Proper/best way to block traffic from external range, including port forwards

[bengalih]

So I have several port forwards setup on my device (using the GUI).

I know the default firewall blocks all incoming traffic, but obviously port forwards are still acessible.
I want to be able to block all traffic from a particular IP or range of IPs. Preferably block just to a particular forwarded port, but if required all ports will work.

I assume I will want to use some type of iptables drop rule?
Can someone help me with the proper way to add this, and the best place/script to put it?

thanks.

 

[skeal]

So I have several port forwards setup on my device (using the GUI).

I know the default firewall blocks all incoming traffic, but obviously port forwards are still acessible.
I want to be able to block all traffic from a particular IP or range of IPs. Preferably block just to a particular forwarded port, but if required all ports will work.

I assume I will want to use some type of iptables drop rule?
Can someone help me with the proper way to add this, and the best place/script to put it?

thanks.

I recommend Skynet.

 

[Martineau]

So I have several port forwards setup on my device (using the GUI).

I know the default firewall blocks all incoming traffic, but obviously port forwards are still acessible.
I want to be able to block all traffic from a particular IP or range of IPs. Preferably block just to a particular forwarded port, but if required all ports will work.

I assume I will want to use some type of iptables drop rule?
Can someone help me with the proper way to add this, and the best place/script to put it?

For specific Ports you will probably need to write your own rules.

Old-skool method is to add individual/multiple rules for the source IPs and the target local Ports.

iptables -I FORWARD -i $(nvram get wan0_ifname) -s xxx.xxx.xxx.xxx[,123.xxx.xxx.xxx...] [-d 192.168.1.xxx] -p tcp -m tcp -m multiport --dport nnn[,nnn...] -j DROP
or
iptables -I FORWARD -i $(nvram get wan0_ifname) -m iprange --src-range xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx [-d 192.168.1.xxx] -p tcp -m tcp -m multiport --dport nnn,nnn -j DROP

e.g. The following rule syntax generates two rules, one for each CIDR range

iptables -I FORWARD -i $(nvram get wan0_ifname) -s 1.2.3.0/24,3.2.1.0/24  -p tcp -m tcp -m multiport --dports 22,3389 -j DROP

whereas the following rule syntax creates just one

iptables -I FORWARD -i $(nvram get wan0_ifname) -m iprange --src-range 4.5.6.0-10.9.8.0  -p tcp -m tcp -m multiport --dports 22,3389 -j DROP

i.e.

iptables --line -t filter -nvL FORWARD

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination     
1        0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            source IP range 4.5.6.0-10.9.8.0 tcp multiport dports 22,3389
2        0     0 DROP       tcp  --  eth0   *       3.2.1.0/24           0.0.0.0/0            tcp multiport dports 22,3389
3        0     0 DROP       tcp  --  eth0   *       1.2.3.0/24           0.0.0.0/0            tcp multiport dports 22,3389

However, depending on the number of IPs/CIDRs it is usually considered easier to use IPSETs, which means the number of rules can be greatly reduced - sometimes even down to a single rule.

e.g. Create three IPSETs containing separate entities - and of course the Ports defined in the two Port IPSETs must be mutually exclusive!

          BAD_Guys         PROTECTED_Ports     ALLOWED_Ports
     xxx.xxx.xxx.xxx            3389                 80
     123.xxx.xxx.0/24             22                443
         etc.                                      8080
                                                   4321

So a single rule that would BLOCK hundreds of source IP-to-Port combinations

iptables -I FORWARD -i $(wan0_ifname) -m set --match-set BAD_GUYS src -p tcp -m tcp -m set --match-set PROTECTED_PORTS dst -m set ! --match-set ALLOWED_PORTS dst -j DROP

but simply adding a second rule would allow the BAD_GUYS to access your public Ports

iptables -I FORWARD -i $(wan0_ifname) -m set --match-set BAD_GUYS src -p tcp -m tcp -m set --match-set ALLOWED_PORTS dst -j ACCEPT

firewall-start would probably be the best place for your custom rules.

