Network/Internet: Questions about internet applications, network configuration, usage (SAMBA, network printing, NFS)
Hello - I have two SUSE servers and they work great. One is a webserver on the internet and another internal server for data storage, printing etc. The hardware firewall is configured to forward some ports (21, 22, 50000-51000, 80, 8080) to the webserver.

While I keep them both patched and use fail2ban on the webserver (to stop the 10,000 failed ssh attempts), I would like to add a bit more security and set the internal server to block all traffic from the webserver (just in case it does become compromised). I think there is a way to block IP addresses using iptables commands, but I am not sure how to make them permanent. I'm also wondering if there is also a way to use the Yast firewall tool to do the same thing? If anyone has any advice on other programs I should be running on the webserver besides the firewall and fail2ban, I would appreciate their advice. Thanks!
I think this link will give some of the answers you are looking for:
Cool Solutions: Simple Firewall Configuration Using NetFilter/iptables
__________________
Henk van Velden
That is a great article. So is the best way to implement custom firewall rules a bash shell script?

Does this take the place of the /etc/sysconfig/SuSEfirewall2? I'm also not sure how to get this bash shell to start at the right time during booting. Thanks!
Yes, the best way is via a custom script since it is infinitely customizable. Also you can disable the old firewall via Yast: Security and Users: Firewall. The article tells you how to enable the finished script:

Quote:
So, here's an init-ready script for SuSE Linux versions to configure a firewall as described above. Create /etc/init.d/firewall and paste the following text into it, then save it. Change the file's mode to executable and use chkconfig firewall on to enable the script at init time (/etc/init.d/firewall start to start the script now). Be sure to disable any other firewall script if you use this one:

Good luck.

gzdenek wrote:
> That is a great article. So is the best way to implement custom firewall
> rules a bash shell script?
>
> Does this take the place of the /etc/sysconfig/SuSEfirewall2?
>
> I'm also not sure how to get this bash shell to start at the right time
> during booting.
>
> Thanks!
On Sun, 26 Apr 2009 16:26:01 +0000, framp wrote:
> I suggest to stick with SuSEFirewall2 and use
> /etc/sysconfig/scripts/SuSEfirewall2-custom.

Despite the comments in that script that there is no doc, no support, and nobody will help you with it... Is there any doc on how this is supposed to be used?

--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com
Please post questions in the newsgroups. No support provided via email.
If you need help - just post your questions/problems. A lot of people have experience with SuSEfirewall2 and might be able to help you.

EDIT: Just realized you may have meant /etc/sysconfig/script/SuSEfirewall2-custom. I added all my additional iptables rules in fw_custom_before_denyall. You usually don't need all the other SuSEfirewall2 hooks.
Quote:
.

Just move this sentence to the end of the EDIT section.
David Gersic wrote:
> On Sun, 26 Apr 2009 16:26:01 +0000, framp wrote:
>
>> I suggest to stick with SuSEFirewall2 and use
>> /etc/sysconfig/scripts/SuSEfirewall2-custom.
>
> Despite the comments in that script that there is no doc, no support, and
> nobody will help you with it... Is there any doc on how this is supposed
> to be used?

A word of advice: Ditch SuSEfw2 and put Shorewall in its place. You'll love the simplicity and logic. E.g. in order to ban a host all you need is 'shorewall (log)reject <host>'. To make the ban permanent you put the host in /etc/shorewall/blacklist, with port and proto if appropriate. No more fiddling with low-level iptables options, decent man-pages for all config files and great support from the developer and numerous users on the shorewall mailing list.

Theo
On Thu, 07 May 2009 19:56:01 +0000, framp wrote:
> If you need help - just post your questions/problems. A lot of people
> have experiences with SuSEfirewall2 and might be able to help you.

Starting a new thread with "SuSEfirewall2 and FW_CUSTOMRULES" as the subject...

--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com
Please post questions in the newsgroups. No support provided via email.