Problem with SuSEfirewall2

I would like to block entire traffic from SLES server to one host in my network. I’ve tried doing it in many ways but communication still works. For example I added two lines:

iptables -A INPUT -d 192.168.0.253 -p tcp -j REJECT
iptables -A OUTPUT -d 192.168.0.253 -p tcp -j REJECT

in /etc/sysconfig/scripts/SuSEfirewall2-custom
But it doesn’t work. How to solve this problem?

Please post a bit more about your system, including the version/SP applied
and any other relevant configuration information.

Presumably you have the firewall enabled (it’s the default, but I know
sometimes people disable it and then forget which prevents what you’re
doing from working so I only mention it in case that applies). If not,
enable it and see if that helps, though I do not really think it will. If
you did not restart your firewall after adding those lines to the script
then that may be more likely. This is all going toward the question, do
you know that your rules have been applied successfully to the firewall?

Could you post the full contents of your custom file, please? Please put
it (as well as any command output) within code tags (little # button at
the bottom of the post entry box) so that it is un-mangled by the forum.

I’m not sure how familiar you are with iptables, so if this is review then
please ignore what you already know. The -A option for the iptables
command instructs the system to append the rule to the list of
already-present rules. If you have three rules in place, anything you add
later on will be appended to be the fourth rule, and the next will be the
fifth rule, etc.

Another option for iptables is the ‘-I’ (insert) option. By default it
puts things at the top of the list of rules, but it can also take an
integer which is an index into the whole set of rules and it will then
insert the new rule at that index, pushing down following rules.

The reason I mention this is that NetFilter (the Linux firewall
functionality controlled by the iptables command) processes rules in order
and works on the first match found. By default, the SuSEfirewall2
configuration has something like this at the end (taken from the
iptables-save command):

Code:

-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

If I now go and run ‘iptables -A’ to add a new rule, it will end up after
all existing rules, including that little ‘-A input_ext -j DROP’ bit,
which drops everything coming into my system.

The output side of things is usually simpler since SuSEfirewall2 does not
block outbound stuff by default, so now let’s get to the technical
questions: What is your current firewall configuration, exactly? Post the
output from /usr/sbin/iptables-save (executed as ‘root’) so that we can
see the whole thing and try to figure out if anything is amiss.


Good luck.

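
To make the ordering point above concrete, here is a small first-match simulator for a NetFilter chain. It is an added illustration, not SuSEfirewall2 or iptables code: rules and packets are reduced to source, destination and protocol, the server address 192.168.0.10 is made up, and the chain tail is a stand-in for the input_ext listing quoted above (only the unconditional DROP matters for a unicast TCP packet). It shows that a rule added with -A sits behind `-A input_ext -j DROP` and never fires, while -I places it in front.

```python
# Added example (not SuSEfirewall2 code): first-match simulator for one NetFilter chain.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str

@dataclass
class Rule:
    target: str              # ACCEPT, DROP or REJECT (all terminating targets)
    src: str | None = None   # -s; None matches any source
    dst: str | None = None   # -d; None matches any destination
    proto: str | None = None # -p; None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        # Every given criterion must hold; unspecified ones match anything.
        return all(want is None or want == have for want, have in
                   ((self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto)))

def evaluate(chain: list[Rule], pkt: Packet) -> str:
    """First match wins, as NetFilter walks a chain (LOG rules omitted: they never stop traversal)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "POLICY"  # fell off the end: chain policy (or the calling chain) decides

def append(chain: list[Rule], rule: Rule) -> None:  # iptables -A
    chain.append(rule)

def insert(chain: list[Rule], rule: Rule, index: int = 1) -> None:  # iptables -I [n], 1-based
    chain.insert(index - 1, rule)

def input_ext_tail() -> list[Rule]:
    # Constructed stand-in for the tail of input_ext quoted above: for a unicast
    # TCP packet only the unconditional "-A input_ext -j DROP" is relevant.
    return [Rule("DROP")]

def verdict_for(add) -> str:
    """Add a REJECT for inbound TCP from 192.168.0.253 via -A or -I, then evaluate one packet from it."""
    chain = input_ext_tail()
    add(chain, Rule("REJECT", src="192.168.0.253", proto="tcp"))
    return evaluate(chain, Packet(src="192.168.0.253", dst="192.168.0.10", proto="tcp"))

if __name__ == "__main__":
    print("appended:", verdict_for(append))  # DROP: the catch-all is hit first
    print("inserted:", verdict_for(insert))  # REJECT: the new rule is in front
```

The same reasoning is why the reply asks for the full iptables-save output: the position of a rule relative to the catch-all DROP decides whether it can ever match.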

Hi scarab,

[QUOTE=scarab;21439]I would like to block entire traffic from SLES server to one host in my network. I’ve tried doing it in many ways but communication still works. For example I added two lines:

iptables -A INPUT -d 192.168.0.253 -p tcp -j REJECT
iptables -A OUTPUT -d 192.168.0.253 -p tcp -j REJECT

in /etc/sysconfig/scripts/SuSEfirewall2-custom
But it doesn’t work. How to solve this problem?[/QUOTE]

if that’s the actual code you put there, you should see a semantic error: You’ll have to use “-s” with INPUT rules, not “-d”.

Have you verified that these rules have made it to the actual tables (“iptables -L INPUT -vn; iptables -L OUTPUT -vn”)?

Regards,
Jens

[QUOTE=jmozdzen;21445]Hi scarab,

if that’s the actual code you put there, you should see a semantic error: You’ll have to use “-s” with INPUT rules, not “-d”.[/QUOTE]

That’s nonsense… forget about that part of my answer.

But of course it’d be helpful to see if these statements actually made it into the active rule set.

Regards,
Jens