RE: [SLE] how to block http access from specific ip's
Hi,

just one question: did you enable your custom config file in the standard config file? Look out for FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" in /etc/sysconfig/SuSEfirewall2. It's the last line and by default commented out. Just remove the hash and restart your firewall services.

regards, Stefan
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]

* Christopher Mahmood [03-19-03 15:26]:
> * Patrick Shanahan (WideGlide@MyRealBox.com) [030319 12:01]:
> > Thanks, but I guess I do not know how to write the script as this does not work:
> > iptables -A INPUT -j DENY -d 24.208.133.143
>
> iptables -A INPUT -s the_bad_ip -d 0/0 --proto all -j DROP
This is *not* working. 24.208.133.143 is still getting through.
excerpt from /etc/sysconfig/scripts/SuSEfirewall2-custom:

fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    iptables -A INPUT -s 24.198.198.42 -d 0/0 --proto all -j DROP
    iptables -A INPUT -s 24.208.133.143 -d 0/0 --proto all -j DROP
    iptables -A INPUT -s 24.208.150.4 -d 0/0 --proto all -j DROP

    true
}
iptables -L yields:
Chain INPUT (policy DROP)
target     prot opt source                              destination
ACCEPT     all  --  anywhere                            anywhere
LOG        all  --  loopback/8                          anywhere            LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
LOG        all  --  anywhere                            loopback/8          LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
DROP       all  --  loopback/8                          anywhere
DROP       all  --  anywhere                            loopback/8
LOG        all  --  192.168.0.2                         anywhere            LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
DROP       all  --  192.168.0.2                         anywhere
input_ext  all  --  anywhere                            192.168.0.2
DROP       all  --  anywhere                            192.168.0.255
DROP       all  --  anywhere                            255.255.255.255
LOG        all  --  anywhere                            anywhere            LOG level warning tcp-options ip-options prefix `SuSE-FW-ILLEGAL-TARGET '
DROP       all  --  anywhere                            anywhere
DROP       all  --  ptd-24-198-198-42.maine.rr.com      anywhere
DROP       all  --  dhcp024-208-133-143.insight.rr.com  anywhere
DROP       all  --  dhcp024-208-150-004.insight.rr.com  anywhere
......
firewall log:
Mar 19 20:43:08 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=55047 DF PROTO=TCP SPT=4199 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
What to do next ??

-- 
Patrick Shanahan                  Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org            Registered Linux User #207535
icq#173753138 @ http://counter.li.org
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
* Peer Stefan:
> Hi
>
> just one question: did you enable your custom config file in the standard config file? Look out for FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" in /etc/sysconfig/SuSEfirewall2. It's the last line and by default commented out. Just remove the hash and restart your firewall services.
...snip....
Yes:

    #
    # 25.)
    # Do you want to load customary rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/SuSEfirewall2-custom
    #
    FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    #FW_CUSTOMRULES=""

Notice that the original file location is incorrect, /etc/sysconfig/SuSEfirewall2-custom .. should be /etc/sysconfig/scripts/SuSEfirewall2-custom .. as I have it.

My firewall logs and my httpd logs both show that 24.208.133.143 is being accepted and *must* be a virus action. I cannot believe that a person can be *so* unknowing about his computer security. I have notified security@rr.com twice in the last three days about him. I guess that I will have to start sending them a daily report of each RoadRunner account which attempts violation of my system. Only thing, the total daily reports will be voluminous, reflecting negatively upon me who is on the wrong end and also a RoadRunner user.

What to do, what to do ??

-- 
Patrick Shanahan                  Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org            Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
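Editor's note on why the three appended rules never fire, with an added illustration that is not code from the thread or from SuSEfirewall2. In the `iptables -L` listing above, every packet addressed to 192.168.0.2 matches `input_ext all -- anywhere 192.168.0.2` and is decided inside that chain (the SuSE-FW-ACCEPT log line is exactly that: the SYN to port 80 was accepted in input_ext), and anything addressed elsewhere is logged as SuSE-FW-ILLEGAL-TARGET and dropped by the catch-all `DROP all -- anywhere anywhere`. The custom DROPs were added with `-A INPUT` from a hook that runs after the input_ext jump is installed, so they sit behind both and are dead rules. The model below walks the INPUT chain with netfilter's first-match semantics and compares that order with the same rules inserted at the head of the chain (`iptables -I INPUT 1 ...`, standard iptables behaviour, not something the thread proposes). Assumptions, because `iptables -L` shows neither interfaces nor sub-chains: the leading ACCEPT is the loopback accept (`-i lo`), and input_ext contains an ACCEPT for tcp/80; the test packet is the logged SYN, and 198.51.100.7 is a constructed "good" client.

```python
"""Model of netfilter first-match traversal for the INPUT chain in the
listing above.  Added illustration; the -i lo selector and the contents
of input_ext are assumptions (see the lead-in)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80
    in_if: str = "eth0"


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT, DROP, LOG, or a user-defined chain
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"
    dport: Optional[int] = None
    in_if: Optional[str] = None


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def matches(rule: Rule, pkt: Packet) -> bool:
    """The subset of iptables selectors the listing uses."""
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet,
         trace: List[str]) -> Optional[str]:
    """First matching rule decides.  LOG does not terminate; a user chain
    whose rules are exhausted returns to the caller (verdict None)."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        trace.append(f"{name}: {rule.target} src={rule.src} dst={rule.dst}")
        if rule.target == "LOG":
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(chains, rule.target, pkt, trace)   # jump to sub-chain
        if verdict is not None:
            return verdict
    return None


def decide(chains: Dict[str, List[Rule]], pkt: Packet,
           policy: str = "DROP") -> Tuple[str, List[str]]:
    """Verdict for pkt plus the list of rules it touched on the way."""
    trace: List[str] = []
    verdict = walk(chains, "INPUT", pkt, trace)
    return (verdict if verdict is not None else policy), trace


BAD_IPS = ("24.198.198.42", "24.208.133.143", "24.208.150.4")
CUSTOM_DROPS = [Rule("DROP", src=ip) for ip in BAD_IPS]

# INPUT as printed by `iptables -L` above, without the three custom rules.
GENERATED_INPUT = [
    Rule("ACCEPT", in_if="lo"),            # loopback accept (assumed -i lo)
    Rule("LOG", src="127.0.0.0/8"),        # SuSE-FW-DROP-ANTI-SPOOFING
    Rule("LOG", dst="127.0.0.0/8"),
    Rule("DROP", src="127.0.0.0/8"),
    Rule("DROP", dst="127.0.0.0/8"),
    Rule("LOG", src="192.168.0.2"),        # our own address as source
    Rule("DROP", src="192.168.0.2"),
    Rule("input_ext", dst="192.168.0.2"),  # everything addressed to the host
    Rule("DROP", dst="192.168.0.255"),
    Rule("DROP", dst="255.255.255.255"),
    Rule("LOG"),                           # SuSE-FW-ILLEGAL-TARGET
    Rule("DROP"),
]
# Constructed: the SuSE-FW-ACCEPT log line shows input_ext accepting tcp/80.
INPUT_EXT = [Rule("ACCEPT", proto="tcp", dport=80)]


def build_chains(custom_first: bool) -> Dict[str, List[Rule]]:
    """custom_first=False: `iptables -A INPUT` from the hook, DROPs land
    after the input_ext jump (the listing).  True: `iptables -I INPUT 1`."""
    inp = CUSTOM_DROPS + GENERATED_INPUT if custom_first else GENERATED_INPUT + CUSTOM_DROPS
    return {"INPUT": inp, "input_ext": INPUT_EXT}


# The SYN from the firewall log: 24.208.133.143 -> 192.168.0.2 tcp/80 on eth0.
LOGGED_SYN = Packet(src="24.208.133.143", dst="192.168.0.2")


if __name__ == "__main__":
    for label, first in (("appended (-A INPUT)", False), ("inserted (-I INPUT 1)", True)):
        verdict, trace = decide(build_chains(first), LOGGED_SYN)
        print(f"{label}: {verdict}")
        for step in trace:
            print("   ", step)
```

With the listing's order the trace is `INPUT: input_ext` followed by `input_ext: ACCEPT`; the DROP for 24.208.133.143 is never consulted. With the same rules at position 1 the trace is a single `INPUT: DROP src=24.208.133.143`, and a client from another address still reaches input_ext and is accepted. On a real box the ordering is visible with `iptables -L INPUT -n -v --line-numbers`: a blocking rule must have a lower line number than the jump into `input_ext`, otherwise the packet counters on it will stay at zero.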
participants (2): Patrick Shanahan, Peer Stefan