How to block some IPs with SuSEfirewall2?
Hi,
I'd like to make a number of IPs unreachable from within our LAN. The PCs in the LAN have internet access via a SuSE 8.2 box that does NAT for them.
Now I'm rather convinced that /etc/sysconfig/scripts/SuSEfirewall2-custom is the place to stop all packets to and from those IPs.
I tried to set some rules but didn't get any result.
How can I stop any talk between my host and certain IP addresses?
Thanx in advance, Andreas
Hi,
Have you set FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2?
Bye, Holger

On Tuesday, 27 April 2004 23:13, Andreas wrote:
> Hi,
> I'd like to make a number of IPs unreachable from within our LAN. The PCs in the LAN have internet access via a SuSE 8.2 box that does NAT for them.
> Now I'm rather convinced that /etc/sysconfig/scripts/SuSEfirewall2-custom is the place to stop all packets to and from those IPs.
> I tried to set some rules but didn't get any result.
> How can I stop any talk between my host and certain IP addresses?
> Thanx in advance, Andreas
Holger Schletz wrote:
> Have you set FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2?

No =8-O
Well, now I did, and an "iptables -A OUTPUT -j REJECT -d www.x.de" in fw_custom_before_antispoofing() prevents at least lynx on the NAT box itself from reaching those sites. I did it remotely, so I can't actually check if the LAN boxes can still get through.
I've got to admit that I don't have a clue about iptables and let SuSEfirewall2 do its magic.
Thanks :) Andreas
Hello Andreas,

> Well, now I did, and an "iptables -A OUTPUT -j REJECT -d www.x.de" in fw_custom_before_antispoofing()

You will need rules like this:
iptables -A FORWARD -s IP_OF_NAT_BOX_1 -d IP_OF_DESTINATION -j DROP/REJECT
iptables -A FORWARD -s IP_OF_NAT_BOX_2 -d IP_OF_DESTINATION -j DROP/REJECT
INPUT and OUTPUT are for the NAT box (router/firewall) itself, and FORWARD for the routed traffic through your NAT box (router/firewall).

> prevents at least lynx on the NAT box itself from reaching those sites. I did it remotely, so I can't actually check if the LAN boxes can still get through.
> I've got to admit that I don't have a clue about iptables and let SuSEfirewall2 do its magic.
> Thanks :) Andreas

Regards, Chris.
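To make Chris's point concrete, here is an added example of what the custom hook could look like; it is not code from this thread or from the SuSEfirewall2 package. It assumes FW_CUSTOMRULES points at /etc/sysconfig/scripts/SuSEfirewall2-custom and uses the fw_custom_before_antispoofing() hook mentioned above; the LAN subnet, the blocked addresses and the choice of -I (insert at the top of the chain) rather than -A are constructed for the example. Forwarded LAN packets traverse the filter FORWARD chain before they are masqueraded in nat POSTROUTING, so matching on the private source address there works, while INPUT and OUTPUT only ever see the NAT box's own traffic.

```shell
#!/bin/sh
# Added example (not from the thread or SuSEfirewall2 itself): a destination
# block list for the SuSEfirewall2 custom hook file. Assumes the hook name
# fw_custom_before_antispoofing() from /etc/sysconfig/scripts/SuSEfirewall2-custom
# and that FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 points at that file.

# Constructed sample values: the LAN behind the NAT box and the destinations to block.
LAN_NET="192.168.1.0/24"
BLOCKED_DESTS="203.0.113.10 198.51.100.0/24"

# Emit the iptables commands as text so the policy can be reviewed (and tested)
# without root. Forwarded LAN packets pass the filter FORWARD chain before
# MASQUERADE in nat POSTROUTING, so the private source address is still visible.
# INPUT/OUTPUT only cover traffic of the NAT box itself, which is why Andreas's
# OUTPUT rule did not affect the LAN clients.
blocklist_rules() {
    lan="$1"; shift
    for dest in "$@"; do
        # -I puts the rule at the top of FORWARD so no earlier ACCEPT lets it through.
        # REJECT gives LAN clients an immediate error instead of a timeout.
        echo "iptables -I FORWARD -s $lan -d $dest -j REJECT"
        # Also refuse anything the blocked host sends toward the LAN.
        echo "iptables -I FORWARD -s $dest -d $lan -j DROP"
    done
}

# Number of rules a block list produces; a cheap sanity check before loading.
blocklist_count() {
    blocklist_rules "$@" | wc -l | tr -d ' '
}

# The hook SuSEfirewall2 calls: same generator, but executed. Use literal IP
# addresses, not hostnames: a hostname given to -d is resolved once when the
# rules are loaded and only covers the addresses it resolved to at that moment.
fw_custom_before_antispoofing() {
    blocklist_rules "$LAN_NET" $BLOCKED_DESTS | while read -r cmd; do
        eval "$cmd"
    done
    true
}

# Dry run: print the rules instead of applying them (DRYRUN=1 sh thisfile).
if [ -n "$DRYRUN" ]; then
    blocklist_rules "$LAN_NET" $BLOCKED_DESTS
fi
```

After editing the hook file, reload with "rcSuSEfirewall2 restart" and confirm with "iptables -L FORWARD -n -v" that the REJECT/DROP rules sit at the top of the chain and that their packet counters increase when a LAN client tries one of the blocked addresses.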
On Wednesday 28 April 2004 06.52, Christian Lange wrote:
> Hello Andreas,
>
> > Well, now I did, and an "iptables -A OUTPUT -j REJECT -d www.x.de" in fw_custom_before_antispoofing()
>
> You will need rules like this:
> iptables -A FORWARD -s IP_OF_NAT_BOX_1 -d IP_OF_DESTINATION -j DROP/REJECT
> iptables -A FORWARD -s IP_OF_NAT_BOX_2 -d IP_OF_DESTINATION -j DROP/REJECT

Really? I didn't think NATed packets passed through the FORWARD table. I thought that was for unmodified packets only.
iptables -t nat -I PREROUTING -d DEST_IP -j DROP
would have been my guess.
Participants (4): Anders Johansson, Andreas, Christian Lange, Holger Schletz