[opensuse-packaging] How to convert these iptables rules to SuSEfirewall2?
Hi,

I packaged ocserv in network:vpn and I wanted to submit it to Factory.
Dominique suggested that I raise this topic.

I wrote the instructions in README.SUSE before:

#### Shutdown SUSEFirewall2 through YaST

Because I don't know how to convert iptables rules to SUSEFirewall2 ones. If you can help me, please fork this package and submit back.

#### Set iptables rules

sudo /sbin/iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
sudo /sbin/iptables -A INPUT -p udp --dport 9001 -j ACCEPT
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

The 9000/9001 ports and the IP range 192.168.1.0/24 are the default ones; you can change them in /etc/ocserv/ocserv.conf.

Warning: Your eth0 may not exist; you can run ifconfig -a to find yours.

#### Enable IP forward

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

It doesn't survive a reboot.

=====================================================

How can I achieve the same result without shutting SuSEFirewall2 down?
Any documentation I can learn from?

Marguerite

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
On Sat, 16 Jan 2016 11:06, Marguerite Su wrote:
Hi,
I packaged ocserv in network:vpn and I wanted to submit it to Factory.
Dominique suggested that I raise this topic.
I wrote the instructions in README.SUSE before:
#### Shutdown SUSEFirewall2 through YaST
Because I don't know how to convert iptables rules to SUSEFirewall2 ones. If you can help me, please fork this package and submit back.
#### Set iptables rules
sudo /sbin/iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
sudo /sbin/iptables -A INPUT -p udp --dport 9001 -j ACCEPT
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
The 9000/9001 ports and the IP range 192.168.1.0/24 are the default ones; you can change them in /etc/ocserv/ocserv.conf.
Warning: Your eth0 may not exist; you can run ifconfig -a to find yours.
#### Enable IP forward
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
It doesn't survive a reboot.
=====================================================
How can I achieve the same result without shutting SuSEFirewall2 down?
Any documentation I can learn from?
Marguerite
First: you can add iptables rules without shutting down SuSEFirewall2.
(For the ports, drop a file into /etc/sysconfig/SuSEfirewall2.d/services/.)

Second: for enabling IP forwarding, use sysctl. (Drop a file into /etc/sysctl.d/.)

Third: other VPN software has to do something similar. Have you taken a look there?

See:
/etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE
/etc/sysconfig/scripts/SuSEfirewall2-custom
/usr/share/doc/packages/SuSEfirewall2/EXAMPLES

OR: build a script to run in the ExecPre= section of the systemd ocserv.service file.

That's IMHO, not a final word of the security review team, which ocserv will have to pass to be accepted into Factory.

Have a nice weekend.

- Yamaban.
On Sat, Jan 16, 2016 at 06:06:46PM +0800, Marguerite Su wrote:
Hi,
I packaged ocserv in network:vpn and I wanted to submit it to Factory.
Dominique suggested that I raise this topic.
I wrote the instructions in README.SUSE before:
#### Shutdown SUSEFirewall2 through YaST
Because I don't know how to convert iptables rules to SUSEFirewall2 ones. If you can help me, please fork this package and submit back.
#### Set iptables rules
sudo /sbin/iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
sudo /sbin/iptables -A INPUT -p udp --dport 9001 -j ACCEPT
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
The 9000/9001 ports and the IP range 192.168.1.0/24 are the default ones; you can change them in /etc/ocserv/ocserv.conf.
Warning: Your eth0 may not exist; you can run ifconfig -a to find yours.
#### Enable IP forward
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
It doesn't survive a reboot.
=====================================================
How can I achieve the same result without shutting SuSEFirewall2 down?
Any documentation I can learn from?
Opening ports ... easy:

FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""

Or better, write a service file:

/etc/sysconfig/SuSEfirewall2.d/services/ocserv
TCP="9000"
UDP="9001"

and then you can enable the service with

FW_CONFIGURATIONS_EXT="ocserv"

The masquerading ... is this really intended this way? I pretty much doubt that everyone has this kind of network layout.

FW_ROUTE="yes"
FW_MASQUERADE="yes"

will masquerade the internal network zone towards the external network zone.

Ciao, Marcus
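Putting Yamaban's pointers (service file under SuSEfirewall2.d/services/, sysctl.d fragment) and Marcus's FW_CONFIGURATIONS_EXT together as one script, as an added example that is not code from the thread or from the ocserv package: it derives the service file from /etc/ocserv/ocserv.conf so the firewall follows the ports the admin actually set, emits the sysctl.d fragment, and enables the service without duplicating entries. The ocserv.conf key names tcp-port and udp-port are assumed; the function names are invented here.

```shell
#!/bin/sh
# Added example (not the ocserv package's code): generate the SuSEfirewall2
# service file and the sysctl.d fragment from ocserv.conf, and enable the
# service in /etc/sysconfig/SuSEfirewall2. Assumed: ocserv.conf keys
# tcp-port / udp-port; the service-file keys TCP= / UDP= follow TEMPLATE.

# Value of "key = value" in an ocserv.conf ($1 file, $2 key), or $3 if unset.
ocserv_conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Body of /etc/sysconfig/SuSEfirewall2.d/services/ocserv; 9000/9001 are the
# package defaults named in the thread, used only if ocserv.conf is silent.
gen_fw_service() {
    printf '## Name: ocserv\n## Description: OpenConnect VPN server\n'
    printf 'TCP="%s"\nUDP="%s"\n' \
        "$(ocserv_conf_get "$1" tcp-port 9000)" "$(ocserv_conf_get "$1" udp-port 9001)"
}

# /etc/sysctl.d fragment: ip_forward survives a reboot, unlike the /proc write.
gen_sysctl_fragment() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Append $2 to FW_CONFIGURATIONS_EXT in sysconfig file $1, keeping existing
# entries and never listing a service twice; adds the line if it is missing.
enable_fw_config() {
    cur=$(sed -n 's/^FW_CONFIGURATIONS_EXT="\(.*\)"/\1/p' "$1" | tail -n 1)
    case " $cur " in *" $2 "*) return 0 ;; esac
    new=$(printf '%s %s' "$cur" "$2" | sed 's/^ *//')
    if grep -q '^FW_CONFIGURATIONS_EXT=' "$1"; then
        tmp=$(mktemp)
        sed "s/^FW_CONFIGURATIONS_EXT=.*/FW_CONFIGURATIONS_EXT=\"$new\"/" "$1" > "$tmp"
        mv "$tmp" "$1"
    else
        printf 'FW_CONFIGURATIONS_EXT="%s"\n' "$new" >> "$1"
    fi
}

# Constructed sample standing in for /etc/ocserv/ocserv.conf.
sample=$(mktemp)
printf 'tcp-port = 9000\nudp-port = 9001 # constructed\nipv4-network = 192.168.1.0\n' > "$sample"
gen_fw_service "$sample"
gen_sysctl_fragment
rm -f "$sample"
```

Run as root, the three generators would be redirected into /etc/sysconfig/SuSEfirewall2.d/services/ocserv, /etc/sysctl.d/ and /etc/sysconfig/SuSEfirewall2 respectively, followed by SuSEfirewall2 and sysctl reloads.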
Hi, Marcus
On Tue, Jan 19, 2016 at 2:48 AM, Marcus Meissner wrote:
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
and then you can enable the service with FW_CONFIGURATIONS_EXT="ocserv"
The masquerading ... is this really intended this way? I pretty much doubt that everyone has this kind of network layout.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
will masquerade the internal network zone towards the external network zone.
Is there any place I can write FW_ROUTE/FW_MASQUERADE?

I would like to let the user just:

1. install ocserv and start the systemd service
2. the firewall is all configured

AND:

sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

How do I convert this rule?

Marguerite
On Thu, Jan 21, 2016 at 04:25:12PM +0800, Marguerite Su wrote:
Hi, Marcus
On Tue, Jan 19, 2016 at 2:48 AM, Marcus Meissner wrote:
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
and then you can enable the service with FW_CONFIGURATIONS_EXT="ocserv"
The masquerading ... is this really intended this way? I pretty much doubt that everyone has this kind of network layout.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
will masquerade the internal network zone towards the external network zone.
Is there any place I can write FW_ROUTE/FW_MASQUERADE?
I would like to let the user just:
1. install ocserv and start the systemd service
2. the firewall is all configured
AND:
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
How do I convert this rule?
Where is this 192.168.1.0/24 network supposed to be? The machine's local network?

(FW_MASQUERADE="yes" would basically masquerade the internal network to the outside.)

But I think this does not make sense at all for a package installation, sorry.

Ciao, Marcus
On Thu, Jan 21, 2016 at 4:30 PM, Marcus Meissner wrote:
Is there any place I can write FW_ROUTE/FW_MASQUERADE?
AND:
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
How do I convert this rule?
Where is this 192.168.1.0/24 network supposed to be? The machine's local network?
Haha, of course not. It doesn't make sense. It will be the virtual network configured in /etc/ocserv/ocserv.conf. (ocserv is a kind of open source VPN; the same technology is used by Cisco AnyConnect.)
(FW_MASQUERADE="yes" would basically masquerade the internal network to the outside.)
So the forward rule is covered?

Marguerite
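For the two rules that remain open in the thread (the MASQUERADE and the FORWARD accept for the VPN subnet), an added example that is not from the thread or the ocserv package: a hook body for /etc/sysconfig/scripts/SuSEfirewall2-custom which, instead of Marcus's zone-wide FW_MASQUERADE="yes", limits masquerading and forwarding to the VPN subnet read from ocserv.conf, and takes the uplink from the default route rather than assuming eth0 (the "your eth0 may not exist" caveat). Assumptions: the hook name fw_custom_before_masq and the FW_CUSTOMRULES setting of /etc/sysconfig/SuSEfirewall2, the ocserv.conf keys ipv4-network and ipv4-netmask; the helper names are invented here.

```shell
#!/bin/sh
# Added example (not the ocserv package's code): hook body for
# /etc/sysconfig/scripts/SuSEfirewall2-custom, enabled through FW_CUSTOMRULES.
# Masquerades and forwards only the ocserv VPN subnet and picks the uplink from
# the default route. Assumed: ocserv.conf keys ipv4-network / ipv4-netmask and
# the hook name fw_custom_before_masq.

# Dotted netmask -> prefix length (255.255.255.0 -> 24); rejects non-contiguous masks.
mask_to_prefix() {
    bits=0
    for o in $(printf '%s' "$1" | tr . ' '); do
        case $o in
            255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;; 252) bits=$((bits + 6)) ;;
            248) bits=$((bits + 5)) ;; 240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;; 0) ;;
            *) echo "bad netmask octet: $o" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Interface of the default route, parsed from `ip -4 route show` output ($1).
default_iface() {
    printf '%s\n' "$1" | sed -n 's/^default .* dev \([^ ]*\).*/\1/p' | head -n 1
}

# The README's two rules as iptables argument lists, one per line, scoped to
# the VPN subnet ($1 network, $2 netmask, $3 uplink); printed for checking.
vpn_rules() {
    net="$1/$(mask_to_prefix "$2")" || return 1
    printf '%s\n' "-t nat -A POSTROUTING -s $net -o $3 -j MASQUERADE"
    printf '%s\n' "-A FORWARD -s $net -j ACCEPT"
}

# Hook SuSEfirewall2 runs before its own masquerading rules (assumed name).
fw_custom_before_masq() {
    conf=/etc/ocserv/ocserv.conf
    net=$(sed -n 's/^ipv4-network *= *\([^ #]*\).*/\1/p' "$conf" | tail -n 1)
    mask=$(sed -n 's/^ipv4-netmask *= *\([^ #]*\).*/\1/p' "$conf" | tail -n 1)
    iface=$(default_iface "$(ip -4 route show)")
    [ -n "$net" ] && [ -n "$mask" ] && [ -n "$iface" ] || return 0
    vpn_rules "$net" "$mask" "$iface" | while read -r args; do
        iptables $args   # unquoted on purpose: $args is a list of arguments
    done
    true
}

# Constructed demo input; on a real host the hook reads ocserv.conf and `ip route`.
vpn_rules 192.168.1.0 255.255.255.0 "$(default_iface 'default via 203.0.113.1 dev eth0 proto dhcp')"
```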