Community discussions

MikroTik App
 
imperia
just joined
Topic Author
Posts: 14
Joined: Tue Sep 19, 2017 8:15 am

Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 12:30 pm

Hello,
I need help to block specific blacklist from accessing my set-top-box which is behind NAT.
I have port forwarding rule that points to my STB in my private home network. I use this port forwarding for watching TV from my STB when I am not at home, but I want to block specific IP addresses from accessing it.

I see the following in my logs. Looks firewall is blocking it, BUT I see the intruder connected to my Set-Top-Box!
When I connect to my STB (which is Linux) and type netstat I see the intruder connected to port 8001(streaming port).
I guess some other rule is overwriting blocking rule and/or order of rules is incorrect.
Please help. I am attaching my config below.
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40 
11:43:31 firewall,info blacklist input: in:ether1 out:(none), src-mac cc:e1:7f:fb:2a:00, proto TCP (RST), 111.222.111.222:40362->MY_REAL_IP:8001, len 40
/ip firewall address-list
add address=111.222.111.222 list=blacklist
add address=111.222.111.223 list=blacklist

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input in-interface=ether1 ipsec-policy=in,ipsec
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat comment="IPSEC" dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 port="" protocol=tcp to-addresses=192.168.0.30 to-ports=8001
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 12:39 pm

If you want to look your TV out of home, you need setup a simple rule wich will allow only your IP or IPs as a source. Others will just drop.
 
imperia
just joined
Topic Author
Posts: 14
Joined: Tue Sep 19, 2017 8:15 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 2:35 pm

If you want to look your TV out of home, you need setup a simple rule wich will allow only your IP or IPs as a source. Others will just drop.
My IP is always different when I am outside. Still I should be able to block specific IP addresses.
I am sure I am doing something wrong.

I believe firewall rule is blocking blacklist, but then port forwarding is letting him in. Something like that.
But how to fix it?!
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 2:50 pm

If you want to look your TV out of home, you need setup a simple rule wich will allow only your IP or IPs as a source. Others will just drop.
My IP is always different when I am outside. Still I should be able to block specific IP addresses.
I am sure I am doing something wrong.

I believe firewall rule is blocking blacklist, but then port forwarding is letting him in. Something like that.
But how to fix it?!
Just write script which will get your new IP address and paste it in your firewall and NAT rule. Try to search for it in Internet.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1875
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 3:27 pm

Just create any VPN to your router and do not expose STB to the public network at all.
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 3:33 pm

Just create anz VPN to zour router and do not expose STB to the public network at all.
For VPN server also will be access to public, so he also need to allow his public IP's and drop others.

VPN could be more interesting if he push in it some telnet or web, or some clear text traffic. Here, he need just video stream.
 
imperia
just joined
Topic Author
Posts: 14
Joined: Tue Sep 19, 2017 8:15 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 4:23 pm

Guys I can put password authentication to my streaming port and its done, but I want to block specific IP address to access my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule block address no matter what. I guess I am doing something wrong.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1875
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 08, 2017 4:27 pm

Yes, of course but only he could connect to this VPN. Noone else. And it is the point for setting VPN server.

There are two ways:

A. Easier: setup VPN server and connect to it before watching TV. Only "registerd" users will be able to watch TV .... there could be more than one allowed user !!! Simple, clean, easy configuration.

B. Longer version:
Set up blocking rules for all connections trying to reach streaming and somehow inform router what is his current "valid" IP to have "accept" rule to be updated according to this information.
It is quite easy task if you install Dynamic DNS client and register your computer for such service.
In the firewall rule he needs to set address list of choosen Dynamic DNS names .... yes, yes .... instead of direct IP you can just use myname.dynamicdnsservice.com .... Then the firewall rule should specify "address-list=my_allowed_ips_list" as source of allowed IPs.
Mikrotik itself periodically refreshes current IPs in this aaddress list from global DNS so this list should be valid all the time.
The problem is when the user disconnects and reconnects with different IP then DynamicDNS change is not propagated immediatelly and router is droping connection till next DNS refresh.

So .... use option A.
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Thu Nov 09, 2017 11:04 am

Guys I can put password authentication to my streaming port and its done, but I want to block specific IP address to access my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule block address no matter what. I guess I am doing something wrong.
Right, but this chain have to be higher than accept chain, in order the router check incoming traffic first by drop chain and then by accept chain.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Thu Nov 09, 2017 11:19 am

Yes, of course but only he could connect to this VPN. Noone else. And it is the point for setting VPN server.

There are two ways:

A. Easier: setup VPN server and connect to it before watching TV. Only "registerd" users will be able to watch TV .... there could be more than one allowed user !!! Simple, clean, easy configuration.

