How can I translate this VPN Internet Kill Switch from firewalld to its openSUSE firewall equivalent?

Hi. First I would like to introduce myself. I have been a Linux user for about 1 year. I started about 1 year ago with Fedora 24 x64 Cinnamon edition. My Fedora 24 is near EOL (it will die on 11/8/2017). I was planning to stay with Fedora & upgrade to Fedora 26 … However, many bugs (some of them annoying, like the DNF autoremove bug, PackageKit bugs, other DNF bugs, Yumex-dnf bugs, …) make me feel hopeless with Fedora & searching for an alternative distro. First I thought of Debian, but its old packages are annoying … Finally I found openSUSE (Leap version). It takes a midway between distros, being very stable (some say more than Debian) & having recent package versions (slightly less recent than Fedora).

The chief blockage that stops me from moving to openSUSE is the VPN Internet Kill Switch. On Fedora I achieved success with this & posted guides in the Fedora forum:

http://www.forums.fedoraforum.org/showthread.php?t=312688

http://www.forums.fedoraforum.org/showthread.php?t=312722

http://www.forums.fedoraforum.org/showthread.php?t=314125

I searched for how to translate the Kill Switch scripts from firewalld (of Fedora) to the openSUSE firewall. Can anyone please help me with this?

I would like to translate the following sets of firewalld rules to their corresponding openSUSE firewall rules:

1st set:

     sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
     sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
     sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP

2nd set:

      sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
      sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
      sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP

3rd set:

     sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
     sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 443 -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
     sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP

4th set:

      sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
      sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 443 -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
      sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
      sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP

The total script is:

#! /bin/bash
echo
echo "=========================================================================="
echo "Script for VPN Internet Kill Switch + IPv6 Leak Protection using Firewalld"
echo "=========================================================================="
echo
echo "Enter one of following choices (on / off, or ON / OFF):"
echo -e "\e[44mon\e[0m: to establish unidirectional kill switch"
echo -e "\e[44moff\e[0m: to remove already established unidirectional kill switch"
echo -e "\e[44mON\e[0m: to establish bidirectional kill switch"
echo -e "\e[44mOFF\e[0m: to remove already established bidirectional kill switch"
read var
echo
case $var in
    on ) echo "Toggle ON Unidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
         echo
         echo "Warning: connection to VPN should be established before running this script. Otherwise any Internet connection will be impossible!"
         echo "This script only allows VPN output! It does not provide DNS leak protection!"
         echo
         echo "Establishing firewalld rules is starting!"
         sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
         sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
         sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
         sudo -k
         echo "Establishing firewalld rules is completed!"
         echo
         echo -e "\e[32mVPN Internet Kill Switch is enabled! Only VPN output is allowed now!"
         echo -e "\e[32mEnjoy surfing Internet safely!\e[0m"
         ;;
    off ) echo "Toggle OFF Unidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
          echo
          echo "Removing firewalld rules is starting!"
          sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
          sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
          sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
          sudo -k
          echo "Removing firewalld rules is completed!"
          echo
          echo "VPN Internet Kill Switch is disabled!"
          ;;
    ON ) echo "Toggle ON Bidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
         echo
         echo "Warning: connection to VPN should be established before running this script. Otherwise any Internet connection will be impossible!"
         echo "This script only allows VPN output! It does not provide DNS leak protection!"
         echo
         echo "Establishing firewalld rules is starting!"
         sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
         sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 443 -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
         sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
         sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
         sudo -k
         echo "Establishing firewalld rules is completed!"
         echo
         echo -e "\e[32mVPN Internet Kill Switch is enabled! Both VPN output & input are allowed now!"
         echo -e "\e[32mEnjoy surfing Internet safely!\e[0m"
         ;;
    OFF ) echo "Toggle OFF Bidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
          echo
          echo "Removing firewalld rules is starting!"
          sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
          sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 443 -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
          sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
          sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
          sudo -k
          echo "Removing firewalld rules is completed!"
          echo
          echo "VPN Internet Kill Switch is disabled!"
          ;;
    * ) echo -e "\e[31mInvalid input! Please re-run this script with valid choice! If you use --up option of openvpn, you should kill process by Ctrl+C then re-run openvpn\e[0m"
esac

I feel very sad about this blockage that blocks me from such a great distro like openSUSE. I’m tired of Fedora’s problems. Its SELinux power was very attractive to me, but vital bugs in other packages like DNF, the GUI package manager, PackageKit conflicts with DNF …

I need this script because it works 100% without any need to enter VPN IP addresses.

Best.

Although we normally manage iptables using SuSEfirewall, you can install a different firewall or manage your firewall using another firewall manager if you wish.

You can use your firewalld rules if you install firewalld.
I don’t use firewalld, but I do notice it uses ebtables instead of iptables.
To avoid confusion I recommend you uninstall SuSEfirewall.

You can run the following commands in an elevated console (unlike other distros, we support invoking su to elevate a console instead of invoking sudo repetitiously).

zypper rm SuSEfirewall2 yast2-firewall

Install firewalld

zypper in firewalld

I took a brief look at what is installed; it looks very complete with plenty of documentation.
Like any other freshly installed app, the app is stopped.
Run the following to start your firewalld daemon:

systemctl start firewalld

Run the following command to configure your firewall to start automatically on boot

systemctl enable firewalld

Remember that running firewalld is an unusual configuration, so if you ever ask for help you will need to state up front that you’re running firewalld instead of SuSEfirewall and iptables.

HTH,
TSU

What amazes me is the liberal usage of sudo in about every statement. Like a plague.

You better run the script as root (one sudo, if you want to use sudo for running things as root) and remove all those in the script.

Yes, you are correct, but NOT WITH FEDORA! In Fedora it is not possible because the configuration of sudo differs from that of other distros. In Fedora, if I delete “sudo” from the script & run it as “sudo scriptname.sh”, then I will be asked to enter the sudo password for every line that needs it!!! So, there is no point in a script in this case. This is quite true if you store the script in the convenient place “home/username/.local/bin” as I do. If you like to run the script with sudo without putting sudo inside the script, & at the same time you like Fedora not to ask you for the sudo password for every script command that needs it, then you need to store the script in a special folder you cannot touch except via “sudo su” (root #), which is very dangerous & better to avoid logging in as root at all … Again, this is special to Fedora, which is a SUPERSECURE distro.

Thank you for your kind response. I have 2 points:

  1. Do you know an iptables script to achieve a VPN Kill Switch that DOES NOT ASK FOR VPN IPs? VPN IP(s) are a severe pain! I have to change them every time I like to change location (country). Also each country has many servers & each of these has its own IP or IPs … It is really a pain.

If you know an iptables script that does not need VPN IP(s), then you will solve this issue.

  2. You said “(Unlike other distros, we support invoking su to elevate a console instead of invoking sudo repetitiously)”!!!

What do you mean?
Do you mean that openSUSE has no sudo package at all?!
Do you mean that I cannot use zypper with sudo?
Do you mean that openSUSE uses only su??

I tried to install openSUSE Leap 42.2 months ago on my old laptop. During installation it asked me to enter the 1st user account password to be the sudo password, & in this case the 1st user account will be the administrator (sudo power) user. Also, it gave me, “if I wish to gain an additional layer of security”, the option to activate the root account & enter a root password (su password) … So, how do you say that openSUSE uses su instead of sudo?? Please, your kind explanation about this point. I feel that there is a misunderstanding about this …

No.
No.
No.

Sudo is there and it is used by many (influenced by using other distributions?), but I personally prefer

su -

Maybe better read this: SDB:Login as root - openSUSE Wiki

I understand now. It was confusion. It is your opinion as the openSUSE community & users that su is better than sudo … Like Redhat’s opinion that activation of the root account is better (& an additional security layer, as you also agree with them), while Debian says, on the contrary, that disabling the root account is better for security …

The Unix world started with su. For the user that uses su to “become the superuser root” knowledge of root’s password is required.

Later sudo was created and designed to make it possible for certain users to do certain tasks that require Superuser processes. Configurable in sudoers. You can configure to ask for the password of the user that is to be used (mostly root again), or the password of the user executing sudo (this user then does not need to know the root password, but there is some protection against passers by at an open session).

The default openSUSE installation installs a sudoers that will ask for the root password, and that is the same behaviour as su. My conclusion: why should I use a more complicated tool like sudo where su does the same?

Thus I use

su - -c "one command"

or

su -
.......
.......
exit

when I need a more elaborate Superuser session. That is either done directly, but much more often by using the Konsole (root) (Terminal) menu item, which does the same su -. In fact I have a direct icon to “Konsole as root” in my KDE panel.

I have no comment on how other distributions do this.

On Wed 19 Jul 2017 11:36:01 AM CDT, Nokia808 wrote:

hcvv;2830514 Wrote:
> No.
> No
> No.
>
> Sudo is there and it is used by many (influenced by using other
> distributions?), but I personally prefer
>
>     su -
>
> Maybe better read this: SDB:Login as root - openSUSE Wiki

I understand now. It was confusion. It is your opinion as openSUSE
community & users to use su better than sudo … Like Redhat opinion
that activation of root account is of better (& additional security
layer as you also agree with them) while Debian saying, contrary,
disabling root account is better for security …

Hi
If there is something specific you want to run, then edit with visudo and add the user and command; in openSUSE it’s not configured like other distros… In the install you can add your user (I always uncheck this…). For example, I use osc and add the build command and my username to the sudoers file so it doesn’t ask for the password.

For everything else I use su - (the - to gain root user environment).


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.2|GNOME 3.20.2|4.4.74-18.20-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

Dear friends, please do not post out of the scope of this thread. Let us stop discussing su & sudo. I know about them. It was just confusion about what “tsu2” meant …

Let us return to the subject of this thread:

  1. Does anyone know how to translate this script from firewalld to the openSUSE firewall? If not, then

  2. Is there an alternative iptables script that does a VPN internet kill switch but never needs to include VPN IP(s) within it?

Yes, that’s not too difficult. Start by translating the firewalld rules to iptables rules, I guess…

sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP

I’ll make it clear here that I am no expert with iptables, but have a basic working knowledge. So this is a best effort and you may want to consult the man pages as well. The iptables command is used for IPv4 rules and the ip6tables command for the IPv6 rules. The -I option is used to insert rules within a chain (e.g. index=1), and -A is used to add rules to the end of a chain, so something like the following…

iptables -I FORWARD 1 -o tun+ -j ACCEPT 
iptables -I FORWARD 1 -i tun+ -j ACCEPT
ip6tables -I INPUT 1 -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT  -j DROP
ip6tables -I OUTPUT 1 -j DROP
iptables -I OUTPUT 1 -o lo -j ACCEPT
iptables -I OUTPUT 1 -o tun+ -j ACCEPT
iptables -I OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -j DROP

You can check the rules with

iptables -nL -v --line-numbers
ip6tables -nL -v --line-numbers

For reference, the rules above result in the following…

# iptables -nL -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       12  1248 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
2        2   208 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
4       12   912 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0      

The second ruleset to delete the added custom rules (ruleset 1) might look like…

iptables -D FORWARD 2
iptables -D FORWARD 1
ip6tables -D INPUT 1
iptables -D INPUT 2
iptables -D INPUT 1
ip6tables -D OUTPUT 1
iptables -D OUTPUT 4
iptables -D OUTPUT 3
iptables -D OUTPUT 2
iptables -D OUTPUT 1

I’ll leave it as an exercise for you to convert the other rules. My apologies in advance if any mistakes here.

A quick look at the third and fourth rulesets shows that they are just a repeat of the first and second respectively, so you should be able to modify your script fairly easily now.
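As an added example (not code from this thread, from openSUSE or from firewalld), the translation described in the reply above can be mechanised so that the on/off branches of the script do not have to be rewritten rule by rule. It assumes the mapping used in the reply (priority 0 and 1 become `-I CHAIN 1`, priority 999 becomes `-A CHAIN`) and all function names are hypothetical. It goes beyond the reply in two ways: removal is emitted by rule specification (`-D CHAIN <spec>`) instead of by line number, so the "off" branch keeps working when other rules have shifted the numbering, and each addition is guarded with `-C`, so running the "on" branch twice does not stack duplicate rules.

```shell
#!/bin/sh
# Added example, not from the thread: translate firewalld "--direct" rules
# into iptables / ip6tables commands.  Assumed mapping (follows the reply):
#   priority < 999   ->  "-I CHAIN 1"   (front of the chain)
#   priority 999     ->  "-A CHAIN"     (end of the chain)
#   --remove-rule    ->  "-D CHAIN <rule spec>"  (delete by content, not index)
# Each add is guarded with "-C" (check; iptables 1.4.11 or later) so that a
# second run does not insert a second copy.  Function names are hypothetical.

# translate_direct_rule ACTION FAMILY TABLE CHAIN PRIORITY RULE-SPEC...
#   ACTION: add | remove      FAMILY: ipv4 | ipv6
translate_direct_rule() {
    action=$1; family=$2; table=$3; chain=$4; prio=$5
    shift 5
    spec=$*
    case $family in
        ipv4) tool=iptables ;;
        ipv6) tool=ip6tables ;;
        *) echo "unsupported family: $family" >&2; return 1 ;;
    esac
    case $action in
        add)
            if [ "$prio" -ge 999 ]; then
                place="-A $chain"
            else
                place="-I $chain 1"
            fi
            # "-C" exits 0 when an identical rule is already present
            echo "$tool -t $table -C $chain $spec 2>/dev/null || $tool -t $table $place $spec"
            ;;
        remove)
            echo "$tool -t $table -D $chain $spec"
            ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
}

# translate_line "sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT"
# A leading "sudo" is dropped; the emitted command is meant to be run as root.
translate_line() {
    set -f            # no globbing while the line is split into words
    # shellcheck disable=SC2086
    set -- $1
    set +f
    if [ "$1" = sudo ]; then shift; fi
    if [ "$1" != firewall-cmd ] || [ "$2" != --direct ]; then
        echo "not a firewall-cmd --direct rule: $*" >&2
        return 1
    fi
    case $3 in
        --add-rule)    action=add ;;
        --remove-rule) action=remove ;;
        *) echo "unsupported option: $3" >&2; return 1 ;;
    esac
    shift 3
    translate_direct_rule "$action" "$@"
}

# translate_ruleset: firewall-cmd lines on stdin, iptables commands on stdout
translate_ruleset() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        translate_line "$line" || return 1
    done
}

# Constructed sample: the "on" (unidirectional) rule set from the script above
SAMPLE_ON_RULES='sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP'

# Print the translated commands; nothing is applied to the live firewall here.
printf '%s\n' "$SAMPLE_ON_RULES" | translate_ruleset
```

The script only prints commands; after reading them, they can be piped into a root shell (`... | translate_ruleset | su - -c sh`) or pasted into the "on"/"off" branches in place of the firewall-cmd lines. Two checks worth keeping in mind when the generated rules are reviewed with `iptables -nL -v --line-numbers`: the IPv6 DROP rules must sit at position 1 of INPUT and OUTPUT, and the `-p tcp --dport 443 -j ACCEPT` rule, which is what lets OpenVPN reach its server without knowing the server IP, also lets any other TCP/443 traffic leave outside the tunnel, so it is the one rule in the set that is not strictly "VPN only".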

My suggestion is to use your firewalld rules, unchanged and don’t use iptables.
Thus, the steps I described to remove the GUI manager for iptables (SUSEfirewall2) and install firewalld should give you the same firewall you were running in Fedora, and your rules can be applied without any changes.

Your liberal use of “sudo” is required in many distros including Fedora (and Ubuntu).
Well, actually there is a workaround that’s not often discussed… There is a command to temporarily “lock in” sudo for a running session.
In openSUSE you can use “sudo” the same way (there are only very minor differences in how sudo is configured) as in other distros, but we also endorse saving effort and just invoking a root console with “su” or “su -” (other distros often block this).
When you’re running in a root console, you’ll notice that the command prompt will be colorized red in most default terminals (It’s an openSUSE enhancement. The only unenhanced console is Xterm, so unless you want a barebones terminal, don’t use that).

Getting back to your firewalld rules,
I found only one CentOS article describing converting firewalld rules to iptables.
In summary, it said that the rules were almost the same, except that firewalld rules have a hierarchical structure that doesn’t exist in iptables. So, generally, rules can be simply modified, but if your firewalld rules utilize a hierarchy, that would have to be re-written to “flatten” the hierarchy.

TSU