How to Dynamically Ban Malicious IP's using IPSet (Firewall Addition)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    799
    Location:
    UK
    This hacked version works on my RT-AC68U.

    NOTE: Country Blocking is no longer included...you can use the latest country blocking script from the Wiki https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset#tor-and-countries-block

    Full credit to member @Adamm for the original script/idea.

    Code:
    #!/bin/sh
    #=========================================================================================================================
    # Dynamically block unsolicited access attempts using IPSETs. Useful if U have opened ports >1024 as hopefully hackers will
    #             start their attempts at the more common ports e.g. 22,23 etc. so will be blocked BEFORE they reach your port!
    #
    #     IPSET_Block   [help|-h] | [status [full]] [reset] [delete] [ban [ip_addr]] [unban [ip_addr]] [whitelist]
    #
    #     IPSET_Block   status
    #                   Displays the number of currently blocked I/Ps and the number blocked since the last status request:
    #                   e.g.     Summary Blacklist: 12345 IPs currently banned. 99 New IP's Banned.
    #     IPSET_Block   status full
    #                   Display the contents of IPSETs Whitelist & Blacklist - beware there could be a lot!!!
    #     IPSET_Block   reset
    #                   Temporarily flush the IPSET Blacklist (It will be restored @BOOT or manually using the restore cmd)
    #     IPSET_Block   restore
    #                   Restore the IPSETs Whitelist & Blacklist from the current saved IPSETs.
    #                   (If 'delete' was used then U need to clone the 'backup' file before attempting the restore!)
    #     IPSET_Block   ban 12.34.56.7
    #                   Adds 12.34.56.7 to IPSET Blacklist
    #     IPSET_Block   unban 12.34.56.7
    #                   Removes 12.34.56.7 from IPSET Blacklist
    #     IPSET_Block   delete
    #                   Permanently flush the IPSET Blacklist (It cannot be restored @BOOT or using the restore cmd)
    #
    # /jffs/scripts/init-start
    #      /usr/sbin/cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
    #      /usr/sbin/cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
    #
    # /jffs/scripts/firewall-start
    #      /jffs/scripts/IPSET_Block.sh init
    #
    # NOTE: Whitelist will be automatically populated with local LAN subnet, but VLANs will need to be added manually e.g. 10.0.0.0/8 etc.
    #
    # Credit @adamm https://www.snbforums.com/threads/how-to-dynamically-ban-malicious-ips-using-ipset-firewall-addition.16798/#post-115872
    
    # Print between line beginning with'#==' to first blank line inclusive
    ShowHelp() {
     awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
    }
    
    MYROUTER=$(nvram get computer_name)
    
    if [ -d /tmp/mnt/$MYROUTER ]; then
       DIR="/tmp/mnt/"$MYROUTER
    else
       DIR="/tmp"
    fi
    
    bannedips=$DIR"/IPSET_IP_Count"    # Allows display of new blocked IPs after every implied/ explicit status request
    
    # 380.63+ for ARM routers, IPSET v6  is available...Load appropriate IPSET modules
    case $(ipset -v | grep -io "v[46]") in
      v6)
     MATCH_SET='--match-set'; CREATE='create'; ADD='add'; DELETE='del'; SWAP='swap'; SAVE='save'; FLUSH='flush'; RESTORE='restore'
     IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
      do
       insmod $module > /dev/null 2>&1
      done
     ;;
      v4)
     MATCH_SET='--set'; CREATE='--create'; ADD='--add'; DELETE='--del'; SWAP='--swap'; SAVE='--save'; FLUSH='--flush'; RESTORE='--restore'
     IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
      do
       insmod $module
      done
     ;;
      *)
     logger -st "($(basename $0))" $$ "**ERROR** Unknown ipset version: $(ipset -v). Exiting."
     echo -e "\a"
     exit 99
     ;;
    esac
    
    
    # Need assistance!???
    if [ "$1" == "help" ] || [ "$1" == "-h" ]; then
     ShowHelp
     exit 0
    fi
    
    ACTION=$1
    # If the first arg is an I/P address or subnet then assume it is to be blocked.
    # TBA
    
    # status / ban / unban / reset / delete / save / ban / whitelist / backup
    case $ACTION in
     status)
      echo -en "\n"
      ipset -L Blacklist | grep -vE "^[0-9]"  # Sadly 'ipset -t Blacklist' to list only the IPSET header doesn't work on Asus
      if [ ! -z $2 ];then           # Verbose if 2nd arg
       ipset -L Blacklist        | \
        grep -E "^[0-9]"       | \
        sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | \
        awk ' {printf "%15s\t", $1;}'
       echo " ";echo " "
       ipset -L Whitelist
      fi
      #logger -s -t "($(basename $0))" $$  `ipset -L`
      ;;
     ban)
      if [ -z $2 ];then
       echo "Input IP Address"
       read bannedip
      else
       bannedip=$2
      fi
      logger -st "($(basename $0))" $$  "Adding" $bannedip "to Blacklist ... ... ..."
      ipset -q -A Blacklist $bannedip
      echo "$bannedip Is Now Banned"
      ;;
     unban)
      if [ -z $2 ]; then
       echo "Input IP Address To Unban"
       read unbannedip
      else
       unbannedip=$2
      fi
      logger -st "($(basename $0))" $$  "Unbanning and removing" $unbannedip "from Blacklist ... ... ..."
      ipset $DELETE Blacklist $unbannedip
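      unbanre=$(echo "$unbannedip" | sed 's/\./\\./g')   # Escape the dots so e.g. 1.2.3.4 cannot also match 11.2.3.45
      echo "$(sed "/ $unbanre\$/d" $DIR/IPSET_Rules.txt)" > $DIR/IPSET_Rules.txt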
      echo $unbannedip "Is Now Unbanned"
       ;;
     reset)
      logger -st "($(basename $0))" $$  "Temporarily Allowing ALL ("`cat $bannedips`") I/P's in Blacklist IPSET"
      NOW=$(date +"%Y%m%d-%H%M%S")    # current date and time
      mv  $DIR/IPSET_Rules.txt $DIR/IPSET_Rules.txt-$NOW   # Create restore backup
      ipset $SAVE > $DIR/IPSET_Rules.txt        # Save the current IPSETs
      ipset $FLUSH Blacklist
      rm $bannedips      # Reset counter '0'
      ;;
     delete)
      logger -st "($(basename $0))" $$  "Permanently deleting ALL ("`cat $bannedips`") I/Ps from Blacklist."
      ipset $FLUSH Blacklist
      rm $bannedips      # Reset counter '0'
      ipset $SAVE > $DIR/IPSET_Rules.txt
      ;;
     save)
      #echo "Saving Blacklists ... ... ..."
      logger -st "($(basename $0))" $$  "Saving IPSet rules to  $DIR/IPSET_Rules.txt ... ... ..."
      # Only save the IPSETs associated with this script, into the file that 'init' restores and 'backup' copies
      ipset $SAVE Blacklist >  $DIR/IPSET_Rules.txt
      ipset $SAVE Whitelist >> $DIR/IPSET_Rules.txt
      ############Why wipe Syslog??????##########
      #echo "`sed '/crond: USER admin/d' /tmp/syslog.log`" > /tmp/syslog.log
      ;;
     whitelist)
      echo "Input file location"      # see /jffs/configs/IPSET_Whitelist
      read WHITELISTFILE
      for IP in `cat $WHITELISTFILE`
       do
        ipset -q -A Whitelist $IP
        echo $IP
       done
      ipset $SAVE > $DIR/IPSET_Rules.txt
      ;;
     backup)
      #echo "Backing Up Current IPSet Rules"
      logger -st "($(basename $0))" $$  "Creating IPSET rule backup to "$DIR"/IPSET_Rules.bak ... ... ..."
      cp -f $DIR/IPSET_Rules.txt $DIR/IPSET_Rules.bak
      ;;
     init)
      # ....called from firewall-start?
     
      if [ X"`nvram get fw_log_x`" = X"drop" ]
      then
       logger -st "($(basename $0))" $$ "Correct 'logdrop' Setting Detected"
      else
       logger -st "($(basename $0))" $$  "Setting 'logdrop'....."
       nvram set fw_log_x=drop
       nvram commit
      fi
      if [ X"`nvram get fw_enable_x`" = X"1" ]
      then
       logger -st "($(basename $0))" $$ "Correct 'firewall' enabled Setting Detected."
      else
       logger -st "($(basename $0))" $$ "Setting 'enable' firewall....."
       nvram set fw_enable_x=1
       nvram commit
      fi
      logger -st "($(basename $0))" $$  "IPSET Dynamic blocking initialisation Starting....."
      iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 2> /dev/null > /dev/null
      iptables -D INPUT -m set $MATCH_SET Whitelist src -j ACCEPT 2> /dev/null > /dev/null
      iptables -D INPUT -m set $MATCH_SET Blacklist src -j DROP 2> /dev/null > /dev/null
      iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src 2> /dev/null > /dev/null
      # 'init' will restore IPSETs from file  but 'init full' will re-create empty IPSETs
      if [ -s "${DIR}/IPSET_Rules.txt" ] && [ -z "$2" ]; then
       logger -st "($(basename $0))" $$  "IPSET "$DIR"/IPSET_Rules.txt found... restore starting...."
         ipset $RESTORE  < $DIR/IPSET_Rules.txt
      else
         logger -st "($(basename $0))" $$  "IPSETs: Whitelist & Blacklist being created....."
     
         ipset -q -F Whitelist
         ipset -q -F Blacklist
         ipset -q -X Whitelist
         ipset -q -X Blacklist
     
         ipset -q -N Whitelist $NETHASH
         ipset -q -N Blacklist $IPHASH
      fi
      RULENO=`iptables -nvL INPUT --line | grep "lo " | awk '{print $1}'`
      RULENO=$(($RULENO+1))
      #logger -st "($(basename $0))" $$  "**DEBUG RULENO="$RULENO
      iptables -I INPUT $RULENO -m set $MATCH_SET Blacklist src -j DROP
      iptables -I INPUT $RULENO -m set $MATCH_SET Whitelist src -j ACCEPT
      RC=$?      # Capture the iptables status now; '$?' is overwritten by the test below
      if [ "$RC" -gt 0 ];then
         logger -st "($(basename $0))" $$  "**ERROR** Unable to add - INPUT $MATCH_SET Whitelist RC="$RC
         echo -e "\a`iptables -nvL INPUT --line >> /tmp/syslog.log`"
      fi
      logger -st "($(basename $0))" $$  "IPSETs: 'Whitelist & Blacklist' Blocking enabled"
      iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
      ipset -q -A Whitelist `nvram get lan_ipaddr`/24
      # Remember to manually include all VLANs e.g. 10.0.0.0/8 see /jffs/configs/IPSET_Whitelist
      #############Why destroy Syslog???#########
      #echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
      #echo "`sed '/DROP IN=/d' /tmp/syslog.log-1`" > /tmp/syslog.log-1
      #echo "`sed '/DROP IN=/d' $DIR/Syslog/syslog.log`" > $DIR/Syslog/syslog.log
    
    esac
    
    # Summary
    if [ ! -s "$bannedips" ]; then
       OLDAMOUNT=0
    else
       OLDAMOUNT=`cat "$bannedips"`
    fi
    if [ `ipset -L Blacklist | grep -vE "^[NTRHSM]" | wc -l` -gt 0 ]; then
       expr `ipset -L Blacklist | grep -vE "^[NTRHSM]" | wc -l` > $bannedips
       NEWAMOUNT=`cat $bannedips`
    else
       NEWAMOUNT=0
    fi
    logger -st "($(basename $0))" $$  "Summary Blacklist: $OLDAMOUNT IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. "
     
    Last edited: Mar 8, 2017
    HardCat and skeal like this.
  2. skeal

    skeal Regular Contributor

    Joined:
    Apr 30, 2016
    Messages:
    78
    Sorry I screwed up. Please advise where to put this code: is it in init-start or firewall-start? Do I paste all of it in one chunk, and to what locations? The original post on page 1 of this thread doesn't really help me.
     
  3. skeal

    skeal Regular Contributor

    Joined:
    Apr 30, 2016
    Messages:
    78
    Can you help me with what code goes where please?
     
  4. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    799
    Location:
    UK
    Follow the wiki on how to create scripts and make them executable.
    https://github.com/RMerl/asuswrt-merlin/wiki

    ..basically cut'n'paste either into WinSCP editor or nano editor from the command line.

    So I suggest you create it as /jffs/scripts/IPSET_Block.sh, and as per the help info documented in the script, you will need to update firewall-start and init-start accordingly.
     
  5. skeal

    skeal Regular Contributor

    Joined:
    Apr 30, 2016
    Messages:
    78
    Thank you @Martineau your help is greatly appreciated. I was able to put it together and get it working. Thanks again for your script writing skills!
     
  6. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    @Martineau
    Thank you for this script. I have to ask, I don't understand how blocked IPs get into the "Blacklist" chain?
     
  7. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    799
    Location:
    UK
    The script ensures the 'Logged packets type=Dropped' is enabled in the Firewall->General GUI

    A rule is added to the '-t filter logdrop' chain
    Code:
    iptables -nvL logdrop --line -t filter
    
    Chain logdrop (9 references)
    num   pkts bytes target     prot opt in     out     source               destination      
    1      248 11883 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
    2      248 11883 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
    3      367 17965 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  
     
    Last edited: Mar 11, 2017
  8. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    Okay, thanks, I see it now. :D
    Code:
    iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
     
  9. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    I have run this script for half a day and have a HUGE amount of "DROPIN=vlan11" in the log.
    Hope it subsides when the Blacklist log becomes full of IP numbers.
    Code:
    Chain logdrop (8 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1      344 17509 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
    2      368 18669 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP"
    3      368 18669 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  
     
  10. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    799
    Location:
    UK
    Well that's an annoying nuisance isn't it! :D

    In the script there is a block of code commented out..any idea what it would do if enabled?;)
    Code:
    #############Why destroy Syslog???#########
    #echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
    #echo "`sed '/DROP IN=/d' /tmp/syslog.log-1`" > /tmp/syslog.log-1
    One of the reasons I personally don't want the Syslog to be sanitised is because I run a cron job every hour that creates a report from the "DROP IN" messages of all the blocked access attempts:

    Sat Mar 11 12:00:00 GMT 2017
    1 http://www.speedguide.net/port.php?port=21
    108 http://www.speedguide.net/port.php?port=22
    523 http://www.speedguide.net/port.php?port=23
    3 http://www.speedguide.net/port.php?port=53
    17 http://www.speedguide.net/port.php?port=80
    6 http://www.speedguide.net/port.php?port=81
    8 http://www.speedguide.net/port.php?port=88
    2 http://www.speedguide.net/port.php?port=110
    2 http://www.speedguide.net/port.php?port=111
    1 http://www.speedguide.net/port.php?port=115
    1 http://www.speedguide.net/port.php?port=119
    1 http://www.speedguide.net/port.php?port=123
    1 http://www.speedguide.net/port.php?port=137
    1 http://www.speedguide.net/port.php?port=138
    1 http://www.speedguide.net/port.php?port=139
    1 http://www.speedguide.net/port.php?port=194
    1 http://www.speedguide.net/port.php?port=264
    2 http://www.speedguide.net/port.php?port=389
    1 http://www.speedguide.net/port.php?port=443
    9 http://www.speedguide.net/port.php?port=445
    1 http://www.speedguide.net/port.php?port=502
    1 http://www.speedguide.net/port.php?port=513
    3 http://www.speedguide.net/port.php?port=514
    1 http://www.speedguide.net/port.php?port=631
    3 http://www.speedguide.net/port.php?port=636
    2 http://www.speedguide.net/port.php?port=808
    2 http://www.speedguide.net/port.php?port=990
    1 http://www.speedguide.net/port.php?port=992
    2 http://www.speedguide.net/port.php?port=993
    4 http://www.speedguide.net/port.php?port=995
    2 http://www.speedguide.net/port.php?port=1028
    1 http://www.speedguide.net/port.php?port=1080
    1 http://www.speedguide.net/port.php?port=1099
    8 http://www.speedguide.net/port.php?port=1433
    1 http://www.speedguide.net/port.php?port=1521
    1 http://www.speedguide.net/port.php?port=1883
    1 http://www.speedguide.net/port.php?port=1911
    1 http://www.speedguide.net/port.php?port=2077
    1 http://www.speedguide.net/port.php?port=2081
    1 http://www.speedguide.net/port.php?port=2086
    1 http://www.speedguide.net/port.php?port=2095
    1 http://www.speedguide.net/port.php?port=2096
    13 http://www.speedguide.net/port.php?port=2222
    49 http://www.speedguide.net/port.php?port=2323
    1 http://www.speedguide.net/port.php?port=2375
    1 http://www.speedguide.net/port.php?port=2376
    1 http://www.speedguide.net/port.php?port=2433
    1 http://www.speedguide.net/port.php?port=2638
    1 http://www.speedguide.net/port.php?port=3128
    1 http://www.speedguide.net/port.php?port=3299
    1 http://www.speedguide.net/port.php?port=3306
    12 http://www.speedguide.net/port.php?port=3389
    1 http://www.speedguide.net/port.php?port=3390
    1 http://www.speedguide.net/port.php?port=3391
    1 http://www.speedguide.net/port.php?port=3393
    1 http://www.speedguide.net/port.php?port=3541
    1 http://www.speedguide.net/port.php?port=4028
    1 http://www.speedguide.net/port.php?port=4899
    1 http://www.speedguide.net/port.php?port=5060
    2 http://www.speedguide.net/port.php?port=5093
    1 http://www.speedguide.net/port.php?port=5222
    3 http://www.speedguide.net/port.php?port=5351
    156 http://www.speedguide.net/port.php?port=5358
    3 http://www.speedguide.net/port.php?port=5432
    1 http://www.speedguide.net/port.php?port=5631
    1 http://www.speedguide.net/port.php?port=5900
    1 http://www.speedguide.net/port.php?port=5902
    2 http://www.speedguide.net/port.php?port=6379
    1 http://www.speedguide.net/port.php?port=6789
    1 http://www.speedguide.net/port.php?port=7001
    1 http://www.speedguide.net/port.php?port=7002
    2 http://www.speedguide.net/port.php?port=7071
    2 http://www.speedguide.net/port.php?port=7300
    4 http://www.speedguide.net/port.php?port=7547
    1 http://www.speedguide.net/port.php?port=8000
    1 http://www.speedguide.net/port.php?port=8022
    2 http://www.speedguide.net/port.php?port=8080
    2 http://www.speedguide.net/port.php?port=8081
    1 http://www.speedguide.net/port.php?port=8088
    1 http://www.speedguide.net/port.php?port=8118
    1 http://www.speedguide.net/port.php?port=8883
    1 http://www.speedguide.net/port.php?port=9000
    1 http://www.speedguide.net/port.php?port=9191
    1 http://www.speedguide.net/port.php?port=9200
    1 http://www.speedguide.net/port.php?port=9999
    1 http://www.speedguide.net/port.php?port=10000
    1 http://www.speedguide.net/port.php?port=11211
    1 http://www.speedguide.net/port.php?port=13868
    1 http://www.speedguide.net/port.php?port=17185
    1 http://www.speedguide.net/port.php?port=25565
    1 http://www.speedguide.net/port.php?port=27017
    1 http://www.speedguide.net/port.php?port=33389
    1 http://www.speedguide.net/port.php?port=33399
    1 http://www.speedguide.net/port.php?port=35860
    1 http://www.speedguide.net/port.php?port=49153
    1 http://www.speedguide.net/port.php?port=50100
    1 http://www.speedguide.net/port.php?port=50802

    ..so out of curiosity I can identify which ports are currently popular targets.

    Clearly, well known ports 23 and 22 (523 and 108 attempts respectively) are not surprisingly popular targets, but why/who are 5358 and 2323 (156 and 49 attempts) ? - so the report makes it easy for me to simply click on a helpful 'live' URL description when I review the report.

    The IPSET can grow very large, and I did consider exploiting the IPSET v6.4 'timeout' option to have the IPSET automatically discard entries older than say 24hours etc., but chances are they would eventually (if not the next day :() reappear in the IPSET!
     
    Last edited: Mar 14, 2017
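A per-port report in the format shown above can be produced from the firewall's DROP lines with one awk pass. This is an added example, not Martineau's own cron job (which is not shown in the thread); the function names and the sample log lines are constructed, and the `DROPIN=` prefix is matched as well because it appears elsewhere in this thread.

```shell
#!/bin/sh
# drop_port_report FILE
# Count dropped packets per destination port and print one line per port:
#   <count> http://www.speedguide.net/port.php?port=<port>
# sorted by port number, as in the report quoted in the post.
drop_port_report() {
    awk '
        /DROP ?IN=/ {                       # "DROP IN=" or "DROPIN=" lines only
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=[0-9]+$/) {  # ICMP drops carry no DPT= field
                    count[substr($i, 5)]++
                    break
                }
        }
        END {
            for (p in count)
                printf "%d http://www.speedguide.net/port.php?port=%s\n", count[p], p
        }
    ' "$1" | sort -t= -k2,2n                # field after "port=" is the port
}

# Constructed sample syslog (documentation address ranges, not real traffic).
write_sample_syslog() {
    cat > "$1" <<'EOF'
Mar 11 11:00:01 kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=45678 DPT=23 SYN
Mar 11 11:00:02 kernel: DROP IN=ppp0 OUT= SRC=203.0.113.6 DST=198.51.100.7 PROTO=TCP SPT=41000 DPT=23 SYN
Mar 11 11:00:04 kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=52211 DPT=22 SYN
Mar 11 11:00:07 kernel: DROP IN=ppp0 OUT= SRC=192.0.2.11 DST=198.51.100.7 PROTO=TCP SPT=52212 DPT=22 SYN
Mar 11 11:00:09 kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=23 SYN
Mar 11 11:00:11 kernel: DROP IN=ppp0 OUT= SRC=192.0.2.12 DST=198.51.100.7 PROTO=UDP SPT=5000 DPT=5358 LEN=20
Mar 11 11:00:12 kernel: DROPIN=vlan11 OUT= SRC=192.0.2.13 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=2323 SYN
Mar 11 11:00:13 kernel: DROP IN=ppp0 OUT= SRC=192.0.2.14 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
Mar 11 11:00:15 kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=192.0.2.80 PROTO=TCP SPT=50000 DPT=80
Mar 11 11:00:20 dnsmasq-dhcp[321]: DHCPREQUEST(br0) 192.168.1.20 aa:bb:cc:dd:ee:ff
EOF
}

# Demo run on the constructed log.
sample=$(mktemp)
write_sample_syslog "$sample"
date
drop_port_report "$sample"
rm -f "$sample"
```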
  11. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    @Martineau
    "Code commented out..any idea what it would do if enabled?" Yes now when you mention that. :)
    Code:
    echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
    I want to use this to minimise annoying log flooding. I use a symlink to /mnt where my log is saved. Will this "sed" command work?
    Code:
     ln -s /mnt/rt-ac68/logs/syslog.log /tmp/syslog.log
    I really appreciate all your kinds of scripts, and am using part of it or all. :)
     
  12. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    799
    Location:
    UK
    Yes...I too have Syslog writing to a flash drive mounted on /tmp/mnt/RT-AC68U

    You can prove the 'sed' command works by trying this on the command line before you edit the script!
    Code:
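    grep "DROP IN" /tmp/syslog.log | wc -l
    # Same form as in the script: the backticks finish reading the log before '>' truncates it
    echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
    grep "DROP IN" /tmp/syslog.log | wc -l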
     
  13. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    Seems to be working, had to modify it to "DROPIN".
    Code:
    [email protected]:/tmp/home/root# grep "DROPIN" /tmp/syslog.log | wc -l
    1260
    After this log is deleted and started to log DROP again after first write to log from router program.
    Code:
    [email protected]:/tmp/home/root# sed '/DROPIN=/d' /tmp/syslog.log > /tmp/syslog.log
    Code:
    [email protected]:/tmp/home/root# grep "DROPIN" /tmp/syslog.log | wc -l
    0
    @Martineau
     
  14. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    799
    Location:
    UK
    Hmm, no idea why I have "DROP IN=", whereas you have "DROPIN=", also I don't have interface "vlan11" either.

    Anyway glad you can now have the port hackers silently blocked!
     
  15. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    I don't know why we have different DROP but I use IPTV internet vlan11.
    Well, it only works until new data is written to the log.
    "After this log is deleted and started to log DROP again after first write to log from router program."
    @Martineau
     
    Last edited: Mar 14, 2017
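The "log is deleted" result reported above follows from the `sed ... FILE > FILE` form: the shell truncates the output file before sed reads it. The sketch below is an added example, not code from any poster; it puts that form beside a variant that filters through a temporary file and copies the result back, so a symlinked syslog stays a symlink. Function names and log lines are constructed.

```shell
#!/bin/sh
# The form tried in the thread: '>' opens (and empties) the file before sed
# starts, so sed reads nothing and every line is lost, not just DROP lines.
naive_strip() {
    sed -e '/DROP IN=/d' -e '/DROPIN=/d' "$1" > "$1"
}

# strip_drop_lines FILE
# Remove firewall DROP lines ("DROP IN=" or "DROPIN=") from FILE and print how
# many lines were removed. The result is written back with 'cat >' rather than
# a rename, so FILE keeps its inode and a symlink to a USB drive is preserved.
# Lines that syslogd appends between the read and the write-back are lost.
strip_drop_lines() {
    log=$1
    [ -f "$log" ] || return 1
    tmp=$(mktemp) || return 1
    before=$(wc -l < "$log")
    sed -e '/DROP IN=/d' -e '/DROPIN=/d' "$log" > "$tmp"
    after=$(wc -l < "$tmp")
    cat "$tmp" > "$log"
    rm -f "$tmp"
    echo $((before - after))
}

# Constructed sample log: two ordinary lines plus one DROP line per prefix form.
write_demo_log() {
    cat > "$1" <<'EOF'
Mar 14 10:00:01 dnsmasq-dhcp[321]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:dd:ee:ff laptop
Mar 14 10:00:05 kernel: DROP IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=23
Mar 14 10:00:09 kernel: DROPIN=vlan11 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=51200 DPT=2323
Mar 14 10:00:12 crond[455]: USER admin pid 999 cmd /jffs/scripts/IPSET_Block.sh save
EOF
}

# Demo: the log lives in one place and is reached through a symlink.
demo_dir=$(mktemp -d)
write_demo_log "$demo_dir/real.log"
ln -s "$demo_dir/real.log" "$demo_dir/syslog.log"
echo "lines removed: $(strip_drop_lines "$demo_dir/syslog.log")"
cat "$demo_dir/real.log"
rm -rf "$demo_dir"
```

Filtering the log only hides entries already written; new drops keep being logged for as long as the LOG rule remains in the logdrop chain, which is what the last post describes.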
  16. el pescador

    el pescador Regular Contributor

    Joined:
    Jan 15, 2016
    Messages:
    122
    Hope this is the right place.
    Is there any way of blocking a range of IPs?
    For example 159.153.76.xxx
    I'm using DD-WRT but also have Merlin on the AC88U, which I switch over every week or few days.
     
