I’ve been reading the docs for SuSEfirewall2 and looking in YaST and I see no place to block incoming packets by country. I wish to block China, Russia, North Korea, Romania, Estonia... all the main headaches that bother us all. Looking at iptables documentation shows me not much, but I googled a few ‘rules’ from the internet that show me some iptables rules on how to go about this. My worry is that if I experiment with this (iptables) manually I may produce a problem similar to when editing apache configs manually, then YaST complains “...apache has been edited manually...” and refuses to merge the manual configuration. So, I’m willing to ‘get my feet wet’ with command line editing of iptables, but not if it will cause the problems stated. Any advice greatly appreciated. Thank You!
—rob
Hi
Is this a hosted service, or a local machine? Is it a private instance you (or a few users) want access to over the internet?
To be honest I think you will be banging your head against a brick wall, the system will be so busy processing rules it won’t have time to serve up web pages, most of those countries’ users are probably on the tor network, what about ipv6 users?
If it’s a private instance, change the port you’re running on to a non-standard one.
Hello @malcolmlewis, thanks for quick reply! No services here, only one computer behind a router I cannot control (ISP blocks most admin on router). I am not doing apache, databases or anything available to outside. I simply wish to protect my system (I may add another soon – laptop) from outside bad guys. The countries I wish to block I will never miss; I don’t go to them and want to keep them all out. Thanks again. Take Care.
— rob
Hi
If there are no open ports to the outside world from your router directed at an internal computer running a service, then there is nothing to do… turn on your firewall at the router and you’re good to go.
Do a remote port scan of your ip address, eg grc.com.
Or in other words, you are trying to “solve” a problem that does not even exist.
AK
If you have IPv6 enabled, then the above posts aren’t accurate.
Most gateway routers do not NAT IPv6 addresses, so your address would likely be exposed directly to the public Internet.
In general though,
Most people don’t believe that filtering countries accomplishes much (unless you believe your machine is specifically being targeted by foreign actors) because… the vast majority of attacks on machines located in the USA are executed by machines in the USA, either the criminal is an American citizen or a machine in the USA has been “owned” and is being used by the criminal.
So, for example, the following “Top 10 spammers” need to obtain massively large mail lists by any means possible…
https://www.spamhaus.org/statistics/spammers/
Now, if you were someone with data a foreign actor might be interested in… Then that might be another story because you would then be targeted specifically because of foreknowledge you have something they want.
But, if you are a “nobody” then you’re probably more likely subject to random attacks like spam bots, phishing attacks in general, network scanning, etc.
TSU
If -as stated by the OP- the machine does not offer any services to the outside world, in which sense does ipv6 or not make a difference?
The only real difference with ipv6 connectivity is the fact, that trying to block IP ranges by country makes even less sense.
AK
Wow! Had no idea I’d kick up this much, but very, very good input. Yes, in some sense I guess I’m “trying to solve a problem that doesn’t even exist…” On the other hand I originally thought of the situation as: the problem exists, but has not yet reached my door. As for “…turn on firewall at the router…” again I have very limited admin control over my gateway/router (Cisco DPC3941T from Comcast). As for my data, well nowadays with the easy (for bad hackers, bots, etc.) and cheap means of scooping up random but personal bits of data, we must all be careful of even allowing these bits out of our control if we can. My personal data was scooped 2x-3x times over 2013 - 2014 when the VA (US Veterans Administration) lost millions of personnel & health files on lost laptops, lost/stolen hard drives. Then in 2015 the US Office of Personnel Management (OPM) was hacked for millions of persons’ files. In 2015 - 2016 my bank (Chase) was hacked! In the US banks and many other organizations have no requirement to even notify clients when these things happen. So... I got to thinking… since so much of these issues come from certain countries why not block the entire country? Now with this thread I see (thanks to my wonderful and smart friends at openSUSE (as always!!)) that the ‘problem’ isn’t as simple as it seemed at first. Of course there is TOR, VPN services and all that, but again I wanted to take control myself if I could in a relatively simple manner. OBTW, I’m not certain about the EU and others, but in the US many ISP/internet providers now take control of reserved IP addresses such as 10.0.0.0 and 192.168.0.0 and assign these to the gateway/router internally (facing the client – me) so as to limit or make difficult my use of another router of my own on my home network. You all know this forces IP forwarding, NAT, reverse NAT and such. Strictly speaking, I don’t even want my ISP to know/follow where I go and what I do to study, shop, etc.
I’m no attorney, but in my mind the real attorneys are missing a few points: 1. Following me is Stalking! 2. The ISP makes $$$ selling my info and does not share the profits with me (without my permission). I miss the days gone by when internet/web access was all about study, information sharing, and basic communication (email). Oh well! In any event, thanks guys for all the thinking points…I will turn it over and over and come with something workable. Take Care All. P.S. grc.com says my router ‘does not respond’ or some such, OK, but does not stop many malware bots, etc.
- rob
I’d disagree.
- It’s not always easy or certain that every port and service has been closed.
- Although rare, there are unpublished vulnerabilities. Just being network connected may be enough for a machine to be compromised. In particular, if you’re concerned about attacks sourced from our country’s adversaries, then those are who might more likely use such a special exploit.
- If you are also concerned about DDOS, then no vulnerability is needed to do damage to you.
So, it does matter exactly what you might be afraid of, and for starters I mention that country IP blocks ordinarily aren’t effective on several levels.
You have to <understand> and <define> what you want to protect against, and then come up with a strategy to address that concern… based on facts and not guess-work.
IMO,
TSU
Hi
But no bot or suchlike can get anywhere unless there is a service running (even on your router) since grc Shields Up identifies no open ports…
So the only way for a bot/malware to get on to a local system is via a PEBKAC/PEBMAC…
So what can you do on your Comcast router? Check firewall, check port forwarding? Does the router offer remote logging or send an email on an event etc?
Most router maintenance is via an outbound connection to your ISP, so they don’t have to leave any ports open.
Ok, again thanks. Seems I’m better off than I thought! As for the router: Any firewall there is not visible to me. I know Comcast can do remote config/reboot, etc. and I can’t stop this. Assign/check port forward, ip range, on/off wifi (my wifi is always off!). For a year or so Comcast customers complained about forced wifi sharing and not being able to turn it off, but this much has changed in the past 6 - 8 months. Remote logging or email on event is available to Comcast only as far as I can see.
“Most router maintenance is via an outbound connection to your ISP, so they don’t have to leave any ports open.” I know, I know. It’s just I really don’t trust them but they are literally the only game in town. Well, almost. AT&T is here... but 1.5 - 3.0 MBps down is “High Speed Internet”? No way! Point taken about the specific threat to my system. Very reassuring when I listen/read so much about bad ’net stuff. I count myself very fortunate to have found/use linux, and very, very fortunate to be at the openSUSE forums in particular. In my experience only openSUSE keeps ‘flame’ and other negatives to such a low level. Thanks all! Take Care
- rob
On Tue, 16 May 2017 02:26:02 +0000, robhwill wrote:
> I know Comcast can do remote config/reboot, etc. and I can’t stop this.
Well, you can - just not with their router. What you do is buy your own
cable modem and your own router and use those.
I’m a Comcast customer myself - I have an Arris cable modem (bought new
on Amazon), and a WNDR3800 router that I’ve installed OpenWRT on.
The modem (in theory) could be compromised, but the router has specific
configuration settings to only open specific ports and forward them to
specific hosts that are sandboxed. So basically, nothing inbound is
going anywhere I don’t want it to - sometimes to my own chagrin when I’m
working remotely, because if a service is down, I don’t have a backdoor
in.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
I am not sure if you really disagree with me, so let’s take this apart piece by piece:
Correct, but not the point of the OP’s question. If you want to avoid incoming packets doing damage, filter all of them, not only certain countries.
But before that, try to get an idea which services are running (i.e. by using netstat) and start (in that order) by
a) turning unneeded services off
b) make sure that services only needed locally are also only listening on localhost address(es)
c) if there is some software still opening ports without any good reason, try to find an alternative which does not
and last but not least
d) if still needed, run a packet filter blocking all incoming requests
Still there is no point in filtering IPs by country, if a sophisticated adversary is taking the effort to really use some special exploit, then “shooting” off the malicious packages from more than one IP and from different countries all around the world is the easiest part. In some cases the malware does that by itself (see the “WannaCry” worm as the most recent example).
For vulnerabilities below the reach of your OS (see the Intel AMT “bugdoor”) any measure of filtering by the OS will fail no matter if you have an “IP by country blacklist” or not.
Yep, and if you would have a certain mechanism which uses extra resources to find out if an IP is from a “bad” country, DDoSing that machine will even get easier than without that mechanism.
Exactly my point, so again, I don’t think we really disagree.
AK
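The audit and default-deny filter that AK's steps a) to d) describe, as an added example that is not part of the thread and not SuSEfirewall2's own code: a function that reads `ss -H -tulnp` style output (a constructed sample is embedded) and lists every socket reachable beyond loopback, and a function that prints, without applying, the step d) iptables/ip6tables rule set. On a SuSEfirewall2 host the rules belong in its configuration rather than as ad-hoc iptables calls, which is what the OP's YaST worry was about.

```shell
#!/bin/bash
# Audit of listening sockets (steps a-c) and the default-deny rule set of
# step d). Added example; not from the thread or from SuSEfirewall2.

# Constructed sample of `ss -H -tulnp` output, not captured from a real host.
SAMPLE_SS='udp   UNCONN 0 0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=412,fd=12))
udp   UNCONN 0 0            0.0.0.0:631   0.0.0.0:*  users:(("cups-browsed",pid=980,fd=7))
tcp   LISTEN 0 128        127.0.0.1:631   0.0.0.0:*  users:(("cupsd",pid=970,fd=6))
tcp   LISTEN 0 128          0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=810,fd=3))
tcp   LISTEN 0 128             [::]:22       [::]:*  users:(("sshd",pid=810,fd=4))
tcp   LISTEN 0 50             [::1]:6010    [::]:*  users:(("sshd",pid=1500,fd=9))'

# exposed_listeners: read ss output on stdin and print "proto addr:port process"
# for every socket that is NOT bound to a loopback address. Those are the
# services reachable from the LAN/Internet and therefore the targets of a) to c).
exposed_listeners() {
  awk '{
    n = split($5, parts, ":"); port = parts[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    sub(/%[A-Za-z0-9]+$/, "", addr)               # drop scope id such as %lo
    if (addr ~ /^127\./ || addr == "[::1]") next  # loopback only: fine
    proc = "unknown"
    if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
    print $1, addr ":" port, proc
  }'
}

# default_deny_rules: print (do not apply) the step d) packet filter: drop all
# unsolicited inbound traffic, keep loopback, replies, and ICMPv6 for NDP.
default_deny_rules() {
  cat <<'EOF'
iptables  -P INPUT DROP
iptables  -A INPUT -i lo -j ACCEPT
iptables  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
EOF
}

# Stand-alone run: audit the sample (swap in `ss -H -tulnp` on a live host).
echo "== sockets reachable beyond loopback =="
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
echo "== step d) rule set (review, then apply as root) =="
default_deny_rules
```

On the sample the audit reports cups-browsed on UDP 631 and sshd on TCP 22 over both IPv4 and IPv6, while the loopback-only cupsd and the resolver are left out.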