openSUSE Forums, ARCHIVES - Tips, Tricks & Tweaks: How To Add Additional Ip Rules To Suse Firewall

#1, FeatherMonkey, 28-Aug-2007 06:34

You know that error message:
Warning: ip6tables does not support state matching. Extended IPv6 support disabled.

I was trying something in the custom config for SuSEfirewall and I need state matching. So my question is: can I enable it without re-compiling the kernel, or, more to the point, will compiling the kernel enable state matching?

Or am I missing something; is it a modprobe I need, or a YaST config? Google's not really helping me: plenty asking about the message and being told to ignore it, but I don't want to.

What I was trying was based around an iptables rule like so:
Code:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j input_ext

Can I achieve this, and if so, how?
#2, FeatherMonkey, 28-Aug-2007 06:48

What I was trying to do was add these rules to SuSEfirewall, but it seems it's not doing as expected.

Code:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
#3, FeatherMonkey, 28-Aug-2007 10:48

OK, I'm pretty sure my title doesn't reflect my problem; the above rules work.

But the problem I've got is that using the custom script is working up to a point.
I actually have one other rule that implements it, that I need to add.

Now I've discovered, with a lot of trial and error, that for some reason I can't get the custom script to insert the rule at row 5.

So does anyone know how, or do I have to use a rather inelegant way and use boot.local to add the one rule I need?

At the mo, telling the firewall to use the custom script works, though I'm not really sure exactly where is best; it seems to not mind really.
Code:
iptables -N SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -A input_ext -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
Which leaves me with the final rule for the INPUT chain, which needs to be after all the accepts but before the drops. Using the script, it refuses to insert, presumably because the 4th rule doesn't exist yet.

So off the command line, after the firewall is initialised:
Code:
iptables -I INPUT 5 -p tcp -m multiport --destination-ports 22 -j ACCEPT
Any ideas, or is boot.local the only way?

If not so, then here are a few rules that will limit the attempts between the logins, though 4 doesn't quite reflect the attempts: 4 seems to equate to 9 attempts, 2 = 3 attempts; it seems to be working in multiples of 3 here. Don't try 1, it doesn't seem to work.

If you're feeling brave, I suspect you can push it further with the secs, but you may end up waiting for a while for a clear period with no attempts from the IP.

So if you followed along, and can't help me, then you've got SuSEfirewall2 edited and using scripts.

You've edited the custom script to reflect the new rules. All you need to do now is add the final lone rule from the CLI, and then only 3 attempts are allowed a min. It'll slow those brute force attacks down a fair bit.

Perhaps a mod could change the title to reflect the post, perhaps "slowing down SSH brute force attacks". Though there is one little gripe left to finish, if not boot.local.
#4, FeatherMonkey, 28-Aug-2007 13:02

Step by step: how to slow down SSH brute force attacks, and more if you want, perhaps how to use custom rules with SuSEfirewall.

1) Edit /etc/sysconfig/SuSEfirewall2, line 823, so it looks like the example:
Code:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
2) Edit /etc/sysconfig/scripts/SuSEfirewall2-custom, in between the { after fw_custom_before_port_handling() and true, about line 60:
Code:
iptables -N SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -A input_ext -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
3) Edit /etc/sysconfig/scripts/SuSEfirewall2-custom; add this to the bottom, wherever really:
Code:
fw_custom_after_fork_to_chains() {
    iptables -A INPUT -p tcp -m multiport --destination-ports 22 -j ACCEPT
    true
}
4) Next edit /sbin/SuSEfirewall2; we need to add the hook we created, so first we define an empty function. Use Ctrl+F to search for fw_custom_before_denyall(), about line 813; under this block add:
Code:
fw_custom_after_fork_to_chains() { true; }
5) Next, to use the hook, go to the bottom of /sbin/SuSEfirewall2; you'll see fork_to_chains. Just after this add:
Code:
#HOOK
fw_custom_after_fork_to_chains
Now, as for the rest, as I chundered to myself solving this, you'll have limited SSH logins to 3 login attempts a min; then you'll need to wait for a clear minute before trying again. As said, tweak the numbers: 3 will give 6 attempts a min, change the secs, etc.

Hopefully you got it; maybe it'll help someone else. It certainly helped me understand how to use custom rules with SuSEfirewall.
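The ordering problem from post #3 (the ACCEPT has to land after the accepts and before the drops, and a hard-coded `-I INPUT 5` only works once that many rules exist) and the final rule of the step-by-step above can be handled by computing the position from the live chain instead of guessing it. This is an added example, not code from the thread or from SuSEfirewall2; it assumes the listing is in `iptables -S INPUT` format and uses a constructed sample chain, so it runs without root or netfilter and only prints the command it would run.

```shell
#!/bin/sh
# Added example (not from the thread): compute the insert position for the
# final INPUT rule instead of hard-coding `-I INPUT 5`. Assumes the chain is
# listed in `iptables -S INPUT` format: one "-A INPUT ..." line per rule, in order.

# Constructed sample listing, illustrative only (not captured from a real
# SuSEfirewall2 host): accepting/dispatching rules first, then LOG and DROP.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET "
-A INPUT -j DROP'

# Read a listing on stdin and print the 1-based position N for `iptables -I INPUT N`
# so the new rule lands after the last ACCEPT/jump rule and before the first
# LOG, DROP or REJECT. With no such terminal rule, N is one past the end (append).
insert_position() {
    awk '
        /^-A INPUT / {
            n++
            if (!first && $0 ~ /-j (LOG|DROP|REJECT)( |$)/) first = n
        }
        END { print (first ? first : n + 1) }
    '
}

# Print (do not run) the final ACCEPT rule from the thread with the computed
# position; the port is a parameter and defaults to 22 as in the original post.
insert_cmd() {
    pos=$(insert_position)
    echo "iptables -I INPUT $pos -p tcp -m multiport --destination-ports ${1:-22} -j ACCEPT"
}

# Stand-alone demo against the constructed sample; on a real host you would pipe
# `iptables -S INPUT` into insert_cmd instead.
printf '%s\n' "$SAMPLE_INPUT" | insert_cmd 22
```

On the SSH_CHECK chain itself: because `--set` runs before `--update`, the n-th new connection from one source inside the window is dropped once n reaches the hitcount, so `--hitcount 2` allows a single connection per minute; the multiples of 3 observed in the thread are the password prompts an SSH client offers per connection, not connections.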
 
