Hello Guys,
Today, my data center blocked my server, saying that I'm performing a net scan on the following ranges:
141.101.78.0/23
173.245.48.0/20
I'm using RouterOS as an L2TP VPN server, so I assume one of the users is using the server to do a net scan.
They told me I should block traffic to the above IP ranges, but I don't have WinBox access.
How can I block output and forward traffic to the following IP ranges via the terminal?
141.101.78.0/23
173.245.48.0/20
Regards,
Are these enough to block all outgoing traffic (output & forward) from all sources to those IP ranges I mentioned?
/ip firewall filter
add action=drop chain=output dst-address=141.101.78.0/23
add action=drop chain=output dst-address=173.245.48.0/20
add action=drop chain=forward dst-address=141.101.78.0/23
add action=drop chain=forward dst-address=173.245.48.0/20
k6ccc
July 18, 2023, 4:00pm
3
Are these enough to block all outgoing traffic (output & forward) from all sources to those IP ranges I mentioned?
/ip firewall filter
add action=drop chain=output dst-address=141.101.78.0/23
add action=drop chain=output dst-address=173.245.48.0/20
add action=drop chain=forward dst-address=141.101.78.0/23
add action=drop chain=forward dst-address=173.245.48.0/20
Should be. The output chain will stop anything originating from your router, and the forward chain will stop anything passing through the router.
anav
July 19, 2023, 7:28pm
4
To be clear, it appears you are saying that you have a client, an L2TP user on your server, that is the bad actor, continually scanning those ranges…
If that is the case:
a. identify the user,
b. block the traffic,
c. then decide what action to take!!
What you will need:
1 - A firewall address list, SCAN-RANGES, to hold the scanned ranges
2 - A firewall address list, BAD-ACTOR, to capture the offending source
Combo Raw + Filter
/ip firewall address-list
add list=SCAN-RANGES address=141.101.78.0/23
add list=SCAN-RANGES address=173.245.48.0/20
/ip firewall raw
add chain=prerouting action=drop src-address-list=BAD-ACTOR dst-address-list=SCAN-RANGES
add chain=prerouting action=add-src-to-address-list address-list=BAD-ACTOR log=yes dst-address-list=SCAN-RANGES
/ip firewall filter
add chain=forward action=drop src-address-list=BAD-ACTOR dst-address-list=SCAN-RANGES
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
TRAIL OF ACTIVITY
The first attempt to scan the IP range is caught in prerouting, logged, and the source address is added to the address list BAD-ACTOR.
Next, that traffic proceeds to the forward chain, where it is dropped. Note it has to be before any rule allowing LAN-to-WAN traffic.
All subsequent attempts by the same BAD-ACTOR will then be dropped in RAW.
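To make the rule order concrete, here is an added Python model of the raw + filter pipeline from the post above (example code, not RouterOS and not the poster's). It assumes one forwarded packet per call, ignores connection tracking and fasttrack, and uses a constructed source 10.10.10.5 as the L2TP client.

```python
import ipaddress


class Firewall:
    """Toy model of the raw/prerouting + filter/forward rules; simplified, no conntrack."""
    def __init__(self):
        # Address lists: the two scanned ranges from the thread, and BAD-ACTOR, which
        # starts empty and is filled by the raw add-src-to-address-list rule.
        self.lists = {
            "SCAN-RANGES": [ipaddress.ip_network("141.101.78.0/23"),
                            ipaddress.ip_network("173.245.48.0/20")],
            "BAD-ACTOR": [],
        }
        self.log = []  # what log=yes would record on the router (constructed format)
        # Rules are (chain, action, match); order matters, as it does in RouterOS.
        self.raw = [
            ("prerouting", "drop", lambda p: self.in_list(p["src"], "BAD-ACTOR")
             and self.in_list(p["dst"], "SCAN-RANGES")),
            ("prerouting", "add-src-to-address-list",
             lambda p: self.in_list(p["dst"], "SCAN-RANGES")),
        ]
        self.filter = [
            ("forward", "drop", lambda p: self.in_list(p["src"], "BAD-ACTOR")
             and self.in_list(p["dst"], "SCAN-RANGES")),
            ("forward", "accept", lambda p: p["in"] == "LAN" and p["out"] == "WAN"),
        ]

    def in_list(self, addr, name):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.lists[name])

    def walk(self, rules, chain, pkt):
        """Evaluate one chain top to bottom and return the first terminating action."""
        for rchain, action, match in rules:
            if rchain != chain or not match(pkt):
                continue
            if action == "add-src-to-address-list":  # non-terminating: record, keep going
                self.lists["BAD-ACTOR"].append(ipaddress.ip_network(pkt["src"]))
                self.log.append(f"{chain}: {pkt['src']}->{pkt['dst']} added to BAD-ACTOR")
                continue
            return action
        return "accept"  # implicit accept when nothing terminating matched

    def process(self, pkt):
        """Forwarded packet: raw/prerouting, then filter/forward. Returns (verdict, table)."""
        if self.walk(self.raw, "prerouting", pkt) == "drop":
            return ("drop", "raw")
        return (self.walk(self.filter, "forward", pkt), "filter")
```

Calling process() twice for the same constructed 10.10.10.5 -> 141.101.78.10 packet returns ('drop', 'filter') and then ('drop', 'raw'), which is the trail of activity described above; a packet to an address outside the lists is accepted by the LAN-to-WAN rule.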