Block an IP address from the Internet

mano0000 · April 28, 2021, 1:11pm

Hi All,
Just trying to get my head around how to block an IP entering through the WAN onto a mail server on the LAN side.
For example the offending IP address is 5.188.206.123, which I wish to stop.
Viewing the various posts on this forum, I have implemented as below.. on outerOS 6.48

/ip firewall address-list
add address=5.188.206.123 list=blacklist

/ip firewall filter
add action=drop chain=input src-address-list=blacklist

I can see using Torch the packets coming in..
However, the mail server is still being hit.
Checking the counters on the Firewall/Filter Rules, the counter against the drop on blacklist is not incrementing and the mail server is still being hit.

Please advise

Thanks

rextended · April 28, 2021, 1:28pm

https://apps.db.ripe.net/db-web-ui/query?searchtext=5.188.206.123
I suggest you:
5.188.206.123 => abuse@fastvps.biz

/ip firewall raw
add action=drop chain=prerouting src-address-list=blacklist

mkx · April 28, 2021, 1:41pm

Chain=input is for traffic which terminates in router itself (source doesn’t matter, can be either internet or LAN).
Chain=forward is for traffic which passes router in any direction (e.g. source on intetnet, destination on LAN or sourde on LAN and destination on internet; if there are multiple LAN subnets, this chain also affects traffic between different LAN subnets)
Chain=output is for traffic originating from router itself (and is seldomly used)

And suggestion by @rextended is a fine one. Raw firewall filter does its magic even before connection tracking machinery starts to analyze packets.

mano0000 · April 28, 2021, 3:02pm

Thanks mkx and rextended,
will try the raw filter and report..it to abuse.
Quite my fault for buying an item from Far East… and my email being abused.

mano0000 · April 28, 2021, 3:24pm

solution from rextended works perfectly..Thanks
Also reported the offending IP address.

/ip firewall raw – interesting

Rgds
Mano

rextended · April 28, 2021, 3:32pm