
trying to block all ports for a specific ip (including tcp/udp/tcp syn,ack,fin,rst,urg,psh)

Discussion in 'Asuswrt-Merlin' started by Tlex, Mar 7, 2017.

  1. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
    Hi,
    I was wondering if it is possible to block all traffic for a specific source IP without creating multiple filter entries (like one for TCP, one for UDP, etc.)?
    For the moment, I've created one entry for TCP and another for UDP for each IP I want to filter... is this enough, or should I create extra ones for SYN, ACK, etc.?

    Thanks for your help !
     


  2. swetoast

    swetoast Guest

    Joined:
    Apr 12, 2016
    Messages:
    804
    Check out iptables. All you have to do is add it to wan_start or something; there are loads of solutions on this forum for just that purpose.

    Code:
    iptables -A INPUT -s <ip> -j DROP
    iptables -A OUTPUT -d <ip> -j DROP 
    
     
  3. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17

    OK, so nothing is possible from the GUI, I guess?

    Let's say I would like to block all outgoing traffic from LAN IPs (between IP 10.32.50.30 and 10.32.50.60) to the WAN interface but still want them to be accessible from the LAN side (i.e. access 10.32.50.31 from 10.32.50.12). Would I have to do the following:
    iptables -A OUTPUT -d 10.32.50.30 -j DROP
    iptables -A OUTPUT -d 10.32.50.31 -j DROP
    iptables -A OUTPUT -d 10.32.50.32 -j DROP
    etc...
    ?

    Or is there any way to do it in one line by specifying the 30-60 scope?

    Also, do I need the "iptables -A INPUT -s <ip> -j DROP" ?

    Thanks for your help.

    I know that from the GUI the interface doesn't force me to specify the ports (1:65535) (at least the line is accepted by the system, but I don't know if it works . . .
     
  4. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,869
    Location:
    UK
    Your restricted range 10.32.50.30-10.32.50.60 in CIDR notation will require 5 rules (or one if these are defined in an IPSET), and they need to be inserted in the -t filter FORWARD chain.

    Code:
    iptables -I FORWARD -s 10.32.50.30/31 -o `nvram get wan0_ifname` -j DROP
    iptables -I FORWARD -s 10.32.50.32/28 -o `nvram get wan0_ifname` -j DROP
    iptables -I FORWARD -s 10.32.50.48/29 -o `nvram get wan0_ifname` -j DROP
    iptables -I FORWARD -s 10.32.50.56/30 -o `nvram get wan0_ifname` -j DROP
    iptables -I FORWARD -s 10.32.50.60/32 -o `nvram get wan0_ifname` -j DROP
    and to check the rules to see if they fire...
    Code:
    iptables -nvL FORWARD --line  | grep 10.32.50
    Edit: You may be able to simply specify the 5 CIDR source addresses via the GUI? see Firewall->Network Services Filter, and use the following to check the rules

    Code:
    iptables -nvL NSFW --line
    or by default, since via the NSF GUI they use the 'logdrop' target, all hits should appear in Syslog!
     
    Last edited: Mar 7, 2017
    Muggesand and Tlex like this.
  5. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
    Thanks Martineau,

    Just trying to catch up a little bit, I'm not sure I understand all the lines :

    iptables -I FORWARD -s 10.32.50.30/31 -o `nvram get wan0_ifname` -j DROP
    this one should cover ips 30-31 ?

    iptables -I FORWARD -s 10.32.50.32/28 -o `nvram get wan0_ifname` -j DROP
    this one should cover ips 32-47 ?

    iptables -I FORWARD -s 10.32.50.48/29 -o `nvram get wan0_ifname` -j DROP
    this one should cover ips 48-55 ?

    iptables -I FORWARD -s 10.32.50.56/30 -o `nvram get wan0_ifname` -j DROP
    this one should cover ips 56-59 ?

    iptables -I FORWARD -s 10.32.50.60/32 -o `nvram get wan0_ifname` -j DROP
    this one should cover IP 60?

    I used an IP calculator as I'm not familiar with this... just want to be sure I understand it well.
     
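    The five CIDR blocks Martineau listed, and that the post above checks one by one, fall out of a greedy split: at each step take the largest power-of-two block that is aligned at the current address and does not run past the end of the range. The POSIX sh script below is an added example, not code from this thread; it takes the WAN interface name as an argument (a placeholder for what `nvram get wan0_ifname` would return on the router) and only prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example: split an inclusive IPv4 range into minimal CIDR blocks and
# print the FORWARD DROP rules in the form used in the thread. Assumes 64-bit
# shell arithmetic (dash, bash, busybox ash all provide it).

ip2int() {
  # dotted quad -> 32-bit integer (assumes a well-formed address)
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range2cidr() {
  # Greedy: widen the block one bit at a time while it stays aligned at 'cur'
  # and its last address is still <= 'end'. Output is one space-separated line.
  cur=$(ip2int "$1"); end=$(ip2int "$2"); out=""
  while [ "$cur" -le "$end" ]; do
    prefix=32
    while [ "$prefix" -gt 0 ]; do
      size=$(( 1 << (33 - prefix) ))   # block size if we widen by one more bit
      if [ $(( cur % size )) -ne 0 ] || [ $(( cur + size - 1 )) -gt "$end" ]; then
        break
      fi
      prefix=$(( prefix - 1 ))
    done
    out="$out${out:+ }$(int2ip "$cur")/$prefix"
    cur=$(( cur + (1 << (32 - prefix)) ))
  done
  echo "$out"
}

drop_rules() {
  # Print (do not run) one rule per block; $3 is the WAN interface name.
  for cidr in $(range2cidr "$1" "$2"); do
    echo "iptables -I FORWARD -s $cidr -o $3 -j DROP"
  done
}

drop_rules 10.32.50.30 10.32.50.60 eth0
```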
  6. Fitz Mutch

    Fitz Mutch Senior Member

    Joined:
    May 27, 2016
    Messages:
    462
    Location:
    Portsmouth
    I'm going to help you get your first piece. This sample code will correctly block and unblock multiple ranges of IP addresses and you don't need to understand complicated schemes.

    How to block
    Code:
    /jffs/scripts/block-ip-ranges.sh "30-60 223-243"
    
    How to unblock
    Code:
    /jffs/scripts/block-ip-ranges.sh "30-60 223-243" delete
    
    /jffs/scripts/block-ip-ranges.sh
    Code:
    #!/bin/sh
    # Block (or unblock) LAN source ranges from being forwarded by the router.
    # Usage: block-ip-ranges.sh "30-60 223-243" [I|A|D]   (default: I = insert)
    block_ip_ranges() {
      local IP_RANGES="$1"
      local ACTION="$2"
      # First %s is the iptables action (-I/-A/-C/-D), second is the src-range
      local RULE1="/usr/sbin/iptables %s FORWARD -i br0 -m iprange --src-range %s -j DROP"
    
      # Default to insert; anything other than I, A or D means delete
      [ "$ACTION" == "" ] && ACTION="I"
      [ "$ACTION" != "I" ] && [ "$ACTION" != "A" ] && [ "$ACTION" != "D" ] && ACTION="D"
    
      # Take the LAN /24 prefix from the router's own address, then expand
      # "30-60" into "10.32.50.30-10.32.50.60"
      IPADDR="$(/usr/sbin/nvram get lan_ipaddr)"
      NETWORK="${IPADDR%.*}"
      IP_RANGES=$(/bin/echo $IP_RANGES | /bin/sed "s/[^0-9 -]*\([0-9]*\)/$NETWORK.\1/g")
      for IP_RANGE in $IP_RANGES; do
        if [ "$ACTION" == "I" ] || [ "$ACTION" == "A" ]; then
          # -C checks whether the rule already exists; only add it if it does not
          $(/usr/bin/printf "$RULE1\n" "-C" "$IP_RANGE") >/dev/null 2>&1
          if [ $? -ne 0 ]; then
            $(/usr/bin/printf "$RULE1\n" "-$ACTION" "$IP_RANGE") >/dev/null 2>&1
          fi
        else
          # Only delete a rule that is actually present; otherwise report it
          $(/usr/bin/printf "$RULE1\n" "-C" "$IP_RANGE") >/dev/null 2>&1
          if [ $? -eq 0 ]; then
            $(/usr/bin/printf "$RULE1\n" "-D" "$IP_RANGE") >/dev/null 2>&1
          else
            /bin/echo "NOTFOUND: "$(/usr/bin/printf "$RULE1\n" "-D" "$IP_RANGE")
          fi
        fi
      done
    }
    
    # Pass the script's own arguments through (ranges, optional action)
    block_ip_ranges "$@"
    
    
     
    Seba and Tlex like this.
  7. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
    Thanks Fitz,

    Will that command survive a reboot, or should I add it somewhere to run at boot? (/jffs/scripts/block-ip-ranges.sh)

    Thanks :)
     
  8. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
  9. Fitz Mutch

    Fitz Mutch Senior Member

    Joined:
    May 27, 2016
    Messages:
    462
    Location:
    Portsmouth
    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    source /jffs/scripts/block-ip-ranges.sh "30-60"
    
     
    Tlex likes this.
  10. redhat27

    redhat27 Very Senior Member

    Joined:
    Jul 29, 2016
    Messages:
    508
    If you entirely want to do it from the web ui, there is always parental controls. It blocks by MAC, so even if the IPs are reassigned by dhcp, their wan traffic will still be blocked. You can however access those devices from within the lan. Not sure if this approach is the one you are looking for.
     
    Tlex likes this.
  11. jack901

    jack901 Regular Contributor

    Joined:
    Feb 17, 2013
    Messages:
    129
    If you just do not want them to connect to the internet, use the Network Map clients list, select the ones you do not want out, and click on Block Internet; they will not go out.
     
  12. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,869
    Location:
    UK
    Yes, several fields in the GUI accept the CIDR notation as a shortcut to cover (large/extended) contiguous I/P ranges.

    In your post #3 you posed the question
    So did you try entering the 5 CIDR ranges into the NSF GUI as follows:

    2017-03-08_07-10-11.png

    Which results in the creation of the following rules (that will automatically be re-applied if ever the router is rebooted.)
    Code:
    iptables -nvL NSFW --line
    
    Chain NSFW (1 references)
    num   pkts bytes target     prot opt in     out     source               destination 
    1        0     0 logdrop    tcp  --  br0    eth0    10.32.50.30/31       0.0.0.0/0   
    2        0     0 logdrop    tcp  --  br0    eth0    10.32.50.32/28       0.0.0.0/0   
    3        0     0 logdrop    tcp  --  br0    eth0    10.32.50.48/29       0.0.0.0/0   
    4        0     0 logdrop    tcp  --  br0    eth0    10.32.50.56/30       0.0.0.0/0   
    5        0     0 logdrop    tcp  --  br0    eth0    10.32.50.60          0.0.0.0/0
    Apologies for trying to help/educate.
     
    Last edited: Mar 8, 2017
    Seba likes this.
  13. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
    Hi Fitz,

    I went with your script and it works perfectly well.
    The only thing I'm not able to figure out yet is how to set iptables to accept traffic from the OpenVPN server (10.8.0.0) to talk to (10.32.50.30-60)... I thought of using TAP but it's not supported by iOS :(

    Thanks for your help !

    Current iptables set:
    ASUSWRT-Merlin RT-AC87U 380.65-0 Fri Feb 3 05:19:42 UTC 2017

    [user@router]:/tmp/home/root# iptables -S
    -P INPUT ACCEPT
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N FUPNP
    -N NSFW
    -N PControls
    -N SECURITY
    -N logaccept
    -N logdrop
    -A INPUT -i tun21 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -i br0 -m iprange --src-range 10.32.50.30-10.32.50.60 -j DROP
    -A FORWARD -i br0 -m iprange --src-range 10.32.50.4-10.32.50.5 -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun21 -j ACCEPT
    -A FORWARD ! -i br0 -o eth0 -j DROP
    -A FORWARD -i eth0 -m state --state INVALID -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i eth0 -j SECURITY
    -A FORWARD -j NSFW
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A FORWARD -i br0 -j ACCEPT
    -A NSFW -i br0 -o eth0 -j RETURN
    -A PControls -j ACCEPT
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
    -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
    -A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
    -A SECURITY -j RETURN
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP


    Sorry for the blurry pics... that's via TeamViewer :)
    Screen Shot 2017-03-09 at 8.47.25 AM.png
    Screen Shot 2017-03-09 at 8.47.46 AM.png
     
  14. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17

    or if anyone else can help me :) ?
     
  15. Fitz Mutch

    Fitz Mutch Senior Member

    Joined:
    May 27, 2016
    Messages:
    462
    Location:
    Portsmouth
    When you connect to the VPN server from the outside, what are you doing on the local network? Accessing private E-mail server, file server, video cameras, etc?

    /jffs/scripts/block-ip-ranges-with-vpn.sh
    Code:
    #!/bin/sh
    # Block LAN source ranges from being forwarded, but still let VPN clients on
    # tun21 reach them. Usage: block-ip-ranges-with-vpn.sh "30-60" [I|D]
    
    # Both helpers read IP_RANGE from the caller's loop and use -C so a rule is
    # never inserted twice or deleted when absent
    insert_firewall_rule() {
      local RULE="$1"
      $(/usr/bin/printf "$RULE\n" "-C" "$IP_RANGE") >/dev/null 2>&1
      if [ $? -ne 0 ]; then
        $(/usr/bin/printf "$RULE\n" "-I" "$IP_RANGE") >/dev/null 2>&1
      fi
    }
    
    delete_firewall_rule() {
      local RULE="$1"
      $(/usr/bin/printf "$RULE\n" "-C" "$IP_RANGE") >/dev/null 2>&1
      if [ $? -eq 0 ]; then
        $(/usr/bin/printf "$RULE\n" "-D" "$IP_RANGE") >/dev/null 2>&1
      else
        /bin/echo "NOTFOUND: "$(/usr/bin/printf "$RULE\n" "-D" "$IP_RANGE")
      fi
    }
    
    block_ip_ranges() {
      local IP_RANGES="$1"
      local ACTION="$2"
      local IF_VPNSERVER1="tun21"
      # RULE1 drops everything forwarded from the range.
      # RULE2 lets the range answer VPN clients only for connections the VPN side
      # already opened (RELATED,ESTABLISHED); the devices still cannot initiate.
      local RULE1="/usr/sbin/iptables %s FORWARD -i br0 -m iprange --src-range %s -j DROP"
      local RULE2="/usr/sbin/iptables %s FORWARD -i br0 -o $IF_VPNSERVER1 -m iprange --src-range %s -m state --state RELATED,ESTABLISHED -j ACCEPT"
    
      [ "$ACTION" == "" ] && ACTION="I"
      [ "$ACTION" != "I" ] && [ "$ACTION" != "D" ] && ACTION="D"
    
      IPADDR="$(/usr/sbin/nvram get lan_ipaddr)"
      NETWORK="${IPADDR%.*}"
      IP_RANGES=$(/bin/echo $IP_RANGES | /bin/sed "s/[^0-9 -]*\([0-9]*\)/$NETWORK.\1/g")
      for IP_RANGE in $IP_RANGES; do
        if [ "$ACTION" == "I" ]; then
          # Each -I goes to the top, so inserting RULE2 last leaves the ACCEPT
          # above the DROP, which is what first-match evaluation needs
          insert_firewall_rule "$RULE1"
          insert_firewall_rule "$RULE2"
        else
          delete_firewall_rule "$RULE1"
          delete_firewall_rule "$RULE2"
        fi
      done
    }
    
    # Pass the script's own arguments through (ranges, optional action)
    block_ip_ranges "$@"
    
     
    Last edited: Mar 10, 2017
    Tlex likes this.
  16. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
    Yes, all of this (email, file server, etc.), and it works since these ones are located in 10.32.50.10-29... accessing resources located in 10.32.50.30-60 is not working anymore from the OpenVPN server since that iptables rule from the script, and that makes sense I guess... so that's why I was wondering how to allow 10.8.0.0 to access it... (10.8.0.0 is the default subnet the OpenVPN server proposes on Asus/Merlin in TUN mode)... 30-60 is where I store IP cams and Chinese devices that I don't have any control over....
     
  17. Fitz Mutch

    Fitz Mutch Senior Member

    Joined:
    May 27, 2016
    Messages:
    462
    Location:
    Portsmouth
    Did you try the new script?

    Now it will allow those restricted devices. If it works for you, I think you could add "-o tun21" to the 2nd rule, to make it more secure.
     
    Tlex likes this.
  18. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
    Working :) Thanks a lot !
     
  19. Tlex

    Tlex Occasional Visitor

    Joined:
    Mar 7, 2017
    Messages:
    17
    Hi :)
    Sorry to bother again with that post :) (really not an iptables expert here !)

    So basically all my setup is fine; I have the script running at startup that blocks the "10.32.50.30-10.32.50.60" IPs.

    Now the thing is... I would like a specific machine in that range (10.32.50.40) to be allowed to send SMTP messages to the outside world... I tried by adding the following rule without success:
    iptables -A OUTPUT -p tcp --dport 25 -s 10.32.50.40 -j ACCEPT

    And I invoke the external mail server by IP address, so it's not that the DNS request is rejected . . .

    Any advice ?

    Thanks for your help :)
     
  20. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,699
    Use iptables -I

    IPTables works on a "first match basis": using -I inserts the rule at the top of the chain (giving it priority), whereas -A adds the rule to the end of the chain (giving it lowest priority).

    iptables -I FORWARD -p tcp --dport 25 -s 10.32.50.40 -j ACCEPT
     
    Tlex likes this.