
IP address is portscanning me (tomato - WRT54GL) - Block it with IPtables

Discussion in 'Tomato Firmware' started by fced, Feb 21, 2012.

  1. fced

    fced Network Guru Member

    Hello,
    I'm searching for how to block an IP address which is portscanning my network...
    I'm using Tomato on a WRT54GL, and there is no Block Portscan option in Firewall, so I'm trying to create an iptables rule to block this IP address...

    Who can help me please?

    Here are the examples I have found (but I'm not sure if they work, because I still see the IP scanning all my ports in the Tomato log after saving the rule in the scripts window: http://tomatorouteraddress/admin-scripts.asp - (without restarting the router)):

    Example 1:
    iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    Example 2:
    iptables -t nat -A WANPREROUTING -s xxx.xxx.xxx.xxx -j DROP # inbound

    Is the syntax correct for Polarcloud Tomato + WRT54GL (I haven't found the "-i" and "-t" options in telnet to Tomato -> iptables -help)?

    Any help please?
    Thank you

    Cedric
     
  2. fced

    fced Network Guru Member

    After adding a rule by telnet to block the IP address which is trying to hack my network:
    iptables -I INPUT -s 41.104.xx.xx -j DROP

    I still see it trying to access ports in the log...

    Code:
    Feb 21 23:24:39 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=41.104.xx.xx DST=41.250.242.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39826 PROTO=TCP SPT=21883 DPT=3792 WINDOW=0 RES=0x00 ACK RST URGP=0
    Feb 21 23:24:42 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=41.104.xx.xx DST=41.250.242.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39846 PROTO=TCP SPT=21898 DPT=3792 WINDOW=0 RES=0x00 ACK RST URGP=0
    Feb 21 23:24:48 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=41.104.xx.xx DST=41.250.242.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39888 PROTO=TCP SPT=21933 DPT=3792 WINDOW=0 RES=0x00 ACK RST URGP=0
    Feb 21 23:24:53 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=41.104.xx.xx DST=41.250.242.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39924 PROTO=TCP SPT=21959 DPT=3801 WINDOW=0 RES=0x00 ACK RST URGP=0
    Feb 21 23:24:56 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=41.104.xx.xx DST=41.250.242.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39936 PROTO=TCP SPT=21971 DPT=3801 WINDOW=0 RES=0x00 ACK RST URGP=0
    Feb 21 23:25:02 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=41.104.xx.xx DST=41.250.242.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39976 PROTO=TCP SPT=22006 DPT=3801 WINDOW=0 RES=0x00 ACK RST URGP=0 
    Is there any way to completely ignore all requests from this IP, to put it in a ban list for 1 hour or more?
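Before deciding what to block, it helps to see what the log actually says per source. The following is an added example, not code from this thread or from Tomato: a POSIX shell function (busybox awk is enough) that reads kernel DROP lines in the format shown above and prints, per source address, the number of distinct destination ports hit, the total number of hits and the TCP flags seen, optionally restricted to one inbound interface. The sample log is constructed with RFC 5737 documentation addresses in place of the real ones. The flags column is there for a reason: a SYN to a closed port is a probe, whereas unsolicited RST/ACK packets with WINDOW=0, like the ones above, are often backscatter (replies to traffic that somebody else sent with your address spoofed as the source), which is noise rather than an attack on you.

```shell
#!/bin/sh
# Added example, not from the thread: per-source summary of Tomato kernel DROP
# log lines. On the router, feed it with:  logread | scan_summary ppp0

# Constructed sample in the same format as the thread's log, using RFC 5737
# documentation addresses instead of the real ones.
SAMPLE_LOG='Feb 21 23:24:39 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39826 PROTO=TCP SPT=21883 DPT=3792 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 21 23:24:42 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39846 PROTO=TCP SPT=21898 DPT=3792 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 21 23:24:53 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.14 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=39924 PROTO=TCP SPT=21959 DPT=3801 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 21 23:25:10 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.14 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=39990 PROTO=TCP SPT=22031 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 21 23:25:15 unknown user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.14 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 21 23:25:20 unknown user.warn kernel: ACCEPT IN=br0 OUT= MAC= SRC=192.168.1.20 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=50000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0'

# Read log lines on stdin and print "SRC distinct_ports total_hits flags",
# one line per source that was logged as DROP. Optional $1 limits the summary
# to packets that arrived on that interface (ppp0 = the WAN in the thread).
scan_summary() {
  awk -v want_if="${1:-}" '
    /kernel: DROP / {
      src = ""; dpt = ""; iface = ""; flags = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)      src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i ~ /^IN=/)  iface = substr($i, 4)
        else if ($i == "SYN" || $i == "ACK" || $i == "RST" || $i == "FIN") flags = flags $i
      }
      if (src == "" || dpt == "") next
      if (want_if != "" && iface != want_if) next
      hits[src]++
      if (!((src, dpt) in seen_port))   { seen_port[src, dpt] = 1; ports[src]++ }
      if (!((src, flags) in seen_flag)) { seen_flag[src, flags] = 1; fl[src] = fl[src] flags "," }
    }
    END {
      for (s in hits) { sub(/,$/, "", fl[s]); printf "%s %d %d %s\n", s, ports[s], hits[s], fl[s] }
    }' | sort
}

# Sources that touched at least $1 distinct ports: a crude but useful
# port-scan signal. Optional $2 is the interface filter passed through.
flag_scanners() {
  scan_summary "${2:-}" | awk -v min="$1" '$2 >= min { print $1 }'
}

# Demo on the constructed sample: 192.0.2.10 hit 3 ports in 4 packets.
printf '%s\n' "$SAMPLE_LOG" | scan_summary ppp0
```

Only lines containing `kernel: DROP` are counted, so accepted LAN traffic (the `br0` line in the sample) never appears in the summary. A source that shows up with many distinct ports and SYN flags is the case the rest of this thread is about; a source that shows only RST/ACK with a handful of ports is the backscatter case, already dropped and not worth a rule of its own.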
     
  3. mikester

    mikester Network Guru Member

    Pretend it's your friendly Algerian door to door spam salesman and ignore it. Make sure "Respond to ICMP ping" is off. Don't port scan his IP. I'd also add the iptables command to your firewall script to block the IP again after your next reboot.
     
  4. dailyglen

    dailyglen Networkin' Nut Member

    Hi fced,

    You are doing the right thing. The fact that his requests are showing up as DROPped means they are being ignored. Personally I'm trying to set up "fwknop" so that I only open ports when requested.

    Thanks.
     
  5. fced

    fced Network Guru Member

    Thank you for the answers guys :)

    Firstly I typed the iptables command directly in telnet (telnet to my router)... and after restarting the router the rule had been erased, I can't find it in:
    telnet router -> "iptables -vnL --line-numbers"

    Then I put it in the Tomato web interface:
    Tomato webif -> Administration -> Scripts -> Firewall panel -> "iptables -I INPUT -s 41.104.43.16 -j DROP" -> then I saved it, and restarted the router...

    But after the router restarted, it's the same problem, I can't find the IP blocked in:
    telnet router -> "iptables -vnL --line-numbers"

    Have I done something wrong?

    And today, the guy has changed IP address: 41.104.156.56
    Is there any way with iptables to block any incoming IP beginning with 41.104 - or maybe an iptables option to block portscans?

    The problem with Tomato is there is no option in the firewall to block portscans, is there another distribution of Tomato which has a block-portscan option?

    Thanks
    Ced

    PS: it's the first time I hear about fwknop, I will have a look at it...
     
  6. dailyglen

    dailyglen Networkin' Nut Member

    Hi Ced,

    That looks right to me but I'm no expert. Another way to check is by running:

    Code:
    cat /etc/iptables
    Which will show you the iptables commands used (with "iptables" removed). This will also show all the 'tables' (mangle, nat, filter). The default table you are looking at is "filter", which should work. Your instructions all look correct to me (that is what I do and it works)... I don't know why it isn't working. Are you using a VLAN build, maybe a bug?

    Thanks.
     
  7. fced

    fced Network Guru Member

    Thank you for your answer Dailyglen,
    I think I was doing something wrong, because now (after I typed the iptables command in Firewall Scripts of the Tomato web interface) after restarting the router, I can see the IP blocked in the iptables rules...

    But it didn't really solve my problem, because if the guy is like me and has his IP address changing every 24 hours, I will need to modify the rule every day...
    Better than nothing, but not ideal... :)
    Maybe in the user-modded Tomato firmware I will find a better firewall...

    Who knows if one of those alternative firmwares based on Tomato has a Block port scan option?
    http://www.linksysinfo.org/index.php?threads/tomato-modifications.26037/
     
  8. ntest7

    ntest7 Network Guru Member

    This seems to work pretty well. Check for folks trying to connect to port 139 or 23 (frequent scanner targets, which should be unused externally) and block all access for an hour. Adjust the target port if needed. Or add more ports!

    Note: on some versions of Tomato you need to check the "limit connection attempts" option near the bottom of the Administration/Admin Access page to make this work.

    Code:
    # block abuse for a while
    iptables -I INPUT  -m recent --name portscan --remove
    iptables -I INPUT  -m recent --name portscan --rcheck --seconds 3600 -j DROP
    iptables -I FORWARD -m recent --name portscan --remove
    iptables -I FORWARD -m recent --name portscan --rcheck --seconds 3600 -j DROP
     
    # set ports to block
    iptables -A INPUT  -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    iptables -A INPUT  -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    iptables -A INPUT  -p tcp -m tcp --dport 23 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    iptables -A INPUT  -p tcp -m tcp --dport 23 -m recent --name portscan --set -j DROP
    
    (edited for command order and to block forwarded ports)
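The following is an added example, not code from this thread or from Tomato, that puts the two mitigations discussed here into one Firewall-script body: a plain source block that also answers post 5 (a /16 such as 41.104.0.0/16 covers "any address beginning with 41.104"), and a generalised form of ntest7's recent-module trap above that takes the honeypot ports as arguments. It assumes the WAN interface is ppp0, as the IN=ppp0 field in the posted log shows (adjust WAN_IF if your WAN is not PPPoE), and that it is pasted into Administration -> Scripts -> Firewall so it is re-applied after every reboot, which is where post 7 found the rule persisted. Two deliberate differences from the rules above: the address is validated before it reaches iptables, so a typo cannot become a rule that matches everything, and every rule is pinned to the WAN interface with -i, so a LAN machine touching port 139 or 23 on the router is not banned for an hour. APPLY defaults to 0, in which case the commands are only printed (for checking on a PC); set APPLY=1 at the top when it runs on the router.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the blocking rules for a Tomato
# Firewall script. With APPLY=1 the rules are applied; otherwise they are only
# printed, so the script can be checked on a machine without iptables.
APPLY=${APPLY:-0}
WAN_IF=${WAN_IF:-ppp0}              # assumption: PPPoE WAN, matching IN=ppp0 in the log
BAN_SECONDS=${BAN_SECONDS:-3600}    # one hour, as in ntest7's rules

run() {
  if [ "$APPLY" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# Accept only a dotted-quad IPv4 address with an optional /prefix (0-32).
# Anything else is refused: a bad address must fail loudly, not silently
# turn into a rule that matches more than intended.
valid_ipv4_cidr() {
  case "$1" in
    */*) addr=${1%%/*}; pfx=${1#*/} ;;
    *)   addr=$1;       pfx=32 ;;
  esac
  case "$pfx"  in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Drop everything arriving on the WAN from one host or a whole range, both
# for the router itself (INPUT) and for forwarded ports (FORWARD).
block_source() {
  valid_ipv4_cidr "$1" || { echo "block_source: refusing '$1'" >&2; return 1; }
  run -I INPUT   -i "$WAN_IF" -s "$1" -j DROP
  run -I FORWARD -i "$WAN_IF" -s "$1" -j DROP
}

# Generalised form of ntest7's trap: a WAN host that connects to any of the
# given TCP ports is recorded in the 'recent' list named portscan, and
# everything from it is dropped for BAN_SECONDS. As in the post, --rcheck is
# inserted after --remove so that it ends up first in the chain:
#   listed and still recent -> DROP
#   listed but expired      -> entry removed, packet continues down the chain
trap_ports() {
  for chain in INPUT FORWARD; do
    run -I "$chain" -i "$WAN_IF" -m recent --name portscan --remove
    run -I "$chain" -i "$WAN_IF" -m recent --name portscan --rcheck --seconds "$BAN_SECONDS" -j DROP
  done
  for port in "$@"; do
    run -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    run -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m recent --name portscan --set -j DROP
  done
}

# What the end of the Firewall script would look like, with the values from
# this thread: the /16 asked about in post 5 and ntest7's two trap ports.
block_source 41.104.0.0/16
trap_ports 139 23
```

The insertion order is the whole point of ntest7's "edited for command order" note: if the `--remove` rule sat before the `--rcheck` rule, the first packet from a listed host would delete its entry and the ban would last exactly one packet. With `-I` used twice, the rule inserted last (`--rcheck ... -j DROP`) is evaluated first. The note in the post about "limit connection attempts" still applies, since that setting is what makes the recent module available on some builds.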
     
  9. dailyglen

    dailyglen Networkin' Nut Member
