[SOLVED] Blocking specific incoming IP addresses


outrage_uk

Occasional Visitor
I have an Asus RT-AC68U, running latest firmware: 378.56_2

The issue is I have many connections from foreign IP addresses that I want to block. I have added these into the Network Services Filter Table (black list), but connections are still allowed to be made. There is no log of dropped packets and the active connection is shown in the "Connections" log.

Also, you are not able to add wildcard * to the source or destination IP fields (*.*.*.* returns an error even though this is displayed in the help description). I don't know if this is related to the problem.
 
To quote the webui:

Code:
The Network Services filter blocks the LAN to WAN packet exchanges and restricts devices from using specific network services.

It's not intended for blocking incoming connections, only outgoing.
 
So if I swap around the Source and Destination, it will work I assume (stop the local LAN device replying to WAN).

Seems ridiculous how you can't specify specific incoming WAN IP addresses to block on such a powerful router straight out of the box :(

Anyway thanks for clearing that up, and your excellent work.
 

That's because it's of limited use. By default the firewall will block all inbound connections, unless you have a port forward in place.

If you have special needs, don't forget that you can also directly manipulate iptables through a firewall-start or a nat-start script.
 
The problem with port forwarding is apparently you're opening it to the whole WAN, which is allowing it through the firewall. In my situation I need to be able to specify the 10 or so allowed clients and block everything else, or at least block specific IPs that are finding my open ports. Doesn't appear this can be done with Asus firmware, which I thought was strange; I used to do this with an old Netgear 5 years ago.

For now I have blocked LAN to WAN access (which still shows it accessible on WAN sadly), and added 128 bit authentication on the client which has done the trick from unwanted connections.
 
It can't be done in the webui, but as RMerlin pointed out it can be done with a user script and iptables.

https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips
https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
 
I'm adding this to the firewall-start file (enabling scripts, saving it as Unix, and making it executable) but it's not working. What am I doing wrong?

Code:
#!/bin/sh

logger "Applying firewall-start rules"
# each xxx.xxx.xxx.xxx is a placeholder for one address to block
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
iptables -A OUTPUT -d xxx.xxx.xxx.xxx -j DROP
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
iptables -A OUTPUT -d xxx.xxx.xxx.xxx -j DROP

Nothing other than "custom script: Running /jffs/scripts/firewall-start (args: eth0)" is shown in the log.
 
Insert it (-I) instead of appending it (-A). That will ensure that no other rule will accept the packet before it reaches your rules.
 
Still can't seem to get it to work. Just to be sure I'm going down the right lines here... I want to block say 5 IP addresses that are connecting on port 8888, but it is still listed to forward on the virtual server/port forwarding page because I want to be able to connect using mobile internet, which changes IP address every 5 minutes. Is there a better way to do it? Load a black list of IPs file from the firewall-start script maybe?
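An added example, not code from this thread or from the asuswrt-merlin project, for the blacklist-file idea in the post above: a firewall-start script that reads one address or CIDR per line from a list file, validates each entry instead of aborting on a bad one, tolerates DOS line endings in the list, and inserts the DROP rules with -I at the head of INPUT and FORWARD (INPUT for traffic aimed at the router, FORWARD for traffic port-forwarded to a LAN host). The path /jffs/configs/blocklist.txt, the function names and the sample entries are my assumptions; the firewall-start hook is the one from the user-scripts wiki linked earlier.

```shell
#!/bin/sh
# Added example (not from the thread or asuswrt-merlin): firewall-start that
# loads a block list from a file and drops those sources in INPUT and FORWARD.
# Assumed layout: /jffs/configs/blocklist.txt, one IPv4 address or CIDR per
# line, '#' comments allowed.

BLOCKLIST="${BLOCKLIST:-/jffs/configs/blocklist.txt}"
IPT="${IPT:-iptables}"

log() { logger -t firewall-start "$*" 2>/dev/null || echo "firewall-start: $*" >&2; }

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # no slash given
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # refuse anything but digits and dots first, so '*.*.*.*' (which the webui
    # also rejects) can never reach the unquoted split below and glob-expand
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the valid entries of the list file, one per line. Carriage returns are
# stripped first, so a list saved with DOS line endings (the ^M problem in this
# thread) still parses; comments and blank lines are dropped and malformed
# entries are logged and skipped rather than killing the whole script.
load_blocklist() {
    tr -d '\r' < "$1" | while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf '%s\n' "$line"
        else
            log "skipping invalid blocklist entry '$line'"
        fi
    done
}

# Insert a DROP for one source network at the head of a chain. -I rather than
# -A so no earlier ACCEPT matches first; -C (present in iptables 1.4.14) first
# so re-running the script after a firewall restart does not stack duplicates.
block_source() {
    $IPT -C "$1" -s "$2" -j DROP 2>/dev/null || $IPT -I "$1" -s "$2" -j DROP
}

apply_blocklist() {
    n=0
    for net in $(load_blocklist "$1"); do
        block_source INPUT   "$net"    # traffic aimed at the router itself
        block_source FORWARD "$net"    # traffic port-forwarded to LAN hosts
        n=$((n + 1))
    done
    log "applied $n block entries from $1"
}

# Only act when the list exists, so the file can be sourced harmlessly elsewhere.
if [ -r "$BLOCKLIST" ]; then
    apply_blocklist "$BLOCKLIST"
fi
```

Save it as /jffs/scripts/firewall-start with mode 0755 and Unix line endings; the tr in load_blocklist only protects the list file, a CRLF script file still fails exactly as shown later in this thread. Rule hits are not logged by default; a LOG rule inserted ahead of each DROP would be the way to see them in the router log.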
 
Yes, sorry I meant to add:

Code:
#!/bin/sh
logger "Applying firewall-start rules"
touch /tmp/000firewall-start
# each xxx.xxx.xxx.xxx is a placeholder for one address to block
iptables -I FORWARD -s xxx.xxx.xxx.xxx -j DROP
iptables -I FORWARD -d xxx.xxx.xxx.xxx -j DROP
iptables -I FORWARD -s xxx.xxx.xxx.xxx -j DROP
iptables -I FORWARD -d xxx.xxx.xxx.xxx -j DROP
touch /tmp/000firewall-stop

Is what I have. 000firewall-start or 000firewall-stop are not there, so I don't think the script is actually running?
 
Did you enable the running of scripts in the gui? I think it's now on the Administration > System page.
 
"Enable JFFS custom scripts and configs" under "Persistent JFFS2 partition" is set to Yes.

The log shows: "Dec 13 07:40:57 custom script: Running /jffs/scripts/firewall-start (args: eth0)" so it should run, but as there is no mention of the log text output or the temp files, it doesn't appear to run? I have definitely set file permission as rwxr-xr-x (0755) and saved as Unix file.
 
Double check that it's really a Unix file by running dos2unix on the script.

Also, what happens if you run it from the command line?
 
Code:
admin@RT-AC68U:/jffs/scripts# sh firewall-start
'ptables v1.4.14: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.14: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.14: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.4.14: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
 
The missing chars in the errors are sometimes a symptom of a DOS file format... did you run dos2unix?

dos2unix /jffs/scripts/firewall-start
 
It looks that way :(

I have been using Notepad++; I assumed that would be good enough.

How do I install dos2unix? I'm running Windows; can it be installed on the router, and if so how?
 
Already on the router with .56_2... should just be able to run it from the router command line.
 
I am getting this:

Code:
-sh: dos2unix: not found

When I run "vi firewall-start", there is ^M at the end of every line which is clearly the problem.
 
Are you trying to run it with sh at the start? It's a native command, so just

dos2unix filename
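An added example, not from the thread, for the case a few posts up where dos2unix is reported missing: a small checker that detects DOS line endings with only the tools busybox ships, shows the invisible byte that turns `DROP` into `DROP<CR>` (which is what produced "Invalid target name `DROP" above, the CR returning the cursor to column 0 so the closing quote overwrote the leading i), and repairs the file in place without losing its 0755 mode. Function names are mine; file names come from the command line.

```shell
#!/bin/sh
# Added example (not from the thread): detect and repair CRLF line endings in a
# /jffs/scripts file using only busybox tools, for routers without dos2unix.

# Return 0 if the file contains any carriage return (the ^M vi shows), else 1.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Byte length of the last word on the last line. With CRLF endings the shell
# hands iptables "DROP<CR>" (5 bytes) instead of "DROP" (4), so the target
# lookup fails even though the line looks correct in an editor.
last_word_len() {
    tail -n 1 "$1" | awk '{ print length($NF) }'
}

# Strip every CR in place. Writing back through cat rather than mv keeps the
# original inode, so the executable mode set on the script survives the repair.
strip_crlf() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Check each named file; with --fix, convert the ones that need it.
fix=0
for arg in "$@"; do
    [ "$arg" = "--fix" ] && { fix=1; continue; }
    if has_crlf "$arg"; then
        echo "$arg: CRLF line endings (last word is $(last_word_len "$arg") bytes)"
        [ "$fix" -eq 1 ] && strip_crlf "$arg" && echo "$arg: converted to LF"
    else
        echo "$arg: OK"
    fi
done
```

Run as `sh crlfcheck.sh /jffs/scripts/firewall-start` to diagnose and add `--fix` to repair; afterwards `sh /jffs/scripts/firewall-start` should no longer print the truncated iptables errors.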
 