B. Longer version:
Set up blocking rules for all connections trying to reach streaming and somehow inform router what is his current "valid" IP to have "accept" rule to be updated according to this information.
It is quite easy task if you install Dynamic DNS client and register your computer for such service.
In the firewall rule he needs to set address list of choosen Dynamic DNS names .... yes, yes .... instead of direct IP you can just use myname.dynamicdnsservice.com .... Then the firewall rule should specify "address-list=my_allowed_ips_list" as source of allowed IPs.
Mikrotik itself periodically refreshes current IPs in this aaddress list from global DNS so this list should be valid all the time.
The problem is when the user disconnects and reconnects with different IP then DynamicDNS change is not propagated immediatelly and router is droping connection till next DNS refresh.

So .... use option A.
If his IP is'nt static, problem the same. Time to time IP will switch to another, and he have to know what IP he got.
 
2frogs
Long time Member
Long time Member
Posts: 587
Joined: Fri Dec 03, 2010 1:38 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Thu Nov 09, 2017 3:16 pm

First of all your rule to drop traffic to your STB is wrong. The input chain is traffic going to the router itself, ie Webfig, Winbox, FTP, DNS... Your drop rule should be for the forward chain. The forward chain is any traffic that is forwarded from one interface of the router to another. The term, port forward, gives some clue.

You have several options to block forwards from your blacklist:
/ip firewall filter add action=drop chain=forward comment="Drop Forwards from Blacklist" src-address-list=Blacklist
This will drop traffic in the Firewall Filter.
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist protocol=tcp to-addresses=192.168.0.30 to-ports=8001
This modify's your DST-NAT rule to only forward traffic not (!=not, in winbox/webfig it is a small checkbox) from Blacklist.

Another way is to use a port knocker, https://wiki.mikrotik.com/wiki/Port_Knocking , this will add your remote IP to safe list and you can only allow that safe list to connect.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1875
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Need help blocking IP from accessing device in my internal network behind NAT

Fri Nov 10, 2017 11:59 am

A. Easier: setup VPN server and connect to it before watching TV. Only "registerd" users will be able to watch TV .... there could be more than one allowed user !!! Simple, clean, easy configuration.
.......
So .... use option A.
If his IP is'nt static, problem the same. Time to time IP will switch to another, and he have to know what IP he got.
No.
IPs assigned to users's computers are controlled with VPN settings so all users willing to watch TV are from static, predefined and known pool of LOCAL addresses assigned to VPN users. There is no need to make any rules blocking STB streaming, no need to make DST/SRC NAT. Users allowed to watch TV streaming HAVE TO connect to local network with VPN so they are verified/controlled/accepted/allowed with VPN authorization process and seen by STB device as local users = local addresses.

In my opinion VPN solves problem permanently. Period.

P.S.
What if current users' ISP (eg. hotel, cellular or any other) prohibits VPN connections?
Yes, it could be a problem but then users need to suffer TV detoxication :-)
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Fri Nov 10, 2017 12:13 pm

A. Easier: setup VPN server and connect to it before watching TV. Only "registerd" users will be able to watch TV .... there could be more than one allowed user !!! Simple, clean, easy configuration.
.......
So .... use option A.
If his IP is'nt static, problem the same. Time to time IP will switch to another, and he have to know what IP he got.
No.
IPs assigned to users's computers are controlled with VPN settings so all users willing to watch TV are from static, predefined and known pool of LOCAL addresses assigned to VPN users. There is no need to make any rules blocking STB streaming, no need to make DST/SRC NAT. Users allowed to watch TV streaming HAVE TO connect to local network with VPN so they are verified/controlled/accepted/allowed with VPN authorization process and seen by STB device as local users = local addresses.

In my opinion VPN solves problem permanently. Period.

P.S.
What if current users' ISP (eg. hotel, cellular or any other) prohibits VPN connections?
Yes, it could be a problem but then users need to suffer TV detoxication :-)
I meant public IP, which needs for vpn registration.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1875
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Need help blocking IP from accessing device in my internal network behind NAT

Fri Nov 10, 2017 12:19 pm

But it is common problem for VPN settings, sharing nothing with problem of exposing TV stream to the public for particular users "somewhere in the world".
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Fri Nov 10, 2017 1:21 pm

But it is common problem for VPN settings, sharing nothing with problem of exposing TV stream to the public for particular users "somewhere in the world".
Okay. Let the TS to choose.
 
stoser
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 21, 2016 12:04 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Fri Nov 10, 2017 6:19 pm

Going back to the topic author's original question: 2frogs is correct. You are dropping requests on the INPUT chain. You need to drop on the forward chain. Also, I recommend dropping ICMP input requests.

