Hello,
I have a problem. I use a MT RB750GL 5.24, and today I got an email from my ISP which told me that someone in my LAN uses my I-Net connection for hacking attacks.
I cannot find anything on my devices; the Android and Windows clients were scanned today, 100% no infection or anything else.
Is there someone who can explain to me how to find out the infected client?
I found one connection in my connection list which scares me a little…
and above, see my firewall settings…
2 ;;; Accept established connections
chain=input action=accept connection-state=established
3 ;;; Accept related connections
chain=input action=accept connection-state=related
4 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
5 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2
6 ;;; Drop excess pings
chain=input action=drop protocol=icmp
7 ;;; From our LAN
chain=input action=accept src-address=192.168.100.0/24 in-interface=ether2
12 ;;; Log everything else
chain=input action=log log-prefix="DROP INPUT"
13 ;;; Drop everything else
chain=input action=drop
If you suspect one of your localnet computers, you should be watching the forward chain also. If you know the IP of the victim, it should be easy to tell who it is.
That first entry indicates a connection from a Carrier NAT address to a Google server which might mean that somebody is relaying through you.
You could upload output from /export compact for a better interpretation. If you want a faster resolution drop me an email and I can have a live look at the router in question.
It will if you add the rules to filter it. By default, there is no firewall filtering for forward chain. The input chain only blocks or allows connections to the router. You need to block the forward chain (in one interface and out another) to get the desired result. Something like this if 1.2.3.4 is the hacking victim IP:
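An added example, not posted by anyone in this thread, of the forward-chain rules the reply above describes, written for the RouterOS CLI. It assumes ether1 is the WAN/ISP interface (the poster's rules only name ether2 as the LAN side), and 1.2.3.4 is the victim address quoted in the reply, standing in for the real one from the ISP's email.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN/ISP side,
# 192.168.100.0/24 = LAN (from the poster's input rule), 1.2.3.4 = victim.
/ip firewall filter
# Log LAN traffic towards the victim first: the logged src-address is the
# LAN host you are looking for. place-before=0 keeps these rules ahead of
# any existing forward accept rules.
add chain=forward src-address=192.168.100.0/24 dst-address=1.2.3.4 \
    out-interface=ether1 action=log log-prefix="HACK-OUT" \
    comment="Log LAN host attacking victim" place-before=0
# Then drop the same traffic so the attack stops while you investigate.
add chain=forward src-address=192.168.100.0/24 dst-address=1.2.3.4 \
    out-interface=ether1 action=drop \
    comment="Block LAN traffic to victim" place-before=1

# Read back the log: the src-address in these lines identifies the client.
/log print where message~"HACK-OUT"
# Live view of LAN connections currently heading to the victim.
/ip firewall connection print where dst-address~"^1\\.2\\.3\\.4"
# Once the host is found, its MAC address from the ARP table lets you
# match it to a physical device on the LAN.
/ip arp print where interface=ether2
```

Once the infected client is identified, the drop rule can be narrowed to that single src-address or removed after the machine has been cleaned.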