Block attack ports with iptables?

DD-WRT Forum Index -> General Questions
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Sat Feb 22, 2020 13:12    Post subject: Reply with quote
Cartel...as I see you are not new in the forum...always when you ask something, tell us your router model/revision and current build running...

as I said, on some routers the multiport command is present but its range is very limited, or it's not present at all..

best bet...one line per port....
unless you are struggling with lack of nvram...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1416

PostPosted: Sat Feb 22, 2020 17:05    Post subject: Reply with quote
Yes, those would work. As noted, depending on your router version/firmware the "multiport" module may not be present, and you would have to enter each port on a different line, but you seem to get the syntax (a reference is: https://wiki.dd-wrt.com/wiki/index.php/Iptables_command)
danielwritesback
DD-WRT User


Joined: 29 Aug 2011
Posts: 240

PostPosted: Wed Apr 01, 2020 20:53    Post subject: Reply with quote
Currently, I have:
Code:
iptables -t nat -I PREROUTING -p tcp -m multiport --sport 22,23,53,135,139,445,623,3389,5357,5900,9971,16992,16993,16994,16995 -j DROP
iptables -t nat -I PREROUTING -p udp -m multiport --sport 22,135,137,138,161,445,623,1900,3702,5355,9971,16992,16993,16994,16995 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -I OUTPUT -p tcp --dport 53 -j REJECT
iptables -I FORWARD -d 8.8.8.8 -j REJECT
iptables -I FORWARD -d 8.8.4.4 -j REJECT

The last two lines are for preventing an excessively high connection count from Google Home and Chromecast devices.
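The advice earlier in the thread (multiport may be missing or limited, so fall back to one line per port) and the port lists in the post above can be combined in one small script. The following is an added example, not code from the thread or from the DD-WRT project. It assumes the same table and chain the post uses (`iptables -t nat -I PREROUTING`), probes for the extension with `iptables -m multiport -h`, and respects the multiport match's limit of 15 ports per rule by splitting longer lists. It only prints the commands; to apply them on a router, run the output through `sh` from a firewall script.

```shell
#!/bin/sh
# Added example, not from the thread: emit the DROP rules discussed above either
# as multiport rules (when the match is available) or as one line per port.
# Everything below only builds the command strings; pipe the output to sh from a
# DD-WRT firewall script to apply them on a router.

# Source-port lists constructed from danielwritesback's post above.
TCP_SPORTS="22,23,53,135,139,445,623,3389,5357,5900,9971,16992,16993,16994,16995"
UDP_SPORTS="22,135,137,138,161,445,623,1900,3702,5355,9971,16992,16993,16994,16995"

# Table/chain prefix kept as in the thread; change it (e.g. "iptables -I INPUT")
# if you would rather drop in the filter table.
PREFIX="iptables -t nat -I PREROUTING"

# Probe: iptables exits non-zero when it cannot load the multiport extension.
# (This checks the userspace extension; a missing kernel module still shows up
# as an error when the rule is actually inserted.)
have_multiport() {
    iptables -m multiport -h >/dev/null 2>&1
}

# One rule per port: needs no extra match module, so it works on every build.
# $1 = tcp|udp, $2 = comma-separated ports, $3 = sport|dport
per_port_rules() {
    proto=$1; ports=$2; dir=$3
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        echo "$PREFIX -p $proto --$dir $p -j DROP"
    done
    IFS=$old_ifs
}

# multiport rules: the match takes at most 15 ports per rule, so longer lists
# are split into chunks of 15 (a range such as 16992:16995 would count as two).
multiport_rules() {
    proto=$1; ports=$2; dir=$3
    chunk=""; n=0
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        if [ -n "$chunk" ]; then chunk="$chunk,$p"; else chunk=$p; fi
        n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            echo "$PREFIX -p $proto -m multiport --${dir}s $chunk -j DROP"
            chunk=""; n=0
        fi
    done
    IFS=$old_ifs
    if [ -n "$chunk" ]; then
        echo "$PREFIX -p $proto -m multiport --${dir}s $chunk -j DROP"
    fi
}

# MULTIPORT=yes|no forces a style; anything else (the default) probes the router.
emit_rules() {
    case "${MULTIPORT:-auto}" in
        yes) multiport_rules "$@" ;;
        no)  per_port_rules "$@" ;;
        *)   if have_multiport; then multiport_rules "$@"; else per_port_rules "$@"; fi ;;
    esac
}

emit_rules tcp "$TCP_SPORTS" sport
emit_rules udp "$UDP_SPORTS" sport
```

Because the rules are built as strings, you can run the script on a PC with `MULTIPORT=no` to see exactly what the per-port fallback would load, and compare the line count against the nvram you have left before pasting it into the firewall script.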