IPTable redirects on the fly via CLI

I’m looking for a programmatic way to run the equivalent of the below statement using SuSEfirewall2 and make it persistent:

iptables -t nat -A PREROUTING -s 192.168.1.4/32 -p udp --dport 514 -j REDIRECT --to-ports 51414

Yes I know I can add it to FW_REDIRECT in the config, but I really need to handle this on the CLI at run time (which the above statement does do), however… is there an iptables-save equivalent in SuSEfirewall2?


Just to be sure you understand, SuSEfirewall2 uses NetFilter, which is the
exact same technology that iptables uses. They are one and the same; the
only difference is that iptables does not do anything persistently (which
is good considering what it is) and SuSEfirewall2 is all about keeping
things the same across reboots (which is good considering what it is) but
in the end they are the same. As you make changes to your firewall in
YaST you will see those changes reflected as you run your iptables or
iptables-save commands.

So how do you make changes now as well as keep them persistent? Make them
now with iptables, and make them persistent by modifying the appropriate
SuSEfirewall2 config script. You could also write your own scripts to
manage the firewall (NetFilter) and disable SuSEfirewall2 completely if
you desired and that can be really useful for those wanting a lot of
customization power. I did this once and on a shutdown the current rules
are written out and then on startup they are read back in so setting
something dynamically leads to its persistence as long as the system shuts
down properly.

Good luck.

On 09/15/2010 09:06 AM, mgargiullo wrote:
>
> I’m looking for a programmatic way to run the equivalent of the below
> statement using SuSEfirewall2 and make it persistent:
>
> iptables -t nat -A PREROUTING -s 192.168.1.4/32 -p udp --dport 514 -j
> REDIRECT --to-ports 51414
>
> Yes I know I can add it to FW_REDIRECT in the config, but I really need
> to handle this on the CLI at run time (which the above statement does
> do), however… is there an iptables-save equivalent in SuSEfirewall2?
>
>

We’ll probably go that route. It’s going to be completely unmanned and will implement these redirects based on rules. We had thought about just using iptables-save/restore, but were hoping to use the builtin tools… no worries.

Thanks Aaron.
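The approach the thread settles on (add the rule with iptables at run time, persist it with iptables-save/iptables-restore) as an added example script, not code from the thread or from SuSEfirewall2; RULES_FILE is an assumed path, and the port check is there because an unmanned script should not hand unchecked rule-feed values to iptables.

```sh
#!/bin/sh
# Added example, not from the thread: apply the thread's REDIRECT rule at
# run time and persist it with iptables-save/iptables-restore.
# RULES_FILE is an assumed location; pick one that suits the host.
RULES_FILE="${RULES_FILE:-/var/lib/iptables/rules.saved}"

# Reject anything that is not a port in 1..65535, so an unmanned script
# never passes junk from a rules feed straight to iptables.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the rule specification (everything after "-t nat -A") for
# SRC PROTO DPORT TOPORT; shared by the check and the add below.
redirect_rule() {
    printf 'PREROUTING -s %s -p %s --dport %s -j REDIRECT --to-ports %s' \
        "$1" "$2" "$3" "$4"
}

# Add the redirect only if it is not already in the nat table
# (iptables -C exits 0 when a matching rule exists), so reruns do not
# stack duplicates of the same rule.
add_redirect() {
    valid_port "$3" && valid_port "$4" || return 1
    set -- $(redirect_rule "$@")
    if iptables -t nat -C "$@" 2>/dev/null; then
        echo "rule already present"
    else
        iptables -t nat -A "$@"
    fi
}

# Write the live tables out (call after each change or from a shutdown
# hook) and read them back at boot.
save_rules() {
    iptables-save > "$RULES_FILE"
}

restore_rules() {
    [ -r "$RULES_FILE" ] && iptables-restore < "$RULES_FILE"
}

# Example invocation mirroring the thread's rule (requires root):
# add_redirect 192.168.1.4/32 udp 514 51414 && save_rules
```

A SuSEfirewall2 restart rebuilds the tables from its own config and drops run-time-only rules, so run restore_rules after it (or disable SuSEfirewall2 as Aaron suggests).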


Great iptables articles from David Mair (Novell employee). He doesn’t
implement dynamic saving/restoring but adding that to what he has is trivial.

http://www.novell.com/coolsolutions/author/3811.html

Good luck.

On 09/16/2010 11:36 AM, mgargiullo wrote:
>
> We’ll probably go that route. It’s going to be completely unmanned and
> will implement these redirects based on rules. We had thought about just
> using iptables-save/restore, but were hoping to use the builtin tools…
> no worries.
>
> Thanks Aaron.
>
>