Security: rules, need to limit incoming connections to 10/hour per IP

Hi, i need to help with security.. i dont get rules logic or so..

OpenWRT is my second router in a row, used as a wifi-client bridged to lan ports
there is no WAN zone
only luci-proto-realy bridge wifi-client to lan ports = LAN zone

i am getting UDP flooding from internet, destination IP is same everytime along with destination PORT

source IP address differ, cause its botnet from the outside internet
i still need to have that port opened, cause there is a server service, where casual users connect

i need to achieve somehow: and trying to figure out with rules, there is firewall4 preinstalled
i could install iptables or firewalld using packages, but idk if that is supported or etc

i just need to LIMIT incoming connections from ANY internet IP to 1 destination IP:PORT in LAN to 10 per hour or so. other connections drop or reject, etc.

like limit accept of any IP to to 10/hour, otherwise drop/reject

could you point me to tutorial, show me how, or just give example of rule? i am fighting rules for hours already and it does not work as expected (my fault probably)

how about you whitelist the IPs, subnets or countries allowed to connect ?

As long as the attacker can send UDP traffic your way they can always simply try to crowd out your legitimate traffic by flooding your link. To guard against such (distributed) denial of service attack you need help from upstream, so either your ISP or some commercial dos defense service...

1 Like

it is 90 millions connections per month, 1000-2000 per minute
cause source is botnet, i would probably also blacklist casual users
cause its server service, users connecting have mostly very random country, ip, location

because destination in my network is everytime same =
i just need to make rule limiting connection from any host to 10/hour to this client ip
otherwise drop/reject

i am not skilled or awared how to use rules probably. most things i have setup, but i am fighting what zones should i list as source and destination. so it doesnt work yet.

i have 3 interfaces : wifi-client, wifi-luci-proto relay bridge, and lan = all in lan zone

you could always try fail2ban, it's capable of blacklisting IPs based on connection frequency (among other things).

1 Like

regarding third party utils or additions i am very sceptic, cause .. i prefer standalone openwrt and its capabilities, that are almost limitless.. and such a list of IPs could end up with megabytes of datas, which would crash server-open wrt router with very limited memory and space.

why not use the built-in features and minimilistic solutions than are already here?

if not openwrt rules, what about iptables? im sure i had installed these already in openwrt and seem em working. problem is how to confire rule for em or for openwrt

Something like ?

BanIP would be good here as well with a daily updating block list of known botnets and bad IPs.

I think he wants 10/hr per IP source.

Note to @soundguy when you say

the firewall can absolutely track 10/hr per source but it needs to keep a list of anything that has been seen in the last hr. If 90M bots have tried to access then thats around 400MB of memory just for the list.

The job you are trying to do is better done by a heavier duty machine. Something like an ARM board with 4GB of RAM like NanoPi r4s or Raspberry Pi 4 or an x86 mini PC


Even my provider does not protect me from that or so. They just limit connections to 2000 then strict cutoff.

Yeah, i want 10/hour per IP source.

Yeah i know im limited cause router has 16 or 32 megs or RAM and half is consumed by firmware in ROM.

What i was able to create was this set of a rules:

o cant determine which one of the first 3 rules work, but one probably does.. and i dont know if 4th rule is needed. What i think is, that system applies em in a row from the first on the top till the bottom of the list.

This has really cutoff the attack in 3 minutes and appears it does not continue nor repeat. I am watching it, cause there is only 3 minutes log. What am i trying to find out is also if casual users can connect.

What i need to determine, or what would like to is, whether i need the 4th rule to drop other packets and which one of first 3 rules really works. I tried disabling and enabling one by one, but im not sure at all.
Problem is with zones of source and destination probably.

Its not about routing at all. No routing is being made. It is from LAN to LAN, just there is bridged WIFI and LAN.

no, those are overall limits, not per ip. your attacker sends 10 packets, the rule hits its limit and then no-one can send more packets.

I don't think anyone can really read your mind about the way your network is configured, but it does seem like you are configurating a router that routes between other networks and a network, and the botnets are on the internet, so yes, there's some routing going on here.

What you want is a per ip limit, which is doable by nftables directly but I'm not sure how openwrt configures that in the current fw4. I don't have any openwrt devices to check with at the moment. This used to be called a hashlimit under iptables, under nftables its either called a "meter" or uses the generic "set" syntax

also as I said before, it would be pretty trivial to overload your router's RAM by a botnet if it's using the dynamic sets / meters. To do this properly you need to run a much beefier router, in terms of RAM available. I'd get something with 2G minimum since that kind of thing is available for less than $100 (RPi 4 is down to $77 or so on Amazon for 4GB, nano pi R4s with case and power supply and 4GB is about $110)

Yeah i have noticed.. 10 packets per hour was enough to filter ddos attack and bots, but also casual users said they were not able to connect, it took 3-5 minutes then they did...

Sure i have router, then another router, that is behaving like a swittch, just wirelessly bridging another lan, but both are same subnet and ip range.. and you dont need to magic ball, its written in the first message.

Sure, i need achieve connections per ip limit. I was told, that iptables should do that, with using easy rule, but i was unable to find iptables config tab. Altought i have installed iptables on my openwrt and the tab was there (in some previous versions), i dont know where to find it.. half year or year ago.. now with clean install im missing it and could not find. Something like this "iptables -A INPUT -p UDP --dport 7700:8700 -m ttl --ttl-gt 240 --jump DROP" they said.

I am not big expert on openwrt, i want achieve minimalistic installattion with as lowest number of packages as possible. im awared router is stupid box.. 16-32 mb of ram, cpu, ten years old. its like game of my rules and algorhitms against the attackers. i cant invest.. if i would... they have botnet of thousands computers.. does not make sense to do it. just need to limit connections per ip.

This is just kind of the wrong setup. You want the rule to be running on the border router. you want the border router to be a memory+cpu-beefy device with 2GB or more of RAM, wired only would be smart.

Once you've got what you need, you want to add a meter to the nftables rules by placing the rule in a file that's included into the main firewall. This is files inside /etc/nftables.d/

Unfortunately openwrt wiki is acting very sluggish at the moment, taking about 3 mins to load a page, and I'm not sure what wiki info will help you writing this rule and putting it in the correct file.

Nevertheless, by putting a rule like the ones discussed in the nftables wiki link above, you would be able to express this limit rule just like you want, but only if you've got at least hundreds of megabytes of memory if not multiple gigabytes

What i am sure now, is this is not regarding packets number or so, but connections number or limit connection numbers.

What i am trying achieve is simple, ban or ban and list those ddos attackers, mostly its few ip addresses doing thousand connections, so if list could last / hold on an hour, it would probably be enough.

I have hardware what i have, does not matter if border router or another device, where traffic is pointed, if i reach ddos attack connections got closed/rejected.

There used to be iptables settings in every tab of openwrt in some previous versions.. but now i have installed iptables and there is no settings for em. There is conntrack or something.

I dont know linux tools / parts of the system / nor abilities, im just trying to achieve simple thing using simpliest method available. I cant compete with hackers to buy hardware for great costs, they have botnet of thousands computers of infected / hacked computers, i cant compete with. Need simple rule or so.

UDP is a connectionless protocol. A packet just gets fired at your machine, it's not part of a "connection". The firewall does create a memory of those packets as part of its firewalling but for example your machine doesn't have to reply in a way that says "yes I'm hearing you". This is unlike TCP, where the initiator says "SYNthesize a connection" and the responder says "ACKnowledge your SYNthesis request" and then the initiator says "ACKnowledge your response" and at that point they both know they're talking together.

That's what makes UDP annoying for DoS is that the attacker can just hammer you with packets without any response from your machine.

