3.4.2 Configuring iptables for Multiple Components

If you need to use iptables for multiple components (for example, the host machine and Identity Server), centralize the commands in one manageable location. The following sections explain how to use the SuSEFirewall2 option in YaST to centralize the commands.

Identity Server requires pre-routing commands.

NOTE: Port forwarding must be enabled for this configuration to work. See Port Forwarding.

Adding Identity Server Commands

  1. Click Devices > Identity Server > Edit, and configure Base URL with the HTTPS protocol and the TCP port 443.

  2. Click OK.

  3. Update Identity Server.

  4. On Identity Server, edit the /etc/sysconfig/SuSEfirewall2 file.

    1. Change the FW_CUSTOMRULES="" line to the following:

      FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

    2. Save the changes and exit.

  5. Open the /etc/sysconfig/scripts/SuSEfirewall2-custom file in an editor.

    This is the custom rules file you specified in Step 4.

  6. Add the following lines under the fw_custom_before_port_handling() section:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.0.1:8443
    iptables -t nat -A OUTPUT -p tcp -o eth0 --dport 443 -j DNAT --to 10.10.0.1:8443
    true

    The first command rewrites all requests arriving on eth0 with a destination TCP port of 443 so that they are delivered to TCP port 8443 on IP address 10.10.0.1. Replace 10.10.0.1 with the IP address of your Identity Server.

    The second command applies the same rewrite to locally generated traffic leaving through eth0 (the OUTPUT chain), so that health checks the server sends to its own port 443 also reach port 8443.

  7. Save the file.

  8. At the system console, restart the firewall by running the following command:

    /etc/init.d/SuSEfirewall2_setup restart

  9. Verify that port 443 is being routed to Identity Server by running the following command:

    iptables -t nat -nvL

    The following is a sample entry:

    pkts bytes target     prot opt in     out     source               destination
    17   748 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.10.0.1:8443

    This entry shows that traffic arriving on eth0 for TCP port 443 is being rewritten to 10.10.0.1:8443.

  10. (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.