OpenWrt Forum Archive

Topic: Block traffic from subnet

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am trying to block all traffic from a subnet (58.218.199.x). I set up a firewall rule to drop all packets from 58.218.199.0/24.
I can see in iptables:
DROP       all  --  58.218.199.0/24      anywhere

However, I can see traffic from these malicious IPs. I am puzzled... what's the error?
Thanks

fyi,

Can you please elaborate - how does this link relate to my question? I don't have excessive traffic; I have specific computers on a specific subnet somewhere in China poking my services. I see unsuccessful attempts in the HTTP log, in the FTP log, and attempts to connect through SSH.
So, I am trying to block specific address range. I don't understand how this link applies.

Or - you meant to post it in some other thread?

If you have open services, then that information has nothing to do with you.

Did you define a forward or input rule?

1)
Make sure that your rule is the first rule in the iptables rule chain, so that an "accept rule" does not have time to accept the packet first, before the drop rule sees it.

2)
Elaborating jow's question a bit: the "INPUT" chain and its subchains handle traffic to the router itself, while the "FORWARD" chain (and subchains) handles the traffic through the router to the LAN. You might set the drop rule in both chains.

@jow. Input rule (I want to drop the packets; how would I specify it in the forward?) But the logs I am looking at are on the other server, so *forwarding* is not prevented. I don't have logs on the router itself for space reasons. Are you suggesting that putting in an input rule doesn't prevent forwarding?

hnuman: 1. it is the first rule
2. How do I specify DROP in a FORWARD rule (either in the UI, or if impossible - in an iptables command)? Also, for testing, I set a similar blocking rule for a single IP address. It stopped me cold for both "INPUT" and "FORWARD" ports.

ymhee_bcex, correct - input does not prevent forward and forward does not prevent input. In order to completely drop traffic from a certain subnet towards both your server and the router you'll need two rules.

For /etc/config/firewall this is:

# Input rule (no dest)
config rule
  option src wan
  option src_ip 1.2.3.4/24
  option target DROP

# Forward rule (dest = lan)
config rule
  option src wan
  option dest lan
  option src_ip 1.2.3.4/24
  option target DROP

Manual iptables rules would be:

iptables -I INPUT -i $(uci -P/var/state get network.wan.ifname) -s 1.2.3.4/24 -j DROP
iptables -I FORWARD -i $(uci -P/var/state get network.wan.ifname) -s 1.2.3.4/24 -j DROP
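
Added example, not from this thread or from the OpenWrt project: a small POSIX sh script that audits a UCI firewall config for exactly the mistake discussed above, a DROP on a source subnet that exists only as an input rule (no dest, so it lands in INPUT) or only as a forward rule (dest lan, so it lands in FORWARD). The sample config it writes is constructed for the demonstration; on a real router you would point audit_drop_rules at /etc/config/firewall instead.

```shell
#!/bin/sh
# Audit an OpenWrt-style /etc/config/firewall file and report, for every
# "config rule" with target DROP and a src_ip, whether the subnet is dropped
# in both directions. Rules without "option dest" cover INPUT (traffic to the
# router itself); rules with "option dest lan" cover FORWARD (traffic through
# the router). A subnet present in only one of the two is reported as MISSING.
audit_drop_rules() {
  # $1 = path to a UCI firewall config file
  awk '
    # Strip the optional single or double quotes UCI allows around values.
    function clean(v) { gsub(/["\047]/, "", v); return v }
    # Record the section just finished, if it was a DROP rule with a src_ip.
    function flush() {
      if (section == "rule" && target == "DROP" && src_ip != "") {
        if (dest == "") input_seen[src_ip] = 1; else fwd_seen[src_ip] = 1
        all[src_ip] = 1
      }
      section = ""; target = ""; src_ip = ""; dest = ""
    }
    $1 == "config" { flush(); section = clean($2); next }
    $1 == "option" && $2 == "target" { target = clean($3) }
    $1 == "option" && $2 == "src_ip" { src_ip = clean($3) }
    $1 == "option" && $2 == "dest"   { dest = clean($3) }
    END {
      flush()
      for (s in all) {
        if (input_seen[s] && fwd_seen[s])
          print s " OK: input+forward"
        else if (input_seen[s])
          print s " MISSING: forward rule (add a config rule with option dest lan)"
        else
          print s " MISSING: input rule (add a config rule without option dest)"
      }
    }
  ' "$1" | sort
}

# Write a constructed sample config (not any real router'"'"'s file) to a temp
# file and print its path: 1.2.3.4/24 is blocked both ways, 5.6.7.0/24 only in
# INPUT, 9.9.9.0/24 only in FORWARD, and the ACCEPT rule must be ignored.
write_sample_config() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
config rule
    option src wan
    option src_ip 1.2.3.4/24
    option target DROP

config rule
    option src 'wan'
    option dest 'lan'
    option src_ip '1.2.3.4/24'
    option target 'DROP'

config rule
    option src wan
    option src_ip 5.6.7.0/24
    option target DROP

config rule
    option src wan
    option dest lan
    option src_ip 9.9.9.0/24
    option target DROP

config rule
    option src wan
    option src_ip 10.0.0.0/8
    option target ACCEPT
EOF
  printf '%s\n' "$f"
}

# Usage: run the audit over the constructed sample.
sample=$(write_sample_config)
audit_drop_rules "$sample"
rm -f "$sample"
```

The script only reads the UCI file, so it can be run on the router (BusyBox awk is enough) before reloading the firewall; it does not confirm that the generated iptables rules actually sit ahead of any ACCEPT rule, which is the separate ordering concern hnuman raised.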

jow, thank you very much - I didn't realize that! Indeed, with two rules it works exactly as I would like it.

The bad part - I can't set "prevent forward" from UI. The good part - if I set this rule in /etc/config/firewall, it doesn't get wiped out when I make unrelated changes through UI (X-Wrt had such problem). This custom rule even shows in some funny way in input rules table.

I can also specify iptables rule in the "custom rules" tab which will put it in /etc/firewall.user

Love OpenWrt

jow wrote:

ymhee_bcex, correct - input does not prevent forward and forward does not prevent input. In order to completely drop traffic from a certain subnet towards both your server and the router you'll need two rules.

For /etc/config/firewall this is:

# Input rule (no dest)
config rule
  option src wan
  option src_ip 1.2.3.4/24
  option target DROP

# Forward rule (dest = lan)
config rule
  option src wan
  option dest lan
  option src_ip 1.2.3.4/24
  option target DROP

Manual iptables rules would be:

iptables -I INPUT -i $(uci -P/var/state get network.wan.ifname) -s 1.2.3.4/24 -j DROP
iptables -I FORWARD -i $(uci -P/var/state get network.wan.ifname) -s 1.2.3.4/24 -j DROP

Hey man, I just installed OpenWrt on my router (OpenWrt Chaos Calmer 15.05.1 r49389) and I'm experiencing the same issue blocking some offending IP addresses (sipvicious ones). The problem is that when I add the iptables rules to "Custom Rules" and I go to Status -> Firewall, I don't see them there. Could this be a glitch with my firmware build?

I would appreciate if you could help me confirm that.
Thanks

The discussion might have continued from here.