RE: [SLE] how to block http access from specific ip's

20 Mar 2003

      Hi

just one question: did you enable your custom config file in the standard config file? 
Look out for 
 FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
in /etc/sysconfig/SuSEfirewall2. It's the last line and by default commented out. Just remove the hash and restart your firewall services.

regards,
Stefan
...
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]
* Christopher Mahmood  [03-19-03 15:26]:
...
* Patrick Shanahan (WideGlide@MyRealBox.com) [030319 12:01]:
...
Thanks, but I guess I do not know how to write the script 
as this does
not work:
  iptables -A INPUT -j DENY -d 24.208.133.143
iptables -A INPUT -s the_bad_ip -d 0/0 --proto all -j DROP
This is *not* working.  24.208.133.143 is still getting thru.
excerpt from /etc/sysconfig/scripts/SuSEfirewall2-custom:
fw_custom_before_port_handling() { 
    # these rules will be loaded after the anti-spoofing and 
icmp handling
    # and after the input has been redirected to the input_XXX and 
    # forward_XXX chains and some basic chain-specific 
anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port 
allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP 
protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.
iptables -A INPUT -s 24.198.198.42  -d 0/0 --proto all -j DROP
    iptables -A INPUT -s 24.208.133.143 -d 0/0 --proto all -j DROP
    iptables -A INPUT -s 24.208.150.4   -d 0/0 --proto all -j DROP
true
}
iptables -L yealds:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
LOG        all  --  loopback/8           anywhere           
LOG level warning tcp-options ip-options prefix 
uSE-FW-DROP-ANTI-SPOOFING ' 
LOG        all  --  anywhere             loopback/8         
LOG level warning tcp-options ip-options prefix 
uSE-FW-DROP-ANTI-SPOOFING ' 
DROP       all  --  loopback/8           anywhere           
DROP       all  --  anywhere             loopback/8         
LOG        all  --  192.168.0.2          anywhere           
LOG level warning tcp-options ip-options prefix 
uSE-FW-DROP-ANTI-SPOOFING ' 
DROP       all  --  192.168.0.2          anywhere           
input_ext  all  --  anywhere             192.168.0.2        
DROP       all  --  anywhere             192.168.0.255      
DROP       all  --  anywhere             255.255.255.255    
LOG        all  --  anywhere             anywhere           
LOG level warning tcp-options ip-options prefix 
uSE-FW-ILLEGAL-TARGET ' 
DROP       all  --  anywhere             anywhere           
DROP       all  --  ptd-24-198-198-42.maine.rr.com  anywhere
DROP       all  --  dhcp024-208-133-143.insight.rr.com  
anywhere           
DROP       all  --  dhcp024-208-150-004.insight.rr.com  
anywhere           
......
firewall log:
Mar 19 20:43:08 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 
TTL=121 ID=55047 DF PROTO=TCP SPT=4199 DPT=80 WINDOW=16384 
RES=0x00 SYN URGP=0 OPT (020405B401010402)
What to do next ??
-- 
Patrick Shanahan                  Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org                  Registered Linux User #207535
icq#173753138                                 @ http://counter.li.org
-- 
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com

RE: [SLE] how to block http access from specific ip's

Peer Stefan