I have this one particular IP range that keeps attempting to connect to my VPN through IPsec on my L2TP server. My secrets and passwords are very strong so no worries there but was curious if someone might know of a way to put in a firewall rule or something that would just drop all traffic from them all together? I tried several firewall settings but nothing seems to work.
Thanks!!!
Add this rule for each ip you want to block:
/ip firewall filter add chain=input src-address=[ip-address] action=drop
Be sure to put it above all other rules that would accept it otherwise.
Check how the firewall filter actually works.
Of course you can ban the annoying addresses completely like @HzMeister suggests, but you can also ban them selectively only for UDP destination ports 500 and 4500 through which the IPsec connections come in. You can also log packets coming from these addresses to find out which other services it is attempting to connect to. The internet is full of “white hat” and “black hat” scanners - check for ****
shadowserver
and
shodan.io
.
I have the following semi-automatic address recorder in action:
/ip firewall add
add action=jump chain=input connection-state=new dst-address=xxx.xxx.xxx.xxx dst-port=500,4500 in-interface=ether4 jump-target=ipsec-in protocol=udp
...
add action=accept chain=ipsec-in src-address-list=ipsec-clients
add action=drop chain=ipsec-in src-address-list=white-hat-scan
add action=add-src-to-address-list address-list=ipsec-attacks address-list-timeout=none-static chain=ipsec-in connection-state=new
add action=drop chain=ipsec-in
I check the ****
address-list=ipsec-attacks
occasionally, and use
put [resolve ip.add.re.ss]
to see whether it resolves to an fqdn or not. Most of those which do resolve come from
shodan.io
and
shadowserver
, so I move them to the
address-list=white-hat-scan
Thank you HzMeister. That worked but I will look in to sindy’s idea as well as I like that option because it gives me something to try and learn. Thanks!!
To expand on HzMeister’s firewall example, here is part of my standard firewall rules addressing unsolicited incoming traffic. What I like about this set of rules is I can apply it to any protocols and port(s) that I wish. I found the basic example for blacklisting some time ago I believe on the MT forums, wiki or somewhere and expanded on it somewhat.
In this example, after checking the whitelist (whitelist.mgmt), any new connection attempt received on ether1 is processed through and will end up in the blacklist after a certain number of connection attempts within a certain time window. The jump rule can be more specific, such as for specific protocols and ports. It can also be used for traffic in the forward chain in case you are exposing an internal host service to the internet, such as a web server or FTP simply by adding a matching jump rule.
/ip firewall address-list
add address=<mgmt subnets> list=whitelist.mgmt
/ip firewall filter
add action=jump chain=input connection-state=new in-interface=ether1 jump-target=blacklist src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1w chain=blacklist comment="Blacklist processing" log=yes log-prefix="Blacklisted: " src-address-list=pre-blacklist4
add action=add-src-to-address-list address-list=pre-blacklist4 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist3
add action=add-src-to-address-list address-list=pre-blacklist3 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist2
add action=add-src-to-address-list address-list=pre-blacklist2 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist1
add action=add-src-to-address-list address-list=pre-blacklist1 address-list-timeout=5m chain=blacklist log=yes log-prefix="pre-bl1: "
add action=accept chain=blacklist src-address-list=!blacklist
add action=drop chain=blacklist log=yes log-prefix="Blacklist Drop: "
/ip firewall raw
add action=accept chain=prerouting src-address-list=whitelist.mgmt
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1w chain=prerouting log=yes log-prefix="Blacklist renew: " src-address-list=blacklist
add action=drop chain=prerouting src-address-list=blacklist
add action=drop chain=prerouting dst-address-list=blacklist log=yes log-prefix="Traffic to BL host: "