Blocking incoming, unwanted IP connections

DD-WRT Forum Index -> Advanced Networking
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Thu Jan 12, 2023 18:29    Post subject: Blocking incoming, unwanted IP connections
I've never wanted to block incoming connections from an IP or range, but I am seeing unwanted incoming connections and want to add firewall rules to block them. I did a lot of reading and iptables is still confusing to me. Simple question: does adding this line to the Firewall Rules block connections from 179.60.147.x? (The "FORWARD" confuses me.)

iptables -I FORWARD -s 179.60.147.0/24 -j DROP

_________________
Netgear R9000
DD-WRT v3.0-r55779 std (04/12/24)
Linux 4.9.337 #721 SMP Mon Apr 8 08:07:27 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6865
Location: Romerike, Norway

Posted: Thu Jan 12, 2023 18:46
Incoming connections are blocked by the Firewall by default.

The connection must have been started from your LAN or you have opened a port at the router.

The FORWARD chain is for routing between WAN and LAN. For processes running at the router, use the INPUT chain.
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Thu Jan 12, 2023 18:54
Per Yngve Berg wrote:
Incoming connections are blocked by the Firewall by default.

The connection must have been started from your LAN or you have opened a port at the router.

The FORWARD chain is for routing between WAN and LAN. For processes running at the router, use the INPUT chain.


Ah, so I need to change my rule to INPUT

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Thu Jan 12, 2023 18:57
Incoming connections are already blocked by default, so there is no need to block them again.

It helps if you describe your problem.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Thu Jan 12, 2023 19:07
egc wrote:
Incoming connections are already blocked by default, so there is no need to block them again.

It helps if you describe your problem.


I see log entries like this. I see this as someone trying to connect to my router and I want to block it. Is that not a good idea?
Code:
Jan 12 13:41:31 LandiRouter authpriv.info dropbear[4077]: Child connection from 179.60.147.157:40226
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4077]: Exit before auth from <179.60.147.157:40226>: Integrity error
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4079]: Child connection from 179.60.147.157:46102
Jan 12 13:41:36 LandiRouter authpriv.warn dropbear[4079]: Login attempt for nonexistent user
Jan 12 13:41:37 LandiRouter authpriv.info dropbear[4079]: Exit before auth from <179.60.147.157:46102>: Exited normally

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6865
Location: Romerike, Norway

Posted: Thu Jan 12, 2023 19:29
Looks like you have SSH open on the WAN and someone tries to log in.
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Thu Jan 12, 2023 19:32
Per Yngve Berg wrote:
Looks like you have SSH open on the WAN and someone tries to log in.


I do, and I have the port set to something other than 22. I also have password login disabled and I have an authorized key created. Should I try blocking these IPs?

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6865
Location: Romerike, Norway

Posted: Thu Jan 12, 2023 19:39
With password login disabled you are safe.

Blocking it will only move the attack to another address.
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Thu Jan 12, 2023 19:55
Per Yngve Berg wrote:
With password login disabled you are safe.

Blocking it will only move the attack to another address.


Thank you, I'll stop being concerned about someone trying to hack

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2966
Location: Germany

Posted: Fri Jan 13, 2023 8:36
Then you obviously didn't use a smart port. (There are ~50,000 ports and scanning them all takes a very long time.)

You have the option "limit ssh access" under the firewall settings, which can provide additional security.
The option should prevent DDoS / brute-force attacks; they can create a very high load on your router.

Otherwise there are some other ways to harden SSH, but not with the built-in dropbear server.

E.g. disable banner, don't allow root login, use fail2ban etc.
(The DD-WRT banner directly reveals which system is used with which software, and which security vulnerabilities are involved.
The root user also makes it more insecure, because most SSH attacks target this user; if you use an unknown user, the authentication attempts fail just because of the user = double security, and not only the key.)

fail2ban can be scripted so that it automatically bans according to desired criteria.

Blocking single IP addresses manually makes no sense at all; if you look at how big the IPv4 address space is, you will never be able to handle it.
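A small fail2ban-style tally of the dropbear lines posted earlier in the thread, added here as an example that is not code from the thread, from DD-WRT or from dropbear. It ties each pre-auth failure to its source address through the dropbear child PID (the "Login attempt for nonexistent user" line carries no IP at all), skips any address that has already authenticated so a few typos from your own machine never produce a rule, and builds but does not apply the rule for the chain Per Yngve Berg named: INPUT, because dropbear runs on the router itself, not FORWARD. The sample log is constructed from the thread's lines plus one invented successful key login from the documentation address 192.0.2.10; the threshold, function names and the "reasons" breakdown are my own choices.

```python
"""Fail2ban-style tally of dropbear SSH attempts per source address.

Added example, not code from the thread, DD-WRT or dropbear. It reads syslog
lines in the format dropbear writes, maps each failure back to its source IP
via the child PID, and builds (without applying) the INPUT-chain drop rule for
addresses over a threshold that have never logged in successfully.
"""
import re
from collections import Counter

# Constructed sample: the thread's own lines plus one invented successful key
# login from the documentation address 192.0.2.10.
SAMPLE_LOG = """\
Jan 12 13:41:31 LandiRouter authpriv.info dropbear[4077]: Child connection from 179.60.147.157:40226
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4077]: Exit before auth from <179.60.147.157:40226>: Integrity error
Jan 12 13:41:33 LandiRouter authpriv.info dropbear[4079]: Child connection from 179.60.147.157:46102
Jan 12 13:41:36 LandiRouter authpriv.warn dropbear[4079]: Login attempt for nonexistent user
Jan 12 13:41:37 LandiRouter authpriv.info dropbear[4079]: Exit before auth from <179.60.147.157:46102>: Exited normally
Jan 12 13:42:01 LandiRouter authpriv.info dropbear[4081]: Child connection from 192.0.2.10:51000
Jan 12 13:42:03 LandiRouter authpriv.info dropbear[4081]: Pubkey auth succeeded for 'root' with ssh-ed25519 key SHA256:constructed from 192.0.2.10:51000
"""

CONNECT_RE = re.compile(r"dropbear\[(?P<pid>\d+)\]: Child connection from (?P<ip>[\d.]+):\d+")
SUCCESS_RE = re.compile(r"dropbear\[(?P<pid>\d+)\]: \w+ auth succeeded for")
# "Login attempt for nonexistent user" names only the PID, never the address,
# which is why the PID -> IP map in parse_dropbear() is needed.
FAILURE_RE = re.compile(
    r"dropbear\[(?P<pid>\d+)\]: (?P<msg>Login attempt for nonexistent user"
    r"|Exit before auth from <[^>]+>: (?P<why>.*)"
    r"|Bad password attempt for .*)"
)


def parse_dropbear(log_text):
    """Return {ip: {"connections", "failures", "succeeded", "reasons"}}."""
    pid_to_ip = {}
    stats = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            pid_to_ip[m["pid"]] = m["ip"]
            entry = stats.setdefault(m["ip"], {"connections": 0, "failures": 0,
                                               "succeeded": 0, "reasons": Counter()})
            entry["connections"] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m and m["pid"] in pid_to_ip:
            stats[pid_to_ip[m["pid"]]]["succeeded"] += 1
            continue
        m = FAILURE_RE.search(line)
        # A failure whose PID was never seen (log rotated mid-session) is
        # skipped rather than attributed to a guessed address.
        if m and m["pid"] in pid_to_ip:
            entry = stats[pid_to_ip[m["pid"]]]
            entry["failures"] += 1
            reason = m["why"] or m["msg"].split(" from ")[0]
            entry["reasons"][reason] += 1
    return stats


def offenders(stats, threshold=3):
    """Addresses with at least `threshold` failures and no successful login.

    The second condition keeps your own address off the list after a few
    typos. As the thread notes, a block only moves the scanner elsewhere, so
    treat this as a report before treating it as a rule source."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= threshold and s["succeeded"] == 0)


def drop_rule(ip):
    """Rule text for a service on the router itself: INPUT, not FORWARD."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    stats = parse_dropbear(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip}: {s['connections']} connections, {s['failures']} failures, "
              f"{s['succeeded']} succeeded, reasons={dict(s['reasons'])}")
    for ip in offenders(stats):
        print(drop_rule(ip))
```

On the constructed sample the scanner's address shows two connections and three failures (one integrity error, one nonexistent user, one normal exit before auth), while the address with a successful key login is never listed, whatever the threshold.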
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Fri Jan 13, 2023 13:41
ho1Aetoo wrote:
disable banner, don't allow root login


Can you point me to how to do these two? I do not see the options, but I may have missed them.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2966
Location: Germany

Posted: Fri Jan 13, 2023 13:56
This is complicated... because, as you have already correctly pointed out, DD-WRT has no setting for it.

https://lokcon.me/2020/05/03/ddwrt-ssh-banner

https://www.reddit.com/r/DDWRT/comments/bj8t92/disable_root_login_on_dropbear/
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Fri Jan 13, 2023 14:03
ho1Aetoo wrote:
This is complicated... because, as you have already correctly pointed out, DD-WRT has no setting for it.

https://lokcon.me/2020/05/03/ddwrt-ssh-banner

https://www.reddit.com/r/DDWRT/comments/bj8t92/disable_root_login_on_dropbear/


The first is near-painless. For the second, if I drop "root", what do I use for SSH login? I'm thinking that since I use a key, not a password, I am not risking much.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2966
Location: Germany

Posted: Fri Jan 13, 2023 14:11
Best practice: create another user for SSH.
But this is, as said, complicated, at least with the DD-WRT possibilities....
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1018

Posted: Fri Jan 13, 2023 14:12
ho1Aetoo wrote:
Best practice: create another user for SSH.
But this is, as said, complicated, at least with the DD-WRT possibilities....


Thanks for the advice

Page 1 of 2. All times are GMT.