Mailinglist Archive: opensuse-packaging (129 mails)

< Previous Next >
Re: [opensuse-packaging] How to convert these iptables rules to SuSEfirewall2?
On Sat, Jan 16, 2016 at 06:06:46PM +0800, Marguerite Su wrote:
Hi,

I packaged ocserv in network:vpn and I wanted to submit it to Factory.

Dominique suggests me to raise this topic.

I wrote the instruction in README.SUSE before:

#### Shutdown SUSEFirewall2 through YaST

Because I don't know how to convert iptables rules to SUSEFirewall2 ones.
If you can help me, please fork this package and submit back.

#### Set iptables rules

sudo /sbin/iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
sudo /sbin/iptables -A INPUT -p udp --dport 9001 -j ACCEPT
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j
MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

The 9000/9001 ports, IP range 192.168.1.0/24 are default ones,
you can change them in /etc/ocserv/ocserv.conf

Warning: Your eth0 may not exist, you can ifconfig -a to find yours.

#### Enable IP forward

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

It doesn't live after reboot.

=====================================================

How can I achieve the same result without shutting SuSEFirewall2 down?

Any documentation I can learn from?

Opening ports ... easy

FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""

Or better, write a service file.

/etc/sysconfig/SuSEfirewall2.d/services/ocserv

TCP="9000"
UDP="9001"

and then you an enable the service with
FW_CONFIGURATIONS_EXT="ocserv"


j
The masquerading ... is this really intended this way as I pretty much doubt
that
that everyone has this kind of network layout.

FW_ROUTE="yes"
FW_MASQUERADE="yes"

will masquerade the internal network zone towards the external network zone.

Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-packaging+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References