AC66U doen't block countries

[Tallguynl]

Hi all,

I have the Asus RT-AC66U with MerlinWRT 380.64_2 running. In it I have the 'famous' country IP block script running.

#!/bin/sh

# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Different routers got different iptables syntax
case $(uname -m) in
  armv7l)
    MATCH_SET='--match-set'
    ;;
  mips)
    MATCH_SET='--set'
    ;;
esac

# Block traffic from Tor nodes
if [ "$(ipset --swap TorNodes TorNodes 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N TorNodes iphash
    [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
    for IP in $(cat $IPSET_LISTS_DIR/tor.lst)
    do
        ipset -A TorNodes $IP
    done
fi
[ -z "$(iptables-save | grep TorNodes)" ] && iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn pk sa  is for China Pakistan Saudi Arabia  See other countries code at http://www.ipdeny.com/ipblocks/
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N BlockedCountries nethash
    for country in pk cn ph sa kr af ru ua ro th tr us br it hu mx co pl hk kp kz my ng sg vn ar fr
    do
        [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/countries/$country.zone
        for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
        do
            ipset -A BlockedCountries $IP
        done
    done
fi
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP

# Block Microsoft telemetry spying servers
if [ "$(ipset --swap MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N MicrosoftSpyServers iphash
    for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
              65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
              65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
              65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
              131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
              134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
              191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254
    do
        ipset -A MicrosoftSpyServers $IP
    done
fi
[ -z "$(iptables-save | grep MicrosoftSpyServers)" ] && iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers dst -j DROP

# SET CONFIG
path=/jffs/filters
#path for malware filter files
# END CONFIG

# SET VARIBLES
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`
# END VARIBLES

# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_iptreemap ipt_set; do
        insmod $module
    done

# Different routers got different iptables syntax
case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'
;;
mips)
    MATCH_SET='--set'
;;
esac

# Get lists
get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

get_update () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-updates.txt
 }

# Create the malware-filter (primary) if does not exists
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep 'Unknown set')" != "" ]; then
    get_list
    ipset -N malware-filter iphash
        for IP in $(cat $path/malware-filter.txt)
    do
        ipset -A malware-filter $IP
    done
    [ -z "$(iptables-save | grep malware-filter)" ] && iptables -I FORWARD -m set $MATCH_SET malware-filter dst -j DROP
fi

# Destroy this transient set just in case
ipset --destroy malware-update > /dev/null 2>&1

# Load the latest rule(s)
(echo -e "-N malware-update iphash\n" && \
    get_update | \
        nice sed 's/^/-A malware-update /' && \
    echo -e "\nCOMMIT\n" \
) | \

nice ipset --restore && \
nice ipset --swap malware-update malware-filter && \
nice ipset --destroy malware-update
exit $?

Now, When running this script all seems fine. It takes about 5 minutes for it to finish.

The log shows me these sorts of info:
Jan 15 18:28:51 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set BlockedCountries triggered: hashsize grows from 448398 to 672597

I gues that's ok?

Because when testing if I can access my NAS from one of those countries (using http://www.webpagetest.org/ ) I see that the router is actually allowing access to my NAS! WHUT? That's not what I want!!

2017-01-15 18:02:07 Alert 192.168.0.1 user kernel ACCEPT <4>ACCEPT IN=eth0 OUT=br0 <1>SRC=122.248.198.232 DST=192.168.0.197

Now I've seen a posting here about ARM CPU's not understanding the IPT_Set. Hoewever changing it to XT_SET gives an error back. So IPT_SET seems to work fine.

Now...Why isn't my router blocking those countries? In the \JFFS\IP_lists\ folder I see the files for all those countries.
"...It seems this is not blocking the so-called FORWARD CHAIN..." someone told me. Is this the reason? If So, how do I fix that?

 

[redhat27]

Bump.... I have the same question.

 

[swetoast]

its not ipset v6 compatible read the wiki, soo rework the script no need for more bumps.

 

[redhat27]

I disabled IPv6 on the router. The test still failed. I am assuming other machines that have an IPv6 in a blocked country still access my router's open port? ipset6 is not available as opkg package for merlin firmware.

So the script only blocks traffic from machines that have IPv4 only, right? When you say rework the script, there is actually no way I can make use of ipset6 without it being available as an entware package for a mipsel router

 

[tomsk]

ASUS mipsel routers use an older version of the linux kernel and are unable to support ipset version 6. However mipsel routers use ipset4, support for which is already complied in, you just have to load the kernel modules.
Ipset 4 is perfectly capable of handling IPv6 however as @swetoast mentions, some rework of the script is necessary.
the newer merlin firmware in ARM routers are compiled with ipset version 6 support, which loads different kernel modules and has different command syntax. You will either need different versions of the script , or a script which can auto detect the version to deal with this.

 

[redhat27]

I have that script working (additional kernel modules loaded from the script) I have verified that an source with an IPv4 in a blocked country cannot connect. However, I am trying to figure out how to block sources that have an IPv6.

