Assistance to create a script that blocks inbound CIDRs via iptables

MKANET

Regular Contributor
I have very limited experience with Linux. I was hoping someone could assist me to create a script that will update iptables (to block a few incoming CIDRs).

I already have a script called /jffs/scripts/services-start, which is executed when my router boots up.

Could someone please assist with what lines I should append to this script file (in order to block CIDRs 116.10.191.0/24 & 104.131.0.0/16) when the router boots up? I'm guessing it's something like this?

iptables -A INPUT -s 116.10.191.0/24 -j DROP
iptables -A INPUT -s 104.131.0.0/16 -j DROP
You should put your commands in the firewall-start script. You should also use -I rather than -A otherwise those commands will have no effect.

The firewall drops all unsolicited traffic by default anyway (apart from VPN which is a special case).

Thanks. My intention is to block specific incoming unsolicited traffic from reaching my webserver via port forwarding.

EDIT: I'm curious why would -I work in this case, but not -A?

Because you'll want your DROP rules to have priority over all the existing ACCEPT rules.
 
Thanks. My intention is to block specific incoming unsolicited traffic from reaching my webserver via port forwarding.
In which case you need to use the FORWARD chain rather than the INPUT chain. Or configure access restrictions on your web server if it's something like Apache.
 
I forward ports 80/443 to my web server PC running nginx. I prefer to stop the traffic at the firewall (before it even reaches my web server). Previously, I was DENYing the CIDR via the nginx config.
 
Have you looked at https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/? It sounds like it would do what you want it to do.

* edit: fixed link *

Thanks @Huib, I was hoping adding the drop rules from the previous post would do what I want, since it was relatively simple to do. However, it didn't seem to have any effect after restarting the firewall.

@ColinTaylor, my apologies if I misunderstood what you were saying previously. But, will the Drop rules do what I expect; or, do I have to use the other script that Huib posted to do what I want? I can't seem to get the drop rules to work. I'd prefer to use the existing firewall to do what I want, if feasible.
 
Your rules should work. There should be no need to use that other script or Skynet (unless you prefer to) as they all effectively do the same thing.

Your firewall-start script should look like this:
Code:
#!/bin/sh
# -I inserts at the top of FORWARD, ahead of the port-forward ACCEPT rules
iptables -I FORWARD -s 116.10.191.0/24 -j DROP
iptables -I FORWARD -s 104.131.0.0/16 -j DROP

The script should also be executable and be in Unix-format not DOS/Windows-format, so:
Code:
chmod 755 /jffs/scripts/firewall-start
dos2unix /jffs/scripts/firewall-start
# restart the firewall so firewall-start runs now, not only at the next boot
service restart_firewall
And of course you should have enabled custom scripts in the GUI, which I assume you already did for your services-start script.
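A fuller firewall-start in the spirit of ColinTaylor's script and the -I versus -A point made earlier in the thread, as an added example that is not from the thread or from the Asuswrt-Merlin project. It assumes BusyBox sh on Asuswrt-Merlin, an iptables with -C and -m state support, a constructed block list, and that the firmware passes the WAN interface name to firewall-start as $1 (treat that as an assumption and confirm it against the Merlin user-scripts documentation for your version). It adds two things a practitioner would want over the three-line script: it matches only packets that open a new connection from the listed ranges, because a bare -s match in FORWARD also drops the replies to connections your own LAN hosts open towards those ranges, and it checks with -C before inserting so running it twice does not stack duplicate rules. Run under any name other than firewall-start it only prints the commands it would issue, so it can be reviewed on a PC first.

```shell
#!/bin/sh
# Added example of /jffs/scripts/firewall-start (not the thread's script).
# Assumptions: BusyBox sh on Asuswrt-Merlin, iptables with -C and -m state,
# and the firmware passing the WAN interface name as $1 when it runs this script.

# Constructed block list: one CIDR per word, edit to taste.
BLOCKED_CIDRS="116.10.191.0/24 104.131.0.0/16"

# WAN interface to match on; eth0 is only a placeholder for when $1 is absent (dry runs).
WAN_IF=${1:-eth0}

# Reject malformed entries so a typo does not become a silent iptables error at boot.
valid_cidr() {
  ip=${1%/*}; len=${1#*/}
  [ "$ip" != "$1" ] || return 1                    # no '/' present
  case "$len" in ''|*[!0-9]*) return 1 ;; esac     # prefix length must be digits
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs      # split the address on dots
  [ $# -eq 4 ] || return 1                         # exactly four octets
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# The command that would be run for one CIDR, rendered as text for review/dry runs.
# -I puts the rule at position 1 of FORWARD, ahead of the port-forward ACCEPT rules
# (-A would append it after them, where it is never reached).
# --state NEW drops only packets that open a connection from the range, so replies to
# connections that LAN hosts open towards that range are not dropped as well.
rule_cmd() {
  printf 'iptables -I FORWARD -i %s -s %s -m state --state NEW -j DROP\n' "$WAN_IF" "$1"
}

# Insert the rule, but only if an identical one is not already present (-C checks),
# so running the script twice does not stack duplicate rules.
apply_block() {
  set -- -i "$WAN_IF" -s "$1" -m state --state NEW -j DROP
  iptables -C FORWARD "$@" 2>/dev/null || iptables -I FORWARD "$@"
}

# Change the firewall only when invoked as firewall-start; run by hand under any other
# name it just prints the commands, so it can be reviewed on a PC before copying it over.
for cidr in $BLOCKED_CIDRS; do
  if ! valid_cidr "$cidr"; then
    echo "firewall-start: skipping malformed CIDR '$cidr'" >&2
    continue
  fi
  case "$0" in
    firewall-start|*/firewall-start) apply_block "$cidr" ;;
    *) rule_cmd "$cidr" ;;
  esac
done
```

After `service restart_firewall`, `iptables -nvL FORWARD --line-numbers | head -5` should list the DROP rules at positions 1 and 2; their packet counters rising is the confirmation that the ranges are actually being caught before the port-forward ACCEPT rules.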
I think I found out why it wasn't working. You clearly told me earlier, "In which case you need to use the FORWARD chain rather than the INPUT chain". I didn't realize what you meant until I saw your example code. I had changed -A to -I only.

I should know if this was effective by tomorrow...

@ColinTaylor Your suggestion worked perfectly. It was exactly what I wanted. Thank you for the great support in this community. Heck, even RMerlin chimed in to help.