file is /etc/sysconfig/SuSEfirewall2. It sucks that it's not the normal format that iptables-save and iptables-restore take, but it looks like a very well documented config file.
 
> I installed OpenSuSE in a VM today and it took me less than 2 minutes to figure out that /sbin/SuSEfirewall2 is the script that sets up the firewall and that its config file is /etc/sysconfig/SuSEfirewall2. It sucks that it's not the normal format that iptables-save and iptables-restore take, but it looks like a very well documented config file.

Well you know more about Linux than I do. I'm still learning.
 
FWIW, in Suse they use /etc/init.d/after.local as opposed to rc.local. You just have to create the file and make it executable.
 
> Well you know more about Linux than I do. I'm still learning.

Technically we're all still learning because everything changes over time. But I told you how to find it before I spent the time doing so myself. I'm sure you've heard of grep before, so using it to search through the startup scripts in /etc/init.d/ for iptables should have been the first logical step. That will tell you which script loads the firewall rules regardless of its name, then that script would have told you that it runs /sbin/SuSEfirewall2 which is also a script that is very well documented and tells you where its config file is located.
 