Somebody tries to connect my ftp from internet. How can I block his address not to connect to mine?
error is:
login failure for user Administrator from (ip address)
also another person always pings me.
I have changed ftp’s port but that bot still tries to log in. That causes traffic. I just want to block that bot’s ip address. How can I do that?
/ip firewall filter add chain=input src-address=a.b.c.d action=drop
where a.b.c.d is the IP Address you wish to block
This code will drop all connections to the router from a.b.c.d. You may wish to narrow the net a little by specifying the protocol (TCP) and port.
I did that from routing part. Is that also OK?
Well that code didn’t helped me to get pings:
/ip firewall filter add chain=input src-address=a.b.c.d action=drop
/ip firewall filter add chain=input dst-address=a.b.c.d action=drop
/ip firewall filter add chain=output src-address=a.b.c.d action=drop
/ip firewall filter add chain=output dst-address=a.b.c.d action=drop
I entered these 4 rules, but it still I can connect to other side and other side can connect to me.
In routing drop part, I couldn’t connect other part but other part can connect me.
You need only two “drop” rules to completely block a particular IP address. One in the input chain and the other in the forward chain. This rules must then be placed above all other “allow” rules, preferably at the very top of the filter rules.
/ip firewall filter add chain=input src-address=a.b.c.d action=drop
/ip firewall filter add chain=forward src-address=a.b.c.d action=drop
you must replace “a.b.c.d” in the above codes with the ip address you wish to block and then move this rules to the very top in filter.
That let’s me not to connect that ip, I don’t want that ip to make connection to me.
Just my two cents worth:
Here is are some of the rules that we use on our production routers that allow for connection blocking by IP address and dynamic blocking for specified time by IP for given protocol (e.g ICMP). Just another method of blocking connections that I find to be a little easier to manage (which is needed when you have 40+ routerboards in the field). Also for the advanced users please forgive the step by step instructions, just trying to make it as easy to understand for beginners as possible. I know I still need the instructions from time to time.
# Define Source lists for connections to block/allow
add action=drop chain=ProtectRouter comment="Drop connections from bad people" disabled=no src-address-list=BadPeople
add action=accept chain=ProtectRouter comment="Accept connections from good people" disabled=no src-address-list=GoodPeople
# Allow related connections
add action=accept chain=ProtectRouter comment="Allow related connections" connection-state=related disabled=no
# Dynamically Allow Connections
add action=accept chain=ProtectRouter comment="Accept < 5 pings" disabled=no limit=5/10s,1 protocol=icmp
add action=accept chain=ProtectRouter comment="Allow < 3 SSH attempts" disabled=no dst-port=22 limit=1/6s,1 protocol=tcp
# Dynamic Connection Blocking
# address-list - This parameter is set to the list we defined for our "BadPeople" list
# address-list-timeout - This parameter can be set to block for timed period if removed this equals always block
# chain - This parameter is set to the "ProtectRouter" chain for rule grouping and to allow related connections
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1h chain=ProtectRouter comment="Block > 5 pings" disabled=no protocol=icmp
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1d chain=ProtectRouter comment="Block > 3 SSH attempts" connection-state=new disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1d chain=ProtectRouter comment="Block Port Scanners" disabled=no protocol=tcp psd=21,3s,3,1
To block/allow connections permanently you can add static entries into the BadPeople/GoodPeople list via the console like this:
/ip firewall address-list add list=BadPeople address=xxx.xxx.xxx.xxx
You and also add static entries via WinBox like this:
- Navigate to Address List
a. IP → Firewall → Address List - Add New Entry (Red plus sign)
- Select GoodPeople/BadPeople from drop down list
- Add IP address to block/allow
Hope it helps,
John Annis
The Wireless Web
You make everything complicated. There’s a only one person who is bad person, boogy man or whatever you call.
How can I block his address?
add action=drop chain=ProtectRouter comment=“Drop connections from bad people” disabled=no src-address-list=BadPeople
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1h chain=ProtectRouter comment=“Block > 5 pings” disabled=no protocol=icmp
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1d chain=ProtectRouter comment=“Block > 3 SSH attempts” connection-state=new disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1d chain=ProtectRouter comment=“Block Port Scanners” disabled=no protocol=tcp psd=21,3s,3,1
/ip firewall address-list add list=BadPeople address=xxx.xxx.xxx.xxx
are those enough to keep only badperson from my network? Anybody can ping and try to connect my router except that person who has xxx.xxx.xxx.xxx ip address. I just want to do that.
sarpkaya:
I apologize for the confusion, let me try to clarify the information in my original post.
If the only thing you want to do is block a single IP address then following two lines will accomplish just that.
add action=drop chain=ProtectRouter comment="Drop connections from bad people" disabled=no src-address-list=BadPeople
/ip firewall address-list add list=BadPeople address=xxx.xxx.xxx.xxx
Having said that I am ever the pessimist and like to take a proactive approach and preemptively block the otherwise nefarious would be intruders. These three entries monitor inbound traffic and look for possible bad people that might be attempting to compromise your network and temporarily ban their IP for x amount of time.
# If a person pings my IP more than 5 times then block add their IP to the BadPeople list for 1 hour
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1h chain=ProtectRouter comment="Block > 5 pings" limit=5/10s,1 protocol=icmp
# If a person attempts more than 3 SSH connections in x time their IP to the BadPerson list for 1 day
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1d chain=ProtectRouter comment="Block > 3 SSH attempts" connection-state=new disabled=no dst-port=22 protocol=tcp limit=1/6s,1 protocol=tcp
# If a person attempts to port scan the router add their IP to the BadPerson list for 1 day
add action=add-src-to-address-list address-list=BadPeople address-list-timeout=1d chain=ProtectRouter comment="Block Port Scanners" disabled=no protocol=tcp psd=21,3s,3,1
I hope this clarifies any confusion that I may have inadvertently caused.
John Annis
The Wireless Web
what’s the prefix of these 3 codes like /ip firewall? it is not working.
sarpkaya:
Do you ever get the feeling that you always forget to include something important, I always re-read my post before submitting and inevitably always for get something important. To apply those three rules via the console you need to be at /ip firewall filter.
Sorry about that,
John Annis
The Wireless Web
/ip firewall add action=drop chain=ProtectRouter comment=“Drop connections from bad people” disabled=no src-address-list=BadPeople
is not working. That’s what I’m saying.
sarpkaya:
Notice keyword filter in the console command below, it looks like you have forgot to include it when trying to add the rule to the firewall.
/ip firewall filter add action=drop chain=ProtectRouter comment="Drop connections from bad people" disabled=no src-address-list=BadPeople
Thank you,
John Annis
The Wireless Web