Pegasi Wiki

This wiki acts as a memo for our own work, so why not share it? Feel free to browse and use our notes, and leave a note while you are at it.

Replace SuSE Firewall with /etc/sysconfig/iptables

I tried to say it in a decent manner but I just cannot keep this inside me: SuSEfirewall is just terrible. But then that is just me, who has used /etc/sysconfig/iptables since it arrived in CentOS / RHEL. I am sure it does well enough on a client, but I still think it is important to learn iptables itself so you know what you are really doing. And if you ever run servers you will have to do it this way anyway.

Remove SuSEfirewall and install iptables

zypper rm SuSEfirewall2
zypper in iptables

Set up basic firewall rules

Open the iptables configuration file (it uses the iptables-save format that iptables-restore reads):

vim /etc/sysconfig/iptables

Put basic rules in it to make your Linux safe. The example below drops everything inbound by default, accepts traffic on the loopback interface and replies to connections the host itself opened, and logs whatever is about to be dropped. Note that it does not open any service, not even SSH: if you are working on the box over SSH, add an SSH rule (see the next section) before you load this, or you will lock yourself out. Example content (iptables-restore ignores lines starting with #):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# loopback: match the interface, not the source address, so a packet arriving
# from the wire with a spoofed 127.0.0.1 source does not qualify
-A INPUT -i lo -j ACCEPT
# log what is about to hit the DROP policy; rate-limit it so a scan cannot flood the log
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
COMMIT

Put the rules in effect (iptables-restore also takes -t / --test, which parses the file without committing it, so you can catch a syntax error before it replaces the running rules):

iptables-restore /etc/sysconfig/iptables

Add or remove rules afterwards

Add and save a new rule from the command line. -I inserts at the top of the chain, so the rule is evaluated before the ones loaded from the file. For example, to allow SSH from 1.2.3.4:

iptables -I INPUT -p tcp -m tcp -s 1.2.3.4 --dport 22 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Removing a rule is easiest done by deleting the corresponding line from the config file and loading the file again (the same command with -D instead of -I would delete it from the running ruleset, but without editing the file it would come back on the next load):

iptables-restore /etc/sysconfig/iptables
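Putting the "Set up basic firewall rules" and "Add or remove rules afterwards" sections together, here is an added example that is not code from this page: a shell script that generates a baseline ruleset for /etc/sysconfig/iptables with SSH opened only to the sources you name, sanity-checks the file offline (no root needed) for the classic mistakes, and applies it with an automatic rollback so a typo cannot lock you out of a remote box. It goes slightly beyond the page's ruleset (conntrack instead of the older state match, a drop for INVALID packets, rate-limited ping and logging). The function names and the addresses 192.0.2.10 / 198.51.100.0/24 are this example's own; it assumes bash or a POSIX sh, iptables-save and iptables-restore in PATH, and root only for the apply step.

```shell
#!/bin/bash
# Added example, not from the Pegasi Wiki page. Generate, check and safely apply
# an iptables-restore ruleset. Function names are this example's own.
# Assumes: bash or POSIX sh; iptables-save/iptables-restore in PATH; root for apply.

# gen_ruleset [SSH_SOURCE...] : print a ruleset in iptables-restore format.
# INPUT/FORWARD default to DROP, loopback is matched by interface (not by a
# source address a spoofed packet could carry), reply traffic is allowed via
# conntrack, ssh is open only to the listed sources, and everything else is
# logged at a limited rate before it falls through to the DROP policy.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    for src in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $src --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# check_ruleset FILE : textual checks that need neither root nor kernel access.
# Returns 0 when the file looks safe to hand to iptables-restore, 1 otherwise,
# with each finding on stderr.
check_ruleset() {
    local f=$1 rc=0 tables commits
    if ! grep -q '^\*filter$' "$f"; then
        echo "check: no *filter table in $f" >&2; rc=1
    fi
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "check: $tables table header(s) but $commits COMMIT line(s)" >&2; rc=1
    fi
    # the classic lock-out: policy DROP and nothing lets a new ssh session in
    if grep -q '^:INPUT DROP' "$f" && ! grep -q -- '--dport 22 .*-j ACCEPT' "$f"; then
        echo "check: INPUT policy is DROP and no rule accepts tcp/22; a remote session would be cut off" >&2; rc=1
    fi
    if grep -q '^-A INPUT -s 127\.0\.0\.1' "$f"; then
        echo "check: loopback allowed by source address; use '-i lo' instead" >&2; rc=1
    fi
    return "$rc"
}

# apply_ruleset FILE [SECONDS] : let the kernel parse FILE (iptables-restore
# --test), save the running rules, load FILE, then schedule a rollback to the
# saved rules after SECONDS (default 60). Confirm the new rules by killing the
# printed PID in time; if the new rules cut your session, the old ones return.
apply_ruleset() {
    local f=$1 grace=${2:-60} backup
    check_ruleset "$f" || return 1
    iptables-restore --test "$f" || { echo "apply: iptables-restore rejected $f" >&2; return 1; }
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore "$f" || return 1
    ( sleep "$grace"; iptables-restore "$backup"; rm -f "$backup" ) &
    echo "loaded $f; rolling back to $backup in ${grace}s unless you run: kill $!"
}

# usage: ./fw.sh generate 192.0.2.10 198.51.100.0/24 > /etc/sysconfig/iptables
#        ./fw.sh check /etc/sysconfig/iptables
#        ./fw.sh apply /etc/sysconfig/iptables 90
case "${1:-}" in
    generate) shift; gen_ruleset "$@" ;;
    check)    check_ruleset "$2" ;;
    apply)    apply_ruleset "$2" "${3:-60}" ;;
esac
```

The rollback timer is the part worth copying even if you keep writing the file by hand: once `kill` of the printed PID succeeds you know the new rules let you in, and if they did not, the previous iptables-save output is restored without anyone at the console. The offline check is deliberately textual so it can run from a CI job or a non-root shell before the file is copied to the host.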

Make it persistent

Is it persistant or persistent? :)

First let's make a systemd unit file. Put it in /etc/systemd/system/iptables.service rather than under /usr/lib/systemd/system, which is reserved for units installed by packages, with the following contents (then run systemctl daemon-reload so systemd reads it):

[Unit]
Description=IPv4 firewall with iptables
# load the rules before any network interface is brought up
Wants=network-pre.target
Before=network-pre.target ip6tables.service
AssertPathExists=/etc/sysconfig/iptables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /etc/sysconfig/iptables
ExecReload=/usr/sbin/iptables-restore /etc/sysconfig/iptables
# flushes the filter chains only; the DROP policies stay in place (see below)
ExecStop=/usr/sbin/iptables -F

[Install]
WantedBy=basic.target

The unit above does not fully reset the firewall on systemctl stop iptables: iptables -F only empties the chains of the filter table, the DROP policies stay, so after a stop the host drops all new inbound connections. I do not want it to open up on stop. If you need it to, make a script which issues the following commands:

#!/bin/sh
# reset to a fully open firewall: policies ACCEPT, every table flushed, user-defined chains removed
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -F
iptables -X

And set it as the ExecStop= command in the unit above.

Finally we enable the service:

systemctl enable iptables

Now the iptables rules are loaded on every reboot.
