Sagecom Fast 5250 and the famous Steve router question :)

[smarch291]

Hi everyone !

My setup:
Sagecom Fast 5250.
This router is from Virgin Internet (bell).

I'm having TCP traffic on port 80. It's open
on purpose. nat redirection to my web server
lubuntu.

I was checking access.log and webalyzer. and I didn't like it.
So I've done some research about ipset and iptables. Decide to
ban subnet from russia, china, north korea... etc.

The problem is I still see traffic from them but with error 302.
To make sure the iptables rules was working, I used Tor browser
and force it to exit out from Russia and yes, it working ... almost.

The question is why, if I drop traffic using my ban rules I still see
traffic in access.log . In the first place, is it suppose to not let them in ?

And the juicy...
I can access my router port 22 as the owner of the Virgin contract and
I found that I could do a "login" in the ssh shell as root.
Then I created /home/<myuser>.
I can write file in there and change permission and I even have access
to /usr/bin/iptables which is completely normal to exist in busybox.

Would it be more accurate/logic to create my ban rules in my router ?
that would be fantastic.

Thanks and regard
smarch291
longueuil, qc
canada

[Philip]

Yes, it would make more sense to ban them at the router I suppose, but either way should work. I'd look into your iptables rules. They shouldn't be denied access, you should be DROPping incoming requests from the IP ranges. They shouldn't be getting to your server at all, if they are, something is incorrect with your rules, or you need to reload the rules into iptables for them to take effect... Also, note you may have to use some type of hash of all the network ranges you are adding for performance reasons, large blocks may not work with single rules.

To list the current rules:
iptables -L

To restart iptables (may be different depening on distro and init.d vs systemd):
/etc/init.d/iptables restart
or
sysctl iptables restart


Many distros have a front end to iptables now, ufw for Ubuntu I believe, firewalld for Fedora, etc. You may have to explore what firewall is running.
Also, how are you loading all those IP ranges? It may be a good idea to use "hash:net" or "hash:ip" with your firewall. hash:ip is good for smaller number of IPs, does not work well with large subnets at all!!! Use "hash:net" for larger subnets / network ranges.


Once you load your IP ranges into a hash:net, you then issue a rule something like this:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set myhashnet src -j DROP

(the above command assumes firewalld, and that your hash:net is called "myhashnet").


Just some pointers, good luck with it