Menu
What's new
By:
Filters Better Search

Skynet Ban outgoing only from specific subnet?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

S

sbsnb

Very Senior Member
My mission is to block the entire IP space of China for my IOT guest network, which has it's own IP subnet (I may experiment with blocking all SYN packets regardless of destination - not sure how to handle UDP data yet). I can do it with 7,000 lines of iptables commands, but seeing as how Skynet has some of this functionality already I didn't want to reinvent the wheel if I can use it for my purposes.

Is there a way in Skynet to specify that I want to block outgoing packets only that originate from a specific subnet?
 
Make a group in iptables to make a chain from instead of 7k lines. Throw all of the CN subnets CIDRs into it and then it's a single line to deal with. You can add and remove from the group without reloading the rules and it processes faster to keep speeds up.
 
I'm afraid that's beyond my level of expertise with iptables.
 
https://serverfault.com/a/996252 - this might work easier
https://docs.rackspace.com/support/how-to/block-ip-range-from-countries-with-geoip-and-iptables/ - similar
https://linoxide.com/block-ips-countries-geoip-addons/ - a little more in depth


# ipset create countryblock nethash
This is how you make a container for iptable and then just dump the CIDR's into it with the command
# ipset add countryblock 1.0.1.0/24
The one aside when creating the ipste list is to use the highest option for nethash to make sure you can fit all of the CIDR's into the same list

LinuxOPsys: Linux How-to guide, Tutorials & Tips

LinuxOPsys is a Linux blog website that publishes how-to guide, tutorials & tips about server adminstration, installation, commands, and security.
linoxide.com

https://wiki.archlinux.org/title/Ipset - goes a little more in depth on ipset commands

Using ipset to block IP addresses - firewall - Tech Knowledge Base - jaytaala.com Confluence

confluence.jaytaala.com confluence.jaytaala.com

How to use ipset Command in Linux – The Geek Diary

IP sets are stored collections of IP addresses, network ranges, MAC addresses, port numbers, and network interface names. The iptables tool can leverage IP sets for more efficient rule matching. For example, let's say you want to drop traffic that originates from one of several IP address ranges...
www.thegeekdiary.com www.thegeekdiary.com
howto.lintel.in

How to use ipset command on linux to block bulk IPs - Lintel Technologies Blog

ipset is a companion application for the iptables Linux firewall. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things. Installation Debian based system “`# apt install ipset“` Redhat based system “`# yum install ipset“` Blocking a list of network...
howto.lintel.in howto.lintel.in

You can also make ipset groups for TCP / UDP filtering as well by port number. It might take some tinkering but, if you grab the CIDR's you want to block converting them into commands is easiest by using notepad++ to do a find and replace to insert the command before the CIDR in bulk fashion. The perk though is you can add / remove IP's w/o messing with the rule in iptables or reordering them with -I / -A / -D and getting caught up in refreshing the view to make sure they're all in the right spot. For making the rules / adding the group use the -N to add it as an option in IPT before it can be used but, once it's there you're done. Then it's just adding the single line rule to block based on the container / list used for ipset.
 
OK. Seems simple enough. My only worry is that creating the group involves about 13,000 networks. Is this something the router can handle efficiently? How does Skynet do it?
 
I don't know how skynet does it but, you can condense the networks into higher level /'s looking them up on https://bgp.he.net/ to find the /12 /8/ or higher level. This reduces the lookups as only the first octet needs to hit a match vs the whole /24 IP. Since you seem to only want to block in one direction and on one subnet it shouldn't take up much resources on the router.
 
I think I might experiment with blocking all outgoing TCP connections first. I can't think of any reason I want an IOT device initiating a connection with anything.
 
You must log in or register to reply here.

Similar threads

M
Solved Weird destination ip when connecting to a subnet
Replies
3
Views
777
drinkingbird
drinkingbird
P
Tutorial Subnetting isolation without a VLAN switch
Replies
6
Views
905
Justinh
J
D
questions about building wireless mesh LAN
Replies
13
Views
1K
drinkingbird
drinkingbird
drinkingbird
Tutorial How to force a new WAN IP Address (to fix sites not loading, high latency, incorrect location displayed, etc)
Replies
7
Views
4K
drinkingbird
drinkingbird
C
RT-AC87U Block Camera From WAN
Replies
5
Views
3K
Aerandir14
A
Similar threads
Thread starter Title Forum Replies Date
W Skynet Why does Skynet ban perfectly legit websites Asuswrt-Merlin AddOns 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 839 (members: 20, guests: 819)
Top