opensuse 13.x: howto replace susefirewall2 with iptables ?

Hello guys,
i’m looking for advice from another Linux admin.

Here it is: i’m used to work with Debian or RHEL (and it’s clones like CentOS and Scientific Linux), i started back in 1997 with red hat 5, so i know some things. I’ve got a lot of iptables scripts written and to deploy them on above mentioned distros is quite fast and painless.
Now i got to administer just one SuSE box, so you can imagine i’m not quite keen to learn SuSE specific things, that i can not use on other distributions.

eg. RHEL how easy i can apply my script:
sh /path-to-script/script-name
service iptables save

That’ all. But OpenSuse apparently applied another layer above iptables, called SuSEfirewall2. While this can be a great tool for a Linux beginner, or for a seasoned SuSE admin, guy like me from other distro have to go and spend time studying it, which i wouldn’t like to do, if possible.
Btw. RHEL 7 is also trying to do something similar to susefirewall with its ‘firewalld’ - but thing is, it can be removed and you can keep standard iptables scripts.

so please:

• how to stop/disable susefirewall? chkconfig? systemctl?
• how to save iptables, that are loaded in memory and currently in use so it ‘survive’ reboot

i found some solutions in older threads but apparently opensuse 13x comes now with systemd, so things changed since systemV.

Can anybody help, how to through command line (no yast if possible), can this be achieved? I can write my init scripts for systemV of course - but this is systemD, which i’m not still familiar with and btw SuSE 13 seams to me a bit of mix of old sysV scripts with new systemD script, which is even more confusing for me, ehh.

thank you
br,
Karel

While I am not using any firewall at all, nor iptables, maybe I can throw in some remarks to give you some homework until others tune in here.

It might be that some files (and other names like SuSEfirewall2) still have the word SuSE in them, the product we discuss in these forums is called openSUSE. Better use that spellling if you want to mention the distibution, because confusion with SUSE (as short for SUSE LInux Enterprise Desktop/Server) is likely.

You can of course switch off SuSEfirewall2. Either right at the installation (in the summary offered before the installation starts), or through YaST > System > System services; select them one by one (there are two of them) and use the Stop and Disable buttons below. Or use systemctl on the services SuSEfirewall2_init and SuSEfirewall2. As it seems to be your intention to manage openSUSE systems, you better start studying systemd, e.g.

man systemd
man systemctl

You will e.g. find those services with

boven:/etc/sysconfig # systemctl list-unit-files | grep firewall
SuSEfirewall2.service                      disabled
SuSEfirewall2_init.service                 disabled
boven:/etc/sysconfig #

And you can of course create a systemd service yourself that creates iptables at boot.

The tool iptables does exist on openSUSE, and thus you can list your table with it’s listing functions. See:

man iptables

BTW, I may be dumb, but I do not understand why you start a script in this way

sh /path-to-script/script-name

instead of

/path-to-script/script-name

like all other programs, scripts or not.

If one simply calls “/path-to-script/script-name” (or “script-name” if the location is in PATH) then that script is either executed by the calling shell or the shell mentioned in the “shebang” (or “hashbang”) of the script’s first line:

#!/bin/bash

By calling the script with an explicit shell, in this case “sh”, one can override this behaviour (if needed).

> man sh
> which -a sh
/usr/bin/sh
/bin/sh
/usr/bin/X11/sh
> l /usr/bin/sh
lrwxrwxrwx 1 root root 9 26. Okt 2014  /usr/bin/sh -> /bin/bash*
> l /bin/sh
lrwxrwxrwx 1 root root 4 26. Okt 2014  /bin/sh -> bash*
> which -a bash
/bin/bash
> l /bin/bash
-rwxr-xr-x 1 root root 656584 15. Okt 2014  /bin/bash*
> file /bin/bash
/bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=1a64d435a1a9f3bec45759abde214b1599cdbc76, stripped
>

With the caveat, that modern Linux systems redirect the “standard command language interpreter” (“sh”) to “bash” (the GNU Bourne-Again SHell).

