What's new

AC66U doen't block countries

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thanks for bearing with me. Not having ipset v6 here makes it a tad difficult.
I've cleaned up the script a bit so it does not use "paste", so you can get rid of it:
Code:
opkg remove coreutils-paste

You should be able to use this as is withou any modifications:
Code:
#!/bin/sh

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR
# Check dependencies exist
[ -x "/usr/sbin/ip6tables-save" ] && LIST6TABLE="ip6tables-save" || LIST6TABLE="ip6tables -L"

# Different routers got different iptables and ipset syntax
case $(uname -m) in
  armv7l)
    MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
    # Loading ipset modules
    lsmod | grep -q "xt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash xt_set; do
      insmod $module
    done;;
  mips)
    MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
    # Loading ipset modules
    lsmod | grep -q "ipt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
      insmod $module
    done;;
esac

# Block traffic from Tor nodes [IPv4 nodes only]
if $(ipset $SWAP TorNodes TorNodes 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE TorNodes $IPHASH
  [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
  for IP in $(cat $IPSET_LISTS_DIR/tor.lst); do
    ipset $ADD TorNodes $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added TorNodes list ($entryCount entries)"
fi
iptables-save | grep -q TorNodes || iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
country_list="au br ca cn de fr gb jp kr pk ru sa sc tr tw ua vn"
if $(ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE BlockedCountries $NETHASH
  for country in ${country_list}; do
    entryCount=0
    [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    for IP in $(cat $IPSET_LISTS_DIR/$country.lst); do
      ipset $ADD BlockedCountries $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added country [$country] to BlockedCountries list ($entryCount entries)"
  done
fi
iptables-save | grep -q BlockedCountries || iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP
if [ $(nvram get ipv6_fw_enable) -eq 1 -a $(uname -m) = "armv7l" ]; then
  if $(ipset $SWAP BlockedCountries6 BlockedCountries6 2>&1 | grep -q "$SETNOTFOUND"); then
    ipset $CREATE BlockedCountries6 $NETHASH6
    for country in ${country_list}; do
      entryCount=0
      [ -e $IPSET_LISTS_DIR/${country}6.lst ] || wget -q -O $IPSET_LISTS_DIR/${country}6.lst http://www.ipdeny.com/ipv6/ipaddresses/aggregated/${country}-aggregated.zone
      for IP6 in $(cat $IPSET_LISTS_DIR/${country}6.lst); do
        ipset $ADD BlockedCountries6 $IP6
        [ $? -eq 0 ] && entryCount=$((entryCount+1))
      done
      logger -t Firewall "$0: Added country [$country] to BlockedCountries6 list ($entryCount entries)"
    done
  fi
  $LIST6TABLE | grep -q BlockedCountries6 || ip6tables -I INPUT -m set $MATCH_SET BlockedCountries6 src -j DROP
fi

# Block Microsoft telemetry spying servers [IPv4 only]
if $(ipset $SWAP MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE MicrosoftSpyServers $IPHASH
  [ $? -eq 0 ] && entryCount=0
  for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
        65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
        65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
        65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
        131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
        134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
        191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254; do
    ipset $ADD MicrosoftSpyServers $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added MicrosoftSpyServers list ($entryCount entries)"
fi
iptables-save | grep -q MicrosoftSpyServers || iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers src,dst -j DROP

# Block traffic from custom block list
if $(ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q "$SETNOTFOUND"); then
  if [ -e $IPSET_LISTS_DIR/custom.lst ]; then
    ipset $CREATE CustomBlock $IPHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/custom.lst); do
      ipset $ADD CustomBlock $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
  fi
fi
iptables-save | grep -q CustomBlock || iptables -I INPUT -m set $MATCH_SET CustomBlock src -j DROP

# Allow traffic from Whitelist [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain a combination of IPv4 IP or IPv4 netmask]
if $(ipset $SWAP Whitelist Whitelist 2>&1 | grep -q "$SETNOTFOUND"); then
  if [ -e $IPSET_LISTS_DIR/whitelist.lst ]; then
    ipset $CREATE Whitelist $NETHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/whitelist.lst); do
      [ "${IP##*/}" == "$IP" ] && ipset $ADD Whitelist $IP/31 || ipset $ADD Whitelist $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
  fi
  logger -t Firewall "$0: Added Whitelist ($entryCount entries)"
fi
iptables-save | grep -q Whitelist || iptables -I INPUT -m set $MATCH_SET Whitelist src -j ACCEPT

You can create a handy alias in your profile (in /opt/etc/profile or /jffs/configs/profile.add)
Code:
alias blockstats='iptables -L -v | grep " set"; ip6tables -L -v | grep " set"'

then you can quickly check up on how your blocklists are functioning, how many packets blocked etc. by just typing 'blockstats'

Thanks for testing the changes
 
Thanks for bearing with me. Not having ipset v6 here makes it a tad difficult.
I've cleaned up the script a bit so it does not use "paste", so you can get rid of it:
Code:
opkg remove coreutils-paste

