Community discussions

MikroTik App
 
User avatar
kwagga
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

[Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 11:15 am

Hi Guys,

I'm trying to drop incoming connections to my router, which are not listed in a address list, but for some reason the below rule isn't working.

What am I missing?

Any help would be greatly appreciated!

Firewall Filter:

0 ;;; Drop SSH connection from Non-RSA IP's
chain=input action=drop protocol=tcp src-address-list=!RSA-IP-BLOCKS src-port=22


Firewall Address Lists:

# LIST ADDRESS
0 RSA-IP-BLOCKS 41.0.0.0/11
1 RSA-IP-BLOCKS 41.48.0.0/13
2 RSA-IP-BLOCKS 41.56.0.0/16
3 RSA-IP-BLOCKS 41.57.0.0/18
4 RSA-IP-BLOCKS 41.57.112.0/22
5 RSA-IP-BLOCKS 41.57.128.0/18
6 RSA-IP-BLOCKS 41.61.0.0/16
7 RSA-IP-BLOCKS 41.63.64.0/18
8 RSA-IP-BLOCKS 41.66.64.0/18
9 RSA-IP-BLOCKS 41.66.128.0/18
10 RSA-IP-BLOCKS 41.71.0.0/17
11 RSA-IP-BLOCKS 41.72.128.0/19
12 RSA-IP-BLOCKS 41.73.32.0/19
13 RSA-IP-BLOCKS 41.74.96.0/20
14 RSA-IP-BLOCKS 41.74.144.0/20
15 RSA-IP-BLOCKS 41.74.176.0/20
16 RSA-IP-BLOCKS 41.74.192.0/20
17 RSA-IP-BLOCKS 41.74.224.0/20
18 RSA-IP-BLOCKS 41.75.96.0/20
19 RSA-IP-BLOCKS 41.75.128.0/20
20 RSA-IP-BLOCKS 41.75.224.0/20
[SNIP]

LOG:
09:59:43 system,error,critical login failure for user someuser from 78.47.79.193 via ssh

78.0.0.0 is definitely not a South African IP range.
 
balanila
just joined
Posts: 16
Joined: Sun Aug 25, 2013 12:45 pm
Location: Moldova, Chishinev

Re: [Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 11:20 am

maybe dst-port=22 ?
 
User avatar
kwagga
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

Re: [Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 11:42 am

maybe dst-port=22 ?
Strange, I orginally used dst-port and it didn't seem to work.... but after trying from a different international IP, now it works... Maybe I just wasn't paying attention.

Anyhow, It's working now.


If anyone knows of a better/optimized way to do the above, please let me know!

I originally had SSH blacklist rules (obtained from Mikrotik site) but after the recent spades of ssh attempts on my router from several different IP's, simple SSH blacklisting won't work as well.
 
User avatar
kwagga
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

Re: [Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 12:14 pm

For those who wish to filter SSH (or anything else) connections based on geographic IP addresses...

Here is the command:

/ip firewall filter add chain=input action=drop protocol=tcp src-address-list=!RSA-IP-BLOCKS in-interface=all-ppp dst-port=22

Be sure to name your address lists and WAN interface to something else.

The above rule will filter/drop inbound IP's, that are NOT in the address list.

To obtain the country IP address blocks, just to a Google search, but here is one of the many sites out there: http://ipinfodb.com/ip_country_block.php

To import the lists, there are several scripts on the Mikrotik site that can help, otherwise PM me.
 
AndreasA
just joined
Posts: 1
Joined: Tue Mar 28, 2023 12:19 pm

Re: [Firewall] Drop rule from address-list not working.

Tue Mar 28, 2023 12:21 pm

Another vendor that allows you to get plenty of information of an IP address is ipbase.com. You need an API key but there is a free plan with 150 requests per month.
Last edited by AndreasA on Tue Mar 28, 2023 12:23 pm, edited 1 time in total.

Who is online

Users browsing this forum: joshnielsen, phascogale and 60 guests