I just noticed someone in China accessed my Gmail account. I discovered that Firefox was hacked. Luckily, I was running it in an Avast VM and I killed it and was OK. I still had to change my Google password but that’s not going to be auto-logged-on from now on :P
So I started thinking that now I have this 680 MHz monster for my home network, if it’s feasible to block out the entire country of China in the forwarding tables. Then I noticed there were A LOT of subnets in there. If I did, would it be better to make it an input chain instead of forward? I am still learning how to optimize rules in iptables.
I know someone cannot get inside the network with a proper drop rule in there, but is it worth it to catch all traffic going to a country you suspect?
I started on this track because my grandmother was recently hacked but I only found out about it after I was messing with her computer. She doesn’t do online banking but I was teaching her how to use eBay so that spooked me. I thought I could get another 750G just for her. It might not stop her from being hacked, but at the very least I will know about it in an email or getting her logs:P
A properly set up firewall will protect from most of the attacks. Blocking a whole country is not going to solve your problem.
Here you can find a lot of firewall config examples: http://wiki.mikrotik.com/wiki/Firewall
Potentially, but not in your case.
Statistically speaking it is very unlikely that ‘your Firefox got hacked’, and far more likely that you went to look at a porn site that gave you drive-by malware, that in turn submitted credentials somehow obtained back to the author or whoever he sold it to. That means that you initiated the infection, at least from a network perspective. It very likely wasn’t hosted in China, either. It is very hard to solve that issue with a firewall at all, because generally speaking you want the people behind the router to be able to initiate any traffic they want and not be completely blocked from the net. The determination whether or not something is malware is not something RouterOS can do for you; appliances that can do inline analysis for malware are much, much more expensive and usually also require subscription services to enable you to obtain the latest signatures for the latest threats.
That said whether or not the router you have could feasibly block China depends on how much throughput you expect - doing filtering on 5 megs of traffic is easier than doing it on 500 megs of traffic. It also depends on what else the router is doing to traffic. And it depends on how you implement the rules. Generally speaking if you want to take the same action for a bunch of IP addresses you should always use address lists as it simplifies the logic necessary to perform comparisons and is considerably cheaper on resources.
Lastly, do read the wiki on the IP firewall filter, or any other iptables documentation. For your purposes of preventing exposure of Gmail passwords the ‘input’ chain would be near useless, as it only contains traffic that is - after NAT - destined to the router itself, and not to clients behind it.
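As an added illustration of the address-list advice above (example config, not from the thread or the MikroTik wiki): one list holds the ranges, and a single pair of forward-chain rules references it, so the per-packet cost does not grow with the number of subnets. The two prefixes are RFC 5737 documentation ranges used as placeholders, the interface names are assumed, and RouterOS v6 syntax is assumed.

```routeros
# Added example (not from the thread). Placeholder ranges stand in for the
# thousands of entries a real country allocation would contain; that size is
# exactly why one address list beats one filter rule per subnet.
/ip firewall address-list
add list=blocked-countries address=203.0.113.0/24 comment="placeholder range 1"
add list=blocked-countries address=198.51.100.0/24 comment="placeholder range 2"

/ip firewall filter
# Accept established/related flows first so the list lookup only runs on new connections.
add chain=forward connection-state=established,related action=accept comment="fast path for existing flows"
# New outbound connections from the LAN towards a listed range: log, then drop.
# The log entries are the detection signal: which inside host is talking to a listed range.
add chain=forward connection-state=new dst-address-list=blocked-countries action=log log-prefix="geo-out:"
add chain=forward connection-state=new dst-address-list=blocked-countries action=drop
# New inbound connections from a listed range towards forwarded ports: drop quietly.
add chain=forward connection-state=new src-address-list=blocked-countries action=drop
```

These rules sit in forward, not input, because client traffic through the NAT never enters the input chain; the log action passes the packet on to the next rule, so the drop rule directly below it is what actually blocks.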
It wasn’t porn! Honest! I was just looking for Warez! Honest!
I picked up some more information and found that my DNS queries were being redirected. Thank god for VMs. It also looks like he didn’t use my real password/user name but took the Gmail cookie that was transferred. (found this out from an email to Google) I am not too worried about it as I do run all my web sessions in a VM, but was more thinking if someone in my home received a rootkit, I could tell by the unusual traffic going to countries that we just don’t visit. Is there a way to trap DNS queries going outside my router? I guess I can make an output rule that just allows the router to do DNS and log everything else, but again, I am a noob and not sure it will work.
Not that I am trying to say I don’t visit unsafe sites; the issue I have been finding is that malware has been showing up on legit sites with bad banner ads. Again, my grandmother, who was embarrassed at any kind of nudity in an R-rated movie, received a rootkit from looking for recipes off Google. We ran into quite a lot of this when I was at the help desk at Nokia. It looks like one of the distributors’ websites had some bad banner ads that Norton would never notice. There wasn’t a week when someone wasn’t complaining about this new “Personal AV” software that kept asking for a credit card. That is what scares me, this stuff getting mainstream.
Kind of on topic, but I kind of get confused about the input and output chains. See, I know input blocks data going to the router itself, but how does the router know, without an established connection, that the data is for it or for a server inside the NAT? I would think you need both an input and a forward rule to forward a port on the NAT, but the forward rule seems enough. And I just read about using prerouting chains. Wouldn’t it be better to drop it from that chain so it saves CPU rather than going through the forward chain?
I get iptables, I just don’t have the experience on what the best processes for things are. I like to know why I am doing something rather than just cutting and pasting scripts.
It knows because of the destination IP address in the IP header of the packet. Once destination NAT has happened (as the last step of the prerouting process) the destination IP address is either configured on one of the router’s interfaces or it is not. If it is on one of its own interfaces the packet is destined for the router itself and is put into the ‘input’ chain; if it’s not, the router will route the packet and put it into the ‘forward’ chain. You can filter traffic in the prerouting chain, but the prerouting filters happen before destination NAT, so you do not yet know if the packet is destined for the router or going through the router. Usually the filters for the two scenarios are quite different, so it’s better to wait until you know. If there are no rules to process in the prerouting chain the only thing you’re saving is destination NAT (which probably isn’t a lot to process). You’d be saving a little processing, but most likely trade it off by having a more complicated ruleset with more rules to process in prerouting.
Premature optimization on firewall rulesets is generally not a good thing to do. Optimize if you have performance issues. In most scenarios it’s far more valuable to have a more expensive ruleset that is easy to understand and troubleshoot than to have a very efficient ruleset and two hours of downtime because you can’t figure out why in the hell the traffic you need to get to the inside network is being blocked. http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
I am not sure what you mean by ‘trap DNS queries’. RouterOS doesn’t do well with DNS application layer inspection, if that is what you mean. You can however ensure that DNS queries only go to specific DNS servers on the outside, or use the router as a caching resolver and forbid clients from using outside DNS servers.
Overall I don’t think you’ll gain anything by blocking a country and keeping up with what their regional internet registry assigns them only to find that the next attack was based in a country you don’t block.
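The second option from the DNS reply above, pinning LAN clients to the router’s own caching resolver and logging anything that tries to go around it, as an added example (not from the thread; RouterOS v6 syntax, the interface names ether1-wan/ether2-lan and the upstream resolver 203.0.113.53 are placeholders):

```routeros
# Added example (not from the thread). The router resolves for the LAN and
# forwards to one upstream; clients that ignore it show up in the log.
/ip dns
set servers=203.0.113.53 allow-remote-requests=yes

/ip firewall filter
# allow-remote-requests=yes would otherwise make the router an open resolver
# on the WAN side, so refuse DNS arriving on the WAN interface.
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop
# Clients asking the router itself land in input (the destination is the router's own address).
add chain=input in-interface=ether2-lan protocol=udp dst-port=53 action=accept
add chain=input in-interface=ether2-lan protocol=tcp dst-port=53 action=accept
# Client DNS aimed at any other server passes through forward: log it, then drop it.
# A "dns-bypass" entry for a machine that should be using the router is the
# unusual-traffic signal asked about earlier in the thread.
add chain=forward in-interface=ether2-lan protocol=udp dst-port=53 action=log log-prefix="dns-bypass:"
add chain=forward in-interface=ether2-lan protocol=udp dst-port=53 action=drop
add chain=forward in-interface=ether2-lan protocol=tcp dst-port=53 action=log log-prefix="dns-bypass:"
add chain=forward in-interface=ether2-lan protocol=tcp dst-port=53 action=drop
# The router's own queries leave through output, not forward; restrict them to the
# configured upstream so a silently changed DNS setting is also logged and blocked.
add chain=output protocol=udp dst-port=53 dst-address=!203.0.113.53 action=log log-prefix="router-dns:"
add chain=output protocol=udp dst-port=53 dst-address=!203.0.113.53 action=drop
```

Point every client at the router’s LAN address for DNS (statically or via DHCP) before adding the forward-chain drops, otherwise the first thing logged will be your own machines.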