 

[bengalih]

For specific Ports you will probably need to write your own rules.

Old-skool method is to add individual/multiple rules for the source IPs and the target local Ports.

2 questions here:
1) Old-skool as compared to what other method might I use?
2) If I just wanted to block entire IP/ranges instead of specific ports, would there be another method, or is manual IP tables still the way to go?

iptables -I FORWARD -i $(wan0_ifname) -s xxx.xxx.xxx.xxx[,123.xxx.xxx.xxx...] [-d 192.168.1.xxx] -p tcp -m tcp -m multiport --dport nnn[,nnn...] -j DROP
or
iptables -I FORWARD -i $(wan0_ifname) -m iprange --src-range xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx [-d 192.168.1.xxx] -p tcp -m tcp -m multiport --dport nnn,nnn -j DROP

e.g. The following rule syntax generates two rules, one for each CIDR range

iptables -I FORWARD -i $(nvram get wan0_ifname) -s 1.2.3.0/24,3.2.1.0/24  -p tcp -m tcp -m multiport --dports 22,3389 -j DROP

whereas the following rule syntax creates just one

iptables -I FORWARD -i $(nvram get wan0_ifname) -m iprange --src-range 4.5.6.0-10.9.8.0  -p tcp -m tcp -m multiport --dports 22,3389 -j DROP

Apart from creating one vs. two rules, what are the real differences/advantages/disadvantages to one over the other?

Also, I tested these out and they aren't working for me. I tried one entry of each to block my cell phone's public WAN IP from being able to access port 443 (which is nginx running on my box) and they didn't work. I thought perhaps there might be an issue since this is a local service (on-router), so I then setup a port forward for RDP to a particular box and then blocked it and that seemed to work.

How should/might I adjust these rules to block access to 443/nginx on the box itself?
Would that just be an INPUT rule instead of a FORWARD? That seems to work, but wanted to confirm.

thanks.

 

[Martineau]

2 questions here:
1) Old-skool as compared to what other method might I use?
2) If I just wanted to block entire IP/ranges instead of specific ports, would there be another method, or is manual IP tables still the way to go?

A1. You still need iptables rules, but maintaining an IPSET containing all the IP/ranges means you only ever need one iptables rule per IPSET rather than (possibly) one rule per IP.

How should/might I adjust these rules to block access to 443/nginx on the box itself?

Would that just be an INPUT rule instead of a FORWARD? That seems to work, but wanted to confirm

A2. Yes.

Services that are hosted on the Router use the '-t filter' INPUT/OUTPUT chains rather than the '-t filter' FORWARD chain which is used for services hosted on LAN devices.

 

[bengalih]

You still need iptables rules, but maintaining an IPSET containing all the IP/ranges means you only ever need one iptables rule per IPSET rather than one rule per IP.

Yes.

Services that are hosted on the Router use the '-t filter' INPUT/OUTPUT chains rather than the '-t filter' FORWARD chain which is used for services hosted on LAN devices.

Thanks, still curious as to the advantages/disadvantages of the two different types of syntax you showed.
If looks like the -m option is the one I need to use if I go with a set (-m set vs -m iprange)?
If that's the case than it is clear that the advantage to the -m one is that I can use sets.
Exclusive of sets however (if I'm just writing a one off rule), why choose one syntax over the other?

 

[Martineau]

Thanks, still curious as to the advantages/disadvantages of the two different types of syntax you showed.
If looks like the -m option is the one I need to use if I go with a set (-m set vs -m iprange)?
If that's the case than it is clear that the advantage to the -m one is that I can use sets.
Exclusive of sets however (if I'm just writing a one off rule), why choose one syntax over the other?

IPSETs are extremely efficient (even with thousands of member entries), furthermore they can contain of IPs/CIDR ranges etc.

Ultimately it is your choice to choose how you want to manage the iptables rules.

The difference in syntax means that you can save on typing and reduce the number of iptables rules, but depending on the method chosen, the downside is that you lose the ability to extract detailed statistics

i.e. if the single rule that matches the IPSET has fired 1000 times, if the IPSET contains 1000 entities (IPs/CIDR ranges) how do you know if one IP matched 1000 times or each entity matched only once?

