SLES15 default iptables rule causing issue

vishal New or Quiet Member

The rule below in iptables is causing slptool to fail to detect the services of other hosts:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I deleted it using the command below:
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
and SLP started working with the firewall enabled.
However, when I reload firewalld it goes back to the original rule (REJECT).
How can I delete this rule permanently, so that even after reloading the firewall it does not go back to the default?


  • malcolmlewis Knowledge Partner

    @vishal look at using the YaST firewall config to make changes. I don't have a SLES 12 SP5 setup, but you need to save the runtime setting to permanent, e.g. firewall-cmd --runtime-to-permanent.

  • vishal New or Quiet Member

    @malcolmlewis: the OS is SLES15.
    I tried running firewall-cmd --runtime-to-permanent, but it again goes back to the default when firewalld is reloaded.

  • vishal New or Quiet Member

    @malcolmlewis: I even tried to update the firewalld.service unit file by adding a script like the one below, but even with this, after a firewalld reload it goes back to the default.
    sles15:~ # cat /usr/lib/systemd/system/firewalld.service
    Description=firewalld - dynamic firewall daemon
    Conflicts=iptables.service ip6tables.service ebtables.service ipset.service

    ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
    ExecReload=/bin/kill -HUP $MAINPID

    # supress to log debug and error output also to /var/log/messages

    sles15:~ #

    sles15:~ # cat /root/

    # Record the start time, then try to delete firewalld's catch-all REJECT rule
    # from the INPUT and FORWARD chains; -w 5 waits up to 5 s for the xtables lock.
    echo "$(date) Remove rules" > /tmp/remove-icmp.log

    iptables -w 5 -D INPUT -j REJECT --reject-with icmp-host-prohibited >> /tmp/remove-icmp.log 2>&1
    [ $? -ne 0 ] && echo "Failed" >> /tmp/remove-icmp.log
    iptables -w 5 -D FORWARD -j REJECT --reject-with icmp-host-prohibited >> /tmp/remove-icmp.log 2>&1
    [ $? -ne 0 ] && echo "Failed" >> /tmp/remove-icmp.log

    echo "$(date)" >> /tmp/remove-icmp.log
    exit 0

  • malcolmlewis Knowledge Partner
    edited November 2020

    @vishal Hi, AFAIK all you should have to do is run firewall-cmd with your rule; once confirmed all OK, then make the switch from runtime to permanent. It should not be necessary to use any scripts or file tweaks.

  • vishal New or Quiet Member

    @malcolmlewis: at first I tried only that: after making the rule change I ran firewall-cmd --runtime-to-permanent,
    but then if I reload the firewall or reboot the machine it again switches back to the default.

  • malcolmlewis Knowledge Partner

    @vishal Hi, I suggest a read of the following; perhaps the zone needs to be selected as well....
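The zone-based approach the last reply points at, worked through as an added example (this is not code from the thread or from the firewalld project). The reason `--runtime-to-permanent` saved nothing is that an `iptables -D` run behind firewalld's back never enters firewalld's own rule model, so a reload or reboot simply re-applies that model. Deleting the catch-all REJECT is also the wrong fix from a security standpoint: firewalld leaves the built-in INPUT policy at ACCEPT, so without that final rule the host accepts every inbound connection. The script below instead adds the `slp` service (427/tcp and 427/udp in firewalld's shipped service definition) to the permanent configuration of the zone bound to the interface, reloads, and then checks `iptables -S` output to confirm that port 427 is accepted and that the catch-all REJECT is still the last INPUT rule. Assumptions not stated in the thread: the interface name `$IFACE`, firewalld's iptables backend (if `FirewallBackend=nftables` is set in `/etc/firewalld/firewalld.conf`, the rules live in the `inet firewalld` nftables table and must be inspected with `nft list ruleset` instead), and root privileges; `DRY_RUN=1` (the default here) prints the `firewall-cmd` invocations instead of executing them, and the rule listing is a constructed sample, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread. Open SLP in the right firewalld zone
# and keep the catch-all REJECT, rather than deleting it with "iptables -D".
# Assumptions: $IFACE is the interface name, firewalld uses its iptables
# backend, and the script runs as root when DRY_RUN=0.

IFACE="${IFACE:-eth0}"      # hypothetical interface name
DRY_RUN="${DRY_RUN:-1}"     # 1 = print firewall-cmd calls instead of running them

# Execute firewall-cmd, or print the invocation in dry-run mode.
fwcmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Zone that owns the interface. Interfaces with no binding fall under the
# default zone, so report that when firewalld answers "no zone".
zone_for_iface() {
    if [ "$DRY_RUN" = "1" ]; then
        echo public                 # constructed answer for dry-run
        return 0
    fi
    z=$(firewall-cmd --get-zone-of-interface="$1" 2>/dev/null)
    if [ -n "$z" ] && [ "$z" != "no zone" ]; then
        echo "$z"
    else
        firewall-cmd --get-default-zone
    fi
}

# Add the "slp" service to the zone's permanent config, apply it, query it back.
# Writing --permanent first is what survives "firewall-cmd --reload" and reboot.
allow_slp_in_zone() {
    fwcmd --permanent --zone="$1" --add-service=slp || return 1
    fwcmd --reload || return 1
    fwcmd --zone="$1" --query-service=slp
}

# Check "iptables -S" output read from stdin. Prints one of:
#   ok         some chain accepts dport 427 and INPUT still ends in the catch-all REJECT
#   no-reject  the catch-all REJECT is gone, so INPUT is effectively allow-all
#   no-slp     nothing accepts port 427
check_rules() {
    last_input=""
    slp_accept=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*) last_input="$line" ;;
        esac
        case "$line" in
            *"--dport 427 "*"-j ACCEPT"*) slp_accept=1 ;;
        esac
    done
    case "$last_input" in
        *"-j REJECT --reject-with icmp-host-prohibited"*) ;;
        *) echo no-reject; return 1 ;;
    esac
    if [ "$slp_accept" -eq 1 ]; then
        echo ok
        return 0
    fi
    echo no-slp
    return 1
}

# Constructed sample of "iptables -S" on a firewalld host (iptables backend)
# after slp was added to the public zone. Not captured from a real system.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N IN_public_allow
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 427 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 427 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT'

# Walk-through: find the zone, open SLP there, then run the check on the sample.
# On a live host run "iptables -S | check_rules" after the reload instead.
zone=$(zone_for_iface "$IFACE")
allow_slp_in_zone "$zone"
printf '%s\n' "$SAMPLE_RULES" | check_rules
```

Run it as `DRY_RUN=0 IFACE=eth0 sh allow-slp.sh` on the host to apply the change; the `check_rules` result of `no-reject` is the state the thread's `iptables -D` approach leaves behind, and it should never be the result on a production host. If the interface is in a zone whose intended posture is closed (for example `public`), consider instead moving a trusted internal interface to a zone of its own rather than widening `public`.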
