AnswerBun.com

How to block all inbound traffic from a specific Internet address or subnet using TomatoUSB router software (LINUX based)

I’m not trained in Linux, but I think I found the solution to my problem documented; it is just not working as expected. I am NOT an iptables guru; I’m learning as I go.

A Russian IP is trying to hack my network, especially an email server I have running on my network. So I have a port forward of port 25 to the mail server machine. My router is running TomatoUSB – a Linux-based router I have root ssh access to.

I’ve tried this command:

 iptables -I INPUT -s 45.142.195.5 -j DROP

And

 iptables -L -nv 

returns a lot of stuff, and now at the very beginning looks like this:

 Chain INPUT (policy DROP 9 packets, 504 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 DROP       all  --  *      *       45.142.195.5         0.0.0.0/0

This did not stop the traffic, though, as my email server is still reporting connection attempts from this IP address, so the rule is not dropping anything.

Perhaps the INPUT chain is not where I need to add this? I’m not yet educated on the different chains. INPUT intuitively seemed like the right place, but because this is a NAT router, should I really have some sort of rule in the FORWARD chain that says not to forward to anyone if this is the source address?

Seems like what I want to do should not be difficult, but I’m struggling to figure this one out so far.

Information Security Asked by appDeveloper on December 28, 2020

1 Answer

As I wrote "Perhaps the INPUT chain is not where I need to add this", I decided to look more closely at the output of the iptables -L -nv command. Sure enough, I found a chain called "wanin" that has all my port forwarding rules. Aha moment - I want to block some port forwarding!

So I changed my command to:

iptables -I wanin -s 45.142.195.5 -j DROP

and lo and behold - the constant logging in my email server logs of attempts to log in from this address has stopped!

Now I have to figure out how to add this to a script run when the router reboots. This command is not "permanent" or remembered between boots.

I'll also probably change the source to 45.142.195.0/24 to block the whole subnet.

Answered by appDeveloper on December 28, 2020
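The following script is an added example, not code from the original post or from the Tomato project. It turns the one-off command in the answer into something that survives a reboot and also handles the subnet. Tomato re-runs whatever is in Administration > Scripts > Firewall every time it rebuilds its firewall (boot, WAN up/down), so the assumed deployment is: save this file to persistent storage such as /jffs/blocklist.sh (an assumption; any mounted USB path works too) and put the single line "sh /jffs/blocklist.sh apply" in that Firewall box. Other assumptions, none of which come from the post: the port-forward chain is named wanin, as the answer found on that router (it hangs off FORWARD in Tomato's generated rules, so a rule there covers forwarded traffic only, which is why an INPUT rule is added as well for services on the router itself); the router's iptables understands the -C check option (iptables 1.4.11 and later), which keeps the script idempotent across repeated firewall rebuilds; and the BLOCKLIST contents are a constructed sample. Sources are validated as IPv4 host or CIDR strings before they reach the iptables command line, so a typo or stray argument cannot end up in a rule.

```shell
#!/bin/sh
# blocklist.sh: drop all traffic from chosen sources on a TomatoUSB router.
# Added example, not code from the original post. Assumptions (not in the post):
#  - the file lives on persistent storage, e.g. /jffs/blocklist.sh, and
#    Administration > Scripts > Firewall contains "sh /jffs/blocklist.sh apply",
#    so it re-runs every time Tomato rebuilds its firewall;
#  - iptables supports -C (1.4.11 and later); on an older build replace the -C
#    check in add_once with a grep over "iptables -S $chain".

# Sources to drop: single hosts or CIDR blocks, whitespace separated.
# Constructed sample; the first entry is the address from the question.
BLOCKLIST="
45.142.195.5
45.142.195.0/24
"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
# Anything else (a hostname, an IPv6 address, stray iptables arguments) is
# rejected before it can reach the iptables command line.
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32       # no slash: a single host
    case "$prefix" in *[!0-9]*|'') return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr                            # split the address into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*|'') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print, without running, the commands apply_blocklist would run for $1.
# wanin is Tomato's port-forward chain (the one the answer found); INPUT covers
# services on the router itself such as ssh and the web admin page.
rules_for() {
    echo "iptables -I wanin -s $1 -j DROP"
    echo "iptables -I INPUT -s $1 -j DROP"
}

# Insert a DROP for $2 at the top of chain $1 unless an identical rule already
# exists, so repeated runs (every firewall rebuild) do not pile up duplicates.
add_once() {
    chain=$1; src=$2
    if ! iptables -n -L "$chain" >/dev/null 2>&1; then
        logger -t blocklist "chain $chain not found, skipping $src"
        return 1
    fi
    iptables -C "$chain" -s "$src" -j DROP 2>/dev/null ||
        iptables -I "$chain" -s "$src" -j DROP
}

apply_blocklist() {
    for src in $BLOCKLIST; do
        if is_ipv4_cidr "$src"; then
            add_once wanin "$src"
            add_once INPUT "$src"
            logger -t blocklist "dropping all traffic from $src"
        else
            logger -t blocklist "ignoring malformed entry: $src"
        fi
    done
}

# Print the rules for every valid entry; used when run without "apply".
show_blocklist() {
    for src in $BLOCKLIST; do
        is_ipv4_cidr "$src" && rules_for "$src"
    done
}

# With "apply" the firewall is changed; with no argument the rules are only printed.
case "${1:-}" in
    apply) apply_blocklist ;;
    *)     show_blocklist ;;
esac
```

Run it once by hand with "apply" over ssh, then check that the new rules are the first lines of "iptables -L wanin -nv" and "iptables -L INPUT -nv" and that their pkts counters climb while the attacker is still probing; a rule whose counter stays at 0, like the INPUT-only rule in the question, is in a chain the traffic never traverses. The /24 entry is the answer's planned follow-up; a whole-subnet drop is a blunt instrument, so keep an eye on the mail log for legitimate senders inside that range.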
