IP sets blocking

I'm trying to block a subnet but the ipsets don't seem to be blocking.

What am I doing wrong, please?
IPSet is set to source IP Address of 179.189.0.0/16
And its set to DROP...

Yet I still have incoming connections listed.

When I blocked 179.189.89.0/24 it worked for a while.

Help please, these attacks from Brazil are trying to kill me.

Please post the /etc/config/firewall so we can see how you’ve set things up.

This is the IPSET for those Brazilian IPs that are hitting locations.

config rule
	option src 'wan'
	option name 'br-block'
	option target 'DROP'
	option direction 'in'
	option device 'eth0'
	option ipset 'brazil'
	list proto 'all'

config ipset
	option name 'brazil'
	option family 'ipv4'
	option maxelem '65535'
	option counters '1'
	list match 'ip'
	list entry '64.62.156.162'
	list entry '85.11.183.25'
	list entry '78.128.112.74'
	list entry '179.189.0.0/16'
	list entry '198.235.24.254'
	list entry '189.36.0.0/16'
	list entry '45.172.0.0/16'

If I run it as a pure firewall system as..

config rule
	option src '*'
	option name 'blockerz'
	option target 'DROP'
	option dest '*'
	list src_ip '179.189.0.0/16'
	list src_ip '189.36.0.0/16'
	list src_ip '45.172.0.0/16'
	list src_ip '186.209.0.0/16'
	list src_ip '179.108.0.0/16'
	list src_ip '143.0.0.0/16'

Then they get blocked fine..

Into /etc/config/network

config route
	option interface 'loopback'
	option type 'blackhole'
	option target '192.168.0.0/16'
	option metric '38'

These parameters are not common. In fact, device is an advanced option.

Did you use the web GUI to make this rule?

(Or making blackhole routes work too.)

Use the banip package instead?

1 Like

Change ip to net.

2 Likes

Well, I want to block the incoming from the external, so yes, I set it to the DEVICE so that it wasn't looking at the traffic from the other NICs and wasting the resources checking all those too.

What does "net" do that "ip" doesn't?

It allows the /16 CIDR syntax.

If I'm to do that, then someone would need to buy me better hardware.

nftables did the trick for me:

chain prerouting_ip_drop {
	type filter hook prerouting priority -500;
	ip saddr { 64.62.156.162, 85.11.183.25, 78.128.112.74, 179.189.0.0/16, 198.235.24.254, 189.36.0.0/16, 45.172.0.0/16 } log prefix "BR-DROP-" counter drop
}

So ip only allows /24?

Trying the banip way, but banip won't start, just keeps saying "error" and no details provided.

No, ip ignores the mask completely, since your list of IPs are a mix of individual IPs and subnets. It’s a simple change to net.

1 Like

list match 'src_net'

correct?

src is assumed if not specified, but yes, that would be correct.

1 Like

That's simply wrong: Just look in the tab "Processing log" ... and look in the readme ...

2 Likes

Hi folks,

I'm wanting to know if there is any way I can perform IP blocking without having to do the save and apply?
Can be by the CLI, just want one command that will allow me to add an IP or IP with CIDR and just have it take effect immediately and drop all the connections for that IP/Range.
Is there any way to add a start and end IP address and have it calculate the CIDR for ease of use?

Also, are there any options for COUNTRY blocking?

You'll have to edit and save on the CLI as well.

No. But there are many subnet calculator websites if you need help subnetting.
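An added check, not from this thread and not part of OpenWrt or its firewall package: it parses the `config ipset` sections from a copy of /etc/config/firewall and flags subnet entries listed under an `ip` match (where the mask is ignored, as noted above for the ip/net question), and, for the range question, turns a first/last address pair into the CIDR blocks that would be used as `list entry` values. The sample stanza is constructed from the one posted earlier; the `rsplit` on the match key assumes the `src_net`/`dest_net` naming shown above.

```python
import ipaddress
import re

# Constructed sample modeled on the ipset stanza posted above: match 'ip'
# with subnet entries mixed in among single hosts.
SAMPLE_FIREWALL = """
config ipset
\toption name 'brazil'
\toption family 'ipv4'
\tlist match 'ip'
\tlist entry '64.62.156.162'
\tlist entry '179.189.0.0/16'
\tlist entry '189.36.0.0/16'
"""
_KV = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_ipsets(text):
    """Return [{'name', 'match', 'entry'}, ...] for each 'config ipset' section."""
    sets, cur = [], None
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["config"]:          # new section; only track ipsets
            cur = {"name": None, "match": [], "entry": []} if words[1:2] == ["ipset"] else None
            if cur is not None:
                sets.append(cur)
            continue
        m = _KV.match(line)
        if cur is None or not m:
            continue
        key, val = m.groups()
        if key == "name":
            cur["name"] = val
        elif key in ("match", "entry"):
            cur[key].append(val)
    return sets


def masked_entries(ipset):
    """Subnet entries whose mask an 'ip' (host) match would ignore; [] if match is *net."""
    if any(m.rsplit("_", 1)[-1] == "net" for m in ipset["match"]):
        return []
    nets = [ipaddress.ip_network(e, strict=False) for e in ipset["entry"]]
    return [e for e, n in zip(ipset["entry"], nets) if n.prefixlen < n.max_prefixlen]


def range_to_cidrs(first, last):
    """Minimal CIDR blocks covering first..last, usable as 'list entry' values."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]
```

Run it against a saved copy of the firewall config; any entry it reports under an `ip` ipset will only ever match its single host address until the match is changed to `net`.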

I recall a thread where:

  • a common website that provides lists of IPs by country
  • adding those into an ipset via a scheduled task
  • creating a UCI firewall rule referencing the ipset