Assistance to create a script that blocks inbound CIDRs via iptables


MKANET

Regular Contributor
I have very limited experience with Linux. I was hoping someone could assist me to create a script that will update iptables (to block a few incoming CIDRs).

I already have a script called, /jffs/scripts/services-start which is executed when my router boots up.

Could someone please assist with what lines I should append to this script file (in order to block CIDRs: 116.10.191.0/24 & 104.131.0.0/16) when the router boots up? I'm guessing it's something like?

iptables -A INPUT -s 116.10.191.0/24 -j DROP
iptables -A INPUT -s 104.131.0.0/16 -j DROP
 

ColinTaylor

Part of the Furniture
You should put your commands in the firewall-start script. You should also use -I rather than -A otherwise those commands will have no effect.

The firewall drops all unsolicited traffic by default anyway (apart from VPN which is a special case).
 

MKANET

Regular Contributor
You should put your commands in the firewall-start script. You should also use -I rather than -A otherwise those commands will have no effect.

The firewall drops all unsolicited traffic by default anyway.

Thanks. My intention is to block specific incoming unsolicited traffic from reaching my webserver via port forwarding.

EDIT: I'm curious why -I would work in this case, but not -A?
 

RMerlin

Asuswrt-Merlin dev
Thanks. My intention is to block specific incoming unsolicited traffic from reaching my webserver via port forwarding.

EDIT: I'm curious why -I would work in this case, but not -A?

Because you'll want your DROP rules to have priority over all the existing ACCEPT rules.
 

ColinTaylor

Part of the Furniture
Thanks. My intention is to block specific incoming unsolicited traffic from reaching my webserver via port forwarding.
In which case you need to use the FORWARD chain rather than the INPUT chain. Or configure access restrictions on your web server if it's something like Apache.
 

MKANET

Regular Contributor
In which case you need to use the FORWARD chain rather than the INPUT chain. Or configure access restrictions on your web server if it's something like Apache.

I forward port 80/443 to my web server PC running nginx. I prefer to stop the traffic at the firewall (before even reaching my web server). Previously, I was DENYing the CIDR via Nginx config.
 

MKANET

Regular Contributor
Have you looked at https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/? It sounds like it would do what you want it to do.

* edit: fixed link *

Thanks @Huib, I was hoping that adding the drop rules from the previous post would do what I want, since it was relatively simple to do. However, it didn't seem to have any effect after restarting the firewall.

@ColinTaylor, my apologies if I misunderstood what you were saying previously. But, will the Drop rules do what I expect; or, do I have to use the other script that Huib posted to do what I want? I can't seem to get the drop rules to work. I'd prefer to use the existing firewall to do what I want, if feasible.
 

ColinTaylor

Part of the Furniture
@ColinTaylor, my apologies if I misunderstood what you were saying previously. But, will the Drop rules do what I expect; or, do I have to use the other script that Huib posted to do what I want? I can't seem to get the drop rules to work. I'd prefer to use the existing firewall to do what I want, if feasible.
Your rules should work. There should be no need to use that other script or Skynet (unless you prefer to) as they all effectively do the same thing.

Your firewall-start script should look like this:
Code:
#!/bin/sh
iptables -I FORWARD -s 116.10.191.0/24 -j DROP
iptables -I FORWARD -s 104.131.0.0/16 -j DROP

The script should also be executable and be in Unix-format not DOS/Windows-format, so:
Code:
chmod 755 /jffs/scripts/firewall-start
dos2unix /jffs/scripts/firewall-start
service restart_firewall
And of course you should have enabled custom scripts in the GUI, which I assume you already did for your services-start script.
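To show why RMerlin's point about -I versus -A and ColinTaylor's point about FORWARD versus INPUT both matter for the final firewall-start script above, here is a small constructed model of first-match chain evaluation. It is an added example, not code from the thread or from Asuswrt-Merlin; the match-all ACCEPT rule standing in for the router's existing port-forward rule and the source address 116.10.191.5 are assumptions for illustration.

```python
import ipaddress

# Constructed model of netfilter first-match chain evaluation (added example,
# not code from the thread or from Asuswrt-Merlin). It only illustrates why
# the thread's rules needed -I and the FORWARD chain; it never touches iptables.

BLOCKED = ["116.10.191.0/24", "104.131.0.0/16"]   # CIDRs from the thread

class Chain:
    def __init__(self, name, policy="DROP"):
        self.name = name
        self.policy = policy      # default verdict when no rule matches
        self.rules = []           # (source network or None for "any", target)

    def append(self, src, target):   # like iptables -A: rule goes to the end
        self.rules.append((src, target))

    def insert(self, src, target):   # like iptables -I: rule goes to the top
        self.rules.insert(0, (src, target))

    def verdict(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for net, target in self.rules:   # first matching rule wins
            if net is None or ip in ipaddress.ip_network(net):
                return target
        return self.policy

def build_chains(chain_name, mode):
    """Stock-like INPUT/FORWARD chains plus the thread's DROP rules added to
    chain_name with mode 'append' (-A) or 'insert' (-I)."""
    chains = {"INPUT": Chain("INPUT"), "FORWARD": Chain("FORWARD")}
    # Assumed stand-in for the existing rule that ACCEPTs port-forwarded traffic.
    chains["FORWARD"].append(None, "ACCEPT")
    for cidr in BLOCKED:
        getattr(chains[chain_name], mode)(cidr, "DROP")
    return chains

def verdict_for(chains, src_ip, dst_is_router):
    # Routing decision: traffic for the router itself traverses INPUT; traffic
    # forwarded to a LAN host (the port-forwarded web server) traverses FORWARD.
    chain = "INPUT" if dst_is_router else "FORWARD"
    return chains[chain].verdict(src_ip)

def web_server_verdict(chain_name, mode, src_ip="116.10.191.5"):
    """Verdict for a packet from src_ip heading to the forwarded web server."""
    return verdict_for(build_chains(chain_name, mode), src_ip, dst_is_router=False)

if __name__ == "__main__":
    for chain_name, mode in (("INPUT", "insert"), ("FORWARD", "append"), ("FORWARD", "insert")):
        print(chain_name, mode, "->", web_server_verdict(chain_name, mode))
```

Only the FORWARD/insert combination drops the blocked source before it reaches the web server; DROP rules in INPUT never see forwarded traffic, and appended rules sit behind the existing ACCEPT.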
 

MKANET

Regular Contributor
I think I found out why it wasn't working. You clearly told me earlier, "In which case you need to use the FORWARD chain rather than the INPUT chain". I didn't realize what you meant until I saw your example code. I had changed -A to -I only.

I should know if this was effective by tomorrow...

Your rules should work. There should be no need to use that other script or Skynet (unless you prefer to) as they all effectively do the same thing.

Your firewall-start script should look like this:
Code:
#!/bin/sh
iptables -I FORWARD -s 116.10.191.0/24 -j DROP
iptables -I FORWARD -s 104.131.0.0/16 -j DROP

The script should also be executable and be in Unix-format not DOS/Windows-format, so:
Code:
chmod 755 /jffs/scripts/firewall-start
dos2unix /jffs/scripts/firewall-start
service restart_firewall
And of course you should have enabled custom scripts in the GUI, which I assume you already did for your services-start script.
 

MKANET

Regular Contributor
@ColinTaylor Your suggestion worked perfectly. It was exactly what I wanted. Thank you for the great support in this community. Heck, even RMerlin chimed in to help.
 
