0 votes
334 views 5 comments
by anonymous
I want to deny a public IP address access to the router (RUT240, RUT2_R_00.07.04.3).

I wrote a traffic rule (screenshot provided) and placed it on top of all rules.

To my surprise the login attempts on port 22 remain, as I see in the event log. What goes wrong here?

Any hints are welcome
by anonymous
hint: no screenshots provided.

2 Answers

0 votes
by anonymous
The screenshot is provided with name "2023-06-22 11_33_32-RUT240 - Teltonika Networks.jpg".
by anonymous
Attachments are visible only to forum moderators, but not to visitors. If you seek help, then insert image into post.
by anonymous
Attachments are visible only to forum moderators, but not to visitors. If you seek help, then insert image into post.


Sorry, I didn't realize this restriction. Now the screenshot is inline (hope it works).

0 votes
by anonymous

Hi, I can't see the screenshot but could you check if you added a firewall traffic rule with:

  • correct source zone (should be "wan" by default, but I'd recommend double-checking that the interface via which you're reaching the router is actually under that zone)
  • specific source IP address
  • source port set to "Any"
  • destination zone set to "Device (input)"
  • destination address set to "Any"
  • destination port set to "Any"
  • and action set to drop/reject


If all seems well then I'd recommend checking whether the rule is being matched against iptables rules using:

iptables -t filter -L -n -v

or

iptables-save -t filter -c

and then search for the source IP address (or grep it). The packet count should be going up if that rule is being matched by iptables. If not, then perhaps a packet with a different source IP address is hitting the router interface?

by anonymous

As I see, the rule is written correctly in the input chain

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
 4583  187K input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 zone_wan_src_REJECT  tcp  --  *      *       195.3.147.77         0.0.0.0/0            /* !fw3: DENY_All_195_3_147_77 */
    0     0 zone_wan_src_REJECT  udp  --  *      *       195.3.147.77         0.0.0.0/0            /* !fw3: DENY_All_195_3_147_77 */
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPsec-ESP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500 /* !fw3: Allow-IPsec-NAT-T */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-IPsec-IKE */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Enable_HTTP_WAN */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 /* !fw3: Enable_HTTP_WAN */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: Enable_HTTPS_WAN */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 /* !fw3: Enable_HTTPS_WAN */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
 4583  187K zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */


I'm wondering whether the rule is obsolete because of the reject policy. Why then do I have many records in the event log with "bad password attempt for root from 195.3.147.77"?

by anonymous
It shouldn't be related to the reject or drop policy; both will deny the connection, the difference is whether the packet will be dropped silently or not. Interestingly, however, there do not seem to be any matches on any of these rules (besides the first and the last). Do you have some other rules, for example DMZ (port forward all ports to a single host) or anything that would match and bypass traffic rules in general?

Could you post all of the /etc/config/firewall file? Might be able to spot something from there.
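
The counter check recommended in the second answer (search the output of iptables -t filter -L -n -v for the source IP and see whether its packet count moves), written out as a small shell script. This is an added example, not code from the thread or from Teltonika: it parses the iptables listing with awk and runs offline on a constructed, trimmed copy of the zone_wan_input chain posted in the comments above (the IP 195.3.147.77 is the one from the thread; the function names rule_hits, matched_packets and last_rule_pkts are the example's own).

```shell
#!/bin/sh
# Added example (not from the thread): parse `iptables -t filter -L -n -v`
# output and report whether the rules for a given source IP ever match.
# On the router you would pipe the live listing in, for example
#   iptables -t filter -L -n -v -x | rule_hits 195.3.147.77
# Here a constructed, trimmed copy of the chain posted in this thread is
# embedded so the script can be run offline.

SAMPLE='Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
 4583  187K input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 zone_wan_src_REJECT  tcp  --  *      *       195.3.147.77         0.0.0.0/0            /* !fw3: DENY_All_195_3_147_77 */
    0     0 zone_wan_src_REJECT  udp  --  *      *       195.3.147.77         0.0.0.0/0            /* !fw3: DENY_All_195_3_147_77 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: Enable_HTTPS_WAN */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
 4583  187K zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */'

# Columns of `iptables -L -n -v`: 1 pkts, 2 bytes, 3 target, 4 prot, 5 opt,
# 6 in, 7 out, 8 source, 9 destination, followed by match options/comments.

# rule_hits IP: print "chain proto target pkts" for every rule whose source
# column is exactly IP (or IP/32). Reads the iptables listing on stdin.
rule_hits() {
  awk -v ip="$1" '
    /^Chain /    { chain = $2; next }
    $1 == "pkts" { next }                      # column header line
    NF >= 9 && ($8 == ip || $8 == (ip "/32")) { print chain, $4, $3, $1 }
  '
}

# matched_packets IP: total packets counted by all rules for IP, across all
# chains. Without -x iptables abbreviates big counters (187K, 2M); the
# K/M/G suffixes are expanded here as multiples of 1000 (an approximation).
matched_packets() {
  awk -v ip="$1" '
    function num(s,  n, u) {
      n = s + 0; u = substr(s, length(s), 1)
      if (u == "K") n *= 1000; else if (u == "M") n *= 1000000; else if (u == "G") n *= 1000000000
      return n
    }
    $1 == "pkts" { next }
    NF >= 9 && ($8 == ip || $8 == (ip "/32")) { total += num($1) }
    END { printf "%d\n", total }
  '
}

# last_rule_pkts: print "chain pkts" with the packets that reached the final
# rule of each chain. In an fw3 zone input chain the last rule is the zone
# catch-all REJECT/DROP, so a count equal to the chain entry rule means that
# nothing above it matched.
last_rule_pkts() {
  awk '
    /^Chain /    { if (chain != "") print chain, last; chain = $2; last = "-"; next }
    $1 == "pkts" { next }
    NF >= 9      { last = $1 }
    END          { if (chain != "") print chain, last }
  '
}

# Demonstration on the embedded sample
printf '%s\n' "$SAMPLE" | rule_hits 195.3.147.77
printf 'packets matched by rules for 195.3.147.77: %s\n' \
  "$(printf '%s\n' "$SAMPLE" | matched_packets 195.3.147.77)"
printf '%s\n' "$SAMPLE" | last_rule_pkts
```

On the router, replace the sample with the live listing and prefer iptables -t filter -L -n -v -x so the counters are exact. What the script reports for the posted chain is the situation the last comment points at: the two DENY rules have zero matches while the chain entry rule and the final catch-all REJECT carry the same 4583 packets, so no packet that traversed zone_wan_input carried that source address. The script only reports the numbers; it does not decide whether the traffic arrives through another zone, a port redirection, or some other rule.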