
How to block all inbound traffic from a specific Internet address or subnet using TomatoUSB router software (LINUX based)

Information Security Asked by appDeveloper on December 28, 2020

I’m not trained in Linux, but I think I found the solution to my problem documented, but it is not working as expected. I am NOT an iptables guru, I’m learning as I go.

A Russian IP is trying to hack my network, especially an email server I have running on my network. So I have a port forward of port 25 to the mail server machine. My router is running TomatoUSB – a Linux based router I have root ssh access to.

I’ve tried this command:

 iptables -I INPUT -s 45.142.195.5 -j DROP

And

 iptables -L -nv 

returns a lot of stuff, and now at the very beginning looks like this:

 Chain INPUT (policy DROP 9 packets, 504 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 DROP       all  --  *      *       45.142.195.5         0.0.0.0/0

This did not stop the traffic, though, as my email server is still reporting connection attempts from this IP address, so the rule is not dropping anything.

Perhaps the INPUT chain is not where I need to add this? I’m not yet educated on the different chains. INPUT intuitively seemed like the right place, but because this is a NAT router, should I really have some sort of rule in the FORWARD chain that can say not to forward to anyone if this is the source address?

Seems like what I want to do should not be difficult, but I’m struggling to figure this one out so far.

One Answer

As I wrote "Perhaps the INPUT chain is not where I need to add this" I decided to look more closely at the output of the iptables -L -nv command. Sure enough, I found a chain called "wanin" that has all my port forwarding rules. Aha moment - I want to block some port forwarding!

So I changed my command to:

 iptables -I wanin -s 45.142.195.5 -j DROP

and lo and behold - the constant logging in my email server logs of attempts to login from this address has stopped!

Now I have to figure out how to add this to a script run when the router reboots. This command is not "permanent" or remembered between boots.

I'll also probably change the source to 45.142.195.0/24 to block the whole subnet.

Answered by appDeveloper on December 28, 2020
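The reason the first attempt counted zero packets is that a port-forwarded connection is DNAT'd and then traverses the FORWARD chain, never INPUT (INPUT only sees traffic addressed to the router itself); on Tomato, packets arriving on the WAN interface are handed from FORWARD to the "wanin" chain, which is why the rule worked there. The script below is an added example, not code from the original post or from the Tomato project. It turns the two ad-hoc commands from the answer into something that can be pasted into a boot-time hook so the block survives a reboot, and it covers both the single host and the /24 the poster planned to add. It assumes the "wanin" chain exists on your build (as it did for the poster), that it runs as root after the firewall has been built (on Tomato the usual place is the Firewall box under Administration > Scripts, which the router re-runs whenever it rebuilds its rules; confirm this on your firmware version), and the block-list entries are the constructed sample values from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): persistent source-address
# blocking for TomatoUSB's "wanin" chain. Assumes the chain exists on your
# build and that this runs as root after the firewall has been built.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run that only prints the commands
CHAIN="${CHAIN:-wanin}"            # the chain that holds Tomato's port-forward rules

# Constructed block list: the address from the post and the /24 the poster
# planned to block. One entry per line; a bare host may omit the /32.
BLOCKLIST="45.142.195.5
45.142.195.0/24"

# Syntax check for an IPv4 address or IPv4/prefix; returns 0 when well-formed.
# Catches a fifth octet, an octet above 255 or a prefix above 32 before the
# entry reaches iptables, so a typo cannot silently produce a wrong rule.
valid_cidr() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32      # no "/" given: a single host
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"
    IFS=.
    set -- $addr                           # split the address into its octets
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert (-I) a DROP rule at the top of the chain so it is evaluated before
# the port-forward ACCEPT rules that follow it. Returns 1 on a malformed entry.
block_source() {
    src="$1"
    if ! valid_cidr "$src"; then
        echo "block_source: skipping malformed entry '$src'" >&2
        return 1
    fi
    "$IPTABLES" -I "$CHAIN" -s "$src" -j DROP
}

# Apply every entry in BLOCKLIST; blank lines are ignored and a rejected
# entry is reported and skipped rather than aborting the rest of the list.
apply_blocklist() {
    printf '%s\n' "$BLOCKLIST" | while read -r entry; do
        [ -n "$entry" ] || continue
        block_source "$entry" || :
    done
}

# Run as "sh block.sh apply" to install the rules; with IPTABLES=echo it only
# prints what it would run, which is a safe way to review the list first.
if [ "${1:-}" = "apply" ]; then
    apply_blocklist
fi
```

After applying it, `iptables -L wanin -nv` should show the DROP rules at the top of the chain, and their pkts counter should climb while the mail server's log of attempts from that address stays quiet; a counter that stays at zero means the traffic is taking a different chain, exactly the symptom the INPUT rule showed.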
