What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Network Services Filter Table whitelist CIDR format

ColinTaylor said:
That appears to be where the DROP messages are coming from.
Click to expand...
yes, but why I got DROP packet when I correctly forward Cloudflare, is there any way to whitelist those IPs without turning off the DDOS completely. the problem happens from time to time.

I have my research website and would like to share it my advisor, but with these 522 errors it is not stable to share

Thank you for your support, really appreciated
 
msallal said:
yes, but why I got DROP packet when I correctly forward Cloudflare,
Click to expand...
Just because you're forwarding ports doesn't mean you don't need DOS protection. Quite the opposite in fact. That's a huge range of addresses that you're allowing.

msallal said:
is there any way to whitelist those IPs without turning off the DDOS completely. the problem happens from time to time.
Click to expand...
It's messy. You'd have to create a firewall-start script like this:
Code: 
#!/bin/sh

iptables -I SECURITY -p tcp -s 103.21.244.0/22  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 103.22.200.0/22  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 103.31.4.0/22    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 104.16.0.0/13    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 104.24.0.0/14    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 108.162.192.0/18 -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 131.0.72.0/22    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 141.101.64.0/18  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 162.158.0.0/15   -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 172.64.0.0/13    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 173.245.48.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 188.114.96.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 190.93.240.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 197.234.240.0/22 -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 198.41.128.0/17  -d 10.0.0.4 -j RETURN
 
Last edited:
ColinTaylor said:
Just because you're forwarding ports doesn't mean you don't want DOS protection. Quite the opposite in fact. That's a huge range of addresses that you're allowing.


It's messy. You'd have to create a firewall-start script like this:
Code: 
#!/bin/sh

iptables -I SECURITY -p tcp -s 103.21.244.0/22  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 103.22.200.0/22  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 103.31.4.0/22    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 104.16.0.0/13    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 104.24.0.0/14    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 108.162.192.0/18 -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 131.0.72.0/22    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 141.101.64.0/18  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 162.158.0.0/15   -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 172.64.0.0/13    -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 173.245.48.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 188.114.96.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 190.93.240.0/20  -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 197.234.240.0/22 -d 10.0.0.4 -j RETURN
iptables -I SECURITY -p tcp -s 198.41.128.0/17  -d 10.0.0.4 -j RETURN
Click to expand...
I am not familiar with adding firewall-start script, just add those to the shell.

I appreciate if there is any steps to follow, in order if i want to delete or modify a rule later

Thanks
 
msallal said:
Thank you so much, i will look into and hope it will work :)
Click to expand...
It would probably be a lot easier if you ran your web server on a non-standard port rather than the normal HTTPS port, 443. Using port 443 is a giant magnet for every hacker and port scanner on the planet (or Cloudflare). If you were to run it on a port like 28652 it's likely you wouldn't have a problem with DoS protection kicking in.

P.S. Looking at your iptables output you appear to have enabled Web Access from WAN on the router. This is a huge security concern so I suggest you disable that unless you really need it. If you need remote access to your router or LAN you could use the VPN server (which you already have running).
 
Last edited:
ColinTaylor said:
It would probably be a lot easier if you ran your web server on a non-standard port rather than the normal HTTPS port, 443. Using port 443 is a giant magnet for every hacker and port scanner on the planet (or Cloudflare). If you were to run it on a port like 28652 it's likely you wouldn't have a problem with DoS protection kicking in.

P.S. Looking at your iptables output you appear to have enabled Web Access from WAN on the router. This is a huge security concern so I suggest you disable that unless you really need it. If you need remote access to your router or LAN you could use the VPN server (which you already have running).
Click to expand...
Thanks Colin, for your suggestion, Actually I using the port forwarding to forward the 443 to Kemp loadbalancer and reverse proxy, which then be handle the request to my webserver using different port than 443,
 
msallal said:
Thanks Colin, for your suggestion, Actually I using the port forwarding to forward the 443 to Kemp loadbalancer and reverse proxy, which then be handle the request to my webserver using different port than 443,
Click to expand...
Thanks for the update. I don't really understand your setup because I'm not familiar with the Kemp loadbalancer. But my concern was if your router was forwarding port 443 from the public internet rather than what was happening on the LAN. Ports 22, 23, 80 and 443 are probably the most common ports for scanner/hacker traffic.
 
