
I am using openSUSE 12.3 and iptables version : v1.4.16.3.

I am trying to enable iptables rules to allow port 22 for all IPs and ports 80 & 443 for specific IP addresses with the commands below.

1. iptables -A INPUT -p tcp -s 0/0 --dport 22  -j ACCEPT
2. iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80  -j ACCEPT
3. iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443  -j ACCEPT

Then I restarted the iptables service:

service SuSEfirewall2 restart

However, from the 10.11.12.50 address, the web server on ports 80 & 443 is not accessible.

I can't see the applied rules in the list below.

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

Kindly let me know what I'm missing in the iptables rule settings.

Ekam
  • I would expect `service SuSEfirewall2 restart` to remove any manually specified rules. I'm not familiar with SUSE, but generally to make a persistent configuration change you need to modify some configuration files with your updated rules. – larsks Sep 01 '22 at 11:58
  • Please let me know how I can configure this persistently; I am new to openSUSE & iptables – Ekam Sep 01 '22 at 11:59
  • Unfortunately, while I know how RHEL-based distributions handle this sort of thing, I'm not familiar with SuSE. I suspect the documentation probably has some information on this topic. – larsks Sep 01 '22 at 12:01
