Posted: Sat Feb 17, 2024 4:48 Post subject: iptables syntax to drop inbound packets from an IP range
After reading some of the postings and the iptables command syntax page, I've come up with this command. I intend to add it to Administration/Commands so it will run after every power cycle. I wasn't able to find an exact match for the syntax, and would rather drop my pride than spend time running down an entirely wrong rabbit hole.
The goal is to drop all packets from a range of IP addresses. I get frequent port scans in my log and want to block all the traffic from these IPs so that it's safer when I need to occasionally open a port.
Joined: 18 Mar 2014 Posts: 12921 Location: Netherlands
Posted: Sat Feb 17, 2024 7:03 Post subject:
Welcome to the forum.
I have moved this thread to the appropriate forum.
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Start with telling us your router model and buildnumber.
You do not need to block incoming connections as those are already blocked by default.
I want to have a port available for remote access, though. And once I do, I want to filter out certain IP ranges that might attempt to use that port.
The original problem is that I've been getting things like this in my logs (not a ddwrt router) whenever I redir a port:
Code:
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [162.254.193.74]
[LAN access from remote] from 162.254.193.74:<random_port> to <local_ip_of_pc_for_redir_port>:<redir_port#>
I was hoping this command would allow me to block the ip ranges of those attacks, without giving the attacker a response, while leaving the port otherwise available when I travel (and won't know my ip beforehand).
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Feb 21, 2024 8:09 Post subject:
Code:
iptables -I INPUT -s 54.54.0.0/16 -j DROP
As we don't know what you have enabled... it's good practice for remote administration to use either SSH or WireGuard... well... OpenVPN server too, but it's too difficult to set up... do not use remote GUI HTTPS... especially without a complex password... in fact, even SSH needs to be used only with key file authentication and password disabled for SSH...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
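The one-line rule above matches in INPUT, which only covers traffic addressed to the router itself. A port that DD-WRT forwards to a LAN host (the redirected VNC/RDP port mentioned earlier) is DNATed in PREROUTING and then passes through FORWARD, never INPUT, so an INPUT-only drop leaves that forwarded port reachable from the listed range. What follows is an added example, not code from this thread or from DD-WRT: a firewall script that puts the ranges into a dedicated chain and jumps to it from both INPUT and FORWARD, validates each entry before it is used, and can be re-run without stacking duplicate rules. The chain name BLOCKRANGE, the DRY_RUN switch, the valid_cidr helper, the ACTION variable and the two ranges in BLOCK_LIST are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: a DD-WRT firewall script that
# drops everything from a list of source ranges. DRY_RUN=1 prints the iptables
# commands instead of running them, which is how the script is checked.
DRY_RUN="${DRY_RUN:-}"
CHAIN=BLOCKRANGE            # assumed chain name
# DROP discards silently; REJECT replies with an ICMP error (or a TCP RST
# with --reject-with tcp-reset), which tells a scanner the host is there.
ACTION="${ACTION:-DROP}"

# Constructed example ranges for illustration; replace with the ones in your logs.
BLOCK_LIST="54.54.0.0/16 162.254.193.0/24"

ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Return 0 when $1 is a.b.c.d/n with octets 0-255 and n 0-32, else 1.
# A typo in the list would otherwise produce a rule that iptables rejects,
# leaving that range unblocked after the next reboot.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

apply_block_list() {
    # Rebuild the dedicated chain on every run, so re-running the firewall
    # script after a reboot or a list change never leaves stale rules behind.
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"
    for cidr in $1; do
        if valid_cidr "$cidr"; then
            ipt -A "$CHAIN" -s "$cidr" -j "$ACTION"
        else
            echo "skipping malformed entry: $cidr" >&2
        fi
    done
    # INPUT covers traffic to the router itself (SSH, GUI, VPN); FORWARD covers
    # port-forwarded traffic on its way to a LAN host, which never hits INPUT.
    # Delete any old jump first so the insert at position 1 is not duplicated.
    for parent in INPUT FORWARD; do
        ipt -D "$parent" -j "$CHAIN" 2>/dev/null || true
        ipt -I "$parent" 1 -j "$CHAIN"
    done
}

# "sh blockranges.sh dry-run" prints the rules; "sh blockranges.sh apply" loads them.
case "${1:-}" in
    apply)   apply_block_list "$BLOCK_LIST" ;;
    dry-run) DRY_RUN=1; apply_block_list "$BLOCK_LIST" ;;
esac
```

DD-WRT runs the script saved under Administration > Commands > Save Firewall without arguments, so when pasting it there replace the trailing case block with a plain `apply_block_list "$BLOCK_LIST"`. Inserting the jump at position 1 puts the drop ahead of the ESTABLISHED,RELATED accept that the stock firewall installs, so an already-open session from a listed range is cut as well.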
Still learning here. Newish to ddwrt and it's been a decade since I last managed routers in any significant way.
By remote access I was referring to vnc/rdp. I'll be clearer in the future.
I'll replace PREROUTING with INPUT. Got it. This won't send any response to the packet sender?
Was thinking of adding this to admin/commands. Saw in a thread that this will keep the command from being lost if I need to reboot the router.
The rest of the settings will be default - except password and disabling wireless.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Feb 22, 2024 12:15 Post subject:
Yes, you save the iptables rules in GUI > Commands > Save Firewall.
If the rule ends with DROP it will not send any response, the packets are just discarded... whereas if you use REJECT it will send a response...
I'm not sure that the PREROUTING chain has a REJECT... so DROP is the only way....
It depends on the router class, and if available you can use ipset rules too..
as using iptables for lots of range blocking may take some toll on the performance side...
By default the firewall drops everything and works as an SPI firewall.. but it's good to block some stuff anyway
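For the ipset variant suggested above (on builds that ship ipset and the xt_set match), here is an added example that is not code from this thread or from DD-WRT. The ranges go into one hash:net set that is loaded through ipset restore and swapped in as a single operation, and one rule per chain matches against the set, so adding more ranges adds no iptables rules and the per-packet cost stays flat. The set name blocklist4, the staging-set swap sequence, the DRY_RUN switch and the sample ranges are assumptions made for the example; confirm the tool is present on your build with `ipset --version` before relying on it.

```shell
#!/bin/sh
# Added example, not from the original thread: block source ranges with one
# ipset instead of one iptables rule per range. DRY_RUN=1 prints what would run.
DRY_RUN="${DRY_RUN:-}"
SET=blocklist4                      # assumed set name
# Constructed example ranges; replace with the ones from your logs.
BLOCK_LIST="54.54.0.0/16 162.254.193.0/24"

ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Emit an 'ipset restore' script. New contents are staged in a temporary set
# and swapped into place as one operation, so the live set is never half
# loaded. ipset rejects malformed entries itself; restore then stops before
# the swap and the live set is left unchanged.
render_restore() {
    echo "create $SET hash:net family inet -exist"
    echo "create ${SET}_tmp hash:net family inet -exist"
    echo "flush ${SET}_tmp"
    for cidr in $1; do
        echo "add ${SET}_tmp $cidr"
    done
    echo "swap ${SET}_tmp $SET"
    echo "destroy ${SET}_tmp"
}

apply_ipset_blocklist() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipset restore <<'EOF'"; render_restore "$1"; echo "EOF"
    else
        render_restore "$1" | ipset restore || return 1
    fi
    # One rule per chain: INPUT for the router itself, FORWARD for traffic that
    # is port-forwarded to LAN hosts. Delete-then-insert keeps re-runs idempotent.
    for parent in INPUT FORWARD; do
        ipt -D "$parent" -m set --match-set "$SET" src -j DROP 2>/dev/null || true
        ipt -I "$parent" 1 -m set --match-set "$SET" src -j DROP
    done
}

# "sh ipsetblock.sh dry-run" prints the commands; "sh ipsetblock.sh apply" loads them.
case "${1:-}" in
    apply)   apply_ipset_blocklist "$BLOCK_LIST" ;;
    dry-run) DRY_RUN=1; apply_ipset_blocklist "$BLOCK_LIST" ;;
esac
```

Because the set is swapped rather than flushed and refilled, the list can be refreshed while the two iptables rules stay in place; only the set contents change, which is also what makes a later switch to a larger, periodically downloaded list cheap.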