
How to configure Iptables in OpenSuse?


Mohan
Sep 1, 2022, 10:22:58 AM
Hello Experts,

I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"

I am trying to enable the iptables rules to allow port `22` for all IPs and `80` & `443` for specific IP addresses with the below commands.

1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT

Then I have restarted the iptables service with the below command,

service SuSEfirewall2 restart

However, from the `10.11.12.50` address the web server on `80` & `443` is not accessible.

I can't see the applied rules in the below list.

# iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

Kindly let me know what I'm missing in the iptables rule settings?

Also, let me know how the rules can stay applied even after a server reboot. They shouldn't be reset to default.

Bit Twister
Sep 1, 2022, 10:41:42 AM
On Thu, 1 Sep 2022 07:22:56 -0700 (PDT), Mohan wrote:
> Hello Experts,
>
> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>
> I am trying to enable the iptables rules to allow port `22` for all IPs and `80` & `443` for specific IP addresses with the below commands.
>
> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>
> Then I have restarted the iptables service with the below command,
>
> service SuSEfirewall2 restart
>
> However, from the `10.11.12.50` address the web server on `80` & `443` is not accessible.

I do not know iptables enough to point out where you have the problem, but
I have seen that kind of message when a prior rule prevented the new rule
from being accessed.

Solution for that user was to move the new rule above the rule causing the conflict.

Carlos E.R.
Sep 1, 2022, 4:00:09 PM
On 2022-09-01 16:22, Mohan wrote:
> Hello Experts,
>
> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"

That's obsolete and out of support.

>
> I am trying to enable the iptables rules to allow port `22` for all IPs and `80` & `443` for specific IP addresses with the below commands.
>
> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>
> Then I have restarted the iptables service with the below command,
>
> service SuSEfirewall2 restart

I don't think you can use iptables and SuSEfirewall2 simultaneously
unless you know better.

If you want to open those ports with SuSEfirewall2 alone, then I can help.

--
Cheers, Carlos.

marrgol
Sep 1, 2022, 4:37:58 PM
On 01/09/2022 at 16.22, Mohan wrote:
> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>
> I am trying to enable the iptables rules to allow port `22` for all IPs and `80` & `443` for specific IP addresses with the below commands.
>
> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>
> Then I have restarted the iptables service with the below command,
>
> service SuSEfirewall2 restart

SuSEfirewall2 keeps its own iptables configuration, so that restart
removed the rules you'd entered manually with the iptables command.
Use yast to enter your custom rules into SuSEfirewall2's
configuration permanently. Or edit the /etc/sysconfig/SuSEfirewall2
file directly.


--
mrg

Carlos E.R.
Sep 1, 2022, 6:00:09 PM
The latter. The file contains configuration entries to do exactly what he
tried to do.


--
Cheers, Carlos.

marrgol
Sep 1, 2022, 8:34:50 PM
For simple rules like those above it's certainly simpler and quicker
and less error prone to use yast to have them entered into that file
-- no need to manually search through the file for which entry to modify
and how. Unless someone really wants to… :-)


--
mrg

MK
Sep 2, 2022, 3:35:06 AM
Hello Carlos E.R,

That means the commands I have executed are applicable to iptables and don't have any connection with SuSEfirewall2. Thanks for clarifying.

Now please let me know which one is better in openSUSE, and how do I block IPs and allow access only to specific IPs?

Example:
I have a Jenkins web server (IP - 10.50.60.70); this server's SSH port 22, and 80 and 443, should be allowed only to specific addresses.
Let's say 1) 10.11.12.50, 2) 10.11.12.51, 3) 10.11.12.53.

Only the above three IPs should be allowed to access 22, 80 & 443 of the Jenkins web server.



Carlos E.R.
Sep 2, 2022, 7:44:10 AM
On 2022-09-02 09:35, MK wrote:
> On Friday, September 2, 2022 at 6:04:50 AM UTC+5:30, marrgol wrote:
>> On 01/09/2022 at 23.57, Carlos E.R. wrote:
>>>>> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>>>>>
>>>>> I am trying to enable the iptables rules to allow port `22` for all
>>>>> IPs and `80` & `443` for specific IP addresses with the below commands.
>>>>>
>>>>> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
>>>>> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
>>>>> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>>>>>
>>>>> Then I have restarted the iptables service with the below command,
>>>>>
>>>>> service SuSEfirewall2 restart
>>>>
>>>> SuSEfirewall2 keeps its own iptables configuration, so that restart
>>>> removed the rules you'd entered manually with the iptables command.
>>>> Use yast to enter your custom rules into SuSEfirewall2's
>>>> configuration permanently. Or edit the /etc/sysconfig/SuSEfirewall2
>>>> file directly.
>>>
>>> The latter. The file contains configuration entries to do exactly what he
>>> tried to do.
>> For simple rules like those above it's certainly simpler and quicker
>> and less error prone to use yast to have them entered into that file
>> -- no need to manually search through the file for which entry to modify
>> and how. Unless someone really wants to… :-)
>>
>
> Hello Carlos E.R,
>
> That means the commands I have executed are applicable to iptables and don't have any connection with SuSEfirewall2. Thanks for clarifying.
>
> Now please let me know which one is better in openSUSE, and how do I block IPs and allow access only to specific IPs?
>
> Example:
> I have a Jenkins web server (IP - 10.50.60.70); this server's SSH port 22, and 80 and 443, should be allowed only to specific addresses.
> Let's say 1) 10.11.12.50, 2) 10.11.12.51, 3) 10.11.12.53.
>
> Only the above three IPs should be allowed to access 22, 80 & 443 of the Jenkins web server.

As others said, you use YaST.


Or, edit /etc/sysconfig/SuSEfirewall2

FW_TRUSTED_NETS="1.10.11.12.50,tcp,ssh 2.10.11.12.51,tcp,ssh \
1.10.11.12.50,tcp,http 2.10.11.12.51,tcp,http \
1.10.11.12.50,tcp,https 2.10.11.12.51,tcp,https \
"

Then run "SuSEfirewall2" to activate the changes (assuming you have it
active by default already).

--
Cheers, Carlos.

MK
Sep 5, 2022, 6:11:23 AM
Hello Carlos,
I have edited the /etc/sysconfig/SuSEfirewall2 file and added the below content:

FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
10.11.12.50,tcp,http 10.11.12.51,tcp,http \
10.11.12.50,tcp,https 10.11.12.51,tcp,https \
"
To activate it I executed "SuSEfirewall2" on the terminal. Now http & https are working as expected. But ssh (port 22) access works even from IPs other than those enabled above.

Am I still missing something?

Carlos E.R.
Sep 5, 2022, 9:08:09 AM
Check the entire file; it will also be opened by another entry somewhere.

cat /etc/sysconfig/SuSEfirewall2 | \
egrep -v "^[[:space:]]*$|^#" | less -S


And search for ssh.


--
Cheers, Carlos.
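As an added example (not code from the thread or from SuSEfirewall2 itself), a small bash audit for the step Carlos describes in his last reply and for MK's symptom of ssh staying reachable from hosts not listed in FW_TRUSTED_NETS: it lists the active settings of a SuSEfirewall2 sysconfig file and reports which entry opens a service only to trusted hosts and which opens it to everyone. The sample file is constructed here; FW_SERVICES_EXT_TCP and FW_CONFIGURATIONS_EXT are real SuSEfirewall2 variables not mentioned in the thread, and matching "sshd"-style service definitions by name prefix is an assumption of this example.

```shell
# Added example: audit a SuSEfirewall2 sysconfig file and report every setting
# that opens a given service, so a port that stays reachable from everywhere
# (as ssh/22 did for MK) can be traced to the entry opening it.

# Active settings only: join backslash-continued lines, drop blanks and comments
# (Carlos's filter, with the continuation lines re-joined first).
active_settings() {   # $1 = path to the sysconfig file
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" | grep -Ev '^[[:space:]]*$|^[[:space:]]*#'
}

# Print "<VARIABLE> <token> <scope>" for every token that opens the service.
# FW_TRUSTED_NETS entries apply only to the listed host ("restricted");
# FW_SERVICES_EXT_TCP and FW_CONFIGURATIONS_EXT open it to the whole
# external zone ("everyone"), which is what defeats a trusted-hosts list.
who_opens() {   # $1 = config file, $2 = service name (ssh), $3 = port number (22)
    local svc="$2" port="$3" var val tok
    active_settings "$1" | while IFS='=' read -r var val; do
        val=${val#\"}; val=${val%\"}          # strip the surrounding quotes
        for tok in $val; do
            case "$var" in
                FW_TRUSTED_NETS)
                    case "$tok" in *,"$svc"|*,"$port") echo "$var $tok restricted";; esac ;;
                FW_SERVICES_EXT_TCP)
                    case "$tok" in "$svc"|"$port") echo "$var $tok everyone";; esac ;;
                FW_CONFIGURATIONS_EXT)
                    # service definitions such as "sshd"; matching the service
                    # name as a prefix is an assumption made for this example
                    case "$tok" in "$svc"*) echo "$var $tok everyone";; esac ;;
            esac
        done
    done
}

world_reachable() {   # exit 0 when some setting opens the service to every host
    who_opens "$@" | grep -q ' everyone$'
}

# Constructed sample resembling MK's edited /etc/sysconfig/SuSEfirewall2.
CONF=$(mktemp); trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
10.11.12.50,tcp,http 10.11.12.51,tcp,http \
10.11.12.50,tcp,https 10.11.12.51,tcp,https \
"
FW_SERVICES_EXT_TCP="ssh"
FW_CONFIGURATIONS_EXT=""
EOF

who_opens "$CONF" ssh 22
world_reachable "$CONF" ssh 22 && echo "ssh/22 is still open to every host: remove it from the 'everyone' entries"
```

Run it against the real file with `who_opens /etc/sysconfig/SuSEfirewall2 ssh 22` after the sample section; every line ending in "everyone" is an entry that has to go before the FW_TRUSTED_NETS restriction takes effect.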