Last edited:
I created firewall-start file and applied the chmod a+rx /jffs/scripts/*

but it seems same result, still have the 522 error and drop packet in log

May 24 10:36:56 kernel: DROP IN=eth0 OUT=br0 MAC=fc:34:97:3a:8b:d0:e0:1f:2b:2c:8f:52:08:00 SRC=172.69.69.127 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=55 ID=31971 DF PROTO=TCP SPT=15924 DPT=443 SEQ=1358575349 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000


1653406412839.png


when i turn of the DOS it works fine without any issue, but I don't want to turn off the DOS for every IP,
any solution please

thank you so much
 
SSH into the router after you've tried to connect to 10.0.0.4 and enter this command to see if you're hitting the firewall rules as expected.
Code: 
iptables-save -t filter -c
 
Your firewall-start script has not run successfully. None of the rules have been added to the SECURITY chain. Check that you have enabled "JFFS custom scripts and configs" in the GUI under Administration - System.

It would also be a good idea to make sure the script is in Unix format rather than Windows format. Issue the following commands from an SSH session:
Code: 
dos2unix /jffs/scripts/firewall-start
service restart_firewall
 
ColinTaylor said:
Your firewall-start script has not run successfully. None of the rules have been added to the SECURITY chain. Check that you have enabled "JFFS custom scripts and configs" in the GUI under Administration - System.

It would also be a good idea to make sure the script is in Unix format rather than Windows format. Issue the following commands from an SSH session:
Code: 
dos2unix /jffs/scripts/firewall-start
service restart_firewall
Click to expand...
yes, correct you are right, the JFFS custom scripts and configs was not enabled, my bad

I will test if everything is going to work fine
Thank you so much, really appreciated
 
You must log in or register to reply here.

Similar threads

adri
Firewall, Port Forwarding, and DoS Question
Replies
8
Views
660
ColinTaylor
C
T
Solved RT-BE92U connections in AIMesh nodes intermittently dropped (Caused by FW 3.0.0.6 not compatible with FW 3.0.0.4 routers))
Replies
9
Views
753
jksmurf
J
SkierInAvon
Very Strange WAN Login Entry…WAN Routing 192.168.1.20??? HUH?
Replies
6
Views
249
SkierInAvon
SkierInAvon
J
Skynet Skynet - Blocked outbounds coming from the router itself?
Replies
12
Views
1K
JuanGF
J
P
Skynet show inbound block on Digital TV Vlan300
Replies
4
Views
1K
poudenes
P
Similar threads
Thread starter Title Forum Replies Date
man_with_the_stick Wifi client of the guest network 1 doesn't get new IP address when changing the band Asuswrt-Merlin 5
B Tutorial Automatically Reboot Asus Router on Network Failures Asuswrt-Merlin 15
garycnew No Clients listed in the Network Map > Client List Asuswrt-Merlin 6
K Troubles config wireguard for network devices on rt-be88 using merlin 3006.102 Asuswrt-Merlin 18
W3Wilkes RT-AX86U IoT (guest network) Intranet Question Asuswrt-Merlin 15
matthew_eli RT-BE86U guest network not shared on AiMesh nodes - no free slot Asuswrt-Merlin 10
J Access webgui only from inside wireguard network ? [SOLVED] Asuswrt-Merlin 11
S Guest network 2 fails with bandwidth limiter Asuswrt-Merlin 23
Lee MacMillan Differences between 2.4Ghz network and 2.4Ghz guest network Asuswrt-Merlin 7
M How to NAT traffic inbound to a specific host or network ? Asuswrt-Merlin 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 766 (members: 8, guests: 758)
Back
Top