Help me block an IP use iptables please

Discussion in 'Tomato Firmware' started by wycf, Apr 29, 2009.

  1. wycf

    wycf Network Guru Member

    I am not familiar with iptables. All I'm trying to do is block an IP address.

    I put this line(the only line) in Administration-->Scripts-->Init

    Save then reboot. Then I ssh into tomato. When I check use "iptables -L" command, I didn't see the rule to block the IP.

    Is there anyting I did wrong? Should I move this line to the Firewall tab?

    Thanks for help.
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep. Any iptables rule set up before the "firewall" service is started/restarted will be cleared out.
  3. wycf

    wycf Network Guru Member

    Thanks SgtPepperKSU for the quick reply. I moved the line to Firewall tab and it seems works.

    Only I found out that "iptables -L' shows:
    Here the host name is at IP which I want to block.

    The reason I want block this IP is someone from this IP trying to inject a SIP call from my Asterisk server resides behind tomato. In the hacker's SIP Header (UDP) it included its IP address but not host name. I am not 100% sure this will block the SIP request because it seems based on host name rather than IP address.
  4. mstombs

    mstombs Network Guru Member

    use "iptables -vnL" so the IP addresses are not converted to names for display.

    I doubt INPUT is the chain you want to insert this block in, this only stops connections to the router itself. Use FORWARD for connections that are routed (using portforwards), or maybe "-t nat PREROUTING" - use "iptables -vnL -t nat" to see whats going on in there.
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I agree. Here is a good resource to show what tables are used for different situations and in what order.
  6. wycf

    wycf Network Guru Member

    For my understanding, if the hacker (or my real client) want initiate a VoIP phone call, he/she must send a SIP INVITE by UDP to my router at port 5060. Then my router will forward the request to my Asterisk server. In this SIP INVITE it must contain the source IP address so my asterisk server know to where it reply to. So if I block all the connection from that IP (well, I can just block port 5060 on UDP for the hacker's IP, but I just want keep it simple by block everything from that IP), there will be no more SIP INVITE from that IP then I should be safe.

    I think I need read more about the FORWARD and NAT you mentioned here and see what can I do. Right now I am a little confused and not fully understand what mstombs said here.

    I'll keep close watch on my Asterisk log to see if there any more hacking activities.
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What he was saying is that the INPUT chain (where you inserted your rule) will not be run at all in your case and won't block anything from that IP. You should place it in the FORWARD chain to block it after it gets to your router and is translated to your LAN IP, or in the PREROUTING chain of the nat table to block it before it even does that translation (see the link I provided before). The INPUT chain is only for packets whose final destination is the router.

    ie, one of the following:
    iptables -t nat -I PREROUTING -s -j DROP
    iptables -I FORWARD -s -j DROP
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice