1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to block an IP address?

Discussion in 'Tomato Firmware' started by Ronnie_USA, Feb 3, 2011.

  1. Ronnie_USA

    Ronnie_USA Networkin' Nut Member

    I don't see any where in the firewall to do this.
    Here is one of the IP address I would like to block .
    I'm using Tomato Firmware v1.28.7441 MIPSR2-Toastman E3000 USB Ext

    Thank You for any help on this.
  2. Toastman

    Toastman Super Moderator Staff Member Member

    Put this in firewall script box:

    iptables -I INPUT -s -j DROP
  3. rhester72

    rhester72 Network Guru Member


    iptables -t nat -A WANPREROUTING -s -j DROP # inbound
    iptables -t filter -A wanout -d -j DROP # outbound

  4. Ronnie_USA

    Ronnie_USA Networkin' Nut Member

    Thank You both very much.
  5. Ronnie_USA

    Ronnie_USA Networkin' Nut Member

    Is there a way to block one specif country? ( China )
  6. bogderpirat

    bogderpirat Network Guru Member

    not generically. you can block all of china if you have a list of subnets that are allocated to china and block them all using the above method.
  7. Ronnie_USA

    Ronnie_USA Networkin' Nut Member

  8. scrupul0us

    scrupul0us LI Guru Member

  9. phuque99

    phuque99 LI Guru Member

    Is there enough NVRAM space to include all CIDRs from a single country in IPTABLE deny rules?
  10. Ronnie_USA

    Ronnie_USA Networkin' Nut Member

    No, I tried it.
    Be nice if there was a way to do this.
  11. phuque99

    phuque99 LI Guru Member

    Probably not within the realm of the humble router. I believe iptables are too primitive and inefficient. Imagine a valid packet has to traverse through a huge table before being passed into the network.

    Commercial firewall or routers does geographic blocking by comparing the IP with a built-in (or external) database that returns a positive/negative match of country code. That's outside the realm of "routing" :)
  12. phuque99

    phuque99 LI Guru Member

    While I was poking around the recent source codes from git, I noticed in "release/src-rt/linux/linux-2.6/config_base", geoIP netfilter is enabled as a module:

    I compiled a quick K2.6 build, loaded into my router and checked loadable modules available in the router:

    # cat /lib/modules/modules.dep | grep geo
    So this is interesting; country matching is available for iptables. So I added a rule to block access US from accessing my internal SSH server (I already have port forward settings to send port 22 into my internal machine):

    # insmod xt_geoip
    # iptables -I wanin -p tcp -m geoip --src-cc US -d --dport 22 -j DROP
    US was the only other geographical location that I could test from. I went into a US based machine and confirmed that access to port 22 of my machine was dropped. I checked again for dropped packets registered by the router:

    # iptables -vnL
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination
        3   180 DROP       tcp  --  *      *          Source country: US tcp dpt:22
    Anyone who is interested in dropping traffic from certain geographical location could try this out. Please remember to test to ensure what I shared here is not snake oil.

    Edit: I missed out mentioning that the modules check the static path /var/geoip/ for geographic database that I've already saved in router. You can fix your own copy following instructions here: "http://ubuntuforums.org/showthread.php?t=125380". csv2bin tool can be downloaded here: "http://people.netfilter.org/acidfu/geoip/tools/"

    Because of this dependency, you'll have to hack this in a couple of ways:

    1. Created the latest copy of geoipdb.bin and geoipdb.idx, save it on a USB drive.

    2. Either change the source code to static link the DB to the USB drive path, wget (after wanup) both files from the web into /var/geoip or copy them from USB into that location after the drive is mounted.

    Either way, figuring out the best sequence is required to make sure the geo rules survive a router reboot.
  13. Masterman

    Masterman Networkin' Nut Member

    The only effective method of doing this is with Optware and some clever bash scripting.

    An example of the init.d script is located here:


    This is running on my DD-WRT router as Tomato has problems with the service command that is needed to run it. It was specifically scripted for DD-WRT as well (I wish I could run it on Tomato). The options are unlimited. I can add country codes, ranges etc.

    My firewall script:

    iptables -I INPUT 2 -i $wanf -p tcp --dport 21 -j logaccept
    iptables -I INPUT 2 -i $wanf -p udp --dport 20:29800 -j asia 
    iptables -I INPUT 2 -i $wanf -p tcp --dport 20:29800 -j asia 
    iptables -I FORWARD 1 -i $wanf -p udp --dport 20:29800 -j asia 
    iptables -I FORWARD 1 -i $wanf -p tcp --dport 20:29800 -j asia
    Also you can echo an IP/Subnet to the script via a symlink:

    root@Asustek:~# cat /opt/etc/asia.spam              # QWEST-INET-14            # VIS-71-96           # MEDIACOM-RESIDENTIAL-CUST            # BROADBANDAUDIT          #           # AKAMAI          #          # UNICOM-HE            # MICROSOFT-1BLK           # DNE-EDIN-VLAN            # SINGNET-SG           # NEOSTRADA-ADSL           # AMAZON-EC2-7           # ST-DYNXDSL-95-102          # EA          # PRIMUS-BLKA1          #           # CHANGZHOU-ZHONGXIN-CORP           # SINGNET-SG            # intergenia AG        # NETDIRECT-NET           # SINGNET-SG         # HOSTNOC-5BLK          # TWRS         # UK2-INFRA-SHARED-WEB-HOSTING          # GigaTux_1        # TRUE-BB-ADSL         # HOSTINGSERVICES-INC         #          # GOOGLE        # UK-MML-SYMERA-EASTSERVE-LTD         # NTTA-128-242         # RCMS          # GOOGLE         # SOFTLAYER-4-3           # IEPHOSTING         # VP-NET-1-UGMK-TELECOM-RU          #          # SUAVEMENTE-SAN-DIEGO         # FASTIT-DE-DUS1-COLO4         # FAST-GNS         # SECUREST_LTD         # CRITEO-USA          # NIGHTFLIGHT-NET        #          # ES-AITIC-20050706      #       #      # MCS-COL3        # OTENET        # VIS-BLOCK
    There are many more available options as well:

    root@Asustek:~# service
    Service:            factconfig (/opt/etc/init.d/S00factdefault)
    Service:                 named (/opt/etc/init.d/S09named) disabled
    Service:                xinetd (/opt/etc/init.d/S10xinetd)
    Service:                  dbus (/opt/etc/init.d/S20dbus)
    Service:             automount (/opt/etc/init.d/S35automount)
    Service:          reloc_syslog (/opt/etc/init.d/S40relocate_syslog)
    Service:             pixelserv (/opt/etc/init.d/S45pixelserv)
    Service:          soundmodules (/opt/etc/init.d/S45soundmodules) disabled
    Service:               portmap (/opt/etc/init.d/S55portmap) disabled
    Service:                 unfsd (/opt/etc/init.d/S56unfsd) disabled
    Service:                zabbix (/opt/etc/init.d/S70zabbix) disabled
    Service:              lighttpd (/opt/etc/init.d/S80lighttpd) disabled
    Service:                 pound (/opt/etc/init.d/S80pound) disabled
    Service:                 samba (/opt/etc/init.d/S80samba)
    Service:             vlighttpd (/opt/etc/init.d/S80vlighttpd) disabled
    Service:                  kaid (/opt/etc/init.d/S85kaid) disabled
    Service:              asterisk (/opt/etc/init.d/S90asterisk) disabled
    Service:                nzbget (/opt/etc/init.d/S90nzbget) disabled
    Service:          transmission (/opt/etc/init.d/S90transmission) disabled
    Service:             fixtables (/opt/etc/init.d/S94fixtables)
    Service:            stophammer (/opt/etc/init.d/S94stophammer)
    Service:             asiablock (/opt/etc/init.d/S95asiablock)
    Service:            birmablock (/opt/etc/init.d/S95birmablock) disabled
    Service:                twonky (/opt/etc/init.d/S95twonky) disabled
    Service:          watchprinter (/opt/etc/init.d/S95watchprinter) disabled
    Service:            worldblock (/opt/etc/init.d/S95worldblock) disabled
    Service:               siproxd (/opt/etc/init.d/S98siproxd) disabled
    Service:              stophack (/opt/etc/init.d/S98stophack) disabled
  14. phuque99

    phuque99 LI Guru Member

    @Masterman: Thanks for the tip. Unfortunately what you shared seems to be xenophobic on Asia only. The maxmind.com database covers every country code.
  15. Masterman

    Masterman Networkin' Nut Member

    When the script was first created, it was designed to keep out any SouthEast Asian country. If you look at the script, you can add/remove ANY country code you wish. A little vi editing is all it takes..:wink:
  16. phuque99

    phuque99 LI Guru Member

    What does your iptables look after running the script? Is there large number of IP blocks? The script appears to be tailor specific to "block" IPs only. Running a geoip database with iptables tables allow you to customize more specific things, like:

    Allow FTP from US only
    Deny SSH from FR
    Allow SFTP only from BR,KR

    So I believe the method you choose will depend on your specific needs. You can modify the script to run on Tomato since the start stop services command is different on tomato firmware.
  17. Masterman

    Masterman Networkin' Nut Member

  18. phuque99

    phuque99 LI Guru Member

    Wow, more than 1000 lines of rules. I suppose if it works for you, no harm there. I've got geoipdb.bin on a USB drive plugged to the router. So on my end, I can configure a couple of country codes per service port as a single iptables command.
  19. Masterman

    Masterman Networkin' Nut Member


    Attached above is an output of my iptables- vnL.

    If I didn't have such a large port range dedicated to blocking those subnets, it wouldn't be as large (20:28900).

    Most people that run this script just do --dport 2:1024. I however, over several years, have found this configuration to be ideal for my LAN as I have alot of open ports from 20-28900.

    Also, the stophammer script is very important as well:


    root@Asustek:~# cat /opt/etc/iptables.hammer
    iptables-restore -n </opt/etc/iptables.hammer.rules
    iptables -I INPUT 2 -i vlan2 -p tcp --syn -j syn_flood
    iptables -I INPUT 2 -i vlan2 -j nologdrop
    pos=`iptables --line-numbers -nL FORWARD | grep ESTABLISHED | head -n1 | awk '{print $1}'`
    let pos+=1
    iptables -I FORWARD $pos -i vlan2 -p tcp --syn -j syn_flood
    iptables -I FORWARD $pos -i vlan2 -j nologdrop

    root@Asustek:~# cat /opt/etc/iptables.hammer.rules
    :syn_flood - [0:0]
    :nologdrop - [0:0]
    -A syn_flood -m multiport -p tcp --dports 80,8080,88 -j RETURN
    -A syn_flood -m limit --limit 1/s --limit-burst 5 -j RETURN
    -A syn_flood -j LOG --log-prefix "[hammer] : " --log-tcp-options --log-ip-options
    -A syn_flood -j DROP
    # Notorious hammer
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j ACCEPT
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j DROP
    -A nologdrop -s -j ACCEPT
    # End Notorious hammer

Share This Page