
How do I block a range of IP addresses

Discussion in 'ASUS Wireless' started by LoneWolf3574, Nov 6, 2013.

  1. LoneWolf3574

    LoneWolf3574 Occasional Visitor

    Joined:
    Jan 6, 2010
    Messages:
    37
    Location:
    Tucson, AZ
    I've got an Asus RT-AC66U with a Synology DS413 NAS that I'm working on connecting to and accessing from the Internet. What I've managed to do so far is set up port forwarding, but now I'm getting logon attempts from the Pacific region and a couple of places in the USA (about a dozen in the last day). What I'd like to do is block ranges of IP addresses from connecting or attempting to connect (i.e. prevent 118.*.*.* from connecting). How do I do this? Do I use the Network Services Filter with the firewall?

    Edit - If it helps any, I'm running Merlin build 3.0.0.4.374.34_2
     
    Last edited: Nov 6, 2013
  2. Adamm

    Adamm Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    303
    The easiest and most efficient way to block a range of IPs is to use ipset. I know for a fact that on my N56U I can block up to 1,000,000 IPs without any performance degradation on my 115/5 connection.

    Here's the script I made for my setup, which automatically blocks all IPs from the SPI firewall along with any countries or addresses I choose. It will need some modifying to work with AC6*U routers as there are some slight differences, but it's a good start for anyone who knows their way around Unix.


    http://pastebin.com/ckx2bQyZ
     
  3. LoneWolf3574 (Occasional Visitor)
    Unfortunately, I don't know anything about Unix. I do have a willingness to learn and tinker with new things that catch my interest. :D
     
  4. elpibe10

    elpibe10 Regular Contributor

    Joined:
    Aug 17, 2013
    Messages:
    60
    Location:
    Out of this World
    Facing the same problem with the VPN Server that I enabled on my Asus RT-N66U.

    This particular IP, 183.60.48.26 from China, keeps trying to log in to my VPN server every morning (without fail) at around 7:30 am, as does this IP, 93.120.84.31 from Romania, which has tried to hack into my VPN server on several occasions (to no avail ... so far).

    Both have not been able to gain access (yet) but I really hope I can block them off permanently before something dreadful happens.

    As far as I know, the Asus firmware (stock and Merlin's) is unable to do that. Tried messing with the 'Firewall - Network Filter' to no avail. :(
     
  5. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    21,571
    Location:
    Canada
    This can be done manually with my FW by adding a DROP rule to the INPUT chain. Use the firewall-start script for this.
     
  6. LoneWolf3574 (Occasional Visitor)
    I'm new at this, Merlin. Do you have any links showing me how this is best done, or a download link for the script with an explanation? I'm still at the first stage of learning, where I need to figure out exactly what I want to access over the Internet. I've figured out the how, and this IP bump in the road is just throwing a kink into things. Ultimately I hope I'm taking the correct approach to tackling this issue. :p
     
  7. Adamm (Senior Member)

    If you want, I'll edit my script posted above to do the work for you. Please post the output of the following command from SSH, as I don't have an AC**U router yet to test on.

    iptables -L -v -n
     
  8. elpibe10 (Regular Contributor)
    Thanks for the info, Merlin and Adamm.

    Learning curve seems really steep on doing up scripts (for my case, don't even know how to begin :eek:).

    Hacking is pretty common nowadays. If external IP blocking can be incorporated into the GUI that would have been perfect :p
     
  9. Adamm (Senior Member)

    I will add compatibility for all the Asus routers to my script so you can easily ban IP ranges and whatnot. I just need the output of the following commands in SSH from anyone who has an N66U, AC66U, AC56U or AC68U. Please also turn the router's SPI Firewall feature on in the admin GUI and set "Logged Packets Type" to "Dropped".

    iptables -L -v -n

    cat /tmp/ipt_filter.rules

    nvram get productid
     
  10. elpibe10 (Regular Contributor)
    Thank you. Give me some time to extract the info, as I've got to figure out how to work with SSH using the PuTTY client :eek:
     
  11. LoneWolf3574 (Occasional Visitor)
    I've disabled SSH port forwarding for the time being until I get some time to run that script, Adamm. Let's see if I'm smart enough to figure out how to run it :D
     
  12. LoneWolf3574 (Occasional Visitor)
    OK, figured out how to do what you asked; used PuTTY to do it, then figured out I already had the ability to do it built in (via the Run Cmd tab), lol.

    Code:
    ASUSWRT-Merlin RT-AC66U_3.0.0.4 Fri Nov  1 23:26:23 UTC 2013
    [email protected]:/tmp/home/root# iptables -L -v -n
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination                       
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 state INVALID
      898  104K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0                                 state NEW
      252 14908 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0                                 state NEW
       15  5313 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0                                 udp spt:67 dpt:68
        1   148 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                         
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination                       
      220  8423 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 state RELATED,ESTABLISHED
        0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0                         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 state INVALID
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0                         
        0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0                         
        0     0 DROP       tcp  --  br0    eth0    218.0.0.0/8          192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    117.0.0.0/8          192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    76.0.0.0/8           192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    27.0.0.0/8           192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    112.0.0.0/8          192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    118.0.0.0/8          192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    219.0.0.0/8          192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    220.0.0.0/8          192.168.1.13                      1       tcp flags:0x3F/0x3F
        0     0 DROP       tcp  --  br0    eth0    2.0.0.0/8            192.168.1.13                      1       tcp flags:0x3F/0x3F
        8   508 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0                         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 ctstate DNAT
        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0                         
    
    Chain OUTPUT (policy ACCEPT 887 packets, 284K bytes)
     pkts bytes target     prot opt in     out     source               destination                       
    
    Chain FUPNP (0 references)
     pkts bytes target     prot opt in     out     source               destination                       
    
    Chain PControls (0 references)
     pkts bytes target     prot opt in     out     source               destination                       
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                         
    
    Chain logaccept (0 references)
     pkts bytes target     prot opt in     out     source               destination                       
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 state NEW LOG flags 7 level 4 prefix `ACCEPT '
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                         
    
    Chain logdrop (0 references)
     pkts bytes target     prot opt in     out     source               destination                       
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 state NEW LOG flags 7 level 4 prefix `DROP'
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                         
    [email protected]:/tmp/home/root# cat /tmp/ipt_filter.rules
    cat: can't open '/tmp/ipt_filter.rules': No such file or directory
    [email protected]:/tmp/home/root# nvram get productid
    RT-AC66U
    [email protected]:/tmp/home/root#
    I take it that to run your script from earlier and to get cat /tmp/ipt_filter.rules I have to enable JFFS? :confused:
    Mind you, I don't know Linux commands, yet, and my kids call me old at 39, so...
     
    Last edited: Nov 9, 2013
  13. Adamm (Senior Member)

    Please enable JFFS from the web UI and put the content from the link below into the /jffs/scripts/firewall-start file.

    After doing so, type "chmod +x /jffs/scripts/firewall-start" in SSH.

    The script is then easy to use. It will need to be run after every reboot, though; I would help you with that but I'm not familiar with how to do it automatically on this router, but I'm sure someone else can help with that.

    After boot, run "sh /jffs/scripts/firewall-start", which sets it up. The same command along with the following words will do as listed.



    http://pastebin.com/ZUXkvMrK
     
    Last edited: Nov 10, 2013
  14. LoneWolf3574 (Occasional Visitor)
    My apologies for not getting back sooner, I've been preoccupied with working mixed 8-12 hour days, 6 days a week for the last 3 weeks.

    I've copied the code and will put it to use; in the meantime I've got to teach myself something new, the UNIX command line (aka #bash) and how to access the JFFS on my router. Seriously, thanks again, I sincerely appreciate the help. :)
     
  15. LoneWolf3574 (Occasional Visitor)
    OK, I'm figuring this #BASH thing out some, and still working on figuring out how to create and save scripts.

    I've done some looking around in the directories and found that I do have a /tmp/filter_rules. Is it safe to assume that this is what you wanted when you asked for cat /tmp/ipt_filter.rules earlier, Adamm? If so, the results are below, along with the same for IPv6.

    Code:
    [email protected]:/tmp# cat /tmp/filter_rules
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FUPNP - [0:0]
    :PControls - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -o eth0 ! -i br0 -j DROP
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i eth0 -p icmp -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 218.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 117.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 76.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 27.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 112.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 118.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 219.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 220.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD  -i br0 -o eth0  -p tcp --tcp-flags ALL ALL -s 2.0.0.0/8 -d 192.168.1.131 -j DROP
    -A FORWARD -i br0 -o eth0 -j ACCEPT
    -A PControls -j ACCEPT
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A FORWARD -i br0 -j ACCEPT
    COMMIT
    
    And for IPv6
    Code:
    [email protected]:/tmp# cat /tmp/filter_rules_ipv6
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :PControls - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -m rt --rt-type 0 -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -m rt --rt-type 0 -j DROP
    -A FORWARD -o eth0 -i br0 -j ACCEPT
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
    -A FORWARD -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
    -A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
    -A FORWARD -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
    -A FORWARD -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
    -A FORWARD -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
    -A FORWARD -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
    -A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p udp --dport 546 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -m rt --rt-type 0 -j DROP
    -A FORWARD -i br0 -o eth0 -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A FORWARD -j DROP
    COMMIT
    
     
  16. Adamm (Senior Member)
    Awesome, the script/instructions above should work by the looks of it, let me know if you run into any errors.
     
  17. NAI

    NAI New Around Here

    Joined:
    Dec 21, 2013
    Messages:
    3
    I get an error when I run this script. I have an RT-AC66U, enabled JFFS, created the /jffs/scripts/firewall-start file and ran chmod +x /jffs/scripts/firewall-start. All I am trying to do is ban IPs from cn, pk, ur and af. I am running FW 3.0.0.4.374.35.4. Here is the output when running the script:

    Code:
    [IP Banning Started] ... ... ...
    insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
    insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set_nethash.ko': File exists
    insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set_iphash.ko': File exists
    insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ipt_set.ko': File exists
    ipset v4.5: Unknown arg `-!'
    Try `ipset -H' or 'ipset --help' for more information.
    ipset v4.5: Couldn't load settype `Blacklist':File not found

    Try `ipset -H' or 'ipset --help' for more information.
    ipset v4.5: Couldn't load settype `BlockedCountries':File not found

    Try `ipset -H' or 'ipset --help' for more information.
    iptables: No chain/target/match by that name
    iptables v1.3.8: Unknown arg `--match-set'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: Unknown arg `--match-set'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: Unknown arg `--add-set'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: Unknown arg `--match-set'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: Unknown arg `--match-set'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: Unknown arg `--add-set'
    Try `iptables -h' or 'iptables --help' for more information.
    /jffs/scripts/firewall-start: line 131: echo: Bad address
    cat: can't open '/jffs/scripts/ipamount': No such file or directory
    Started: Sat Dec 21 02:05:18 GMT 2013
    Finished: Sat Dec 21 02:05:22 GMT 2013
    Try `ipset -H' or 'ipset --help' for more information.
    -14 IP's currently banned.
    expr: syntax error

    Any help would be great.
     
    Last edited: Dec 21, 2013
  18. Adamm (Senior Member)
    It seems the script is failing when it tries to load the ipset kernel modules. Please give me the output of the following commands in SSH.

    Code:
    IPSET_PATH=/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter
    insmod -f $IPSET_PATH/ip_set.ko
    insmod -f $IPSET_PATH/ip_set_nethash.ko
    insmod -f $IPSET_PATH/ip_set_iphash.ko
    insmod -f $IPSET_PATH/ipt_set.ko
     
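Two details of the error output in post 17 are worth knowing when reading it. `insmod` exits non-zero with "File exists" when a module is already loaded, so those four lines mean the ipset modules were present, not absent. The arguments ipset 4.5 and iptables 1.3.8 rejected (`-!`, `--match-set`, `--add-set`) belong to the ipset 6 command syntax; ipset 4.x creates sets with `-N NAME TYPE`, adds entries with `-A`, and iptables 1.3.8 matches them with `-m set --set NAME src`. Below is an added example, not Adamm's pastebin script, that emits whichever syntax the installed ipset generation accepts, so one firewall-start works on both the RT-AC66U and newer firmware. The set names, the WAN interface eth0 and the ranges are assumptions; the module path is the one shown in the error output.

```shell
#!/bin/sh
# Added example, not Adamm's script: block source ranges with ipset on
# Asuswrt-Merlin, using the syntax of whichever ipset generation is installed.
# Assumptions not taken from the thread: set names, WAN interface eth0 and
# placeholder ranges. MOD_DIR is the path printed in the error output above.

BLOCK_RANGES="118.0.0.0/8 27.0.0.0/8"       # networks
BLOCK_HOSTS="183.60.48.26 93.120.84.31"     # single addresses
WAN_IF="eth0"
MOD_DIR="/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter"

# ipset_major: "4" on the RT-AC66U firmware of the post above, "6" on newer
# builds, empty when ipset is not installed.
ipset_major() {
    ipset -v 2>/dev/null | sed -n 's/^ipset v\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# load_modules (ipset 4 only): "File exists" from insmod means the module is
# already loaded and is ignored; only a genuinely missing file is reported.
load_modules() {
    for m in ip_set ip_set_nethash ip_set_iphash ipt_set; do
        if [ -f "$MOD_DIR/$m.ko" ]; then
            insmod "$MOD_DIR/$m.ko" 2>/dev/null || true
        else
            printf 'missing kernel module: %s/%s.ko\n' "$MOD_DIR" "$m" >&2
        fi
    done
}

# gen_cmds MAJOR: print the commands for that ipset generation. Nothing is
# executed here, so the output can be inspected (or tested) anywhere.
gen_cmds() {
    case "$1" in
    4)
        # ipset 4.x: -N/-A/-F, separate set types for networks (nethash) and
        # single addresses (iphash); iptables 1.3.8 matches with "--set NAME src".
        echo "ipset -N blk_net nethash 2>/dev/null || true"
        echo "ipset -N blk_ip iphash 2>/dev/null || true"
        echo "ipset -F blk_net; ipset -F blk_ip"
        for r in $BLOCK_RANGES; do echo "ipset -A blk_net $r"; done
        for h in $BLOCK_HOSTS;  do echo "ipset -A blk_ip $h"; done
        for s in blk_net blk_ip; do
            for c in INPUT FORWARD; do
                # delete-then-insert: exactly one copy of the rule survives reruns
                echo "iptables -D $c -i $WAN_IF -m set --set $s src -j DROP 2>/dev/null || true"
                echo "iptables -I $c -i $WAN_IF -m set --set $s src -j DROP"
            done
        done
        ;;
    6)
        # ipset 6.x: create/add/flush; hash:net takes networks and /32 hosts,
        # "-exist" (short form "-!") tolerates an existing set, and the
        # iptables match is "--match-set NAME src".
        echo "ipset -exist create blk_net hash:net"
        echo "ipset flush blk_net"
        for r in $BLOCK_RANGES $BLOCK_HOSTS; do echo "ipset add blk_net $r"; done
        for c in INPUT FORWARD; do
            echo "iptables -D $c -i $WAN_IF -m set --match-set blk_net src -j DROP 2>/dev/null || true"
            echo "iptables -I $c -i $WAN_IF -m set --match-set blk_net src -j DROP"
        done
        ;;
    esac
}

# apply: detect the generation, then run (or with DRY_RUN=1, only show) the commands.
apply() {
    major=$(ipset_major)
    case "$major" in
        4) load_modules ;;
        6) ;;
        *) echo "ipset not found or version not recognised" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" = "1" ]; then
        gen_cmds "$major"
    else
        gen_cmds "$major" | sh -e
    fi
}

case "$0" in *firewall-start) apply ;; esac
```

On the router, `ipset -L blk_net` lists the set and `iptables -L INPUT -v -n` shows the counters on the set match, so a range that is being hit is visible without reading the log.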
  19. speedingcheetah

    speedingcheetah Senior Member

    Joined:
    May 12, 2013
    Messages:
    381
    Location:
    MN
    Where is the VPN log?

    I have the AC56U... on stock FW 3.0.0.4.374.501

    I was wondering where the VPN log is... so that I can check to see if anyone is trying to use it (OpenVPN)...

    I see something buried in the general log, but is there any special page that specifically shows login attempts?

    I had my FTP server brute-forced a while back... and had to disable it... want to make sure I am not being attacked....

    Can I just disable OpenVPN in the web UI... and then turn it on when I need it... without having to change the OpenVPN config on the clients all the time?
     
  20. RMerlin (Part of the Furniture)
    OpenVPN logging all goes to the system log.

    If you use signed keys instead of password-based authentication, it will be nearly impossible for anyone to bruteforce their way through it, so there won't be any need to worry.
     