And I would also like to suggest a double or tripple port knocking as another alternative. If the topic author does not want to set up a VPN, he can
1) first DROP ICMP requests,
2) set up pork knocking, and
3) if by some chance the bad guy gets through, he can drop the blacklist correctly in the forward chain.

It's a bit cumbersome compared to a VPN, but at least he'll learn a little more about setting up firewalls.
 
imperia
just joined
Topic Author
Posts: 14
Joined: Tue Sep 19, 2017 8:15 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Tue Nov 21, 2017 2:58 pm

Guys I can put password authentication to my streaming port and its done, but I want to block specific IP address to access my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule block address no matter what. I guess I am doing something wrong.
Right, but this chain have to be higher than accept chain, in order the router check incoming traffic first by drop chain and then by accept chain.
Sorry for delayed answer. I was out of town.

You mean rule or chain?
Do you mean that drop rules have to be before(higher) accept?
Last edited by imperia on Tue Nov 21, 2017 3:13 pm, edited 1 time in total.
 
imperia
just joined
Topic Author
Posts: 14
Joined: Tue Sep 19, 2017 8:15 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Tue Nov 21, 2017 3:12 pm

First of all your rule to drop traffic to your STB is wrong. The input chain is traffic going to the router itself, ie Webfig, Winbox, FTP, DNS... Your drop rule should be for the forward chain. The forward chain is any traffic that is forwarded from one interface of the router to another. The term, port forward, gives some clue.

You have several options to block forwards from your blacklist:
/ip firewall filter add action=drop chain=forward comment="Drop Forwards from Blacklist" src-address-list=Blacklist
This will drop traffic in the Firewall Filter.
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist protocol=tcp to-addresses=192.168.0.30 to-ports=8001
This modify's your DST-NAT rule to only forward traffic not (!=not, in winbox/webfig it is a small checkbox) from Blacklist.
Sorry for delayed answer.
Thanks for your answer. You understood me right!

So If I want to block connection for example to webfig or telnet port on router itself I block it in input chain and
If I want to block connection passing router and going to my devices behind NAT - I block connections in input and forward chains or only forward chain is enough?

Also if I use your second suggested method:
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist protocol=tcp to-addresses=192.168.0.30 to-ports=8001
Can I have multiple lines for other blacklists, like this:
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_one protocol=tcp to-addresses=192.168.0.30 to-ports=8001
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_two protocol=tcp to-addresses=192.168.0.30 to-ports=8001
Last question.
My drop rules should be on top of the filter list or they should be last rules (bottom of list)?

Thanks a lot for you help.
 
imperia
just joined
Topic Author
Posts: 14
Joined: Tue Sep 19, 2017 8:15 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Tue Nov 21, 2017 3:18 pm

Going back to the topic author's original question: 2frogs is correct. You are dropping requests on the INPUT chain. You need to drop on the forward chain. Also, I recommend dropping ICMP input requests.

And I would also like to suggest a double or tripple port knocking as another alternative. If the topic author does not want to set up a VPN, he can
1) first DROP ICMP requests,
2) set up pork knocking, and
3) if by some chance the bad guy gets through, he can drop the blacklist correctly in the forward chain.

It's a bit cumbersome compared to a VPN, but at least he'll learn a little more about setting up firewalls.
Thanks for your answer.

You mean I should drop ICMP requests to router itself. Like PING? If that's what you mean. I prefer to leave it ON so I can ping my host from outside to diagnose connection problems and availability.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Need help blocking IP from accessing device in my internal network behind NAT

Tue Nov 21, 2017 4:36 pm

Guys I can put password authentication to my streaming port and its done, but I want to block specific IP address to access my network no matter what. And still have port forwarding.
add action=drop chain=input in-interface=ether1 log=yes log-prefix=blacklist src-address-list=blacklist
I thought this rule block address no matter what. I guess I am doing something wrong.
Right, but this chain have to be higher than accept chain, in order the router check incoming traffic first by drop chain and then by accept chain.
Sorry for delayed answer. I was out of town.

You mean rule or chain?
Do you mean that drop rules have to be before(higher) accept?
Yes.
 
stoser
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 21, 2016 12:04 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 22, 2017 1:55 am

So If I want to block connection for example to webfig or telnet port on router itself I block it in input chain and
You would not be blocking connections (stateful connections tracked by the router). You would be blocking packets. And if you want to block communications initiated by the router itself, you would use the output chain.
If I want to block connection passing router and going to my devices behind NAT - I block connections in input and forward chains or only forward chain is enough?
You would only use the forward chain

Last question.
My drop rules should be on top of the filter list or they should be last rules (bottom of list)?

