WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Many Drop not from LAN - Hackers or Error?

Thu Jan 20, 2022 11:55 pm

Hi,

I have many log entries stating drop not from lan. It's a constant flow of dropped packets. Is this hackers (normal) or is this an error in my config?

Here is my config, hope this is sufficient and the best way to make the information available:

Log sample:
jan/21 10:41:24 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 138.199.32.100:58804->122.60.239.110:465, len 44 
jan/21 10:41:47 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 89.248.165.97:51573->122.60.239.110:55269, len 44 
jan/21 10:41:50 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59004->23.77.145.95:443, len 40 
jan/21 10:41:50 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59004->23.77.145.95:443, len 40 
jan/21 10:41:57 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac c8:d0:83:df:d4:01, proto TCP (RST), 192.168.2.222:58287->184.27.81.116:443, len 40 
jan/21 10:41:57 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac c8:d0:83:df:d4:01, proto TCP (RST), 192.168.2.222:58287->184.27.81.116:443, len 40 
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60089, len 40 
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60094, len 40 
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60093, len 40 
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60090, len 40 
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60091, len 40 
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60092, len 40 
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60104, len 40 
jan/21 10:42:02 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 89.248.165.97:51573->122.60.239.110:55213, len 44 
jan/21 10:42:13 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59019->23.77.153.39:443, len 40 
jan/21 10:42:13 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59019->23.77.153.39:443, len 40 
jan/21 10:42:19 dhcp,info dhcp-168.2 deassigned 192.168.2.217 from F4:1B:A1:89:D7:0F 
jan/21 10:42:19 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 48:89:e7:41:38:68, proto TCP (ACK,FIN), 192.168.2.216:60104->52.94.225.123:443, len 40 
jan/21 10:42:19 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 48:89:e7:41:38:68, proto TCP (ACK,RST), 192.168.2.216:60104->52.94.225.123:443, len 40 
jan/21 10:42:25 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto UDP, 45.134.144.124:5075->122.60.239.110:5060, len 444 
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59023->23.77.159.200:443, len 40 
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59023->23.77.159.200:443, len 40 
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59027->184.27.89.102:443, len 40 
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59027->184.27.89.102:443, len 40 
jan/21 10:42:28 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 205.209.159.201:43721->122.60.239.110:28017, len 52 
jan/21 10:42:28 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 89.248.165.97:51573->122.60.239.110:55463, len 44 
jan/21 10:42:29 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59024->23.77.159.200:443, len 40 
jan/21 10:42:32 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59040->17.253.67.203:443, len 40 
jan/21 10:42:32 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59040->17.253.67.203:443, len 40 
jan/21 10:42:35 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 48:89:e7:41:38:68, proto TCP (ACK,RST), 192.168.2.216:60100->52.98.140.2:443, len 40 
jan/21 10:42:37 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.98.140.2:443->122.60.239.110:60100, len 40 
jan/21 10:42:40 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59070->184.27.81.116:443, len 40 
jan/21 10:42:40 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59070->184.27.81.116:443, len 40 
jan/21 10:42:45 dhcp,info dhcp-168.2 assigned 192.168.2.217 to F4:1B:A1:89:D7:0F 
jan/21 10:42:46 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 194.26.29.195:57621->122.60.239.110:8158, len 44 
jan/21 10:42:57 dhcp,info dhcp-168.2 deassigned 192.168.2.204 from 50:02:91:48:63:F8 
jan/21 10:42:57 dhcp,info dhcp-168.2 assigned 192.168.2.204 to 50:02:91:48:63:F8 
jan/21 10:42:58 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59029->23.55.38.26:443, len 40 
jan/21 10:42:58 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59087->23.77.154.17:443, len 40 
jan/21 10:42:58 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59087->23.77.154.17:443, len 40 
jan/21 10:42:59 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59031->23.55.38.26:443, len 40 
jan/21 10:43:03 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 167.248.133.69:43513->122.60.239.110:7999, len 44 
jan/21 10:43:04 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto UDP, 112.173.52.216:123->122.60.239.110:123, len 32 
jan/21 10:43:07 system,info,account user admin logged in via local 
jan/21 10:43:08 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:bridge-ap_9_10(ether10), src-mac 58:d3:49:e9:04:46, proto TCP (RST), 192.168.2.200:56421->192.168.2.222:58687, len 40 
jan/21 10:43:09 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac d2:a2:77:5f:cd:22, proto TCP (RST), 192.168.2.215:52429->31.13.78.13:443, len 40 
jan/21 10:43:09 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac d2:a2:77:5f:cd:22, proto TCP (RST), 192.168.2.215:52429->31.13.78.13:443, len 40 
jan/21 10:43:09 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac d2:a2:77:5f:cd:22, proto TCP (RST), 192.168.2.215:51506->31.13.78.19:443, len 40 
jan/21 10:43:10 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 92.149.45.21:58800->122.60.239.110:23, len 44 

Interface config:
# model = RB4011iGS+

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge protocol-mode=none
add comment="bridge access point 9 - upstairs" disabled=yes name=bridge-ap9
add name=bridge-ap_9_10

/interface vlan
add comment="eth1 not part of the bridge" interface=ether1 loop-protect=on name=vlan-spark vlan-id=10

/interface pppoe-client
add add-default-route=yes comment=SPRK disabled=no interface=vlan-spark keepalive-timeout=disabled name=pppoe-spark password="XX" user=xxx

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge-ap_9_10 comment=defconf interface=ether8
add bridge=bridge-ap_9_10 comment=defconf interface=ether9
add bridge=bridge-ap_9_10 comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-spark list=WAN
add interface=bridge-ap9 list=LAN
add interface=bridge-ap_9_10 list=LAN

Firewall Config:
# model = RB4011iGS+

/ip firewall address-list
add address=192.168.1.200-192.168.1.253 list=addr-list-ap9
add address=192.168.0.10-192.168.0.199 list=addr-list-lan
add address=192.168.2.200-192.168.2.253 list=addr-list-ap10
add address=192.168.0.0/16 list=addr-list-local

/ip firewall filter
add action=accept chain=input comment="1: defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="2: defconf: drop invalid" connection-state=invalid log=yes log-prefix=drop-invalid--
add action=accept chain=input comment="3: defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="4: defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="5: defconf: drop all not coming from LAN" connection-nat-state="" in-interface-list=!LAN log=yes log-prefix=drop-not--from-lan--
add action=drop chain=input comment="6: protection - 139 and 445 : SMB" dst-port=21-23,53,80,443,2000,6129,137-139,445,8291 log=yes log-prefix=drop-tcp-ports-blocked-- protocol=tcp src-address-list=!addr-list-local
add action=drop chain=input comment="7: protection" dst-port=53,137-138 log=yes log-prefix=drop-udp-ports-blocked-- protocol=udp src-address-list=!addr-list-local
add action=accept chain=forward comment="8: defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="9: defconf: accept out ipsec policy" ipsec-policy=out,ipsec

# not enabled -- add action=fasttrack-connection chain=forward comment="10: defconf: fasttrack" connection-state=established,related disabled=yes

add action=accept chain=forward comment="11: defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="12: defconf: drop invalid connection state" connection-state=invalid log=yes log-prefix=drop-invalid--
add action=drop chain=forward comment="13: defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=drop-not-dst-nat--

/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=pppoe-spark passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=mark-connection chain=output comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=output comment=" DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=forward comment="DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Generic Voice Traffic, DSCP EF 46" connection-state=new dscp=46 new-connection-mark=voip out-interface=pppoe-spark passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts Audio/Video, DSCP 40" connection-state=new dscp=40 new-connection-mark=gvc out-interface=pppoe-spark passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts, UDP DstPort" connection-state=new dst-port=19302-19309 new-connection-mark=gvc out-interface=pppoe-spark passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Google Hangouts, TCP DstPort" connection-state=new dst-port=19305-19309 new-connection-mark=gvc out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment=SSH connection-state=new dst-port=22 new-connection-mark=ssh out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="HTTP, HTTPS" connection-state=new dst-port=80,443 new-connection-mark=http-https out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https connection-state=new dst-port=80,443 new-connection-mark=http-https-ap10 passthrough=no protocol=tcp src-address-list=addr-list-ap10
add action=mark-connection chain=forward comment="btsync targeted TCP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-spark passthrough=no port=4242 protocol=tcp
add action=mark-connection chain=forward comment="btsync targeted UDP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-spark passthrough=no port=4242 protocol=udp
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns new-packet-mark=dns out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns-ap10 dst-address-list=addr-list-ap10 new-packet-mark=dns-ap10 passthrough=no
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack out-interface=pppoe-spark passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap_9_10 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack out-interface=pppoe-spark packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap_9_10 packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment=VoIP connection-mark=voip new-packet-mark=voip out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=forward comment="Google Hangouts" connection-mark=gvc new-packet-mark=gvc out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=forward comment=SSH connection-mark=ssh new-packet-mark=interactive out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=forward comment="HTTP, HTTPS" connection-mark=http-https new-packet-mark=http-https out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https-ap10 new-packet-mark=http-https-ap10 out-interface=bridge-ap_9_10 passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new new-connection-mark=icmp-ap10 passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp new-packet-mark=icmp passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=icmp passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=icmp new-packet-mark=icmp passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="\?\?\?\?" src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="defconf: masquerade - wrong also need nat between interfaces" ipsec-policy=out,none out-interface-list=WAN
 
mkx
Forum Guru
Posts: 7671
Joined: Thu Mar 03, 2016 10:23 pm

Re: Many Drop not from LAN - Hackers or Error?

Fri Jan 21, 2022 12:08 am

I'd say it's the usual dose of hacking.
BR,
Metod
 
anav
Forum Guru
Posts: 11726
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Many Drop not from LAN - Hackers or Error?

Fri Jan 21, 2022 12:27 am

There are a gazillion bots banging on all public IPs all the time on different ports.
There are not individual hackers doing it.
There are individual hackers/groups targeting specific sites with their focus.

What I find amusing is that you would bother to record them......
What I also find amusing is that you have a plethora of what I call YouTube garbage rules to try and protect your router and yet all that traffic is still hitting your door LOL.
You only need one rule
add action=drop chain=input/forward


What I also don't understand is the purpose of the rules after the in-interface-list=!LAN ???

add action=drop chain=input comment="5: defconf: drop all not coming from LAN" connection-nat-state="" in-interface-list=!LAN log=yes log-prefix=drop-not--from-lan--
add action=drop chain=input comment="6: protection - 139 and 445 : SMB" dst-port=21-23,53,80,443,2000,6129,137-139,445,8291 log=yes log-prefix=drop-tcp-ports-blocked-- protocol=tcp src-address-list=!addr-list-local
AND
add action=drop chain=input comment="7: protection" dst-port=53,137-138 log=yes log-prefix=drop-udp-ports-blocked-- protocol=udp src-address-list=!addr-list-local

Firstly, all the WAN stuff is taken care of by the first rule, so really all you are saying is that you don't want LAN addresses that don't exist on the LAN to reach the router from the LAN.

Like I said,
add action=drop chain=input !!

What you actually need is three rules.
(1) The rule to permit ONLY the admin to the router for configuration purposes is legit!
add action=accept chain=input in-interface-list=Authorized src-address-list=Admin dst-port=xxxxxx,yyyyyy protocol=tcp {winbox & SSH ports}

In other words, only specific Admin Devices ( firewall address list named "Admin" ) and for specific ports is allowed access to the Router, FROM a specific interface list.

(2) Allow LAN users access to services IF REQUIRED. DNS and NTP come to mind.
ex. {and NTP services if required etc}
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp

(3) A rule to drop everything else................ this can be split into two if you want to be picky like MKX or SOB.......... technically brilliant, but afraid to push anything down your throat, unlike moi!

Either the basic
ex
add action=drop chain=input

or the more refined (which allows one to troubleshoot more easily if the source of issue is LAN side, which is the more interesting case also to log)
ex
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited { log this one }
add action=drop chain=input

Rinse Repeat (3) for the forward chain.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
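
A triage script for log lines in the format posted at the top of the thread, added here as an example and not part of any poster's message. It separates unsolicited inbound attempts from late RST/FIN packets and lists WAN sources that tried several ports; the sample lines, category names and three-port threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the posted log format (documentation addresses, made-up MACs).
SAMPLE_LOG = """\
jan/21 10:41:24 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 198.51.100.7:58804->203.0.113.10:465, len 44
jan/21 10:41:47 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 198.51.100.9:51573->203.0.113.10:55269, len 44
jan/21 10:41:50 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 02:00:00:00:00:01, proto TCP (RST), 192.168.2.218:59004->192.0.2.95:443, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 02:00:00:00:00:02, proto TCP (ACK,RST), 192.0.2.123:443->203.0.113.10:60089, len 40
jan/21 10:42:02 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 198.51.100.9:51573->203.0.113.10:55213, len 44
jan/21 10:42:19 dhcp,info dhcp-168.2 deassigned 192.168.2.217 from 02:00:00:00:00:03
jan/21 10:42:25 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), src-mac 02:00:00:00:00:02, proto UDP, 198.51.100.44:5075->203.0.113.10:5060, len 444
jan/21 10:42:28 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 198.51.100.9:51573->203.0.113.10:55463, len 44
"""

# Matches TCP/UDP firewall lines only; dhcp/system lines and port-less protocols are skipped.
LINE_RE = re.compile(
    r"firewall,info (?P<prefix>\S+) (?P<chain>input|forward): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"(?:src-mac (?P<mac>[0-9a-fA-F:]{17}), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[A-Z,]+)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)"
)


def parse(log_text):
    """Return one dict per firewall drop line found in the text."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def classify(ev, wan_if="pppoe-spark"):
    """Coarse triage of one logged drop (heuristic categories, not RouterOS terms)."""
    flags = set((ev["flags"] or "").split(",")) - {""}
    if ev["chain"] == "input" and ev["in_if"] == wan_if:
        if ev["proto"] == "TCP" and flags == {"SYN"}:
            return "unsolicited-syn"      # new inbound connection attempt to the router
        if flags & {"RST", "FIN"}:
            return "stale-teardown"       # assumed: tail of a flow conntrack no longer holds
        return "unsolicited-other"        # e.g. UDP probes
    if flags & {"RST", "FIN"}:
        return "stale-teardown"
    return "other"


def summarize(events, min_ports=3):
    """Count categories and list WAN sources that tried min_ports or more router ports."""
    cats = Counter(classify(e) for e in events)
    ports = defaultdict(set)
    for e in events:
        if classify(e).startswith("unsolicited"):
            ports[e["src"]].add(int(e["dport"]))
    multi_port = {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}
    return cats, multi_port


if __name__ == "__main__":
    categories, scanners = summarize(parse(SAMPLE_LOG))
    for name, count in categories.most_common():
        print(f"{name:18} {count}")
    for src, dports in scanners.items():
        print(f"{src} tried ports {dports}")
```
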
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Many Drop not from LAN - Hackers or Error?

Fri Jan 21, 2022 12:52 am

Thanks for the replies. I feel much more comfortable knowing some experts had a look at my configuration.

And yes, I do have some duplicated "rules" with specific ports - they are some legacy rules that I have carried over time, and are redundant.
I think 90% of my rules are, yes, "YouTube" default rules. I cannot even recall the source. I also have some queuing going (using the mangling rules), not that that's even required anymore.
