===== Playing with SuSE firewall =====
The organization have one requerimient, access to SSH must be allowed only from specific IP range.

The firewall must be up but only block SSH ports.

I know that you can down the SuSE Firewall and make a script with iptables... but I want make it in SuSE way. You need have basic knowledge about SuSE Firewall

Enable the firewall and configure a custom rule to allow all connections:

{{::shot-2016-06-08_11-29-07.jpg|}}

Now configure SuSE Firewall to accept custom rules. Please edit /etc/sysconfig/SuSEfirewall2 change the line:
<code>
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
</code>

Edit the file /etc/sysconfig/scripts/SuSEfirewall2-custom change the lines:
<code>
fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    iptables -A INPUT -p tcp --dport 22 -s 192.168.122.0/24 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP

    true
}
</code>

This block SSH to all IPs but 192.168.122.0/24 subnet.

Restart SuSE Firewall.

==== References ====
  * https://www.suse.com/documentation/sles11/book_security/data/sec_fire_suse.html
  * https://stackoverflow.com/questions/7423309/iptables-block-access-to-port-8000-except-from-ip-address