On Thu, Nov 29, 2012 at 03:08:44PM +0100, Paul Reeves wrote:

Hi all,

I need to add some iptables PREROUTING rules and I'm looking for the most elegant solution. Worst case scenario would be to hack them together into a separate script and make sure it is run whenever it is appropriate. However it would be much better if I could add the rules to SuSEfirewall2-custom. The problem is, it is not obvious where.

I have not fully looked up the details. /etc/sysconfig/scripts/SuSEfirewall2-custom fw_custom_after_chain_creation() { fw_custom_before_port_handling() { fw_custom_before_masq() { # could also be named "after_port_handling()" fw_custom_before_denyall() { # could also be named "after_forwardmasq()" fw_custom_after_finished() { So I suspect before and up to fw_custom_before_masq(), depending what you want to achieve in PREROUTING.

A secondary question, which might answer the first is - How are iptables rules built up? Do later rules 'sort of' overlay or mask earlier rules? That would seem to be the most logical implementation but if the man page says something specific on this I must have missed it.

I think the logical approach is used, without knowing much of the details currently. But the script speaks for itself ... let me quote from the end ;) message "Setting up rules from $FWCONFIG ..." # loading stuff parse_zones parse_interfaces check_interfaces_unique autodetect_interfaces write_status process_masq_dev load_customrules check_interfaces verify_parameters #verify_masq_nets parse_ipsec remove_unused_zones [ "$FW_ROUTE" = 'yes' ] && forward_zones="$all_zones" input_zones="$all_zones" saved_input_zones="$input_zones" # need that for fork_to_chains parse_configurations # here we go with the real stuff: # Set default rules + flush set_basic_rules switch_on_ip_forwarding set_proc_stuff create_chains # HOOK fw_custom_after_chain_creation # HOOK, deprecated fw_custom_before_antispoofing # HOOK, deprecated fw_custom_after_antispoofing protect_from_internal check_convert_old_broadcast drop_broadcast allow_ipsec allow_icmp allow_forward_icmp_echo # HOOK fw_custom_before_port_handling process_trusted_nets if [ "$FW_LEGACY_ACCEPT_FIRST" != 'yes' ]; then reject_or_drop_services DROP reject_or_drop_services REJECT fi allow_related allow_ip_services allow_tcp_services allow_udp_services allow_rpc_services accept_services if [ "$FW_LEGACY_ACCEPT_FIRST" = 'yes' ]; then reject_or_drop_services DROP reject_or_drop_services REJECT fi warn_highports # HOOK fw_custom_before_masq redirect_rules if [ "$FW_ROUTE" = yes ]; then allow_related_forward_icmp allow_class_routing forwarding_rules DROP forwarding_rules REJECT forwarding_rules ACCEPT if [ "$FW_MASQUERADE" = yes ]; then masquerading_rules forward_masquerading_rules fi fi # HOOK fw_custom_before_denyall drop_all fork_to_chains finish_chains # HTB settings if [ -n "$FW_HTB_TUNE_DEV" ]; then need qdisc do_qdisc_settings fi [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch handle_initscripts # HOOK fw_custom_after_finished # END # CIao, Marcus -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org