1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Proper/best way to block traffic from external range, including port forwards

Discussion in 'Asuswrt-Merlin' started by bengalih, Dec 3, 2019.

  1. bengalih

    bengalih Regular Contributor

    Joined:
    Dec 13, 2016
    Messages:
    83
    So I have several port forwards setup on my device (using the GUI).

    I know the default firewall blocks all incoming traffic, but obviously port forwards are still acessible.
    I want to be able to block all traffic from a particular IP or range of IPs. Preferably block just to a particular forwarded port, but if required all ports will work.

    I assume I will want to use some type of iptables drop rule?
    Can someone help me with the proper way to add this, and the best place/script to put it?

    thanks.
     
  2. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,458
    Location:
    /etc
    I recommend Skynet.
     
  3. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,455
    Location:
    UK
    For specific Ports you will probably need to write your own rules.

    Old-skool method is to add individual/multiple rules for the source IPs and the target local Ports.
    Code:
    iptables -I FORWARD -i $(wan0_ifname) -s xxx.xxx.xxx.xxx[,123.xxx.xxx.xxx...] [-d 192.168.1.xxx] -p tcp -m tcp -m multiport --dport nnn[,nnn...] -j DROP
    or
    iptables -I FORWARD -i $(wan0_ifname) -m iprange --src-range xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx [-d 192.168.1.xxx] -p tcp -m tcp -m multiport --dport nnn,nnn -j DROP
    e.g. The following rule syntax generates two rules, one for each CIDR range
    Code:
    iptables -I FORWARD -i $(nvram get wan0_ifname) -s 1.2.3.0/24,3.2.1.0/24  -p tcp -m tcp -m multiport --dports 22,3389 -j DROP
    whereas the following rule syntax creates just one
    Code:
    iptables -I FORWARD -i $(nvram get wan0_ifname) -m iprange --src-range 4.5.6.0-10.9.8.0  -p tcp -m tcp -m multiport --dports 22,3389 -j DROP
    i.e.
    Code:
    iptables --line -t filter -nvL FORWARD
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination      
    1        0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            source IP range 4.5.6.0-10.9.8.0 tcp multiport dports 22,3389
    2        0     0 DROP       tcp  --  eth0   *       3.2.1.0/24           0.0.0.0/0            tcp multiport dports 22,3389
    3        0     0 DROP       tcp  --  eth0   *       1.2.3.0/24           0.0.0.0/0            tcp multiport dports 22,3389
    However, depending on the number of IPs/CIDRs it is usually considered easier to use IPSETs, which means the number of rules can be greatly reduced - sometimes even down to a single rule.

    e.g. Create three IPSETs containing separate entities - and of course the Ports defined in the two Port IPSETs must be mutually exclusive!
    Code:
              BAD_Guys         PROTECTED_Ports     ALLOWED_Ports
         xxx.xxx.xxx.xxx            3389                 80
         123.xxx.xxx.0/24             22                443
             etc.                                      8080
                                                       4321
    So a single rule that would BLOCK hundreds of source IP-to-Port combinations
    Code:
    iptables -I FORWARD -i $(wan0_ifname) -m set --match-set BAD_GUYS src -p tcp -m tcp -m set --match-set PROTECTED_PORTS dst -m set ! --match-set ALLOWED_PORTS dst -j DROP
    but simply adding a second rule would allow the BAD_GUYS to access your public Ports
    Code:
    iptables -I FORWARD -i $(wan0_ifname) -m set --match-set BAD_GUYS src -p tcp -m tcp -m set --match-set ALLOWED_PORTS dst -j ACCEPT
    firewall-start would probably be the best place for your custom rules.
     
    Last edited: Dec 4, 2019 at 12:10 PM