If you don't block the connection at the border, then you'll be putting their attacking packets onto your LAN. You can filter it at the access point, but it's definitely less good than if you filter it before it ever even hits your LAN.

you should NOT have iptables installed anywhere on your router, that can cause problems.

discusses how to insert your own custom nftables rules. Something like this:

table dosfilter {
    set mydosset { 
     type ipv4_addr
     size 65535
     flags dynamic
     elements = {}
   chain ip { 
      type filter hook input priority 0;
      udp dport 7777 add @mydosset { ip saddr limit rate 10/minute } accept

By putting that in the right file in /etc/nftables.d/ and/or debugging it it should drop packets beyond the first 10 in any minute from each IP address.

note, this would be for a border router where it's filtering "input" but you've got your machine filtering on a bridge and that requires more fiddling around. I would have to look up filtering on a bridge and we'd have to know more specifically about how you've got your device set up

Thank you for detailed response. I am trying to understand whats described inside it.

OpenWRT lists udp ddos attack as connections.. and even counts em, but yeah probably it is like u said, with every connection there is packets number and it rises with every another connection.

yeah also my provider reported this attack.. i cant help em, they cant do anything.. im number one in their 10k computers network.. probably most wanted.. zzz russians.
i can block on my border router or swap border router for one with openwrt, but still need that port accesible from outside. i have tried (as well as others using same SW) change that udp port, it does NOT help, attackers adapt.

so buying superexpensive hardware would not solve this, even for my provider.. if they cant find solution themselves, they are not skilled or lazy, idk. they just cutoff my network when 2000 connections is reached.

  1. so ... NFTtables, is this preinstalled on openwrt?
  2. i was already searching how to edit any file inside openwrt file structure and etc.. havent found way. will this work using ssh and casual linux commands? like VI editor etc.. ?

yeah best would be cutoff such an attack after first idk.. 100 packets or 10 packets, i will find right number, mostly then attack stops entirely from that ip.. and after some time, comes from another ip

its obvious we are talking about botnet and scripts making ddos attacks, thousands ips, etc. i have to just find - create smarter script.

EDIT: Ok i used ssh, found the dir..What means.. if you put it into right file? cant i use any new? VI seems to work. There is only file: 10-custom-filter-chains.nft

Rules that include a table declaration like @dlakelan posted should be put into /usr/share/nftables.d/ruleset-post/ directory (create ruleset-post first. The filename you choose should end with .nft

so .. the only dirs with nft files were:


did i correctly choose the first one? others could be .. idk some symlink only like mirror of these or not, idk

i have created the dir.. when listed its blue color, idk what it means, with prd.nft file inside
containing the whole table script above

gonna restart router now... how do i recognize, that it is in use and properly working? is there some output or place where could i check any output or log data? does it store the 65536 bytes of ip addresses ? somewhere in a file or in memory? router reports free memory 16 mbs, but free disk space only 500 kb

The correct directory is /usr/share/nftables.d/ruleset-post/. Run these commands to put the file in the correct location, check for errors, then restart the firewall and print the full ruleset:

mkdir -p /usr/share/nftables.d/ruleset-post/
mv /etc/nftables.d/ruleset-post/prd.nft /usr/share/nftables.d/ruleset-post/
fw4 -q print | nft -c -f /dev/stdin
service firewall restart
nft list ruleset

Are you sure about the directory? I have pasted default openwrt structure on my device, but sure i can try to create such a dir ... there was /usr/share/nftables.d/ already but not /ruleset-post/ that i have created.

The question regarding script.. 65535 is bytes size for temporarily storing IP addresses of bots?
Does this consume memory of a device or file size in filesystem? Cause i have 16 mb memory free but only 500kb on disk space.
I would increase it anyway if that is possible? Should not interfere with anything, right?

Then i have ran all the commands you .. wait sec, there is some error msg (Looks like many syntax errors.)...... i will examine and post it.