Block Specific IP Addresses - SuSEfirewall2

I’ve been Googling this one, as well as searching the forum, and I’ve still got unwanted IP addresses making it through my firewall. This is a 64-bit Dell PowerEdge running openSUSE 13.2 (soon to be upgraded to Leap).

This is a fairly straightforward firewall setup with masquerading: ENO1 is the external Internet interface with a public IP address; ENO2 routes and port-forwards to our internal 192.168.x.x network.

Example: I want to block a group of IP addresses from China: 123.123.123.0/22. I first tried inserting a rule via iptables in a terminal. A quick check with iptables --list shows that the rule is indeed inserted.

iptables -I INPUT -s 123.123.123.0/22 -j DROP
iptables --list --numeric
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  123.123.120.0/22     0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
(snip ... no need to show the rest)

OK, the rule’s in there at the top of the list … but those IP addresses are still attacking my various servers. Looking carefully at the documentation for SuSEfirewall2 and some Googling (which brought me to this thread, Blocking A Single IP Address) leads me to believe that SuSEfirewall2 causes masquerading and port forwarding to occur FIRST.

Therefore, I tried inserting the rule in the forward_ext chain. Once again, iptables --list showed that the rule had been inserted at the very top … but these IP addresses are still trying to attack my servers. It seems as though iptables does the port forwarding FIRST, and the DROP rule is ignored.

There are some slots in /etc/sysconfig/SuSEfirewall2 where I can add these custom rules, but I’m not sure which one to use.

Has anyone ever come up with a definitive answer to this? I need to DROP certain IP address blocks as soon as they come in on ENO1, before any masquerading, mangling, forwarding, backwarding, or anything else. :slight_smile:

Thanks in advance.

OK, it appears that I need to add the rules to the file SuSEfirewall2-custom. I’m going to try that and once I figure it out, I’ll post back here.

I know that this isn’t something that most users will need, but it is surprising that the documentation on this is so sparse.
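The hook script mentioned above is the right place for this, and the chain matters as much as the file. iptables runs the raw table's PREROUTING chain before connection tracking, before nat PREROUTING (where SuSEfirewall2's port forwards are DNATed) and before the routing decision that sends a packet to INPUT (host-bound traffic only) or FORWARD (routed and port-forwarded traffic). A DROP there therefore hits the packet before any masquerading or forwarding. The script below is an added example, not code from this thread or from the SuSEfirewall2 package. It assumes the external interface is eno1 (the ENO1 above), that the hook name fw_custom_before_antispoofing is the first hook in the stock /etc/sysconfig/scripts/SuSEfirewall2-custom shipped with openSUSE 13.2, and that FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 points at that script; check all three against your installed copies. The normalize_cidr helper also explains the listing above: iptables stores a rule by its network address, so 123.123.123.0/22 is shown as 123.123.120.0/22. The block list is constructed; the second entry is a documentation range standing in for any further block, such as a country list.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEfirewall2. Drops
# packets from listed source CIDRs as they arrive on the external interface,
# in the raw table's PREROUTING chain, which iptables traverses before
# conntrack, before nat PREROUTING (SuSEfirewall2's port forwards) and
# before the INPUT/FORWARD routing decision.
#
# Assumptions: external interface eno1 (the thread's ENO1); the hook name
# fw_custom_before_antispoofing as found in the stock
# /etc/sysconfig/scripts/SuSEfirewall2-custom of openSUSE 13.2; and
# FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 pointing at that script.

EXT_IF="${EXT_IF:-eno1}"

# Constructed block list (space separated). The first entry is the thread's
# own, deliberately unaligned 123.123.123.0/22; the second is a documentation
# range standing in for any further block, e.g. entries from a country list.
BLOCKED_CIDRS="${BLOCKED_CIDRS:-123.123.123.0/22 203.0.113.0/24}"

# normalize_cidr A.B.C.D/N -> network address with the host bits cleared.
# This is the form iptables stores and prints, which is why an inserted
# 123.123.123.0/22 shows up as 123.123.120.0/22 in iptables --list.
normalize_cidr() {
    ip=${1%/*}
    bits=${1#*/}
    saved_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$saved_ifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # /N mask: all ones except the low (32-N) host bits (4294967295 = 0xFFFFFFFF)
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# Insert one DROP per CIDR at the top of raw PREROUTING, restricted to the
# external interface so nothing arriving from the LAN side is affected.
# Set IPT=echo to print the rules instead of applying them.
apply_block_rules() {
    ipt=${IPT:-iptables}
    for cidr in $BLOCKED_CIDRS; do
        "$ipt" -t raw -I PREROUTING -i "$EXT_IF" \
            -s "$(normalize_cidr "$cidr")" -j DROP
    done
}

# SuSEfirewall2 runs this hook before it installs its own anti-spoofing,
# NAT, port-forwarding and filter rules, so the DROPs are in place first
# and are re-created on every firewall restart.
fw_custom_before_antispoofing() {
    apply_block_rules
    true
}

# Stand-alone dry run: show what would be installed.
IPT=echo apply_block_rules
```

Drop the functions into the custom script (the stock file already defines an empty fw_custom_before_antispoofing to replace), restart the firewall service so the hook runs, and confirm with `iptables -t raw -L PREROUTING -n -v`: the packet counters on those rules will climb while the filter chains never see the traffic. For a whole country's worth of prefixes one rule per CIDR gets slow to load; an ipset of type hash:net matched by a single rule in the same chain scales better, but the chain and hook are the same.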

If you have an hour and an old SSD/HDD: Install OPNsense on your Dell and enjoy a modern firewall etc. based on BSD with a nice GUI where you can allow/block whatever hosts you want (with Aliases etc.). And run an inline Intrusion Detection/Prevention System if you want. And and and… :wink:

I’ve used pfSense in the past; we currently use ClearOS for dedicated firewall machines.

For other reasons (that I won’t get into here), we chose openSUSE for this machine. It’s not just a firewall.

(And the first person who lectures me about how firewalls shouldn’t be used for anything else … you don’t know my situation, I’ve been doing this for over 20 years and there you go.) (Heh.)

Besides, knowing how to do it means that you know how to do it. :slight_smile:

So there!!! Nyah, nyah, nyah.rotfl!

Aw, if someone wants to lecture me, let 'em. I’ll ignore it to the point of astonishment on their part, but they can feel free. :slight_smile:

Some people get so religious about this stuff … “you MUST use sudo with each command instead of su to root, you should NEVER do this, or NEVER do that …” I say, as long as you know what you’re doing and you’re willing to take the risk(s), it’s your choice.

But that’s just me. rotfl!

I agree with this. If you know what you are doing, why you are doing it, and what the consequences may be – and as long as it does not harm anyone else – you can make an informed choice to break the “rules”.

On 01/06/2017 07:46 PM, smpoole7 wrote:
>
> Fraser_Bell;2807341 Wrote:
>> So there!!! Nyah, nyah, nyah.rotfl!
>
> Aw, if someone wants to lecture me, let 'em. I’ll ignore it to the point
> of astonishment on their part, but they can feel free. :slight_smile:
>
> Some people get so religious about this stuff … “you MUST use sudo
> with each command instead of su to root, you should NEVER do this, or
> NEVER do that …” I say, as long as you know what you’re doing and
> you’re willing to take the risk(s), it’s your choice.
>

I fully agree with you. I often log in as root to get admin work done in
a more productive way. But like you, I have well over 20 years experience.


Ken
linux since 1994
S.u.S.E./openSUSE since 1996

Hi all, may I jump in here? Best subject line I found close to my needs/goal. I’ve been reading the docs for SuSEfirewall2 and looking in YaST and I see no place to block incoming packets by country. I wish to block China, Russia, North Korea, Estonia... all the main headaches that bother us all. Looking at the iptables documentation shows me not much, but I googled a few ‘rules’ from the internet that show me how to go about this. My worry is that if I experiment with this (iptables) manually I may produce a problem similar to when I edit Apache configs manually: then YaST complains “...apache has been edited manually...” and refuses to merge the manual configuration. So, I’m willing to ‘get my feet wet’ with command-line editing of iptables, but not if it will cause the problems stated. Any advice greatly appreciated. Thank You!
—rob

Nevertheless, it is not the most productive way of drawing attention to your question. It is an old thread and not very many people will still watch it for new posts to be added to it. A new thread will show as such to those people that browse through the titles of new threads to see if there is anything of interest.

My advice: create a new thread with a title that has the keywords to your problem/question to give it the best chance to draw the attention of those you need (and that may be exactly the same title as here when you think it covers your needs).

Remember that it is you that searches for help, thus try to advertise in the most efficient way.

Thanks for advice hcvv! Moved to: Network / Internet with appropriate subject line - - Block IP By Country…
— rob