Routing using SuSEfirewall2 has stopped working

smacdonald206 · April 26, 2009, 5:59pm

I am using openSUSE 11. After applying a recent update, for some reason SuSEfirewall2 has stopped routing traffic that was previously working perfectly. I route port 8080 to an internal address. Now when someone on the Internet hits my IP at port 8080, they see the default web page of the firewall and not the internal host. I’ve started seeing this in the log file:

"Warning: config ‘8080’ not available

The dates coincide with the application of the update.

Any idea what is going on and how I might go about fixing it?

Thank you.

framp · April 26, 2009, 6:18pm

We need more information. Please execute the following commands as root and post the results:

iptables -L -vn
cat /etc/sysconfig/SuSEfirewall2 | grep -v "^#" | grep -v "#$"
iptables -t nat -L
netstat -tulpen

smacdonald206 · April 26, 2009, 6:55pm

cat /etc/sysconfig/SuSEfirewall2 | grep -v “^#” | grep -v “#$”

FW_DEV_EXT=‘eth1’

FW_DEV_INT=‘eth0’

FW_DEV_DMZ=‘eth2’

FW_ROUTE=“yes”

FW_MASQUERADE=“yes”

FW_MASQ_DEV=“zone:ext”

FW_MASQ_NETS=“192.168.1.0/24”

FW_NOMASQ_NETS=""

FW_PROTECT_FROM_INT=“yes”

FW_SERVICES_EXT_TCP=“8080”

FW_SERVICES_EXT_UDP=""

FW_SERVICES_EXT_IP=""

FW_SERVICES_EXT_RPC=""

FW_CONFIGURATIONS_EXT=“8080 apache2 apache2-ssl”

FW_SERVICES_DMZ_TCP=""

FW_SERVICES_DMZ_UDP=""

FW_SERVICES_DMZ_IP=""

FW_SERVICES_DMZ_RPC=""

FW_CONFIGURATIONS_DMZ=""

FW_SERVICES_INT_TCP=“3690 8080 domain microsoft-ds mysql netbios-ssn”

FW_SERVICES_INT_UDP=“domain netbios-dgm netbios-ns”

FW_SERVICES_INT_IP=""

FW_SERVICES_INT_RPC=""

FW_CONFIGURATIONS_INT=“8080 apache2 apache2-ssl dhcp-server mysql sshd svnserve”

FW_SERVICES_DROP_EXT=""

FW_SERVICES_DROP_DMZ=""

FW_SERVICES_DROP_INT=""

FW_SERVICES_REJECT_EXT=""

FW_SERVICES_REJECT_DMZ=""

FW_SERVICES_REJECT_INT=""

FW_SERVICES_ACCEPT_EXT=""

FW_SERVICES_ACCEPT_DMZ=""

FW_SERVICES_ACCEPT_INT=""

FW_SERVICES_ACCEPT_RELATED_EXT=""

FW_SERVICES_ACCEPT_RELATED_DMZ=""

FW_SERVICES_ACCEPT_RELATED_INT=""

FW_TRUSTED_NETS=“192.168.1.0/24”

FW_ALLOW_INCOMING_HIGHPORTS_TCP=“yes”

FW_ALLOW_INCOMING_HIGHPORTS_UDP=""

FW_FORWARD=“0/0,192.168.1.242,tcp,8080”

FW_FORWARD_REJECT=""

FW_FORWARD_DROP=""

FW_FORWARD_MASQ=“0/0,192.168.1.242,tcp,8080”

FW_REDIRECT=""

FW_LOG_DROP_CRIT=“yes”

FW_LOG_DROP_ALL=“no”

FW_LOG_ACCEPT_CRIT=“yes”

FW_LOG_ACCEPT_ALL=“no”

FW_LOG_LIMIT=""

FW_LOG=""

FW_KERNEL_SECURITY=“yes”

FW_STOP_KEEP_ROUTING_STATE=“no”

FW_ALLOW_PING_FW=“yes”

FW_ALLOW_PING_DMZ=“no”

FW_ALLOW_PING_EXT=“no”

FW_ALLOW_FW_SOURCEQUENCH=""

FW_ALLOW_FW_BROADCAST_EXT=“no”

FW_ALLOW_FW_BROADCAST_INT=“netbios-ns netbios-dgm”

FW_ALLOW_FW_BROADCAST_DMZ=“no”

FW_IGNORE_FW_BROADCAST_EXT=“yes”

FW_IGNORE_FW_BROADCAST_INT=“no”

FW_IGNORE_FW_BROADCAST_DMZ=“no”

FW_ALLOW_CLASS_ROUTING=""

FW_CUSTOMRULES=""

FW_REJECT=""

FW_REJECT_INT=“yes”

FW_HTB_TUNE_DEV=""

FW_IPv6=""

FW_IPv6_REJECT_OUTGOING=""

FW_IPSEC_TRUST=“no”

FW_ZONES=""

FW_USE_IPTABLES_BATCH=""

FW_LOAD_MODULES=“nf_conntrack_netbios_ns”

