SLES15 default iptables rule causing issue

vishal New or Quiet Member

The rule below in iptables is causing slptool to fail to detect the services of other hosts:
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I deleted it with the command below:
    iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
and SLP started working with the firewall enabled.
However, when I reload firewalld it goes back to the original rule (REJECT).
How can I delete this rule permanently so that even after reloading the firewall it does not go back to the default?

Comments

  • malcolmlewis Knowledge Partner

    @vishal look at using the YaST firewall config to make changes. I don't have a SLES 12 SP5 setup, but you need to save the runtime setting to permanent, e.g. firewall-cmd --runtime-to-permanent.

  • vishal New or Quiet Member

    @malcolmlewis : the OS is SLES15.
    I tried running firewall-cmd --runtime-to-permanent but it again goes back to default when firewalld is reloaded.

  • vishal New or Quiet Member

    @malcolmlewis : I even tried to update the firewalld.service unit file by adding a script like below, but even with this, after a firewalld reload it goes back to default.
    sles15:~ # cat /usr/lib/systemd/system/firewalld.service
    [Unit]
    Description=firewalld - dynamic firewall daemon
    Before=network-pre.target
    Wants=network-pre.target
    After=dbus.service
    After=polkit.service
    Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
    Documentation=man:firewalld(1)

    [Service]
    EnvironmentFile=-/etc/sysconfig/firewalld
    ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
    ExecStartPost=/root/1.sh
    ExecReload=/bin/kill -HUP $MAINPID

    # suppress to log debug and error output also to /var/log/messages

    StandardOutput=/var/log/firewall
    StandardError=null
    Type=dbus
    BusName=org.fedoraproject.FirewallD1
    KillMode=mixed

    [Install]
    WantedBy=multi-user.target
    Alias=dbus-org.fedoraproject.FirewallD1.service
    sles15:~ #


    sles15:~ # cat /root/1.sh

    #!/bin/bash
    # Log a timestamp, then try to remove the REJECT rule from INPUT and FORWARD.
    echo "$(date) Remove rules" > /tmp/remove-icmp.log

    iptables -w 5 -D INPUT -j REJECT --reject-with icmp-host-prohibited >> /tmp/remove-icmp.log 2>&1
    [ $? -ne 0 ] && echo "Failed" >> /tmp/remove-icmp.log
    iptables -w 5 -D FORWARD -j REJECT --reject-with icmp-host-prohibited >> /tmp/remove-icmp.log 2>&1
    [ $? -ne 0 ] && echo "Failed" >> /tmp/remove-icmp.log

    echo "$(date)" >> /tmp/remove-icmp.log
    exit 0

  • malcolmlewis Knowledge Partner
    edited November 2020

    @vishal Hi, AFAIK all you should have to do is run firewall-cmd with your rule; once confirmed all OK, then make the switch from runtime to permanent. It should not be necessary to use any scripts or file tweaks.

  • vishal New or Quiet Member

    @malcolmlewis : at first I tried only that: after making the rule change I ran firewall-cmd --runtime-to-permanent,
    but then if I reload the firewall or reboot the machine it switches back to default.

  • malcolmlewis Knowledge Partner

    @vishal Hi, I suggest a read of the following; perhaps the zone needs to be selected as well.
    https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-firewall.html
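    As an added example (not code from anyone in this thread), this is the firewalld-native way to get SLP through: allow the service in the zone's permanent configuration instead of deleting the zone's REJECT rule with iptables, which firewalld regenerates on every reload, and which firewall-cmd --runtime-to-permanent never sees because the change bypassed firewalld. It assumes firewall-cmd is on PATH; FIREWALL_CMD is a hypothetical override variable so the functions can be dry-run against a stub.

    ```shell
    #!/bin/sh
    # Allow SLP (port 427 tcp+udp) through firewalld permanently, then reload so
    # the runtime config matches the permanent one. Rules added this way survive
    # "firewall-cmd --reload" and reboots because firewalld owns them.
    FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # override with a stub for dry runs

    # open_slp_permanent [ZONE]: add the 'slp' predefined service to ZONE's
    # permanent configuration (falls back to raw ports if this firewalld build
    # has no slp service definition), then reload.
    open_slp_permanent() {
        zone="${1:-$("$FIREWALL_CMD" --get-default-zone)}"
        if "$FIREWALL_CMD" --info-service=slp >/dev/null 2>&1; then
            "$FIREWALL_CMD" --permanent --zone="$zone" --add-service=slp || return 1
        else
            "$FIREWALL_CMD" --permanent --zone="$zone" --add-port=427/tcp || return 1
            "$FIREWALL_CMD" --permanent --zone="$zone" --add-port=427/udp || return 1
        fi
        "$FIREWALL_CMD" --reload
    }

    # verify_slp_permanent [ZONE]: succeed only if the *permanent* zone config
    # lists slp (or port 427), i.e. the allowance will survive the next reload.
    verify_slp_permanent() {
        zone="${1:-$("$FIREWALL_CMD" --get-default-zone)}"
        "$FIREWALL_CMD" --permanent --zone="$zone" --list-all \
            | grep -Eq '(services:.* slp( |$))|(ports:.* 427/(tcp|udp))'
    }
    ```

    Run open_slp_permanent on the zone the host's interface belongs to (firewall-cmd --get-active-zones shows it), then verify_slp_permanent to confirm the permanent config before rebooting.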