Assuming that:

• the systemd SuSEfirewall2.service, SuSEfirewall2_init.service and SuSEfirewall2_setup.service have been disabled, and
• the SuSEfirewall2 (Stateful Packet Filter Using iptables and netfilter) package has been removed;

then, theoretically the iptables scripts should execute.
On this openSUSE 13.2 system the iptables (IP Packet Filter Administration utilities) package is installed (SuSEfirewall2 dependency).
There are additional packages such as python-iptables (Python bindings for iptables) which may also be needed depending on the existing scripts.
[HR][/HR]This openSUSE 13.2 system also has the following SuSEfirewall2 dependent packages installed:

• libnetfilter_conntrack3 - Userspace library for the in-kernel connection tracking state table
• libnfnetlink0 - Low-level library for Netfilter-related kernel/userspace communication

My assumption was that you had of course a shebang in the script (the first thing I type when I start a new script). To me it is ridiculous that “one” (even if that one is the creator of the script) has to memorize from all scripts in what scripting language (python, one of many shells, …) it is written. The shebang cares for this.

But it is your script and yoour way of living

# systemctl stop SuSEfirewall2.service SuSEfirewall2_init.service SuSEfirewall2_setup.service
# systemctl disable SuSEfirewall2.service SuSEfirewall2_init.service SuSEfirewall2_setup.service
# systemctl status SuSEfirewall2.service SuSEfirewall2_init.service SuSEfirewall2_setup.service
# systemctl list-unit-files
UNIT FILE                               STATE
SuSEfirewall2.service                   disabled
SuSEfirewall2_init.service              disabled
SuSEfirewall2_setup.service             disabled
#

> apropos iptables
ip6tables-save (8)   - dump iptables rules to stdout
iptables (8)         - administration tool for IPv4/IPv6 packet filtering and NAT
iptables-apply (8)   - a safer way to update iptables remotely
iptables-extensions (8) - list of extensions in the standard iptables distribution
iptables-restore (8) - Restore IP Tables
iptables-save (8)    - dump iptables rules to stdout
iptables-xml (1)     - Convert iptables-save format to XML
ip6tables (8)        - administration tool for IPv4/IPv6 packet filtering and NAT
>

Following example iptables output is that produced by an openSUSE 13.2 system with SuSEfirewall2 activated:

# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_int  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain forward_ext (0 references)
target     prot opt source               destination

Chain forward_int (0 references)
target     prot opt source               destination

Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere

Chain input_int (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
#
# iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N forward_int
-N input_ext
-N input_int
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -i enp2s0 -j input_int
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
#

Hi guys,
sorry if i used SUSE and this is OpenSUSE forum, i’m typing fast, as shortcut ‘OS’ might be misleading - which shortcut you use? I’m one of admins of Scientific Linux forum and we use “SL”.

Also, i want to stay on target, which is usage of iptables in SuSE (which i solved). So only very shortly for the shell usage:

We have different shell types, like ksh, cs, bash, sh etc and different Unixes uses diff. shells by default. I started on IBM AIX where default is ksh. So specifying the shell you want to run it in, you make sure which shell you use.
Also, if you want to do “./shell-script-name” you have to have a executable bit on, while “sh” will run it even without one. etc…

There is many ways how to do one thing in Linux, which is why we like it right?