FW_FORWARD_ALWAYS_INOUT_DEV=""

FW_FORWARD_ALLOW_BRIDGING=""

smacdonald206 · April 26, 2009, 6:56pm

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp – anywhere anywhere tcp dpt:http-alt to:192.168.1.242:8080

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all – 192.168.1.0/24 anywhere
MASQUERADE tcp – anywhere 192.168.1.242 tcp dpt:http-alt

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

smacdonald206 · April 26, 2009, 6:58pm

netstat -tulpen

Active Internet connections Proto Recv-Q Send-Q Local Address tcp 0 0 0.0.0.0:3306 tcp 0 0 0.0.0.0:3690 tcp 0 0 0.0.0.0:139 tcp 0 0 0.0.0.0:111 tcp 0 0 0.0.0.0:80 tcp 0 0 0.0.0.0:22 tcp 0 0 127.0.0.1:631 tcp 0 0 127.0.0.1:25 tcp 0 0 0.0.0.0:445 udp 0 0 0.0.0.0:49538 udp 0 0 192.168.1.1:137 udp 0 0 192.168.2.1:137 udp 0 0 udp 0 0 0.0.0.0:137 udp 0 0 192.168.1.1:138 udp 0 0 192.168.2.1:138 udp 0 0 udp 0 0 0.0.0.0:138 udp 0 0 0.0.0.0:67 udp 0 0 0.0.0.0:5353 udp 0 0 0.0.0.0:111 udp 0 0 0.0.0.0:631 (only servers)
Foreign Address State User Inode PID/Program name
0.0.0.0:* LISTEN 60 12700 4815/mysqld
0.0.0.0:* LISTEN 0 9342 3624/xinetd
0.0.0.0:* LISTEN 0 9738 3766/smbd
0.0.0.0:* LISTEN 0 7477 3201/portmap
0.0.0.0:* LISTEN 0 16469 2896/httpd2-prefork
0.0.0.0:* LISTEN 0 9405 3754/sshd
0.0.0.0:* LISTEN 0 9462 3671/cupsd
0.0.0.0:* LISTEN 0 9614 3805/master
0.0.0.0:* LISTEN 0 9736 3766/smbd
0.0.0.0:* 102 8630 3518/avahi-daemon:
0.0.0.0:* 0 72294 11122/nmbd
0.0.0.0:* 0 72292 11122/nmbd
...:137 0.0.0.0:* 0 72290 11122/nmbd
0.0.0.0:* 0 72287 11122/nmbd
0.0.0.0:* 0 72295 11122/nmbd
0.0.0.0:* 0 72293 11122/nmbd
...:138 0.0.0.0:* 0 72291 11122/nmbd
0.0.0.0:* 0 72288 11122/nmbd
0.0.0.0:* 0 9456 3772/dhcpd
0.0.0.0:* 102 8629 3518/avahi-daemon:
0.0.0.0:* 0 7470 3201/portmap
0.0.0.0:* 0 9480 3671/cupsd

... = external IP

smacdonald206 · April 26, 2009, 6:59pm

Results of iptables -L -vn are too large to post. Is there a specific section you’re wanting?

Thanks!

Akoellh · April 26, 2009, 7:13pm

Ever heard of the possibility to attach files to a posting or use a so called “nopaste” service?

framp · April 26, 2009, 7:26pm

There are ways to strip down the output of iptables -L -vn with greps but unfortunately an iptable rule depends on is predecessors …

An error message is usually prefixed by some info about the orgininator of the message. Which file contains the message? Could you please post the complete error message?

smacdonald206 · April 26, 2009, 7:51pm

The error messages comes from /var/log/messages:

Apr 23 20:30:16 inverness SuSEfirewall2: Firewall rules successfully set
Apr 25 20:30:16 inverness SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
Apr 25 20:30:16 inverness SuSEfirewall2: Warning: no default firewall zone defined, assuming ‘ext’
Apr 25 20:30:16 inverness SuSEfirewall2: Warning: config ‘8080’ not available
Apr 25 20:30:16 inverness SuSEfirewall2: Warning: config ‘8080’ not available
Apr 25 20:30:16 inverness SuSEfirewall2: Warning: FW_ALLOW_INCOMING_HIGHPORTS_TCP is deprecated and will likely be removed in the future.
Apr 25 20:30:16 inverness SuSEfirewall2: Warning: If you think it should be kept please report your use case at
Apr 25 20:30:16 inverness SuSEfirewall2: Warning: SuSEfirewall2 - susefirewall2
Apr 25 20:30:16 inverness SuSEfirewall2: batch committing…
Apr 25 20:30:16 inverness SuSEfirewall2: Firewall rules successfully set

smacdonald206 · April 26, 2009, 7:53pm

Nope. Never heard of it.

framp · April 26, 2009, 8:07pm

Sounds like they changed something because I’ve never seen this kind of error messages.
Do you use 11.0 or 11.1?

smacdonald206 · April 27, 2009, 4:26am

I’m using 11.0.