Similarly for the following one-rule multi-IP syntax

-m iprange --src-range xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx

 

[bengalih]

IPSETs are extremely efficient (even with thousands of member entries), furthermore they can contain of IPs/CIDR ranges etc.

Ultimately it is your choice to choose how you want to manage the iptables rules.

Ok, I get that - but maybe I wasn't specific enough. I'm asking more simply if I presented each of these rules to you as an option:

iptables -I FORWARD -i $(wan0_ifname) -s 20.149.12.12/32 -d 10.10.10.102 -p tcp -m tcp -m multiport --dport 443 -j DROP
or
iptables -I FORWARD -i $(wan0_ifname) -m iprange --src-range 20.149.12.12 -d 10.10.10.102 -p tcp -m tcp -m multiport --dport 443 -j DROP

What is the difference between the two? Is there any advantage to one of the other for a simple rule like above (no IPSETs involved).

 

[ColinTaylor]

What is the difference between the two? Is there any advantage to one of the other for a simple rule like above (no IPSETs involved).

No significant difference... other than you have a syntax error in the second command. --src-range should be a range, e.g. 20.149.12.12-20.149.12.250. Therefore it is more flexible than using -s where you are restricted to using specific IP's or IP's that are CIDR ranges.

 

[Martineau]

... you have a syntax error in the second command. --src-range should be a range, e.g. 20.149.12.12-20.149.12.250.

Wrong.

 

[Martineau]

Ok, I get that - but maybe I wasn't specific enough. I'm asking more simply if I presented each of these rules to you as an option:

iptables -I FORWARD -i $(nvram get wan0_ifname) -s 20.149.12.12/32 -d 10.10.10.102 -p tcp -m tcp -m multiport --dport 443 -j DROP
or
iptables -I FORWARD -i $(nvram get wan0_ifname) -m iprange --src-range 20.149.12.12 -d 10.10.10.102 -p tcp -m tcp -m multiport --dport 443 -j DROP

What is the difference between the two? Is there any advantage to one of the other for a simple rule like above (no IPSETs involved).

For a single source IP address, technically no difference, but they are visually different which, in a large table, one version might be more human-friendly over the other?
e.g.

iptables  --line -t filter -nvL FORWARD
 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 DROP       tcp  --  eth0   *       20.149.12.12         10.10.10.102         tcp multiport dports 443
2        0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            10.10.10.102         source IP range 20.149.12.12-20.149.12.12 tcp multiport dports 443

 

[bengalih]

Wrong.

Heh...looks like I started a debate.

So it is ok to use a single IP address in the --src-range? I realize it may be not ideal, but which is valid

--src-range 20.149.12.12
or
--src-range 20.149.12.12-20.149.12.12

or either?

Also, you seem to be an expert on IPtables. Is there a particular book/guide/tutorial you would recommend.
I do have some experience with it, but never used it on a regular basis. I would say I have a pretty good grasp on firewall fundamentals, but not necessarily how the stack is implemented in linux. I don't want to jump in with just the man pages, so if you have recommended anything in the past I'll bookmark it for some downtime.

thanks

 

[ColinTaylor]

Wrong.

Heh...looks like I started a debate.

Not really. Martineau replied faster than I could correct my own mistake.

 

[Martineau]

So it is ok to use a single IP address in the --src-range? I realize it may be not ideal....

Yes.

iptables is smart enough to complete the range...

e.g. the following created the rule shown in post #11

iptables -I FORWARD -i $(nvram get wan0_ifname) -m iprange --src-range 20.149.12.12 -d 10.10.10.102  -p tcp -m tcp -m multiport --dports 443 -j DROP

 

[Martineau]

Also, you seem to be an expert on IPtables. Is there a particular book/guide/tutorial you would recommend.

I studied/referenced this diagram Generic Iptables Packet flow back when I started and the bigger picture together with one of my later recommended bookmarks Iptables and Netfilter