Koozali.org: home of the SME Server

[SOLVED] How to ban some external IPs on forwarded ports?

M3kk
[SOLVED] How to ban some external IPs on forwarded ports?
« on: July 15, 2015, 05:51:21 PM »
Hello,

I have a problem. I have an SME as gateway, with 1 WAN and 1 LAN. I have a port forward to a client PC (RDP). For some time now, two IPs have been abusing the client with an RD brute forcer, so I would like to ban them on the SME side. How can I do it?

PS: Yes, the IPs are the same; I just need to know how I can ban/drop them even if the port forward rule stays alive for other external IPs.

Thank you in advance.
« Last Edit: July 16, 2015, 03:58:05 PM by M3kk »

Stefano
Re: How to ban some external ips?
« Reply #1 on: July 15, 2015, 06:05:06 PM »
hi

first of all, I suggest you not expose RDC on the WAN but use a VPN.. once the VPN tunnel is up, you can safely connect to RDC

anyway, take a look at http://wiki.contribs.org/Fail2ban

M3kk
Re: How to ban some external ips?
« Reply #2 on: July 15, 2015, 06:08:43 PM »
Unfortunately I must use this method (RDP port forward to an internal client).
I tried this method, but I think this is only for non-forwarded ports..

I will take a look at Fail2Ban; I'm not sure if it will work with a custom port, or only with SSH, and only on the SME, and not on a forwarded port to a client.
« Last Edit: July 15, 2015, 06:17:40 PM by M3kk »

Stefano
Re: How to ban some external ips?
« Reply #3 on: July 15, 2015, 06:14:00 PM »
I guess we're talking about RDP, and I guess it's already protected by certificates..

anyway, take a look here http://serverfault.com/questions/568381/fail2ban-for-windows-2008-rdp

you need something acting on windows' side

M3kk
Re: How to ban some external ips?
« Reply #4 on: July 15, 2015, 06:18:01 PM »
Yes, sorry, RDP :).

So I can't block those IPs from the SME side?

I want something like this: iptables bans an external IP on a specific port, so the external IP can't get past the SME on that port..
« Last Edit: July 15, 2015, 06:56:31 PM by M3kk »

Daniel B.
Re: How to ban some external ips?
« Reply #5 on: July 15, 2015, 07:20:16 PM »
You won't be able to automatically ban IPs if they are brute forcing the RDP service: SME only sees a raw TCP stream and won't look at the content. But you can manually ban IPs from the SME itself. You can do this either through a custom template, or if you run smeserver-fail2ban, you can manually add bans:

Code:
db fail2ban set badguy1 ban BanTimestamp $(date +%s) UnbanTimestamp $(($(date +%s)+3600)) Host 12.13.14.15
db fail2ban set badguy2 ban BanTimestamp $(date +%s) UnbanTimestamp $(($(date +%s)+604800)) Host 21.22.23.24
signal-event fail2ban-update

With this example, 21.22.23.24 will be banned for 1 week and 12.13.14.15 for 1 hour. If you want a permanent ban, just set UnbanTimestamp to some huge number like 9999999999999999 and it'll never be unbanned (well, not until you replace your server and at this time, we'll probably be using IPv159 anyway ;-))
It's the end of the world !!! :lol:

CharlieBrady
Re: How to ban some external ips?
« Reply #6 on: July 15, 2015, 08:45:25 PM »
Add an AllowHosts entry to your portforwarding rule. See:

http://bugs.contribs.org/show_bug.cgi?id=2379
« Last Edit: July 15, 2015, 08:49:16 PM by CharlieBrady »

Stefano
Re: How to ban some external ips?
« Reply #7 on: July 15, 2015, 10:04:35 PM »
it's in the FAQ:

http://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05#Additional_information_on_customizing_iptables

better link FAQ's page rather than bugzilla..

BTW, we have so many features that sometimes we forget them altogether :-)

M3kk
Re: How to ban some external ips?
« Reply #8 on: July 15, 2015, 10:25:47 PM »
As I said, I tried it like this: http://wiki.contribs.org/Firewall#Block_incoming_IP_address . The IP address appears in the "iptables -L INPUT -v -n" output, but it's not banned, because the port is forwarded to a client PC, so basically the IP is banned from the SME, but not from the clients too. I wanted to manually block the IP from the SME, and from the forwards too..

Daniel B.
Re: How to ban some external ips?
« Reply #9 on: July 15, 2015, 10:28:13 PM »
Use the FORWARD table instead of the INPUT one

CharlieBrady
Re: How to ban some external ips?
« Reply #10 on: July 16, 2015, 04:19:04 AM »
> it's in the FAQ:
>
> http://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05#Additional_information_on_customizing_iptables
>
> better link FAQ's page rather than bugzilla..

The wiki documentation doesn't refer to portforwarding entries, only to services.

The required syntax for OP to use is in the bugzilla entry, in the Verification.

M3kk
Re: How to ban some external ips?
« Reply #11 on: July 16, 2015, 09:29:52 AM »
> Use the FORWARD table instead of the INPUT one

So in the custom template file I use "/sbin/iptables -A FORWARD -s ipaddress -j DROP" instead of "/sbin/iptables -A INPUT -s ipaddress -j DROP". Is that enough, or do I need to use other switches? Ty.

LE: Yes, the "/sbin/iptables -A FORWARD -s ipaddress -j DROP" did the trick, TY :). Can be marked as [SOLVED].
« Last Edit: July 16, 2015, 09:50:46 AM by M3kk »
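
Added example, not part of any post in this thread: a dry-run generator for the FORWARD rules discussed above, scoped to the forwarded host and port so that other traffic from the same source is unaffected. It uses `-I` rather than `-A` because rules are evaluated in order and an appended DROP is never reached if an earlier rule already accepts the packet; `192.168.1.50` and port 3389 are assumed values for the internal RDP client.

```shell
#!/bin/sh
# Added example (not from the thread): print FORWARD-chain DROP rules for
# banned sources, limited to one forwarded host and port. Dry run only:
# nothing is applied, the output is meant to be reviewed and then pasted
# into the custom template.

# Succeeds only for a dotted quad with four octets in 0-255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ban_rules INTERNAL_HOST PORT SOURCE...
# The filter FORWARD chain sees packets after the PREROUTING DNAT, so -d and
# --dport must name the internal client and its port, not the WAN side.
ban_rules() {
    dest=$1; port=$2; shift 2
    is_ipv4 "$dest" || { echo "invalid internal host: $dest" >&2; return 2; }
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    for src in "$@"; do
        # Reject anything that is not a plain address before it reaches a rule
        is_ipv4 "$src" || { echo "skipping invalid source: $src" >&2; continue; }
        # -I inserts at the top of the chain, ahead of any ACCEPT rule
        echo "/sbin/iptables -I FORWARD -s $src -d $dest -p tcp --dport $port -j DROP"
    done
}

# Constructed sample: 192.168.1.50 is an assumed internal RDP client; the two
# source addresses are the placeholder IPs used earlier in the thread.
ban_rules 192.168.1.50 3389 12.13.14.15 21.22.23.24 not-an-ip
```

After applying the rules, `iptables -L FORWARD -v -n` shows per-rule packet counters, which confirm whether the DROP lines are actually being hit.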

Stefano
Re: How to ban some external ips?
« Reply #12 on: July 16, 2015, 01:00:28 PM »
> The wiki documentation doesn't refer to portforwarding entries, only to services.
>
> The required syntax for OP to use is in the bugzilla entry, in the Verification.

ok.. I see that bug is still open..
is this a feature available?
if so, we need to wikify it


[edit: I need vacations..]
« Last Edit: July 16, 2015, 01:07:40 PM by Stefano »