Network Services Filter Table whitelist CIDR format


That appears to be where the DROP messages are coming from.
Yes, but why do I get DROP packets when I correctly forward Cloudflare? Is there any way to whitelist those IPs without turning off the DDoS completely? The problem happens from time to time.

I have my research website and would like to share it with my advisor, but with these 522 errors it is not stable enough to share.

Thank you for your support, really appreciated.
 
Yes, but why do I get DROP packets when I correctly forward Cloudflare?
Just because you're forwarding ports doesn't mean you don't need DOS protection. Quite the opposite in fact. That's a huge range of addresses that you're allowing.

Is there any way to whitelist those IPs without turning off the DDoS completely? The problem happens from time to time.
It's messy. You'd have to create a firewall-start script like this:
Code:
#!/bin/sh

# Let TCP traffic from Cloudflare's IPv4 ranges to the forwarded host 10.0.0.4
# leave the SECURITY chain (RETURN) before the DoS-protection rules see it.
iptables -I SECURITY -p tcp -s 103.21.244.0/22  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 103.22.200.0/22  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 103.31.4.0/22    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 104.16.0.0/13    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 104.24.0.0/14    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 108.162.192.0/18 -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 131.0.72.0/22    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 141.101.64.0/18  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 162.158.0.0/15   -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 172.64.0.0/13    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 173.245.48.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 188.114.96.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 190.93.240.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 197.234.240.0/22 -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 198.41.128.0/17  -d 10.0.0.4 -j RETURN
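The same rules wrapped in a small helper script, so they can be added idempotently from firewall-start (which may run more than once), removed again later, and checked alongside the iptables-save counters. This is an added example, not code from the thread; it assumes the Asuswrt-Merlin SECURITY chain and the forwarded host 10.0.0.4 used above, and the script name cf-whitelist.sh and the CF_TARGET variable are my own choices.

```sh
#!/bin/sh
# cf-whitelist.sh: manage Cloudflare bypass rules in the SECURITY chain.
# Usage: cf-whitelist.sh add|del|check   (call it with "add" from firewall-start)
# Assumptions: Asuswrt-Merlin SECURITY chain, forwarded LAN host 10.0.0.4 as in the thread.
TARGET="${CF_TARGET:-10.0.0.4}"

# Cloudflare IPv4 ranges exactly as listed in the thread; verify them against
# Cloudflare's published list before relying on them.
CF_RANGES="103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13
104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15
172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20
197.234.240.0/22 198.41.128.0/17"

# One place builds the match, so add, del and check always use identical rules.
rule_spec() { echo "SECURITY -p tcp -s $1 -d $TARGET -j RETURN"; }

# True when the rule for this range is already in the chain.
has_rule() { iptables -C $(rule_spec "$1") 2>/dev/null; }

# Insert only when absent: firewall-start can run more than once per boot and a
# blind "-I" would pile up duplicate rules.
add_rule() {
    if has_rule "$1"; then echo "exists: $1"
    else iptables -I $(rule_spec "$1") && echo "added: $1"
    fi
}

# Delete every copy of the rule, so leftovers from older runs go too.
del_rule() {
    while has_rule "$1"; do
        iptables -D $(rule_spec "$1") && echo "deleted: $1"
    done
}

# Report presence per range; pair with "iptables-save -t filter -c" for hit counters.
check_rule() {
    if has_rule "$1"; then echo "present: $1"; else echo "missing: $1"; fi
}

main() {
    case "$1" in
        add|del|check) ;;
        *) echo "usage: $0 add|del|check" >&2; return 1 ;;
    esac
    for net in $CF_RANGES; do
        "${1}_rule" "$net"
    done
}
[ $# -eq 0 ] || main "$@"
```

Run it as /jffs/scripts/cf-whitelist.sh add from firewall-start, and del when the rules are no longer wanted.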
 
I am not familiar with adding a firewall-start script. Just add those to the shell?

I would appreciate it if there are any steps to follow, in case I want to delete or modify a rule later.

Thanks
 
Thank you so much, I will look into it and hope it will work :)
It would probably be a lot easier if you ran your web server on a non-standard port rather than the normal HTTPS port, 443. Using port 443 is a giant magnet for every hacker and port scanner on the planet (or Cloudflare). If you were to run it on a port like 28652 it's likely you wouldn't have a problem with DoS protection kicking in.

P.S. Looking at your iptables output you appear to have enabled Web Access from WAN on the router. This is a huge security concern so I suggest you disable that unless you really need it. If you need remote access to your router or LAN you could use the VPN server (which you already have running).
 
Thanks Colin, for your suggestion. Actually I am using port forwarding to forward 443 to a Kemp load balancer and reverse proxy, which then handles the request to my web server using a different port than 443.
 
Thanks for the update. I don't really understand your setup because I'm not familiar with the Kemp loadbalancer. But my concern was if your router was forwarding port 443 from the public internet rather than what was happening on the LAN. Ports 22, 23, 80 and 443 are probably the most common ports for scanner/hacker traffic.
 
Quick question:

should I save the file like this, firewall-start.sh, using VSCode with UNIX line endings?
 
I created the firewall-start file and applied chmod a+rx /jffs/scripts/*

but it seems the same result: I still have the 522 error and DROP packets in the log

May 24 10:36:56 kernel: DROP IN=eth0 OUT=br0 MAC=fc:34:97:3a:8b:d0:e0:1f:2b:2c:8f:52:08:00 SRC=172.69.69.127 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=55 ID=31971 DF PROTO=TCP SPT=15924 DPT=443 SEQ=1358575349 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000

When I turn off the DoS protection it works fine without any issue, but I don't want to turn off the DoS protection for every IP.
Any solution please?

Thank you so much
 
SSH into the router after you've tried to connect to 10.0.0.4 and enter this command to see if you're hitting the firewall rules as expected.
Code:
iptables-save -t filter -c
 
Sorry for the late reply.

I really appreciate your help, thanks a lot
 

Attachments

  • iptables.txt
Your firewall-start script has not run successfully. None of the rules have been added to the SECURITY chain. Check that you have enabled "JFFS custom scripts and configs" in the GUI under Administration - System.

It would also be a good idea to make sure the script is in Unix format rather than Windows format. Issue the following commands from an SSH session:
Code:
dos2unix /jffs/scripts/firewall-start
service restart_firewall
 
Yes, correct, you are right: "JFFS custom scripts and configs" was not enabled, my bad.

I will test whether everything is going to work fine.
Thank you so much, really appreciated.
 