How to configure Iptables in OpenSuse?

Newsgroups: alt.os.linux.suse
 by: Mohan - Thu, 1 Sep 2022 14:22 UTC

Hello Experts,

I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"

I am trying to enable the iptables rules to allow `22` port for all IPs and `80` & `443` for specific IP addresses with the below commands.

1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT

Then I have restarted the iptables service with the below command,

service SuSEfirewall2 restart

However from `10.11.12.50` address web server with `80` & `443` are not accessible.

I can't see the applied rules in the below list.

# iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

Kindly let me know what I'm missing with the iptables rule settings?

Also let me know even after server reboot the rules needs to be applied. It shouldn't be reset to default.

Re: How to configure Iptables in OpenSuse?

 by: Bit Twister - Thu, 1 Sep 2022 14:41 UTC

On Thu, 1 Sep 2022 07:22:56 -0700 (PDT), Mohan wrote:
> Hello Experts,
>
> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>
> I am trying to enable the iptables rules to allow `22` port for all IPs and `80` & `443` for specific IP addresses with the below commands.
>
> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>
> Then i have restarted the iptables service with below command,
>
> service SuSEfirewall2 restart
>
> However from `10.11.12.50` address web server with `80` & `443` are not accessible.

I do not know iptables enough to point out where you have the problem, but
I have seen that kind of message when a prior rule prevented the new rule
from being accessed.

Solution for that user was to move the new rule above the rule causing the conflict.
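
The ordering point above can be checked against the listing in the question; this is an added example, not part of any post in the thread. It walks an excerpt of that `iptables -S` output first-match style for new inbound TCP packets on an assumed interface `eth0`, treating `--limit` and `--tcp-flags` as always matching; the function names and the 203.0.113.9 test address are made up for the illustration.

```python
import shlex
from ipaddress import ip_address, ip_network

# Excerpt of the `iptables -S` listing from the question: INPUT and input_ext only,
# duplicate/ICMP/UDP LOG rules left out, LOG options trimmed.
LISTING = """\
-P INPUT DROP
-N input_ext
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET "
-A INPUT -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
"""
# Rule 2 from the question, and the jump it would have to precede to be reached.
HTTP_RULE = "-A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT"
JUMP = "-A INPUT -j input_ext"
APPENDED = LISTING + HTTP_RULE + "\n"                      # effect of `iptables -A INPUT ...`
MOVED = LISTING.replace(JUMP, HTTP_RULE + "\n" + JUMP)     # same rule, placed before the jump

ARGC = {"--tcp-flags": 2}              # options that take other than one argument
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def load(text):
    """Parse `iptables -S` lines into chain policies and ordered rule lists."""
    policy, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("-P", "-N"):
            chains.setdefault(tok[1], [])
            if tok[0] == "-P":
                policy[tok[1]] = tok[2]
        elif tok[0] == "-A":
            opts, i = {}, 2
            while i < len(tok):
                n = ARGC.get(tok[i], 1)
                opts[tok[i]] = tok[i + 1:i + 1 + n]
                i += 1 + n
            chains.setdefault(tok[1], []).append((line, opts))
    return policy, chains


def matches(opts, pkt):
    simple = {"-i": "iface", "-p": "proto", "--dport": "dport",
              "--ctstate": "ctstate", "--pkt-type": "pkttype"}
    for opt, field in simple.items():
        if opt in opts and opts[opt][0] != str(pkt[field]):
            return False
    if "-s" in opts and ip_address(pkt["src"]) not in ip_network(opts["-s"][0]):
        return False
    return True        # --limit / --tcp-flags are assumed to match (new SYN packets only)


def walk(chains, name, pkt):
    """Return (verdict, deciding rule) for the first terminating match, else None."""
    for line, opts in chains[name]:
        if not matches(opts, pkt):
            continue
        target = opts["-j"][0]
        if target in TERMINAL:
            return target, line
        if target in chains:                   # jump into a user-defined chain
            result = walk(chains, target, pkt)
            if result:
                return result
        # LOG does not terminate traversal; keep going
    return None


def decide(ruleset, pkt):
    policy, chains = load(ruleset)
    return walk(chains, "INPUT", pkt) or (policy["INPUT"], "-P INPUT")


def packet(src, dport):
    return {"iface": "eth0", "proto": "tcp", "src": src, "dport": dport,
            "ctstate": "NEW", "pkttype": "unicast"}


if __name__ == "__main__":
    cases = [("appended", APPENDED, packet("10.11.12.50", 80)),
             ("moved before jump", MOVED, packet("10.11.12.50", 80)),
             ("ssh, any source", LISTING, packet("203.0.113.9", 22))]
    for label, rules, pkt in cases:
        verdict, rule = decide(rules, pkt)
        print(f"{label:18} {verdict:6} by: {rule}")
```

A rule appended to `INPUT` lands after `-A INPUT -j DROP`, and the packet is already dropped by the last rule of `input_ext` before that point. The same walk shows port 22 accepted from any source by the unrestricted `input_ext` rule.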

Re: How to configure Iptables in OpenSuse?

 by: Carlos E.R. - Thu, 1 Sep 2022 19:59 UTC

On 2022-09-01 16:22, Mohan wrote:
> Hello Experts,
>
> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"

That's obsolete and out of support.

>
> I am trying to enable the iptables rules to allow `22` port for all IPs and `80` & `443` for specific IP addresses with the below commands.
>
> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>
> Then i have restarted the iptables service with below command,
>
> service SuSEfirewall2 restart

I don't think you can use iptables and SuSEfirewall2 simultaneously
unless you know better.

If you want to open those ports with SuSEfirewall2 alone, then I can help.

--
Cheers, Carlos.

Re: How to configure Iptables in OpenSuse?

 by: marrgol - Thu, 1 Sep 2022 20:37 UTC

On 01/09/2022 at 16.22, Mohan wrote:
> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>
> I am trying to enable the iptables rules to allow `22` port for all IPs and `80` & `443` for specific IP addresses with the below commands.
>
> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>
> Then i have restarted the iptables service with below command,
>
> service SuSEfirewall2 restart

SuSEfirewall2 keeps its own iptables configuration, so that restart
removed the rules you'd entered manually with iptables command.
Use yast to enter your custom rules into the SuSEfirewall2's
configuration permanently. Or edit /etc/sysconfig/SuSEfirewall2
file directly.

--
mrg

Re: How to configure Iptables in OpenSuse?

 by: Carlos E.R. - Thu, 1 Sep 2022 21:57 UTC

On 2022-09-01 22:37, marrgol wrote:
> On 01/09/2022 at 16.22, Mohan wrote:
>> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>>
>> I am trying to enable the iptables rules to allow `22` port for all
>> IPs and `80` & `443` for specific IP addresses with the below commands.
>>
>> 1)  iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
>> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
>> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>>
>> Then i have restarted the iptables service with below command,
>>
>> service SuSEfirewall2 restart
>
> SuSEfirewall2 keeps its own iptables configuration, so that restart
> removed the rules you'd entered manually with iptables command.
> Use yast to enter your custom rules into the SuSEfirewall2's
> configuration permanently.  Or edit /etc/sysconfig/SuSEfirewall2
> file directly.

The latter. The file contains configuration entries to do exactly what he
tried to do.

--
Cheers, Carlos.

Re: How to configure Iptables in OpenSuse?

 by: marrgol - Fri, 2 Sep 2022 00:34 UTC

On 01/09/2022 at 23.57, Carlos E.R. wrote:
>>> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>>>
>>> I am trying to enable the iptables rules to allow `22` port for all
>>> IPs and `80` & `443` for specific IP addresses with the below commands.
>>>
>>> 1)  iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
>>> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
>>> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>>>
>>> Then i have restarted the iptables service with below command,
>>>
>>> service SuSEfirewall2 restart
>>
>> SuSEfirewall2 keeps its own iptables configuration, so that restart
>> removed the rules you'd entered manually with iptables command.
>> Use yast to enter your custom rules into the SuSEfirewall2's
>> configuration permanently.  Or edit /etc/sysconfig/SuSEfirewall2
>> file directly.
>
> The latter. The file contains configuration entries to do exactly what he
> tried to do.

For simple rules like those above it's certainly simpler and quicker
and less error prone to use yast to have them entered into that file
-- no need to manually search through the file for which entry to modify
and how. Unless someone really wants to… :-)

--
mrg

Re: How to configure Iptables in OpenSuse?

 by: MK - Fri, 2 Sep 2022 07:35 UTC

On Friday, September 2, 2022 at 6:04:50 AM UTC+5:30, marrgol wrote:
> On 01/09/2022 at 23.57, Carlos E.R. wrote:
> >>> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
> >>>
> >>> I am trying to enable the iptables rules to allow `22` port for all
> >>> IPs and `80` & `443` for specific IP addresses with the below commands.
> >>>
> >>> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> >>> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> >>> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
> >>>
> >>> Then i have restarted the iptables service with below command,
> >>>
> >>> service SuSEfirewall2 restart
> >>
> >> SuSEfirewall2 keeps its own iptables configuration, so that restart
> >> removed the rules you'd entered manually with iptables command.
> >> Use yast to enter your custom rules into the SuSEfirewall2's
> >> configuration permanently. Or edit /etc/sysconfig/SuSEfirewall2
> >> file directly.
> >
> > The latter. The file contains configuration entries to do exactly what he
> > tried to do.
> For simple rules like those above it's certainly simpler and quicker
> and less error prone to use yast to have them entered into that file
> -- no need to manually search through the file for which entry to modify
> and how. Unless someone really wants to… :-)
>
>
> --
> mrg

Hello Carlos E.R,

That means the commands I have executed are applicable for iptables and it doesn't have any connection with SuSEfirewall2. Thanks for clarifying me.

Now please let me know in openSUSE which one is better and let me know how do I block IPs and allow access only to specific IPs?

Example:
I have Jenkins web server (IP - 10.50.60.70) this server SSH port - 22, and 80, 443 should be allowed to specific addresses.
Let's say (1) 10.11.12.50, 2) 10.11.12.51, 3) 10.11.12.53).

Only the above three given IPs should be allowed to access 22, 80 & 443 of Jenkins web server.

Re: How to configure Iptables in OpenSuse?

 by: Carlos E.R. - Fri, 2 Sep 2022 11:42 UTC

On 2022-09-02 09:35, MK wrote:
> On Friday, September 2, 2022 at 6:04:50 AM UTC+5:30, marrgol wrote:
>> On 01/09/2022 at 23.57, Carlos E.R. wrote:
>>>>> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
>>>>>
>>>>> I am trying to enable the iptables rules to allow `22` port for all
>>>>> IPs and `80` & `443` for specific IP addresses with the below commands.
>>>>>
>>>>> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
>>>>> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
>>>>> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
>>>>>
>>>>> Then i have restarted the iptables service with below command,
>>>>>
>>>>> service SuSEfirewall2 restart
>>>>
>>>> SuSEfirewall2 keeps its own iptables configuration, so that restart
>>>> removed the rules you'd entered manually with iptables command.
>>>> Use yast to enter your custom rules into the SuSEfirewall2's
>>>> configuration permanently. Or edit /etc/sysconfig/SuSEfirewall2
>>>> file directly.
>>>
>>> The latter. The file contains configuration entries to do exactly what he
>>> tried to do.
>> For simple rules like those above it's certainly simpler and quicker
>> and less error prone to use yast to have them entered into that file
>> -- no need to manually search through the file for which entry to modify
>> and how. Unless someone really wants to… :-)
>>

>
> Hello Carlos E.R,
>
> That means the commands i have executed are applicable for IPTables and it doesn't have any connection with SuSEfirewall2. Thanks for clarifying me.
>
> Now please let me know in Opensuse which one is better and let me know how do i block IPs and allow access only to specific IPs?
>
> Example:
> I have Jenkins web server (IP - 10.50.60.70) this server SSH port - 22, and 80, 443 should be allowed to specific addresses.
> Let's say (1) 10.11.12.50, 2) 10.11.12.51, 3) 10.11.12.53).
>
> Only above three given IPs should allowed to access 22, 80 & 443 of Jenkins web server.

As others said, you use YaST.

Or, edit /etc/sysconfig/SuSEfirewall2

FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
10.11.12.50,tcp,http 10.11.12.51,tcp,http \
10.11.12.50,tcp,https 10.11.12.51,tcp,https \
"

Then run "SuSEfirewall2" to activate the changes (assuming you have it
active by default already).

--
Cheers, Carlos.

Re: How to configure Iptables in OpenSuse?

 by: MK - Mon, 5 Sep 2022 10:11 UTC

On Friday, September 2, 2022 at 5:14:10 PM UTC+5:30, Carlos E.R. wrote:
> On 2022-09-02 09:35, MK wrote:
> > On Friday, September 2, 2022 at 6:04:50 AM UTC+5:30, marrgol wrote:
> >> On 01/09/2022 at 23.57, Carlos E.R. wrote:
> >>>>> I am using "openSUSE 12.3" and "iptables version : v1.4.16.3"
> >>>>>
> >>>>> I am trying to enable the iptables rules to allow `22` port for all
> >>>>> IPs and `80` & `443` for specific IP addresses with the below commands.
> >>>>>
> >>>>> 1) iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
> >>>>> 2) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 80 -j ACCEPT
> >>>>> 3) iptables -A INPUT -p tcp -s 10.11.12.50 --dport 443 -j ACCEPT
> >>>>>
> >>>>> Then i have restarted the iptables service with below command,
> >>>>>
> >>>>> service SuSEfirewall2 restart
> >>>>
> >>>> SuSEfirewall2 keeps its own iptables configuration, so that restart
> >>>> removed the rules you'd entered manually with iptables command.
> >>>> Use yast to enter your custom rules into the SuSEfirewall2's
> >>>> configuration permanently. Or edit /etc/sysconfig/SuSEfirewall2
> >>>> file directly.
> >>>
> >>> The latter. The file contains configuration entries to do exactly what he
> >>> tried to do.
> >> For simple rules like those above it's certainly simpler and quicker
> >> and less error prone to use yast to have them entered into that file
> >> -- no need to manually search through the file for which entry to modify
> >> and how. Unless someone really wants to… :-)
> >>
>
> >
> > Hello Carlos E.R,
> >
> > That means the commands i have executed are applicable for IPTables and it doesn't have any connection with SuSEfirewall2. Thanks for clarifying me.
> >
> > Now please let me know in Opensuse which one is better and let me know how do i block IPs and allow access only to specific IPs?
> >
> > Example:
> > I have Jenkins web server (IP - 10.50.60.70) this server SSH port - 22, and 80, 443 should be allowed to specific addresses.
> > Let's say (1) 10.11.12.50, 2) 10.11.12.51, 3) 10.11.12.53).
> >
> > Only above three given IPs should allowed to access 22, 80 & 443 of Jenkins web server.
> As others said, you use YaST.
>
>
> Or, edit /etc/sysconfig/SuSEfirewall2
>
> FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
> 10.11.12.50,tcp,http 10.11.12.51,tcp,http \
> 10.11.12.50,tcp,https 10.11.12.51,tcp,https \
> "
>
> Then run "SuSEfirewall2" to activate the changes (assuming you have it
> active by default already).
>
> --
> Cheers, Carlos.

Hello Carlos,
I have edited the /etc/sysconfig/SuSEfirewall2 file then added the below content

FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
10.11.12.50,tcp,http 10.11.12.51,tcp,http \
10.11.12.50,tcp,https 10.11.12.51,tcp,https \
"
To activate, I executed “SuSEfirewall2” on the terminal. Now (http & https) are working as expected. But (ssh port - 22) access works even from IPs other than the ones enabled above.

Am I still missing something?

Re: How to configure Iptables in OpenSuse?

 by: Carlos E.R. - Mon, 5 Sep 2022 13:07 UTC

On 2022-09-05 12:11, MK wrote:
> On Friday, September 2, 2022 at 5:14:10 PM UTC+5:30, Carlos E.R. wrote:
>> On 2022-09-02 09:35, MK wrote:
>>> On Friday, September 2, 2022 at 6:04:50 AM UTC+5:30, marrgol wrote:
>>>> On 01/09/2022 at 23.57, Carlos E.R. wrote:

>> Or, edit /etc/sysconfig/SuSEfirewall2
>>
>> FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
>> 10.11.12.50,tcp,http 10.11.12.51,tcp,http \
>> 10.11.12.50,tcp,https 10.11.12.51,tcp,https \
>> "
>>
>> Then run "SuSEfirewall2" to activate the changes (assuming you have it
>> active by default already).
>>
>> --
>> Cheers, Carlos.
>
> Hello Carlos,
> I have edited the /etc/sysconfig/SuSEfirewall2 file then added the below content
>
> FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
> 10.11.12.50,tcp,http 10.11.12.51,tcp,http \
> 10.11.12.50,tcp,https 10.11.12.51,tcp,https \
> "
> To activate, I executed “SuSEfirewall2” on the terminal. Now (http & https) are working as expected. But (ssh port - 22) access works even from IPs other than the ones enabled above.
>
> Still am i missing something?

Check the entire file, it will also be opened on another entry somewhere.

cat /etc/sysconfig/SuSEfirewall2 | \
egrep -v "^[[:space:]]*$|^#" | less -S

And search for ssh.

--
Cheers, Carlos.
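
An added example (not from any post in the thread) of the check suggested above: it applies the same blank/comment filter, joins backslash-continued values so each hit keeps its variable name, and reports every entry that mentions ssh together with the source it is limited to. Assumptions: entries are read as `net,protocol,port` as in the thread's `FW_TRUSTED_NETS` lines, a bare service name is taken to mean no source restriction, and the sample file, including its `FW_SERVICES_EXT_TCP="ssh"` line, is constructed.

```python
import re

# Constructed sample in the style of /etc/sysconfig/SuSEfirewall2 (not the poster's file).
SAMPLE = r'''# external interface
FW_DEV_EXT="eth0"

## services open to the external zone
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
FW_TRUSTED_NETS="10.11.12.50,tcp,ssh 10.11.12.51,tcp,ssh \
10.11.12.50,tcp,http 10.11.12.51,tcp,http \
10.11.12.50,tcp,https 10.11.12.51,tcp,https \
"
'''

SSH_NAMES = {"ssh", "sshd", "22"}                 # spellings treated as "the SSH port"
OPEN_SOURCES = {"any", "0/0", "0.0.0.0/0"}        # sources that mean "everyone"


def assignments(text):
    """Yield (variable, value) pairs, joining backslash-continued lines first."""
    buf = ""
    for line in text.splitlines():
        if not buf and re.match(r"\s*(#|$)", line):   # same filter as the egrep above
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        m = re.match(r"\s*(\w+)=(.*)$", buf + line)
        buf = ""
        if m:
            yield m.group(1), m.group(2).strip().strip("\"'")


def ssh_entries(text):
    """Return (variable, entry, source) for every entry that refers to SSH."""
    found = []
    for name, value in assignments(text):
        for item in value.split():
            fields = item.split(",")
            candidates = fields[1:] if len(fields) > 1 else fields
            if SSH_NAMES & set(candidates):
                source = fields[0] if len(fields) > 1 else "any"
                found.append((name, item, source))
    return found


def unrestricted(text):
    """Variables that open SSH without limiting the source address."""
    return sorted({name for name, _, src in ssh_entries(text) if src in OPEN_SOURCES})


if __name__ == "__main__":
    for name, item, src in ssh_entries(SAMPLE):
        print(f"{name:22} {item:24} source={src}")
    print("open to everyone via:", unrestricted(SAMPLE))
```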
