How to add an iptable policy manually?



vistac
22-Aug-2012, 09:04
Hi,
I enabled a PPTP VPN on my SLES 11.1, and I want to add an iptables policy like the one below:
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
I don't know how to add this kind of forward policy in the yast2/yast firewall tool,
so I just added it in rc.local. Now I have found that every few seconds this policy is gone.
I don't know what application removes it, so my solution is to use screen to run this command:
"watch -n 5 iptables -I FORWARD -s 172.17.1.0/24 -j ACCEPT".
This seems like a stupid solution. Does anyone know how to solve this issue? Please help me.
Thanks.

ab
22-Aug-2012, 14:20
On a normal setup the firewall is definitely not changed every few
seconds, but if you are loading Yast and doing other things with the
firewall, or if you are restarting the firewall service, or anything
like that then those operations will refresh the firewall per Yast's
configuration.

Since you seem to know what you're doing, check out
/etc/sysconfig/SuSEfirewall2 and see if one of the directives in there
can accept, in some form, your rule. A lot of common options, which are
not available in the Yast UI afaik, are available in that file and, if
set, they will be executed whenever the system changes the Firewall on
its own which means your rule should stay persistent, even across reboots.

Good luck.
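
One way to apply the suggestion above, as an added example that is not part of the original thread: SuSEfirewall2 sources the file named by FW_CUSTOMRULES and calls its hook functions each time it rebuilds the ruleset, so a rule placed in a hook is re-added on every reload instead of being wiped. The subnet is the one from the first post; the `vpn_forward_rule_present` helper and the `ppp+` narrowing hint are assumptions added for illustration.

```shell
# Added example: edits to the stock /etc/sysconfig/scripts/SuSEfirewall2-custom.
# Leave the other hook functions in that template as shipped.
#
# Enable the file in /etc/sysconfig/SuSEfirewall2:
#   FW_ROUTE="yes"
#   FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# then reload the firewall:  SuSEfirewall2 start

# Subnet from the first post; set it to the PPTP client address pool.
VPN_NET="192.168.1.0/24"

# SuSEfirewall2 calls this hook on every rebuild, after its own forwarding
# and masquerading rules and before the final log/deny rules.
fw_custom_before_denyall() {
    # Same rule the poster ran by hand. It accepts forwarding from the
    # subnet on any interface to any destination; to narrow it, assuming
    # VPN clients arrive on PPP interfaces, add:  -i ppp+
    iptables -I FORWARD -s "$VPN_NET" -j ACCEPT
    true
}

# Hypothetical helper, not part of SuSEfirewall2: returns 0 when the rule
# is loaded. Assumes iptables -S prints the source in CIDR form.
# Replaces the "watch" loop with a read-only check.
vpn_forward_rule_present() {
    iptables -S FORWARD | grep -qxF -- "-A FORWARD -s $VPN_NET -j ACCEPT"
}
```

After a reload, `vpn_forward_rule_present && echo loaded` run as root confirms the rule survived; opening the YaST firewall module or restarting the service afterwards should no longer remove it.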

Simeonof
17-Sep-2012, 10:57
You may also try to use FW Builder instead of SuSEfirewall. Works like a charm: http://www.fwbuilder.org/