Community discussions

MikroTik App
  4. RouterOS
  5. General

Blocking an IP range from accessing IPsec

Post Reply
 
Vendetto
just joined
Topic Author
Posts: 10
Joined: Fri Nov 13, 2015 11:53 pm

Blocking an IP range from accessing IPsec

Sat Apr 14, 2018 3:52 am

I have this one particular IP range that keeps attempting to connect to my VPN through IPsec on my L2TP server. My secrets and passwords are very strong so no worries there but was curious if someone might know of a way to put in a firewall rule or something that would just drop all traffic from them all together? I tried several firewall settings but nothing seems to work.

Thanks!!!
Top
 
HzMeister
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Sun Jan 28, 2018 9:48 pm

Re: Blocking an IP range from accessing IPsec

Sat Apr 14, 2018 4:39 am

Add this rule for each ip you want to block:

/ip firewall filter add chain=input src-address=[ip-address] action=drop

Be sure to put it above all other rules that would accept it otherwise.
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11274
Joined: Mon Dec 04, 2017 9:19 pm

Re: Blocking an IP range from accessing IPsec

Sat Apr 14, 2018 11:08 am

I tried several firewall settings but nothing seems to work.
Check how the firewall filter actually works.
Of course you can ban the annoying addresses completely like @HzMeister suggests, but you can also ban them selectively only for UDP destination ports 500 and 4500 through which the IPsec connections come in. You can also log packets coming from these addresses to find out which other services it is attempting to connect to. The internet is full of "white hat" and "black hat" scanners - check for
Code: Select all
shadowserver
and
Code: Select all
shodan.io
.


I have the following semi-automatic address recorder in action:
Code: Select all
/ip firewall add
add action=jump chain=input connection-state=new dst-address=xxx.xxx.xxx.xxx dst-port=500,4500 in-interface=ether4 jump-target=ipsec-in protocol=udp
...
add action=accept chain=ipsec-in src-address-list=ipsec-clients
add action=drop chain=ipsec-in src-address-list=white-hat-scan
add action=add-src-to-address-list address-list=ipsec-attacks address-list-timeout=none-static chain=ipsec-in connection-state=new
add action=drop chain=ipsec-in
I check the
Code: Select all
address-list=ipsec-attacks
occasionally, and use
Code: Select all
put [resolve ip.add.re.ss]
to see whether it resolves to an fqdn or not. Most of those which do resolve come from
Code: Select all
shodan.io
and
Code: Select all
shadowserver
, so I move them to the
Code: Select all
address-list=white-hat-scan
Top
 
Vendetto
just joined
Topic Author
Posts: 10
Joined: Fri Nov 13, 2015 11:53 pm

Re: Blocking an IP range from accessing IPsec

Sat Apr 14, 2018 5:21 pm

Thank you HzMeister. That worked but I will look in to sindy's idea as well as I like that option because it gives me something to try and learn. Thanks!!
Top
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:
Contact tippenring

Re: Blocking an IP range from accessing IPsec

Mon Apr 16, 2018 10:30 pm

To expand on HzMeister's firewall example, here is part of my standard firewall rules addressing unsolicited incoming traffic. What I like about this set of rules is I can apply it to any protocols and port(s) that I wish. I found the basic example for blacklisting some time ago I believe on the MT forums, wiki or somewhere and expanded on it somewhat.

In this example, after checking the whitelist (whitelist.mgmt), any new connection attempt received on ether1 is processed through and will end up in the blacklist after a certain number of connection attempts within a certain time window. The jump rule can be more specific, such as for specific protocols and ports. It can also be used for traffic in the forward chain in case you are exposing an internal host service to the internet, such as a web server or FTP simply by adding a matching jump rule.
Code: Select all
/ip firewall address-list
 add address=<mgmt subnets> list=whitelist.mgmt

/ip firewall filter
add action=jump chain=input connection-state=new in-interface=ether1 jump-target=blacklist src-address-list=blacklist
  add action=add-src-to-address-list address-list=blacklist address-list-timeout=1w chain=blacklist comment="Blacklist processing" log=yes log-prefix="Blacklisted: " src-address-list=pre-blacklist4
  add action=add-src-to-address-list address-list=pre-blacklist4 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist3
  add action=add-src-to-address-list address-list=pre-blacklist3 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist2
  add action=add-src-to-address-list address-list=pre-blacklist2 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist1
  add action=add-src-to-address-list address-list=pre-blacklist1 address-list-timeout=5m chain=blacklist log=yes log-prefix="pre-bl1: "
  add action=accept chain=blacklist src-address-list=!blacklist
  add action=drop chain=blacklist log=yes log-prefix="Blacklist Drop: "

/ip firewall raw
 add action=accept chain=prerouting src-address-list=whitelist.mgmt
 add action=add-src-to-address-list address-list=blacklist address-list-timeout=1w chain=prerouting log=yes log-prefix="Blacklist renew: " src-address-list=blacklist
 add action=drop chain=prerouting src-address-list=blacklist
 add action=drop chain=prerouting dst-address-list=blacklist log=yes log-prefix="Traffic to BL host: "
Top
Post Reply
  4. RouterOS
  5. General