trying to block all ports for a specific ip (including tcp/udp/tcp syn,ack,fin,rst,urg,psh)

Tlex

Occasional Visitor
Hi,
I was wondering if it is possible to block all traffic for a specific source IP without creating multiple filter entries (like one for TCP, one for UDP, etc.)?
For the moment, I've created one entry for TCP and another for UDP for each IP I want to filter... is this enough, or should I create extra ones for SYN, ACK, etc.?

Thanks for your help!
 

Attachments

  • Screen Shot 2017-03-07 at 2.46.35 PM.png (123.3 KB)
Check out iptables; all you have to do is add it to wan_start or something. There are loads of solutions on this forum for just that purpose.

Code:
iptables -A INPUT -s <ip> -j DROP
iptables -A OUTPUT -d <ip> -j DROP
 
OK, so nothing is possible from the GUI, I guess?

Let's say I would like to block all outgoing traffic from LAN IPs (between 10.32.50.30 and 10.32.50.60) to the WAN interface but still want them to be accessible from the LAN side (i.e. access 10.32.50.31 from 10.32.50.12). Would I have to do the following:
iptables -A OUTPUT -d 10.32.50.30 -j DROP
iptables -A OUTPUT -d 10.32.50.31 -j DROP
iptables -A OUTPUT -d 10.32.50.32 -j DROP
etc...
?

Or is there any way to do it in one line by specifying the 30-60 scope?

Also, do I need the "iptables -A INPUT -s <ip> -j DROP"?

Thanks for your help.

I know that from the GUI the interface doesn't force me to specify the ports (1:65535) (at least the line is accepted by the system, but I don't know if it works...).
 
Your restricted range 10.32.50.30-10.32.50.60 in CIDR notation will require 5 rules (or one if these are defined in an IPSET), and they need to be inserted in the -t filter FORWARD chain

Code:
iptables -I FORWARD -s 10.32.50.30/31 -o `nvram get wan0_ifname` -j DROP
iptables -I FORWARD -s 10.32.50.32/28 -o `nvram get wan0_ifname` -j DROP
iptables -I FORWARD -s 10.32.50.48/29 -o `nvram get wan0_ifname` -j DROP
iptables -I FORWARD -s 10.32.50.56/30 -o `nvram get wan0_ifname` -j DROP
iptables -I FORWARD -s 10.32.50.60/32 -o `nvram get wan0_ifname` -j DROP

and to check the rules to see if they fire...
Code:
iptables -nvL FORWARD --line | grep 10.32.50

Edit: You may be able to simply specify the 5 CIDR source addresses via the GUI? see Firewall->Network Services Filter, and use the following to check the rules

Code:
iptables -nvL NSFW --line

or by default, since via the NSF GUI they use the 'logdrop' target, all hits should appear in Syslog!
 
Thanks Martineau,

Just trying to catch up a little bit; I'm not sure I understand all the lines:

iptables -I FORWARD -s 10.32.50.30/31 -o `nvram get wan0_ifname` -j DROP
this one should cover IPs 30-31?

iptables -I FORWARD -s 10.32.50.32/28 -o `nvram get wan0_ifname` -j DROP
this one should cover IPs 32-47?

iptables -I FORWARD -s 10.32.50.48/29 -o `nvram get wan0_ifname` -j DROP
this one should cover IPs 48-55?

iptables -I FORWARD -s 10.32.50.56/30 -o `nvram get wan0_ifname` -j DROP
this one should cover IPs 56-59?

iptables -I FORWARD -s 10.32.50.60/32 -o `nvram get wan0_ifname` -j DROP
this one should cover IP 60?

I used an IP calculator as I'm not familiar with this.... just want to be sure I understand it well..
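An added example (not code from the thread or from either poster) that derives the five CIDR blocks discussed above from the inclusive range, emits the matching rules, and checks that the blocks cover exactly the requested addresses; wan_if is a placeholder for the value of `nvram get wan0_ifname`.

```python
from ipaddress import IPv4Address, summarize_address_range

def range_to_cidrs(first, last):
    """Minimal list of CIDR networks covering first..last inclusive."""
    return list(summarize_address_range(IPv4Address(first), IPv4Address(last)))

def cidr_drop_rules(first, last, wan_if="eth0"):
    """One `-I FORWARD` DROP per block, the form used in the thread.
    wan_if stands in for `nvram get wan0_ifname` (assumed eth0 here)."""
    return [f"iptables -I FORWARD -s {net.with_prefixlen} -o {wan_if} -j DROP"
            for net in range_to_cidrs(first, last)]

def iprange_drop_rule(first, last):
    """The single-rule alternative using the iprange match, as the script does."""
    return f"iptables -I FORWARD -i br0 -m iprange --src-range {first}-{last} -j DROP"

def covers_exactly(nets, first, last):
    """True iff the union of nets is precisely the inclusive range
    (enumerates addresses, so intended for small LAN-sized ranges)."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    covered = set()
    for n in nets:
        covered.update(range(int(n.network_address), int(n.broadcast_address) + 1))
    return covered == set(range(lo, hi + 1))

def block_table(first, last):
    """(cidr, first address, last address) per block: the check done by hand above."""
    return [(n.with_prefixlen, str(n.network_address), str(n.broadcast_address))
            for n in range_to_cidrs(first, last)]

if __name__ == "__main__":
    for cidr, lo, hi in block_table("10.32.50.30", "10.32.50.60"):
        print(f"{cidr:<18} covers {lo} - {hi}")
    for r in cidr_drop_rules("10.32.50.30", "10.32.50.60"):
        print(r)
    print(iprange_drop_rule("10.32.50.30", "10.32.50.60"))
```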
 
I'm going to help you get your first piece. This sample code will correctly block and unblock multiple ranges of IP addresses and you don't need to understand complicated schemes.

How to block
Code:
/jffs/scripts/block-ip-ranges.sh "30-60 223-243"

How to unblock
Code:
/jffs/scripts/block-ip-ranges.sh "30-60 223-243" delete

/jffs/scripts/block-ip-ranges.sh
Code:
#!/bin/sh
# Usage: block-ip-ranges.sh "30-60 223-243" [delete]
# The ranges are last-octet ranges inside the router's LAN subnet (nvram lan_ipaddr).
block_ip_ranges() {
  local IP_RANGES="$1"
  local ACTION="$2"
  # The two %s are filled with the iptables operation (-I/-A/-C/-D) and the range.
  local RULE1="/usr/sbin/iptables %s FORWARD -i br0 -m iprange --src-range %s -j DROP"

  # Default is insert; anything other than I/A/D (for example "delete") means delete.
  [ "$ACTION" = "" ] && ACTION="I"
  [ "$ACTION" != "I" ] && [ "$ACTION" != "A" ] && [ "$ACTION" != "D" ] && ACTION="D"

  # Expand "30-60" to "10.32.50.30-10.32.50.60" using the LAN network prefix.
  IPADDR="$(/usr/sbin/nvram get lan_ipaddr)"
  NETWORK="${IPADDR%.*}"
  IP_RANGES=$(/bin/echo $IP_RANGES | /bin/sed "s/[^0-9 -]*\([0-9]*\)/$NETWORK.\1/g")
  for IP_RANGE in $IP_RANGES; do
    if [ "$ACTION" = "I" ] || [ "$ACTION" = "A" ]; then
      # -C checks whether the rule already exists, so re-running never duplicates it.
      $(/usr/bin/printf "$RULE1\n" "-C" "$IP_RANGE") >/dev/null 2>&1
      if [ $? -ne 0 ]; then
        $(/usr/bin/printf "$RULE1\n" "-$ACTION" "$IP_RANGE") >/dev/null 2>&1
      fi
    else
      # Only delete a rule that is actually present; otherwise report it.
      $(/usr/bin/printf "$RULE1\n" "-C" "$IP_RANGE") >/dev/null 2>&1
      if [ $? -eq 0 ]; then
        $(/usr/bin/printf "$RULE1\n" "-D" "$IP_RANGE") >/dev/null 2>&1
      else
        /bin/echo "NOTFOUND: "$(/usr/bin/printf "$RULE1\n" "-D" "$IP_RANGE")
      fi
    fi
  done
}

block_ip_ranges "$@"
 
Thanks Fitz,

Will that command survive a reboot, or should I add it somewhere to run at boot? (
/jffs/scripts/block-ip-ranges.sh)

Thanks :)
 
/jffs/scripts/firewall-start
Code:
#!/bin/sh
source /jffs/scripts/block-ip-ranges.sh "30-60"
 
let say I would like to block all outgoing traffic from lan IPs (between ip 10.32.50.30 and 10.32.50.60) to wan interface but still want to be accessible from the lan side (ie access 10.32.50.31 from 10.32.50.12
If you entirely want to do it from the web ui, there is always parental controls. It blocks by MAC, so even if the IPs are reassigned by dhcp, their wan traffic will still be blocked. You can however access those devices from within the lan. Not sure if this approach is the one you are looking for.
 
If you just do not want them to connect to the internet, use the Network Map clients list: select the ones you do not want out and click on "block internet", and they will not go out.
 
...I used an ip calc as I'm not familiar .... just want to be sure I understand well..

Yes, several fields in the GUI accept the CIDR notation as a shortcut to cover (large/extended) contiguous I/P ranges.

In your post #3 you posed the question
...so nothing possible from the Gui i guess ?...

So did you try entering the 5 CIDR ranges into the NSF GUI as follows:

(screenshot: 2017-03-08_07-10-11.png)

Which results in the creation of the following rules (that will automatically be re-applied if ever the router is rebooted.)
Code:
iptables -nvL NSFW --line

Chain NSFW (1 references)
num   pkts bytes target     prot opt in     out     source               destination 
1        0     0 logdrop    tcp  --  br0    eth0    10.32.50.30/31       0.0.0.0/0   
2        0     0 logdrop    tcp  --  br0    eth0    10.32.50.32/28       0.0.0.0/0   
3        0     0 logdrop    tcp  --  br0    eth0    10.32.50.48/29       0.0.0.0/0   
4        0     0 logdrop    tcp  --  br0    eth0    10.32.50.56/30       0.0.0.0/0   
5        0     0 logdrop    tcp  --  br0    eth0    10.32.50.60          0.0.0.0/0

Apologies for trying to help/educate.
 
Hi Fitz,

I went with your script and it works perfectly well.
The only thing I'm not able to figure out yet is how to set iptables to accept traffic from the OpenVPN server (10.8.0.0) to talk to (10.32.50.30-60)... I thought of using TAP, but it's not supported by iOS :(

Thanks for your help!

Current iptables set:
ASUSWRT-Merlin RT-AC87U 380.65-0 Fri Feb 3 05:19:42 UTC 2017

xxxxxx@Routeur1:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -m iprange --src-range 10.32.50.30-10.32.50.60 -j DROP
-A FORWARD -i br0 -m iprange --src-range 10.32.50.4-10.32.50.5 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A NSFW -i br0 -o eth0 -j RETURN
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP


Sorry for the blurry pics... that's via TeamViewer :)
(screenshots: Screen Shot 2017-03-09 at 8.47.25 AM.png, Screen Shot 2017-03-09 at 8.47.46 AM.png)
 
Or if anyone else can help me :) ?
 
When you connect to the VPN server from the outside, what are you doing on the local network? Accessing private E-mail server, file server, video cameras, etc?

/jffs/scripts/block-ip-ranges-with-vpn.sh
Code:
#!/bin/sh
# Usage: block-ip-ranges-with-vpn.sh "30-60" [delete]
# Both helpers read IP_RANGE from the caller's loop (shell variables are
# dynamically scoped) and fill the two %s in RULE: the operation and the range.
insert_firewall_rule() {
  local RULE="$1"
  # Insert only when -C reports the rule is not already present.
  $(/usr/bin/printf "$RULE\n" "-C" "$IP_RANGE") >/dev/null 2>&1
  if [ $? -ne 0 ]; then
    $(/usr/bin/printf "$RULE\n" "-I" "$IP_RANGE") >/dev/null 2>&1
  fi
}

delete_firewall_rule() {
  local RULE="$1"
  # Delete only a rule that is actually present; otherwise report it.
  $(/usr/bin/printf "$RULE\n" "-C" "$IP_RANGE") >/dev/null 2>&1
  if [ $? -eq 0 ]; then
    $(/usr/bin/printf "$RULE\n" "-D" "$IP_RANGE") >/dev/null 2>&1
  else
    /bin/echo "NOTFOUND: "$(/usr/bin/printf "$RULE\n" "-D" "$IP_RANGE")
  fi
}

block_ip_ranges() {
  local IP_RANGES="$1"
  local ACTION="$2"
  local IF_VPNSERVER1="tun21"
  # RULE1 drops everything the restricted range sends out. RULE2 is inserted
  # after it (so it ends up above RULE1 in the chain) and only lets replies to
  # connections already opened from the VPN server's tunnel interface through.
  local RULE1="/usr/sbin/iptables %s FORWARD -i br0 -m iprange --src-range %s -j DROP"
  local RULE2="/usr/sbin/iptables %s FORWARD -i br0 -o $IF_VPNSERVER1 -m iprange --src-range %s -m state --state RELATED,ESTABLISHED -j ACCEPT"

  # Default is insert; anything other than I (for example "delete") means delete.
  [ "$ACTION" = "" ] && ACTION="I"
  [ "$ACTION" != "I" ] && [ "$ACTION" != "D" ] && ACTION="D"

  # Expand "30-60" to "10.32.50.30-10.32.50.60" using the LAN network prefix.
  IPADDR="$(/usr/sbin/nvram get lan_ipaddr)"
  NETWORK="${IPADDR%.*}"
  IP_RANGES=$(/bin/echo $IP_RANGES | /bin/sed "s/[^0-9 -]*\([0-9]*\)/$NETWORK.\1/g")
  for IP_RANGE in $IP_RANGES; do
    if [ "$ACTION" = "I" ]; then
      insert_firewall_rule "$RULE1"
      insert_firewall_rule "$RULE2"
    else
      delete_firewall_rule "$RULE1"
      delete_firewall_rule "$RULE2"
    fi
  done
}

block_ip_ranges "$@"
 
Yes, all of this (email, file server, etc.), and it works since those ones are located in 10.32.50.10-29... accessing resources located in 10.32.50.30-60 is not working anymore since that iptables rule from the script, from the OpenVPN server, and that makes sense I guess... so that's why I was wondering how to allow 10.8.0.0 to access it... (10.8.0.0 is the default subnet the OpenVPN server proposes on Asus/Merlin in TUN mode)... 30-60 is where I store IP cams and Chinese devices that I don't have any control over....
 
... accessing resources located in 10.32.50.30-60 is not working anymore since ...
Did you try the new script?

Now it will allow those restricted devices. If it works for you, I think you could add "-o tun21" to the 2nd rule, to make it more secure.
 
Hi :)
Sorry to bother again with this post :) (really not an iptables expert here!)

So basically all my setup is fine; I have the script running at startup that blocks the "10.32.50.30-10.32.50.60" IPs.

Now the thing is... I would like a specific machine in that range (10.32.50.40) to be allowed to send SMTP messages to the outside world... I tried by adding the following rule without success:
iptables -A OUTPUT -p tcp --dport 25 -s 10.32.50.40 -j ACCEPT

And I invoke the external mail server by IP address, so it's not that the DNS request is rejected...

Any advice?

Thanks for your help :)
 
tried by adding the following rule without success:

Use iptables -I

iptables works on a "first match" basis: using -I inserts the rule at the top of the chain (giving it priority), whereas -A appends the rule to the end of the chain (giving it lowest priority).

iptables -I FORWARD -p tcp --dport 25 -s 10.32.50.40 -j ACCEPT
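An added example, not from the thread, that replays the first-match behaviour described above over a constructed model of this thread's FORWARD chain; it also shows why the earlier OUTPUT rule never saw the cam's traffic, since LAN-to-WAN packets are forwarded rather than generated by the router.

```python
from ipaddress import ip_address

def rule(target, src_range=None, proto=None, dport=None, iif=None):
    """One modelled iptables rule; a None field means 'match anything'."""
    return {"target": target, "src_range": src_range, "proto": proto,
            "dport": dport, "iif": iif}

def matches(r, pkt):
    """iprange --src-range is inclusive at both ends, as in the thread's rules."""
    if r["src_range"] is not None:
        lo, hi = (ip_address(x) for x in r["src_range"].split("-"))
        if not lo <= ip_address(pkt["src"]) <= hi:
            return False
    return all(r[k] is None or r[k] == pkt[k] for k in ("proto", "dport", "iif"))

def walk_chain(rules, pkt, policy):
    """First matching rule decides; if nothing matches, the chain policy applies."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy

def verdict(chains, pkt):
    """A routed LAN-to-WAN packet only traverses FORWARD (policy DROP in the
    thread's ruleset); OUTPUT (policy ACCEPT) only sees the router's own packets."""
    if pkt["forwarded"]:
        return walk_chain(chains["FORWARD"], pkt, "DROP")
    return walk_chain(chains["OUTPUT"], pkt, "ACCEPT")

# Constructed from the thread's `iptables -S`: the script's iprange DROP sits at
# the top of FORWARD, the firmware's LAN catch-all ACCEPT near the end.
BASE = {
    "FORWARD": [rule("DROP", src_range="10.32.50.30-10.32.50.60", iif="br0"),
                rule("ACCEPT", iif="br0")],
    "OUTPUT": [],
}
# Constructed packet: the cam at 10.32.50.40 opening an SMTP connection to the WAN.
SMTP_PKT = {"src": "10.32.50.40", "proto": "tcp", "dport": 25,
            "iif": "br0", "forwarded": True}
ALLOW_SMTP = rule("ACCEPT", src_range="10.32.50.40-10.32.50.40", proto="tcp", dport=25)

def apply_rule(chains, chain, op):
    """Copy of chains with ALLOW_SMTP appended (-A) or inserted at the top (-I)."""
    new = {k: list(v) for k, v in chains.items()}
    new[chain] = new[chain] + [ALLOW_SMTP] if op == "-A" else [ALLOW_SMTP] + new[chain]
    return new

def smtp_verdict(chain, op):
    """Verdict for the cam's SMTP packet after `iptables <op> <chain> ... -j ACCEPT`."""
    return verdict(apply_rule(BASE, chain, op), SMTP_PKT)

if __name__ == "__main__":
    for chain, op in (("OUTPUT", "-A"), ("FORWARD", "-A"), ("FORWARD", "-I")):
        print(f"iptables {op} {chain} ... -s 10.32.50.40 --dport 25 -j ACCEPT -> {smtp_verdict(chain, op)}")
```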
 
