
How do I block a range of IP addresses


It seems the script is failing when it tries to load the ipset kernel modules. Please give me the output of the following commands in SSH

Code:
IPSET_PATH=/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter
insmod -f $IPSET_PATH/ip_set.ko
insmod -f $IPSET_PATH/ip_set_nethash.ko
insmod -f $IPSET_PATH/ip_set_iphash.ko
insmod -f $IPSET_PATH/ipt_set.ko

Thanks for looking into this. The first command gives no output/error. After each insmod command I get: insmod: '-f.ko': module not found
 
OpenVPN logging goes all to the System log.

If you use signed keys instead of password-based authentication, it will be nearly impossible for anyone to bruteforce their way through it, so there won't be any need to worry.

I am not sure what I am using...it's the default settings....and I have to export the config file.....I have to enter the router's username and password to get the OpenVPN client to connect. I don't see an option to change authentication.
 
I am not sure what I am using...it's the default settings....and I have to export the config file.....I have to enter the router's username and password to get the OpenVPN client to connect. I don't see an option to change authentication.

If you are using the stock firmware, then you are using username/password based authentication with a router-generated key/cert pair. This should be secure enough for you not to worry about it.
 
Thanks for looking into this. The first command gives no output/error. After each insmod command I get: insmod: '-f.ko': module not found

Because I don't have the router to test on myself, possibly Merlin could chip in on how to load the appropriate IPSet modules :rolleyes:
 
Because I don't have the router to test on myself, possibly Merlin could chip in on how to load the appropriate IPSet modules :rolleyes:

I get the same issue when running similar scripts to yours, and I checked to see if the files are located in lib/modules/2.6.22.19/kernel/net/ipv4/netfilter, and they are.
 
I get the same issue when running similar scripts to yours, and I checked to see if the files are located in lib/modules/2.6.22.19/kernel/net/ipv4/netfilter, and they are.

The "File exist" error means the module is already loaded. Check with "lsmod".

Your error seems more like a syntax error in your rules than a problem with the modules themselves.
 
Some mid-range-cost WiFi routers enable one to enter banned IP addresses/ranges via simple web page inputs, e.g., Cradlepoint.
 
I get an error when I run this script. I have an RT-AC66U, enabled jffs, created the /jffs/scripts/firewall-start file, and ran chmod +x /jffs/scripts/firewall-start. All I am trying to do is ban IPs from cn pk ur af. I am running FW 3.0.0.4.374.35.4. Here is the output when running the script:

[IP Banning Started] ... ... ...
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set_nethash.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set_iphash.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ipt_set.ko': File exists
ipset v4.5: Unknown arg `-!'
Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `Blacklist':File not found

Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `BlockedCountries':File not found

Try `ipset -H' or 'ipset --help' for more information.
iptables: No chain/target/match by that name
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
/jffs/scripts/firewall-start: line 131: echo: Bad address
cat: can't open '/jffs/scripts/ipamount': No such file or directory
Started: Sat Dec 21 02:05:18 GMT 2013
Finished: Sat Dec 21 02:05:22 GMT 2013
Try `ipset -H' or 'ipset --help' for more information.
-14 IP's currently banned.
expr: syntax error

Any help would be great.

After looking at the error more closely I think I see the problem: I believe IPTables/IPSet has different syntax on the N56U compared to newer routers. Please reboot your router, replace the firewall script with the one linked below, and post the output of the following commands (and any related errors in the syslog)

http://pastebin.com/FasEQ2NE


Commands:

sh /jffs/scripts/firewall-start (If this isn't being executed on boot already)
lsmod
iptables -L -v -n
iptables --help
ipset --help



It also looks like the "--add-set" feature from iptables is missing, any insight to the equivalent syntax on this router would be appreciated.

--add-set setname flag[,flag...]
add the address(es)/port(s) of the packet to the set

Use of -j SET requires that ipset kernel support is provided, which, for standard kernels, is the case since Linux 2.6.39.

http://ipset.netfilter.org/iptables-extensions.man.html
 
After looking at the error more closely I think I see the problem: I believe IPTables/IPSet has different syntax on the N56U compared to newer routers.

The ipset syntax was changed between version 4 and version 5, as it was completely rewritten then. Asuswrt-Merlin uses ipset 4.5.
 
The ipset syntax was changed between version 4 and version 5, as it was completely rewritten then. Asuswrt-Merlin uses ipset 4.5.

That explains it, I forgot your firmware is based on 2.x kernel and the 3.x kernel runs IPSet 6.2

That being said is there an equivalent argument to the one pasted above as I am unable to test this myself.
 
That explains it, I forgot your firmware is based on 2.x kernel and the 3.x kernel runs IPSet 6.2

That being said is there an equivalent argument to the one pasted above as I am unable to test this myself.

Don't know, I don't use ipset. You will have to dig up the 4.5 documentation.
 
hello, i would like to block this IP range:
Code:
31.223.208.0/20
How do I add this to the jffs/scripts/firewall-start rule? I am using an AC68U router with Merlin firmware.....

I tested with this iptables script, but this IP range can still connect to me. Can someone help me with that?
Code:
#!/bin/sh

iptables -A eth0 -A INPUT -s 31.223.208.0/20 -j DROP
iptables -A INPUT -p tcp --dport 16740 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 16740 -j ACCEPT
iptables -I INPUT -p tcp --dport 16740 -j ACCEPT
 
Try this in jffs/scripts/firewall-start and chmod a+rx /jffs/scripts/firewall-start

And like any Linux script, they need to start with a shebang:

#!/bin/sh

iptables -I FORWARD -s 31.223.208.0/20 -j DROP
 
Try this in jffs/scripts/firewall-start and chmod a+rx /jffs/scripts/firewall-start

And like any Linux script, they need to start with a shebang:

#!/bin/sh

iptables -I FORWARD -s 31.223.208.0/20 -j DROP

I tested with this script but it is not working. A peer from this IP range can still connect to me..... Why is there no option to block IPs inside the router settings?
Code:
#!/bin/sh

iptables -I FORWARD -s 31.223.208.0/20 -j DROP
iptables -A INPUT -p tcp --dport 16740 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 16740 -j ACCEPT
iptables -I INPUT -p tcp --dport 16740 -j ACCEPT
 
If you are trying to block e.g. a server, then you should use the INPUT chain:
iptables -I INPUT -s 31.223.208.0/20 -j DROP
iptables -I INPUT -s 31.223.208.0/20 -p tcp --dport 16740 -j DROP

octopus@OCTOPUS:/tmp/home/root# iptables -vL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any 0-208-223-31.stat.customer.blic.net/20 anywhere
octopus@OCTOPUS:/tmp/home/root# iptables -vL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any 0-208-223-31.stat.customer.blic.net/20 anywhere tcp dpt:16740
 
So, if I understand you correctly, may I make this file to put in firewall-start? I tested this but still no luck....
Code:
#!/bin/sh

iptables -I INPUT -s 188.197.33.0/24 -j DROP
iptables -I INPUT -s 188.197.33.0/24 -p tcp --dport 16740 -j DROP
iptables -A INPUT -p tcp --dport 16740 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 16740 -j ACCEPT
iptables -I INPUT -p tcp --dport 16740 -j ACCEPT

Code:
ASUSWRT-Merlin RT-AC68U_3.0.0.4 Fri Jul 17 03:17:04 UTC 2015
admin@RT-AC68U-6D38:/tmp/home/root# iptables -vL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   33  4840 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:16740
    0     0 DROP       tcp  --  any    any     internet-188-197-33-0.narocnik.mobitel.si/24  anywhere             tcp dpt:16740
    0     0 DROP       all  --  any    any     internet-188-197-33-0.narocnik.mobitel.si/24  anywhere
    0     0 DROP       icmp --  ppp0   any     anywhere             anywhere             icmp echo-request
   12   624 DROP       all  --  ppp0   any     anywhere             anywhere             state INVALID
   75 16252 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    6   591 ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
  256 28968 ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
    7   224 ACCEPT     igmp --  any    any     anywhere             base-address.mcast.net/4
    0     0 ACCEPT     udp  --  any    any     anywhere             base-address.mcast.net/4  udp dpt:!upnp
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp !echo-request
  161 13952 DROP       all  --  any    any     anywhere             anywhere  
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:16740

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
  422  116K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   ppp0    anywhere             anywhere  
    0     0 DROP       all  --  !br0   eth0    anywhere             anywhere  
    0     0 DROP       all  --  eth0   any     anywhere             anywhere             state INVALID
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere  
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
   33  1626 ACCEPT     all  --  br0    any     anywhere             anywhere  

Chain OUTPUT (policy ACCEPT 202 packets, 34339 bytes)
pkts bytes target     prot opt in     out     source               destination
   33  8137 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:16740

Chain FUPNP (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere  

Chain logaccept (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere  

Chain logdrop (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
    0     0 DROP       all  --  any    any     anywhere             anywhere  
admin@RT-AC68U-6D38:/tmp/home/root#
 
hello, i would like to block this IP range:
Code:
31.223.208.0/20

I don't understand what you want to accomplish here.
As you show in your first post, you want to block the IP segment.
Then you only need one line of rules, as I showed.
 
I don't understand what you want to accomplish here.
As you show in your first post, you want to block the IP segment.
Then you only need one line of rules, as I showed.

I would like to block incoming connections to port 16740 from, for example, the IP range 31.223.208.0/20..... All other IPs in the world must have access to my port 16740....
 
This goes in jffs/scripts/firewall-start, and chmod a+rx /jffs/scripts/firewall-start
And like any Linux script, it needs to start with a shebang: #!/bin/sh

Then you need this rule:
The INPUT rule is for the router itself. You may need to use a FORWARD rule.

Use the rule that suits your setup.
iptables -I FORWARD -s 31.223.208.0/20 -p tcp --dport 16740 -j DROP

iptables -I INPUT -s 31.223.208.0/20 -p tcp --dport 16740 -j DROP

31.223.208.0/20 covers ALL these IP numbers.
Start IP: 31.223.208.0
End IP: 31.223.223.255
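The following is an added example, not code from the thread or from the Asuswrt-Merlin project. It pulls together the last two replies (INPUT is for traffic to the router itself, FORWARD for traffic passed on to a LAN host; 31.223.208.0/20 spans 31.223.208.0 to 31.223.223.255) and the iptables -vL listing posted earlier, where the ACCEPT for dpt:16740 that was inserted last sits above both DROP rules and took all 33 packets while the DROPs matched none. The script computes the start/end of any CIDR block, lets you check whether a peer address is actually inside the blocked range, and inserts the rules in the order that makes the DROP win. It assumes the firewall-start semantics described in the thread (the script is re-run whenever the firewall restarts) and reuses the thread's range and port; set IPT=echo to print the rules rather than apply them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# /jffs/scripts/firewall-start that blocks one source range from reaching a
# port while leaving that port open to everyone else. Assumes the semantics
# given in the thread (script is re-run whenever the firewall restarts, INPUT
# is traffic to the router itself, FORWARD is traffic to a LAN host) and
# reuses the thread's range and port. Set IPT=echo to print instead of apply.

IPT="${IPT:-iptables}"
BLOCK_NET="31.223.208.0/20"
PORT=16740

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# First and last address of a CIDR block (the calculation the last post does
# by hand): 31.223.208.0/20 -> "31.223.208.0 31.223.223.255"
cidr_range() {
    case "$1" in */*) ;; *) echo "expected a.b.c.d/len, got: $1" >&2; return 1 ;; esac
    addr="${1%/*}"; bits="${1#*/}"
    if [ "$bits" -lt 0 ] || [ "$bits" -gt 32 ]; then
        echo "bad prefix length in $1" >&2; return 1
    fi
    hostmask=$(( 0xFFFFFFFF >> bits ))                       # bits that vary inside the block
    start=$(( $(ip2int "$addr") & ~hostmask & 0xFFFFFFFF ))  # clear the host bits
    echo "$(int2ip "$start") $(int2ip $(( start | hostmask )))"
}

# Exit 0 when a single address lies inside the CIDR. Use it to confirm that a
# peer that "still connects" is really inside the range you blocked.
in_cidr() {
    range=$(cidr_range "$2") || return 1
    set -- "$1" $range
    ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# Rule order is what went wrong in the posted listing: -I puts a rule at the
# TOP of the chain, so whichever rule is inserted last is matched first. There
# the ACCEPT for dpt:16740 was inserted last and took every packet. Insert the
# ACCEPT first and the DROP after it, so the DROP is evaluated first. The -D
# calls remove a stale copy so re-running firewall-start does not stack
# duplicate rules.
apply_rules() {
    net="$1"; port="$2"
    for chain in INPUT FORWARD; do
        $IPT -D "$chain" -p tcp --dport "$port" -j ACCEPT 2>/dev/null
        $IPT -D "$chain" -s "$net" -p tcp --dport "$port" -j DROP 2>/dev/null
        $IPT -I "$chain" -p tcp --dport "$port" -j ACCEPT
        $IPT -I "$chain" -s "$net" -p tcp --dport "$port" -j DROP
    done
}

# Off the router (no iptables in PATH, or not root) fall back to printing the rules.
if ! command -v "$IPT" >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
    IPT=echo
fi
echo "blocking $(cidr_range "$BLOCK_NET") from tcp/$PORT (using: $IPT)"
apply_rules "$BLOCK_NET" "$PORT"
```

After the script has run, iptables -vL -t filter should show the DROP line for the range above the ACCEPT line for the port in both INPUT and FORWARD; if a connection from inside the range still gets through, run in_cidr with the peer's address to check it really falls within the block before looking elsewhere.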
 