Thanks a lot for you help.
Depends. The rules are executed in series, and unless action=passthrough, no rules are executed after there is a match. So whether you put them on top, in the middle, or on the bottom depends on you, the administrator. If it were my machine, I would drop all blacklisted ips as close as possible to the top of the rule list.
 
stoser
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 21, 2016 12:04 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 22, 2017 1:58 am

You mean I should drop ICMP requests to router itself. Like PING? If that's what you mean. I prefer to leave it ON so I can ping my host from outside to diagnose connection problems and availability.
I recommend turning it off, or using port knocking for all necessary administrative ports, or simply use a VPN as the other members recommended.
 
2frogs
Long time Member
Long time Member
Posts: 587
Joined: Fri Dec 03, 2010 1:38 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 22, 2017 5:17 am

So If I want to block connection for example to webfig or telnet port on router itself I block it in input chain
That is correct.
If I want to block connection passing router and going to my devices behind NAT - I block connections in input and forward chains or only forward chain is enough?
Only Forward chain.
Can I have multiple lines for other blacklists, like this:
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_one protocol=tcp to-addresses=192.168.0.30 to-ports=8001
/ip firewall nat add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 src-address-list=!Blacklist_two protocol=tcp to-addresses=192.168.0.30 to-ports=8001
No, doing it this way any address that is NOT in Blacklist_one gets accepted by the first rule and will never make it to the second rule. you can use multiple on the firewall filter. Like:
/ip firewall filter 
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward src-address-list=Blacklist_one
add action=drop chain=forward src-address-list=Blacklist_two
add action=drop chain=forward connection-nat-state=!dst-nat in-interface=ether1
/ip firewall nat 
add action=dst-nat chain=dstnat comment="Enigma Stream" dst-address=MY_REAL_IP dst-port=8001 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=8001l
Please note that the third drop rule also accepts forwards for all dst-nat.
Last question. My drop rules should be on top of the filter list or they should be last rules (bottom of list)?
Firewall rules are matched in order, so it depends on how broad of an effect you wish each rule to have. Accepting a Safe_List would go on top, Dropping a Black_List and Invalids would go below that. The broader Accept of Established and Related would go next, followed by the final Drop Everything else...
 
2frogs
Long time Member
Long time Member
Posts: 587
Joined: Fri Dec 03, 2010 1:38 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 22, 2017 5:22 am

I recommend turning it off, or using port knocking for all necessary administrative ports, or simply use a VPN as the other members recommended.
Out right blocking ICMP request is bad practice and can result in poor results. I do agree with port knocking and VPN...
 
imperia
just joined
Topic Author
Posts: 14
Joined: Tue Sep 19, 2017 8:15 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Wed Nov 22, 2017 11:19 am

Thank you guys for your help.
My current config looks like:
 0    chain=input action=accept protocol=icmp 
 1    chain=input action=accept connection-state=established,related log=no log-prefix="" 
 2    chain=input action=accept in-interface=ether1 log=no log-prefix="" ipsec-policy=in,ipsec 
 3    chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,4500 log=no log-prefix="" 
 4    chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no log-prefix="" 
 5    chain=input action=drop in-interface=ether1 log=no log-prefix="" 
 6    chain=forward action=accept connection-state=established,related 
 7    chain=forward action=drop src-address-list=shodan in-interface=ether1 log=no log-prefix="shodan" 
 8    chain=forward action=drop src-address-list=facebook in-interface=ether1 log=no log-prefix="facebook" 
 9    chain=forward action=drop src-address-list=blacklist in-interface=ether1 log=yes log-prefix="blacklist" 
10    chain=forward action=drop connection-nat-state=!dstnat in-interface=ether1 
I have connection-state=established,related for both input and forward. Is that correct?
I added chain=forward action=drop connection-nat-state=!dstnat in-interface=ether1 (corrected !dstnat from !dst-nat)

Does that look alright?
Is also the rules ordered fine?
 
2frogs
Long time Member
Long time Member
Posts: 587
Joined: Fri Dec 03, 2010 1:38 am

Re: Need help blocking IP from accessing device in my internal network behind NAT

Thu Nov 23, 2017 9:09 pm

Your rules and order looks fine!
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Need help blocking IP from accessing device in my internal network behind NAT

Sat Nov 25, 2017 9:43 pm

Consider using port-konocking. No overhead nor increase in CPU usage.
I have bigger routing table.

Who is online

Users browsing this forum: gocenik, Google [Bot] and 45 guests