Now for the iptables custom script usage on OpenSuse and replacement of SuSEfirewall2 firewall. I had to do ‘man man’ and read some, which i didn’t want to, as i’m time-pressed att (all the time) so what i got to:

SuSEfirewall2 has 2 phases:

phase 1:
/usr/lib/systemd/system/SuSEfirewall2_init.service
phase 2:
/usr/lib/systemd/system/SuSEfirewall2.service

phase one need to have a full access to loopback interface etc etc - which lead me to creating 2 iptables shell scripts where 1st shell script allow everything everywhere (policy ACCEPT) and 2nd shell script is the one executing the rules i need

based on those 2 units (services - see above) i create my own iptables units by copy and the by editing them:
first make copy of those existing:

cp /usr/lib/systemd/system/SuSEfirewall2_init.service /usr/lib/systemd/system/iptables_init.service
cp /usr/lib/systemd/system/SuSEfirewall2.service /usr/lib/systemd/system/iptables.service

put your own created 2 iptables shell scripts to /opt (or anywhere where you feel it right):
i named my 2 shell scripts as follow:

bwafd:/opt # ls -al
-rwx------  1 lang users 2072 Jan 25 16:34 iptables_rules
-rwx------  1 root root   335 Jan 26 13:37 iptables_rules_init

where content of 1st script that is run “iptables_rules_init” is general and allow all - that is the 1st phase of firewall initialization - just like suse firewall does (feel free to experiment) and 2nd script is the iptables shell script that ‘does the job done’ - see below:

cd /opt
cat iptables_rules_init
#!/bin/sh

# Interfaces and IP config (2 nic, one outside world, second lan):


# delete all existing rules.
#
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# DEFAULT POLICY:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

2nd script:

cd /opt
cat iptables_rules
#!/bin/sh

# Interfaces and IP config (2 nic, one outside world, second lan):


# delete all existing rules.
#
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X


# DEFAULT POLICY:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


# GENERAL RULES

# allow loopback interface:
#iptables -t nat -A PREROUTING -i lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#iptables -t nat -A POSTROUTING -o lo -j ACCEPT

# allow DNS
iptables -t filter -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# allow ICMP http://www.iana.org/assignments/icmp-parameters
iptables -t filter -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -t filter -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

# allow response from outside to established connections that started inside:
iptables -t filter -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p ALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all SSH connections to both interfaces:
iptables -t filter -A INPUT -p tcp -s 0/0 --dport 22 -m state --state NEW -j ACCEPT

# INPUT RULES
# allow Gordon rsync synchronization
iptables -t filter -A INPUT -p tcp -s 172.16.58.0/24 --dport 873 -m state --state NEW -j ACCEPT

# allow LAN
iptables -t filter -A INPUT -p ALL -s 192.168.111.0/24 -i eth0 -j ACCEPT
iptables -t filter -A INPUT -p ALL -s 192.168.122.0/24 -i eth1 -j ACCEPT


# FORWARD RULES
# z eth0 na eth1:
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# z eth1 na eth0:
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT

#iptables -t filter -A FORWARD -i eth1 -d 192.168.1.0/24 -o virbr1 -j ACCEPT


# OUTPUT RULES

# internet interface:
iptables -t filter -A OUTPUT -p ALL -o eth0 -j ACCEPT

# lan interface:
iptables -t filter -A OUTPUT -p ALL -o eth1 -j ACCEPT


# POSTROUTING RULES:
#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.111.0/24 -j SNAT --to 192.168.111.1

stop SuSEfirewall2 services:

list services:
systemctl list-units --type service

stop/disable:
systemctl stop SuSEfirewall2_init.service
systemctl disable SuSEfirewall2_init.service

systemctl stop SuSEfirewall2.service
systemctl disable SuSEfirewall2.service

by doing this, those services unit files are physically removed (deleted) from “/usr/lib/systemd/system” that is why we did copy of them first (in step 2)

edit your own iptables unit files (that you created in step 2 by copying the SuSEfirewall2 units):

cd /usr/lib/systemd/system

vi iptables.service
[Unit]
Description=iptables phase 2
After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service SuSEfirewall2_init.service
Wants=iptables_init.service

[Service]
ExecStart=/opt/iptables_rules boot_setup
ExecStop=/opt/iptables_rules systemd_stop
RemainAfterExit=true
Type=oneshot

