iptables issue with SuSE and not others [almost solved?]

So I’m looking to ditch the SuSE firewall over iptables for just a couple of reasons:

  1. portability - I can take a set of iptables rules and go from SuSE to Fedora to Debian to Slackware

  2. learning - YaST is nice, but it can get in the way. I want to be able to get my hands dirty and configure servers\services myself.

Let me first start off with the usual, uname, and version:

uname -a

Linux router #1 SMP PREEMPT 2011-12-19 23:39:38 +0100 i686 i686 i386 GNU/Linux

cat /etc/SuSE-release

openSUSE 11.4 (i586)
VERSION = 11.4
CODENAME = Celadon

iptables -V

iptables v1.4.10

So I have this iptables script that works on Fedora 14 with iptables version 1.4.9 the way I want it. However, moving it over to openSuSE I get nowhere near the same results.

#!/bin/sh
## BIN_DIR is not defined anywhere in the posted excerpt; assumed path of the iptables binary
BIN_DIR=/usr/sbin

##This is the iptables rules for my network.
##                     -----------
##              eth1  |           |  eth0
##  internal <========|   router  |========> internet
##                    |           |
##                     -----------
##  current host list
##  ====================================
##      webserver
##     router
##Allow packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

##Delete all of the current rules
$BIN_DIR/iptables -F
$BIN_DIR/iptables -F -t nat

## Blocks all input and forwarding. Accepts all output.

## Accept connections on local interfaces and private networks (eth1)
$BIN_DIR/iptables -A INPUT -i lo -j ACCEPT
$BIN_DIR/iptables -A INPUT -i eth1 -j ACCEPT

## Allow established sessions from the internet.
$BIN_DIR/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## Open up ports we need from the internet

$BIN_DIR/iptables -A INPUT -i eth0 -p tcp --dport 22   -j ACCEPT

##Forward all of the opened ports to their destination

$BIN_DIR/iptables -t nat -A PREROUTING -p tcp --dport 22   -j DNAT --to-destination

##Enables NAT and routing.
$BIN_DIR/iptables -A FORWARD -i lo -j ACCEPT
$BIN_DIR/iptables -A FORWARD -i eth1 -j ACCEPT
$BIN_DIR/iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$BIN_DIR/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So this is supposed to be a simple port forwarding (22 ssh) to another machine; however, this is not the case. If I were to go outside my network and try to connect I get a connection timeout. As a matter of fact, nmap doesn’t even show the port.

If I were to remove the “-t nat -A PREROUTING…” then I can access this machine from the internet.

Machines that are on the inside can access the internet just fine. So I think I’ve narrowed it down to something in this line being incorrect:

$BIN_DIR/iptables -t nat -A PREROUTING -p tcp --dport 22   -j DNAT --to-destination

Is there anything that seems off with that line or any of them?
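
For comparison, here is an added example (not the poster's script and not part of the original thread) of the minimal rule set a DNAT port forward needs. The point it illustrates: once PREROUTING rewrites the destination, the packet is routed to the internal host rather than delivered locally, so the INPUT chain never sees it and the FORWARD chain must explicitly accept the NEW connection to that host and port; the DNAT rule is also restricted to the WAN interface so LAN clients talking to the router itself are not redirected. The interface names, the iptables path and the address 192.0.2.10 are placeholders, and the script assumes the distribution firewall (SuSEfirewall2) is stopped so nothing else is managing the tables. Set DRY_RUN=1 to print the commands instead of executing them; set APPLY_RULES=1 to actually load them as root.

```shell
#!/bin/sh
# Added example: one-port DNAT forward with the matching FORWARD rules.
# Placeholders: eth0 = WAN, eth1 = LAN, 192.0.2.10 = internal host (documentation range).
IPT=${IPT:-/usr/sbin/iptables}   # assumption: location of the iptables binary
DRY_RUN=${DRY_RUN:-0}            # 1 = print the commands instead of running them

# Wrapper so the rule set can be reviewed without root.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

# base_policy WAN_IF LAN_IF : default-deny for traffic to and through the router.
base_policy() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$2" -j ACCEPT
    ipt -A INPUT -i "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# port_forward_rules WAN_IF LAN_IF PORT DEST_IP
port_forward_rules() {
    # 1. Rewrite the destination of connections arriving on the WAN interface only.
    ipt -t nat -A PREROUTING -i "$1" -p tcp --dport "$3" -j DNAT --to-destination "$4"
    # 2. After DNAT the packet is forwarded, not delivered locally: FORWARD must
    #    accept the new connection to exactly that host and port.
    ipt -A FORWARD -i "$1" -o "$2" -p tcp -d "$4" --dport "$3" -m state --state NEW -j ACCEPT
    # 3. Replies and anything the LAN side started.
    ipt -A FORWARD -i "$1" -o "$2" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$2" -o "$1" -j ACCEPT
    # 4. Hide internal addresses behind the router's WAN address.
    ipt -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

# Guarded so the file can be sourced for review; nothing is applied by default.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    base_policy eth0 eth1
    port_forward_rules eth0 eth1 22 192.0.2.10
fi
```

Run with `DRY_RUN=1 APPLY_RULES=1 sh forward.sh` first and check that the FORWARD rule for the internal host appears before any blanket deny; without that rule the DNAT'd SYN is silently dropped by the FORWARD policy, which looks from outside exactly like a timeout on a port that nmap reports as filtered.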

I suggest you look at this Link on the subject: Iptables - openSUSE

The Firewall configuration file in openSUSE is at /etc/sysconfig/SuSEfirewall2, and if you manually change this file as root you must run the following command to make the changes take effect:

sudo /sbin/SuSEfirewall2

You can read up on this configuration file usage by reading the following readme file. From terminal, use the command:

cat /usr/share/doc/packages/SuSEfirewall2/README | less

I hope you find something useful here in your quest to use openSUSE and good luck.

