Mailinglist Archive: opensuse-factory (765 mails)

[opensuse-factory] iptables active while SuSEfirewall2 is stopped/disabled?
I have two NAT networks (192.168.122.0 & 192.168.124.0) set up in KVM
with a VM on each network. I can communicate between the VMs only one
way and not the other, both ssh and ping. I found that after I reboot,
I have iptables rules active even though systemctl status SuSEfirewall2
shows off/disabled.

If I flush the rules (iptables -F) then the VMs can communicate both
ways like I expect. If I start & stop SuSEfirewall2 then the iptables
rules are gone, the same behavior as after I flush the rules.

However on reboot, the iptables rules are active again even though the
firewall is disabled. Output below shows the rules after a boot, and
the rules after turning the firewall on and off.

How can I disable the rules altogether?



host:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.124.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.124.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.126.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.126.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

host:~ # systemctl status SuSEfirewall2
● SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; disabled; vendor preset: disabled)
Active: inactive (dead)

host:~ # systemctl start SuSEfirewall2

host:~ # systemctl stop SuSEfirewall2

host:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
yoda:~ #
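
The check described in the post (rules loaded although the firewall unit reports inactive), written as an added example that is not part of the original mail. The function names and the sample listing are constructed for illustration; only `iptables -L` and the `SuSEfirewall2` unit name come from the post.

```shell
#!/bin/sh
# Added example: summarise `iptables -L` output per chain and flag rules
# that are loaded while the firewall unit is not active.

# Constructed sample, shortened, in the shape of the listing in the post.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.124.0/24 ctstate RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
EOF
}

# Print "CHAIN POLICY RULECOUNT" for every chain in the listing on stdin.
chain_summary() {
    awk '
        $1 == "Chain" {
            if (chain != "") print chain, policy, n
            chain = $2; n = 0
            policy = ($3 == "(policy") ? $4 : "-"   # user chains have no policy
            sub(/\)$/, "", policy); next
        }
        $1 == "target" || NF == 0 { next }          # column header, blank line
        chain != "" { n++ }
        END { if (chain != "") print chain, policy, n }
    '
}

# Total number of rules across all chains in the listing on stdin.
total_rules() {
    chain_summary | awk '{ s += $3 } END { print s + 0 }'
}

# Succeeds (a finding) when the unit is not "active" but rules are loaded.
# $1 = state as printed by `systemctl is-active`; listing on stdin.
rules_without_firewall() {
    state=$1
    count=$(total_rules)
    [ "$state" != "active" ] && [ "$count" -gt 0 ]
}
```

On a live host, as root: `iptables -L | rules_without_firewall "$(systemctl is-active SuSEfirewall2)" && echo "rules loaded, firewall unit not active"`. `iptables -L` lists only the filter table, so the nat table needs a separate `iptables -t nat -L` pass.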