[Install]
WantedBy=multi-user.target
Alias=iptables_setup.service
Also=iptables_init.service


vi iptables_init.service
[Unit]
Description=iptables phase 1
Before=network.service
Before=basic.service

[Service]
ExecStart=/opt/iptables_rules_init boot_init
RemainAfterExit=true
Type=oneshot

[Install]
WantedBy=multi-user.target
Also=iptables.service

enable the services you created, so the operating system is aware of it:

systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/iptables_setup.service'
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/multi-user.target.wants/iptables.service'
ln -s '/usr/lib/systemd/system/iptables_init.service' '/etc/systemd/system/multi-user.target.wants/iptables_init.service'


bwafd:/usr/lib/systemd/system # systemctl enable iptables_init.service

as you can see OS created the necessary links in order to start it properly

notes

All done - if you need to do any changes in your firewall, you just edit the iptables shell script in “/opt” meaning, no yast or GUI needed, just pure command line … the linux way!

Also, i dont say it is the best way, feel free to criticize and improve (i would appreciate it) i did it fast, so i hope i won’t offend any OpenSuse purist

Thanks for all suggestions and help
cheers

Karel

I amy be wrong here, but IMHO, when you have disabled the services, they will not run. Whatever is installed is not very important.

What do you mean with

theoretically the iptables scripts should execute.

If a script executes depends on other things. I do not know what “iptable scripts” you mean, nor what they are, but when you mean that they contain calls to the iptables tool (/usr/sbin/iptables), then you might mean that using iptables will “work”. But they do “work” also when SuSEfirewall2 is active (the results may be a bit deficult to predict though). Thus, yes /usr/sbin/iptables willl “work”, and yes it will also work from a script, and yes when that script is executable (meaning a proper script with a shebang and execute permission set for the user that wants to execute it).

Hope this helps, but there may be some confusion here when you assume that I have any idea about what you did in Ubuntu/RHEL or whatever other distribution. I only try help you with your whish not to use SuSEfirewall2 and create a script that is run at boot (and that, seeing your subject, may contain iptables calls). Your talking about other distributions is for me only background information to explain why you want this (and I appreciate it), but for me it contains no tehnical information.

===================

Sorry, I mixed up the OP and dcurtisfra answers.

In any case, I assume both can find what they like in the above

Hi Henk,
especially sysadmins tend to call shell scripts explicitly by means of the script interpretor mostly because:

• that’s what they were taught during the sysadmin schooling/certification;
• the script calls are often made from a wrapper script which survives system upgrades and changes.

Given the new generation of lamda users (don’t really know what a lamda user is, but someone told me that in the Soapbox forum, so I’m guessing) I suspect that the knowledge we have with respect to CLI usage will slowly but surely disappear . . . – unless of course that WE continue to explain things to the young folks . . .
Best regards
DCu

No harm done Thanks for helping out.

Just for clarification - SuSEfirewall2 is a layer above iptables, so by disabling it, or even removing, the iptables binary is still present in “/usr/sbin/iptables” so you can freely use iptables command, create shell iptables scripts, or use different/other firewall layer above iptables.

My point is, that different Linux distributions might use differently written firewalls and it is always pain switching between them. But! once you learn iptables command, then you have no problem on any Linux distribution and also as bonus is that you can immediately manage any routers based on linux kernels etc etc. So it is great advantage, great tool.

Anyway, problem is solved, susefirewall2 is disabled and custom shell iptables script is executed (verified by reboot), so thread can be marked as “SOLVED”.

Thank you again!

@Karel
openSUSE doesn’t seem to have a systemd iptables service – but Arch Linux seems to have one.
When you have time, it may pay to double check the systemd service you created against the one provided by Arch Linux (or whatever other Distro).

Hmm, good idea. RHEL 7 has iptables systemd based iptables service. Not by default, as RHEL 7 has “firewallD” by default - which is something similar to SuSEfirewall2. But can be removed and replaced by iptables service.

good point!

Fine. Enjoy openSUSE.