Is a blacklist of certain IP addresses possible?


#1

Hello - I want to know how to set the rules for iptables or for ip6tables - when they exist in the built-in OpenWrt …

Or is there a simple blacklist file where I can add IP addresses I want to block?!

For example, these five IP addresses are from blackhats and need to be blocked:

fe80::b131:5a4d:9ebf:4c36
fe80::da58:d7ff:fe00:8d0c
fe80::f3fc:6782:d370:2e3
fe80::1bd8:afb0:2df8:be65
fe80::309f:5d2d:cffa:8a15

For these 5 addresses iptables or ip6tables, respectively, is not strong enough - some addresses are forcing their way through with port scans, which are really bothering me all day long.


#2

The firewall feature set offered via LuCI is rather simple/rudimentary and lacks advanced features (e.g. port scan protection, blocklists, permanent/temporary IP blocking, rate limiting), nothing like https://configserver.com/cp/csf.html

However, iptables/nftables can be utilized in any event to achieve such goals; it just requires the TO user to develop their own rule sets to be integrated manually.


#3

Blacklisting is like keeping a list of people who are not allowed to harm you (everyone else may). This may work for a small number of people but not for 2^64 (link-local) or 2^128 (all possible) IPv6 addresses.


#4

Apparently missed that fe80::/10 are reserved IP addresses for Link-Local Unicast as per https://tools.ietf.org/html/rfc4291 and thus are supposedly not malicious agents.


#5

I thought addresses beginning with fe80:: … something are reserved for Fritzbox routers (Fritzbox modems) only? Is this wrong? - No to what you say … the IP addresses mentioned in my question above are malicious …


#6

When I set the above-mentioned IPv6 addresses to drop with:

sudo ip6tables -I INPUT -s fe80::b131:5a4d:9ebf:4c36 -j DROP

This works only for a short time - after a while this address continues port-scanning my internet connection.

This also applies to this:

sudo ip6tables -I INPUT -s fe80::da58:d7ff:fe00:8d0c -j DROP

But the other addresses are dropped successfully - I would only like to make sure to block them altogether in the Turris router too, with a blacklist like, for example, a file named “hosts.deny” or similar.


#7

fe80::/10 IPs are not particular to AVM products but are utilized as Link-Local Unicast by any device broadcasting a service to a LAN, such as a smart TV, loudspeaker, media server, etc.

Run an ip lookup, e.g. https://dnslytics.com/ipv6/fe80::309f:5d2d:cffa:8a15 or https://www.whatismyip.com/ip-address-lookup/

Why do you think those are malicious, unless any such device is already infected with malicious code?

A port scan is not targeting the traffic, as in an internet connection, but scanning devices for open ports.
Which ports are being scanned?

You can add custom rules to the TO firewall either via the SSH CLI or more permanently via the LuCI front end. I suppose that, due to the design of iptables, it requires ip6tables to deal with an IPv6 address.


#8

In particular, any link-local traffic (i.e. traffic on these address ranges) won’t pass through a router between LAN and WAN – more explanation e.g. on wiki. Therefore I don’t expect blocking these will be of much use.
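As an added example (not code from the thread or from the Turris/OpenWrt project), the following POSIX shell script ties the replies together: it reads the kind of plain-text blacklist file asked for in #1, picks iptables or ip6tables by address family as #7 explains, and skips fe80::/10 link-local addresses because, as #8 notes, they never cross the LAN/WAN boundary and a rule for them on the WAN side achieves nothing. The sample blocklist is constructed inline (two link-local addresses from the thread plus a hypothetical documentation-range IPv6 and IPv4 address); the script only prints the rules, so it can be run anywhere and reviewed before being pasted into the LuCI custom rules or executed on the router.

```shell
#!/bin/sh
# Added example: convert a text blocklist into iptables/ip6tables DROP rules.
# Link-local IPv6 entries are reported and skipped rather than turned into rules.

# Constructed sample blocklist (comments and blank lines are ignored).
# 2001:db8::/32 and 192.0.2.0/24 are documentation ranges, used here as placeholders.
BLOCKLIST_SAMPLE='# example blocklist
fe80::b131:5a4d:9ebf:4c36
fe80::da58:d7ff:fe00:8d0c
2001:db8::1234      # hypothetical global IPv6 address
192.0.2.10          # hypothetical IPv4 address
'

# is_link_local ADDR -> exit 0 if ADDR lies in fe80::/10 (fe80:: through febf::)
is_link_local() {
    case "$1" in
        [fF][eE][89aAbB]?:*) return 0 ;;
        *) return 1 ;;
    esac
}

# rule_for ADDR -> prints the DROP command for ADDR on stdout,
# or prints a reason on stderr and returns 1 when no rule should be generated
rule_for() {
    addr=$1
    case "$addr" in
        *:*)
            if is_link_local "$addr"; then
                echo "# skipped $addr: link-local, never routed between LAN and WAN" >&2
                return 1
            fi
            # IPv6 addresses need ip6tables; iptables only handles IPv4
            echo "ip6tables -I INPUT -s $addr -j DROP"
            ;;
        *.*.*.*)
            echo "iptables -I INPUT -s $addr -j DROP"
            ;;
        *)
            echo "# skipped $addr: not a recognisable IPv4/IPv6 address" >&2
            return 1
            ;;
    esac
}

# generate_rules: reads a blocklist on stdin (one address per line) and prints rules
generate_rules() {
    while IFS= read -r line; do
        line=${line%%#*}                               # drop trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t')      # drop whitespace
        [ -z "$line" ] && continue
        rule_for "$line" || true                       # skipped entries are not fatal
    done
}

# Demo run: prints the two usable rules and reports the two skipped link-local entries.
demo() {
    printf '%s' "$BLOCKLIST_SAMPLE" | generate_rules
}

demo
```

Running the script prints only the ip6tables rule for 2001:db8::1234 and the iptables rule for 192.0.2.10; the two fe80:: entries are reported on stderr as skipped. Rules inserted with `-I INPUT` are lost on reboot, so a persistent blacklist belongs in the router's custom firewall rules file rather than in an interactive shell session.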