SLES15 Default Iptable rule causing issue

SUSE Product Topics SLES Networking
1

Below rule in iptables is causing the slptool to fail in detecting the services of other hosts.
REJECT all – anywhere anywhere reject-with icmp-host-prohibited
I deleted it by using below command
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
and slp started working with firewall enabled.
however when i reload the firewalld it again went back to original rule (REJECT)
how can i delete this rule permanently so that even after reoading firewall it does not go back to default.

2

@vishal look at using YaST firewall config to make changes, I don’t have a SLES 12 SP5 setup, but you need to save the runtime setting to permanent eg firewall-cmd --runtime-to-permanent.

3

@malcolmlewis : OS is SLES15
i tried running firewall-cmd --runtime-to-permanent but it again goes back to default when firewalld is reloaded.

4

@malcolmlewis : i even tried to update the firewall.service unit file by adding script like below but even with this after firewalld reload it goes back to default
sles15:~ # cat /usr/lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
Documentation=man:firewalld(1)

[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecStartPost=/root/1.sh
ExecReload=/bin/kill -HUP $MAINPID

supress to log debug and error output also to /var/log/messages

StandardOutput=/var/log/firewall
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1
KillMode=mixed

[Install]
WantedBy=multi-user.target
Alias=dbus-org.fedoraproject.FirewallD1.service
sles15:~ #

sles15:~ # cat /root/1.sh
#!/bin/bash

echo "date Remove rules" > /tmp/remove-icmp.log

iptables -w 5 -D INPUT -j REJECT --reject-with icmp-host-prohibited >> /tmp/remove-icmp.log 2>&1
[ $? -ne 0 ] && echo “Failed” >> /tmp/remove-icmp.log
iptables -w 5 -D FORWARD -j REJECT --reject-with icmp-host-prohibited >> /tmp/remove-icmp.log 2>&1
[ $? -ne 0 ] && echo “Failed” >> /tmp/remove-icmp.log

echo “date” >> /tmp/remove-icmp.log
exit 0

5

@vishal Hi, AFAIK, all you should have to do is run the firewall-cmd with your rule, once confirmed all ok, then make the switch from runtime to permanent… it should not be necessary for any scripts or file tweaks.

6

@malcolmlewis : at first i tried that only after making the rule change i ran firewall-cmd --runtime-to-permanenent
but then if i reload the firewall or reboot the machine it again switch back to default .

7

@vishal Hi, suggest a read at the following, perhaps the zone needs to be selected as well…
https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-firewall.html