You mentioned "Ipset 4 is perfectly capable of handling IPv6" which gives me a lot of hope.
Would it be as simple as loading lists from IPv6 blocklist and then using ip6tables instead of iptables with -A INPUT -m set --set <blacklist> src -j REJECT
If the above is not the way to go about it, can you give me some pointers on how to use Ipset4 to handle IPv6 addresses

 

[tomsk]

You can't mix different IP versions in the same ipset... so my approach would be to grab an IPv6 blocklist and put that list into a separate ipset with inet6 family. Then you can use that ipset in a separate iptables rule.

 

[redhat27]

I cannot get ipset v4 to work with IPv6 addresses:

admin@RT-AC66R-D700:/tmp/home/root# ipset -N BlockedCountries6 nethash family inet6
Bad argument `family'

also:

admin@RT-AC66R-D700:/tmp/home/root# ipset -N BlockedCountries6 nethash
admin@RT-AC66R-D700:/tmp/home/root# ipset -A BlockedCountries6 2407:c000:0000:0000:0000:0000:0000:0000/32
ipset v4.5: Out of range cidr `2407:c000:0000:0000:0000:0000:0000:0000/32' specified

So when you say:

Ipset 4 is perfectly capable of handling IPv6

I'm at a loss as to how to get ipset v4 take ipv6 netmasks

 

[tomsk]

The man page for ipset v4 can be found here http://man.cx/ipset(8) but now having a look at it myself, I don't see the option to specify an IPv6 set. So I may have led you astray there.... for ipset v6 if you want to specify an IPv6 set you just add inet6 without the "family"
Anyone can confirm ipset4 doesn't support IPv6 addresses?

 

[swetoast]

I can else I've would have supported

 

[tomsk]

I can else I've would have supported

Thats a shame.... means all those mips routers out there on IPv6 networks can't take advantage of it.
So sorry to waste your time and get your hopes up there @Shounak De i was under the impression ipset6 was just a greater range of set types...didn't realise it meant the difference between having IPv6 support or not.

 

[john9527]

I can else I've would have supported

True....IPv6 support was first added in ipset5, which was a total rewrite of ipset.

 

[tomsk]

True....IPv6 support was first added in ipset5, which was a total rewrite of ipset.

So if you want to implement country blocking without the benefit of ipsets for IPv6... are you back to a whole string of iptables rules for every ip range you want to block?

 

[redhat27]

Looks like I am stuck with IPv6 country blocking using ip6tables only
That will be a huge list to load and maybe will affect router performance

FWIW, I've modified the original script to be ipset v6 compatible, that maybe useful to for arm routers that have ipset v6:
The main change is in the BlockedCountries section

#!/bin/sh

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Different routers got different iptables syntax
case $(uname -m) in
  armv7l)
  MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'
  # Loading ipset modules
  lsmod | grep -q "xt_set" || \
  for module in ip_set ip_set_nethash ip_set_iphash xt_set; do
    insmod $module
  done
  ;;
  mips)
  MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'
  # Loading ipset modules
  lsmod | grep -q "ipt_set" || \
  for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
    insmod $module
  done
  ;;
esac

# Block traffic from Tor nodes [IPv4 nodes only]
if $(ipset $SWAP TorNodes TorNodes 2>&1 | grep -q 'Unknown set'); then
  ipset $CREATE TorNodes $IPHASH
  [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
  for IP in $(cat $IPSET_LISTS_DIR/tor.lst)
  do
    ipset $ADD TorNodes $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added TorNodes list ($entryCount entries)"
fi
iptables-save | grep -q TorNodes || iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
country_list=$(ls -1 $IPSET_LISTS_DIR/??.lst | sed -e 's/^.*\///' | cut -f1 -d"." | paste -s -d" ")
country_list=${country_list:-"br cn kr pk ru sa sc tr tw ua vn"}  # Default country list, if not found in $IPSET_LISTS_DIR
if $(ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q 'Unknown set'); then
  ipset $CREATE BlockedCountries $NETHASH
  for country in ${country_list}
  do
    entryCount=0
    [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
    do
      ipset $ADD BlockedCountries $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added country [$country] to BlockedCountries list ($entryCount entries)"
  done
fi
iptables-save | grep -q BlockedCountries || iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP
if [ $(nvram get ipv6_fw_enable) -eq 1 -a $(uname -m) = "armv7l" ]; then
  if $(ipset $SWAP BlockedCountries6 BlockedCountries6 2>&1 | grep -q 'Unknown set'); then
    ipset $CREATE BlockedCountries6 $NETHASH6
    for country in ${country_list}
    do
      entryCount=0
      [ -e $IPSET_LISTS_DIR/${country}6.lst ] || wget -q -O $IPSET_LISTS_DIR/${country}6.lst http://www.ipdeny.com/ipv6/ipaddresses/aggregated/${country}-aggregated.zone
      for IP6 in $(cat $IPSET_LISTS_DIR/${country}6.lst)
      do
        ipset $ADD BlockedCountries6 $IP6
        [ $? -eq 0 ] && entryCount=$((entryCount+1))
      done
      logger -t Firewall "$0: Added country [$country] to BlockedCountries6 list ($entryCount entries)"
    done
  fi
  ip6tables-save | grep -q BlockedCountries6 || ip6tables -I INPUT -m set $MATCH_SET BlockedCountries6 src -j DROP
fi

