Block IP Address

DD-WRT Forum Index -> Broadcom SoC based Hardware
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 8:49
soulstace wrote:
RAMoMATIC wrote:
This blocks me from connecting to the IP ... correct?

Not necessarily. It blocks the IP from connecting to you.

If you want to block in the other direction, you also need something like:

iptables -I FORWARD -s 192.168.1.0/24 -d IP_TO_BLOCK -j DROP

It's fairly easy to understand. -s is the source address and -d is the destination. -I means Insert a rule into the FORWARD chain and -j DROP means DROP.

In other words, if a packet is sourced from 192.168.1.0/24 and destined to IP_TO_BLOCK, it is DROPped.
OK, well I just test-DoS'ed myself and the IP was still able to hit my connection, except rather than the bandwidth monitoring showing it hitting the router, it just shows the WAN spiking to 2MB/s, i.e. the DoS attack worked. How can I make it block the attack right when it enters the WAN?
soulstace (DD-WRT Guru, Joined: 04 Aug 2007, Posts: 6427)
PostPosted: Tue Jan 06, 2009 8:55
If you are saturating all of your bandwidth there is nothing you can do with iptables to stop it.
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 8:58
soulstace wrote:
If you are saturating all of your bandwidth there is nothing you can do with iptables to stop it.
I guess this is as far as program firewalls can go :( Thanks for the help though.
soulstace (DD-WRT Guru, Joined: 04 Aug 2007, Posts: 6427)
PostPosted: Tue Jan 06, 2009 9:07
If someone tries to flood you, just change your IP.

If you have a static IP, best not piss anyone off ;)
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 9:10
soulstace wrote:
If someone tries to flood you, just change your IP.

If you have a static IP, best not piss anyone off ;)
I've got cable and I already know how to change my IP, but it would be nice to be fully DDoS protected so no one can have a laugh if they try to take me offline. ;)
soulstace (DD-WRT Guru, Joined: 04 Aug 2007, Posts: 6427)
PostPosted: Tue Jan 06, 2009 9:12
Really the only way to prevent DDoS is to have more bandwidth than the attacker.
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 9:15
soulstace wrote:
Really the only way to prevent DDoS is to have more bandwidth than the attacker.
Do you think if I bought a Cisco firewall I could stop DoS attacks better than iptables?
soulstace (DD-WRT Guru, Joined: 04 Aug 2007, Posts: 6427)
PostPosted: Tue Jan 06, 2009 9:18
What type of DoS are you referring to?
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 9:20
soulstace wrote:
What type of DoS are you referring to?
UDP/TCP attacks and random port attacks as well.
soulstace (DD-WRT Guru, Joined: 04 Aug 2007, Posts: 6427)
PostPosted: Tue Jan 06, 2009 9:23
It might be possible that Cisco have better DoS protection, but I don't really know. The thing about DoS is that there are so many different kinds. Many of them are in the TCP/IP stack and are pretty difficult to detect by any firewall because they look like normal traffic.
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 9:28
soulstace wrote:
It might be possible that Cisco have better DoS protection, but I don't really know. The thing about DoS is that there are so many different kinds. Many of them are in the TCP/IP stack and are pretty difficult to detect by any firewall because they look like normal traffic.
Hmm, OK. Also it's weird how my router works... when I DoS one port like port 21 or 123 or just any random port, and the flood script only focuses on the port you tell it to hit, the router blocks it. I see in WAN that it spikes to 500KB/s and it drops the DoS IP. But when I use 0 in the flood script it does a random port attack which just floods a port for -1 second then floods another port. I don't know why it does not block this attack. Is there a way I can set up iptables so that if there are more than 100 connections made to different ports from one IP address it drops the IP address automatically?
soulstace (DD-WRT Guru, Joined: 04 Aug 2007, Posts: 6427)
PostPosted: Tue Jan 06, 2009 9:35
Yes, that is possible with iptables, but I'm not sure DD-WRT has this much functionality. iptables is highly modular, but as you know we don't have much space to deal with in these little devices, especially the ones with only 2MB flash.
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 9:39
soulstace wrote:
Yes, that is possible with iptables, but I'm not sure DD-WRT has this much functionality. iptables is highly modular, but as you know we don't have much space to deal with in these little devices, especially the ones with only 2MB flash.
How about if I buy an ASUS WL-500W router and get a 1GB thumb drive to use as the router's hard drive?
soulstace (DD-WRT Guru, Joined: 04 Aug 2007, Posts: 6427)
PostPosted: Tue Jan 06, 2009 9:42
That will help.

Here's an example of how to limit connections in the standard versions.

http://www.dd-wrt.com/wiki/index.php/Preventing_Brute_Force_Attacks
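To make the "more than 100 connections to different ports from one IP" idea from the question above concrete, here is an added example (not from the thread or the DD-WRT wiki) that replays constructed iptables LOG lines and flags any source crossing a hit count inside a time window, keyed on the source address alone so a port-hopping flood is counted the same as a single-port one; the `flag_sources` helper, the sample addresses and the reading of the iptables `recent` match's seconds/hitcount counting as this kind of sliding window are my assumptions.

```python
import re
from collections import defaultdict, deque

# iptables LOG line as syslog records it; only the timestamp, SRC and DPT are captured.
LOG_RE = re.compile(r"^\w{3}\s+\d+ (\d+):(\d+):(\d+) .*SRC=(\S+) .*?DPT=(\d+)")

def parse(line):
    """Return (seconds_into_day, src_ip, dst_port) for a LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    h, mi, s, src, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, int(dpt)

def flag_sources(lines, window=60, hitcount=100):
    """Sliding-window hit counter keyed on the source address only (my model of what
    a `-m recent --seconds <window> --hitcount <hitcount>` rule counts in-kernel).
    Because the key ignores the destination port, a flood that moves to a new
    random port every packet is caught just like one pinned to port 21.
    Returns {src: distinct ports seen at the moment the threshold was crossed}."""
    seen = defaultdict(deque)          # src -> deque of (time, dport) inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        t, src, dport = rec
        q = seen[src]
        q.append((t, dport))
        while q and t - q[0][0] > window:   # expire hits older than the window
            q.popleft()
        if len(q) >= hitcount and src not in flagged:
            flagged[src] = len({p for _, p in q})
    return flagged

def constructed_log():
    """Constructed sample (not real traffic, documentation address ranges): one host
    touching three ports over a few seconds, and one host sweeping 120 ports inside
    ten seconds, like the random-port flood script described in the thread."""
    fmt = ("Jan  6 09:28:{sec:02d} kernel: DROP IN=vlan1 OUT= SRC={src} "
           "DST=192.0.2.10 PROTO=UDP SPT=5555 DPT={dpt} LEN=64")
    lines = [fmt.format(sec=s, src="198.51.100.5", dpt=p) for s, p in ((1, 21), (5, 123), (9, 80))]
    lines += [fmt.format(sec=i % 10, src="203.0.113.9", dpt=1024 + i) for i in range(120)]
    return sorted(lines)               # the timestamp is a fixed-width prefix, so this is time order

if __name__ == "__main__":
    for src, ports in flag_sources(constructed_log()).items():
        print(f"{src}: {ports} distinct ports inside the window -> candidate for a DROP rule")
```

In the kernel the same counter would feed a DROP directly instead of a log line, but as soulstace notes above, dropping at the router does not recover bandwidth the flood has already consumed on the WAN link.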
RAMoMATIC (DD-WRT Novice, Joined: 04 Jan 2009, Posts: 44)
PostPosted: Tue Jan 06, 2009 9:47
soulstace wrote:
That will help.

Here's an example of how to limit connections in the standard versions.

http://www.dd-wrt.com/wiki/index.php/Preventing_Brute_Force_Attacks
Alright, well I'll buy that ASUS WL-500W router and get a 1GB thumb drive in a few days. Thank you for the awesome help :D
Page 2 of 3 (all times are GMT)