You should be able to use this as is withou any modifications:
Code:
#!/bin/sh

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR
# Check dependencies exist
[ -x "/usr/sbin/ip6tables-save" ] && LIST6TABLE="ip6tables-save" || LIST6TABLE="ip6tables -L"

# Different routers got different iptables and ipset syntax
case $(uname -m) in
  armv7l)
    MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
    # Loading ipset modules
    lsmod | grep -q "xt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash xt_set; do
      insmod $module
    done;;
  mips)
    MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
    # Loading ipset modules
    lsmod | grep -q "ipt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
      insmod $module
    done;;
esac

# Block traffic from Tor nodes [IPv4 nodes only]
if $(ipset $SWAP TorNodes TorNodes 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE TorNodes $IPHASH
  [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
  for IP in $(cat $IPSET_LISTS_DIR/tor.lst); do
    ipset $ADD TorNodes $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added TorNodes list ($entryCount entries)"
fi
iptables-save | grep -q TorNodes || iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
country_list="au br ca cn de fr gb jp kr pk ru sa sc tr tw ua vn"
if $(ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE BlockedCountries $NETHASH
  for country in ${country_list}; do
    entryCount=0
    [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    for IP in $(cat $IPSET_LISTS_DIR/$country.lst); do
      ipset $ADD BlockedCountries $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added country [$country] to BlockedCountries list ($entryCount entries)"
  done
fi
iptables-save | grep -q BlockedCountries || iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP
if [ $(nvram get ipv6_fw_enable) -eq 1 -a $(uname -m) = "armv7l" ]; then
  if $(ipset $SWAP BlockedCountries6 BlockedCountries6 2>&1 | grep -q "$SETNOTFOUND"); then
    ipset $CREATE BlockedCountries6 $NETHASH6
    for country in ${country_list}; do
      entryCount=0
      [ -e $IPSET_LISTS_DIR/${country}6.lst ] || wget -q -O $IPSET_LISTS_DIR/${country}6.lst http://www.ipdeny.com/ipv6/ipaddresses/aggregated/${country}-aggregated.zone
      for IP6 in $(cat $IPSET_LISTS_DIR/${country}6.lst); do
        ipset $ADD BlockedCountries6 $IP6
        [ $? -eq 0 ] && entryCount=$((entryCount+1))
      done
      logger -t Firewall "$0: Added country [$country] to BlockedCountries6 list ($entryCount entries)"
    done
  fi
  $LIST6TABLE | grep -q BlockedCountries6 || ip6tables -I INPUT -m set $MATCH_SET BlockedCountries6 src -j DROP
fi

# Block Microsoft telemetry spying servers [IPv4 only]
if $(ipset $SWAP MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE MicrosoftSpyServers $IPHASH
  [ $? -eq 0 ] && entryCount=0
  for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
        65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
        65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
        65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
        131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
        134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
        191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254; do
    ipset $ADD MicrosoftSpyServers $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added MicrosoftSpyServers list ($entryCount entries)"
fi
iptables-save | grep -q MicrosoftSpyServers || iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers src,dst -j DROP

# Block traffic from custom block list
if $(ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q "$SETNOTFOUND"); then
  if [ -e $IPSET_LISTS_DIR/custom.lst ]; then
    ipset $CREATE CustomBlock $IPHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/custom.lst); do
      ipset $ADD CustomBlock $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
  fi
fi
iptables-save | grep -q CustomBlock || iptables -I INPUT -m set $MATCH_SET CustomBlock src -j DROP

# Allow traffic from Whitelist [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain a combination of IPv4 IP or IPv4 netmask]
if $(ipset $SWAP Whitelist Whitelist 2>&1 | grep -q "$SETNOTFOUND"); then
  if [ -e $IPSET_LISTS_DIR/whitelist.lst ]; then
    ipset $CREATE Whitelist $NETHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/whitelist.lst); do
      [ "${IP##*/}" == "$IP" ] && ipset $ADD Whitelist $IP/31 || ipset $ADD Whitelist $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
  fi
  logger -t Firewall "$0: Added Whitelist ($entryCount entries)"
fi
iptables-save | grep -q Whitelist || iptables -I INPUT -m set $MATCH_SET Whitelist src -j ACCEPT

You can create a handy alias in your profile (in /opt/etc/profile or /jffs/configs/profile.add)
Code:
alias blockstats='iptables -L -v | grep " set"; ip6tables -L -v | grep " set"'

then you can quickly check up on how your blocklists are functioning, how many packets blocked etc. by just typing 'blockstats'

Thanks for testing the changes
Thanks for that. It ran ok except for:

iptables v1.4.14: Set CustomBlock doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Set Whitelist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
 
That is fixed too. The updated script is here. Could you post the output of
Code:
cat /tmp/syslog.log | grep "Firewall"
and
Code:
iptables -L -v | grep " set"; ip6tables -L -v | grep " set"
for my curiosity?
 