# Block Microsoft telemetry spying servers [IPv4 only]
if $(ipset $SWAP MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep -q 'Unknown set'); then
  ipset $CREATE MicrosoftSpyServers $IPHASH
  [ $? -eq 0 ] && entryCount=0
  for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
        65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
        65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
        65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
        131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
        134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
        191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254
  do
    ipset $ADD MicrosoftSpyServers $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added MicrosoftSpyServers list ($entryCount entries)"
fi
iptables-save | grep -q MicrosoftSpyServers || iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers src,dst -j DROP

# Block traffic from custom block list
if $(ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q 'Unknown set'); then
  if [ -e $IPSET_LISTS_DIR/custom.lst ]; then
    ipset $CREATE CustomBlock $IPHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/from_log.lst)
    do
      ipset $ADD CustomBlock $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
  fi
fi
iptables-save | grep -q CustomBlock || iptables -I INPUT -m set $MATCH_SET CustomBlock src -j DROP

# Allow traffic from Whitelist [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain a combination of IPv4 IP or IPv4 netmask]
if $(ipset $SWAP Whitelist Whitelist 2>&1 | grep -q 'Unknown set'); then
  if [ -e $IPSET_LISTS_DIR/whitelist.lst ]; then
    ipset $CREATE Whitelist $NETHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/whitelist.lst)
    do
      [ "${IP##*/}" == "$IP" ] && ipset $ADD Whitelist $IP/31 || ipset $ADD Whitelist $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
  fi
  logger -t Firewall "$0: Added Whitelist ($entryCount entries)"
fi
iptables-save | grep -q Whitelist || iptables -I INPUT -m set $MATCH_SET Whitelist src -j ACCEPT

It is indeed a shame my router cannot use the ipset v6 section, but it would be awesome if someone can test it using a amazon EC2 source (pick from dropdown list) from this site (which is almost always a IPv6 source) in a blocked country.

 

[wallyg8r]

I get the following when trying to run this script:

iptables v1.4.14: Set TorNodes doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
./firewall-start2: line 41: paste: not found
./firewall-start2: line 74: ip6tables-save: not found
ip6tables v1.4.14: Set BlockedCountries6 doesn't exist.

Try `ip6tables -h' or 'ip6tables --help' for more information.
iptables v1.4.14: Set MicrosoftSpyServers doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Set CustomBlock doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Set Whitelist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.

 

[redhat27]

hmm, you'll need package "coreutils-paste"

opkg install coreutils-paste

otherwise comment out the offending line (41), it should still work.

[1] Also what is the output of

cat /tmp/syslog.log | grep "Firewall"

after you run it
[2] Do you have the country lists and the country6 lists downloaded by the scripts in $IPSET_LISTS_DIR/ (the script should have downloaded these for you)

For some reason the ipsets are not getting created
can you try

ipset -L BlockedCountries | wc -l

and see what is the output

 

[wallyg8r]

I installed the package then ran firewall-start2 and got:

iptables v1.4.14: Set TorNodes doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
ls: /jffs/ipset_lists/??.lst: No such file or directory
iptables v1.4.14: Set BlockedCountries doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
./firewall-start2: line 74: ip6tables-save: not found
ip6tables v1.4.14: Set BlockedCountries6 doesn't exist.

Try `ip6tables -h' or 'ip6tables --help' for more information.
iptables v1.4.14: Set MicrosoftSpyServers doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Set CustomBlock doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Set Whitelist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.

The output of:
cat /tmp/syslog.log | grep "Firewall" is nothing at all.

The output of:
ipset -L BlockedCountries | wc -l
is:
ipset v6.29: The set with the given name does not exist
0

 

[redhat27]

Regarding

./firewall-start2: line 74: ip6tables-save: not found

I do not know why you are getting that (not in path?). You should be able to safely substitute
ip6tables-save
with
ip6tables -L
in line 74

Your ipset lists are not getting created, period.
What is the output of

ipset --version

 

[wallyg8r]

Regarding I do not know why you are getting that (not in path?). You should be able to safely substitute
ip6tables-save
with
ip6tables -L
in line 74

Your ipset lists are not getting created, period.
What is the output of

ipset --version

Changing ip6tables-save to ip6tables -L got rid of the error in line 74.
ipset version is ipset v6.29, protocol version: 6

Thanks for helping me with this. I appreciate it.

 

[redhat27]

I'm guessing your ipset is saying something other than 'Unknown set' when it cannot find that set. What is the output of

ipset swap blah blah