It ran perfectly this time!
The output of cat /tmp/syslog.log | grep "Firewall"

admin@NETGEAR-87C8:/jffs/scripts# cat /tmp/syslog.log | grep "Firewall"
Mar 1 03:11:19 Firewall: ./firewall-start2: Added TorNodes list (7019 entries)
Mar 1 03:11:27 Firewall: ./firewall-start2: Added country [au] to BlockedCountr ies6 list (993 entries)
Mar 1 03:11:56 Firewall: ./firewall-start2: Added country [br] to BlockedCountr ies6 list (3987 entries)
Mar 1 03:12:05 Firewall: ./firewall-start2: Added country [cn] to BlockedCountr ies6 list (1225 entries)
Mar 1 03:12:06 Firewall: ./firewall-start2: Added country [kr] to BlockedCountr ies6 list (109 entries)
Mar 1 03:12:07 Firewall: ./firewall-start2: Added country [pk] to BlockedCountr ies6 list (77 entries)
Mar 1 03:12:17 Firewall: ./firewall-start2: Added country [ru] to BlockedCountr ies6 list (1308 entries)
Mar 1 03:12:17 Firewall: ./firewall-start2: Added country [sa] to BlockedCountr ies6 list (74 entries)
Mar 1 03:12:18 Firewall: ./firewall-start2: Added country [sc] to BlockedCountr ies6 list (9 entries)
Mar 1 03:12:20 Firewall: ./firewall-start2: Added country [tr] to BlockedCountr ies6 list (283 entries)
Mar 1 03:12:21 Firewall: ./firewall-start2: Added country [tw] to BlockedCountr ies6 list (84 entries)
Mar 1 03:12:23 Firewall: ./firewall-start2: Added country [ua] to BlockedCountr ies6 list (352 entries)
Mar 1 03:12:24 Firewall: ./firewall-start2: Added country [vn] to BlockedCountr ies6 list (77 entries)
Mar 1 03:12:25 Firewall: ./firewall-start2: Added MicrosoftSpyServers list (45 entries)

the output of iptables -L -v | grep " set"; ip6tables -L -v | grep " set" didn't return anything.

Thanks for fixing the script!
 
I wonder why you have BlockedCountries6 and not BlockedCountries list created o_O. You should have both

I am guessing the more accurate command to show the lists for your model would be
Code:
iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"
If possible, can you run the above?
 
I wonder why you have BlockedCountries6 and not BlockedCountries list created o_O. You should have both

I am guessing the more accurate command to show the lists for your model would be
Code:
iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"
If possible, can you run the above?
Here is the output:

admin@NETGEAR-87C8:/jffs/scripts# iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"
0 0 DROP all -- any any anywhere anywhere match-set BlockedCountries src
0 0 DROP all -- any any anywhere anywhere match-set TorNodes src
0 0 DROP all -- any any anywhere anywhere match-set MicrosoftSpyServers src,dst
0 0 DROP all any any anywhere anywhere match-set BlockedCountries6 src
 
admin@NETGEAR-87C8:/jffs/scripts# iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"
0 0 DROP all -- any any anywhere anywhere match-set BlockedCountries src
0 0 DROP all -- any any anywhere anywhere match-set TorNodes src
0 0 DROP all -- any any anywhere anywhere match-set MicrosoftSpyServers src,dst
0 0 DROP all any any anywhere anywhere match-set BlockedCountries6 src
You got all of them :)

Did you test it works from that webpagetest website? You can test this if you have a webserver running on your router. Or else just use the traceroute test.
 
You got all of them :)

Did you test it works from that webpagetest website? You can test this if you have a webserver running on your router. Or else just use the traceroute test.
I don't have a webserver running on my router. Not sure what the traceroute test is. I am able to open pages in Poland and Russia (just two of the countries I checked) which I have as blocked countries in the script. Not sure what is going on. Any ideas?
 
Setting up the block rules is to prevent machines from those countries connecting to your router or your home network behind the router. If you have no servers of any kind running, you do not even need to worry about blocking anything (provided ofcourse there is no trojan/malware server you are not aware of). Exception to this is the 'MicrosoftSpyServers' block rule, which aims to prevent windows machines in your LAN to connect to M$ telemetry servers (Note the 'dst' on the filter rule)
 
Setting up the block rules is to prevent machines from those countries connecting to your router or your home network behind the router. If you have no servers of any kind running, you do not even need to worry about blocking anything (provided ofcourse there is no trojan/malware server you are not aware of). Exception to this is the 'MicrosoftSpyServers' block rule, which aims to prevent windows machines in your LAN to connect to M$ telemetry servers (Note the 'dst' on the filter rule)
Ok thanks. Appreciate all your help.
 
Setting up the block rules is to prevent machines from those countries connecting to your router or your home network behind the router. If you have no servers of any kind running, you do not even need to worry about blocking anything (provided ofcourse there is no trojan/malware server you are not aware of). Exception to this is the 'MicrosoftSpyServers' block rule, which aims to prevent windows machines in your LAN to connect to M$ telemetry servers (Note the 'dst' on the filter rule)
my privacy filter covers this really well :)
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top